Hi. We're trying to configure a basic SSL (TLS) connection through
OpenLDAP version 2.4.6. We're using Linux, Debian Version 4.0 ('etch')
INTEL.
The pertinent info...
slapd.conf
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
loglevel -1
logfile /usr/local/var/openldap-data/logb
TLSCACertificateFile /home/bwaldorf/certs/1024pcert.pem
TLSCertificateFile /home/bwaldorf/certs/1024pcert.pem
TLSCertificateKeyFile /home/bwaldorf/certs/1024pkey.pem
TLSCipherSuite DES-CBC-SHA
TLSVerifyClient never
#TLSRandFile
#TLSEphemeralDHParamFile
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "o=replDB"
rootdn "cn=replman,o=replDB"
rootpw password
timelimit 1
idletimeout 4
access to attrs=userPassword
by self write
by anonymous auth
by * none
access to *
by self write
by * read
directory /usr/local/var/openldap-data
index sn,mail,uid,title eq
ldap.conf
TLS_CACERT /home/bwaldorf/certs/1024pcert.pem
TLS_CERT /home/bwaldorf/certs/1024pcert.pem
TLS_KEY /home/bwaldorf/certs/1024pkey.pem
So we try the following search (-ZZ to force the command to be
successful)...
ldapsearch -x -D "cn=replman,o=replDB" -w password -b "o=replDB1" -ZZ
And we get the following output (below) with -d -1... (sorry for the
excessive messages).
Looks like the problem is...
"connection_read(13): unable to get TLS client DN, error=49 id=5"
I did some googling for this error, but never found a thread with a
cause/solution.
Thanks in advance for your time and help!
daemon: activity on 1 descriptor
daemon: activity on:
slap_listener_activate(8):
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 busy
>>> slap_listener(ldap:///)
daemon: activity on 1 descriptor
daemon: listen=8, new connection on 13
daemon: activity on:daemon: added 13r (active) listener=(nil)
conn=5 fd=13 ACCEPT from IP=127.0.0.1:32933 (IP=0.0.0.0:389))
daemon: epoll: listen=7 active_threads=1 tvp=zero.
daemon: epoll: listen=8 active_threads=1 tvp=zero.
daemon: activity on 1 descriptor
daemon: activity on: 13r
daemon: read active on 13
daemon: epoll: listen=7 active_threads=1 tvp=zero.
connection_get(13)
daemon: epoll: listen=8 active_threads=1 tvp=zero.
connection_get(13): got connid=5
connection_read(13): checking for input on id=5
ber_get_next
ldap_read: want=8, got=8
0000: 30 1d 02 01 01 77 18 80 0....w..
ldap_read: want=23, got=23
0000: 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36 .1.3.6.1.4.1.146
0010: 36 2e 32 30 30 33 37 6.20037
ber_get_next: tag 0x30 len 29 contents:
ber_dump: buf=0xa0c11fc8 ptr=0xa0c11fc8 end=0xa0c11fe5 len=29.
0000: 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 ...w...1.3.6.1.4
0010: 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .1.1466.20037
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
conn=5 op=0 do_extended
ber_scanf fmt ({m) ber:
ber_dump: buf=0xa0c11fc8 ptr=0xa0c11fcb end=0xa0c11fe5 len=26
0000: 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e w...1.3.6.1.4.1.
0010: 31 34 36 36 2e 32 30 30 33 37 1466.20037
conn=5 op=0 EXT oid=1.3.6.1.4.1.1466.20037
do_extended: oid=1.3.6.1.4.1.1466.20037
daemon: activity on 1 descriptor
conn=5 op=0 STARTTLS
daemon: activity on:send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
daemon: epoll: listen=7 active_threads=1 tvp=zero
ber_flush2: 14 bytes to sd 13
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
conn=5 op=0 RESULT oid= err=0 text=
daemon: epoll: listen=8 active_threads=1 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 13r
daemon: read active on 13
daemon: epoll: listen=7 active_threads=1 tvp=zero
connection_get(13)
daemon: epoll: listen=8 active_threads=1 tvp=zero
connection_get(13): got connid=5
connection_read(13): checking for input on id=5
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
0000: 80 74 01 03 01 00 4b 00 00 00 20 .t....K.......
tls_read: want=107, got=107
0000: 00 00 39 00 00 38 00 00 35 00 00 16 00 00 13 00 ..9..8..5.......
0010: 00 0a 07 00 c0 00 00 33 00 00 32 00 00 2f 03 00 .......3..2../..
0020: 80 00 00 05 00 00 04 01 00 80 00 00 15 00 00 12 ................
0030: 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08 00 .....@..........
0040: 00 06 04 00 80 00 00 03 02 00 80 15 2d dd 5d 9a ............-.].
0050: f5 29 55 3b 15 f2 e5 47 18 9c 22 f2 7d 07 51 72 .)U;...G..".}.Qr
0060: 60 1f 38 61 8d 9a e7 67 2a 5e 9e `.8a...g*^..}.
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
tls_write: want=985, written=985
0000: 16 03 01 00 4a 02 00 00 46 03 01 48 92 1d e7 69 ....J...F..H...i
0010: f3 a0 ea 95 0f 3b 21 71 a5 b0 11 34 27 91 b8 0b .....;!q...4'...
0020: d1 25 4f ca d5 56 fd 55 d2 0f 33 20 a7 fe 44 07 .%O..V.U..3 ..D.
0030: 8a 33 a1 ec 46 61 01 94 2a 05 9a 59 9e 95 02 ec .3..Fa..*..Y....
0040: 99 82 42 77 1d f6 bf 6e b4 0f 05 23 00 09 00 16 ..Bw...n...#....
0050: 03 01 03 7c 0b 00 03 78 00 03 75 00 03 72 30 82 ...|...x..u..r0.
0060: 03 6e 30 82 02 d7 a0 03 02 01 02 02 01 00 30 0d .n0...........0.
0070: 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 30 81 87 ..*.H........0..
0080: 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 11 30 1.0...U....US1.0
0090: 0f 06 03 55 04 08 13 08 4e 65 77 20 59 6f 72 6b ...U....New York
00a0: 31 15 30 13 06 03 55 04 07 13 0c 50 6f 75 67 68 1.0...U....Pough
00b0: 6b 65 65 70 73 69 65 31 0c 30 0a 06 03 55 04 0a keepsie1.0...U..
00c0: 13 03 49 42 4d 31 0c 30 0a 06 03 55 04 0b 13 03 ..IBM1.0...U....
00d0: 54 50 46 31 0e 30 0c 06 03 55 04 03 13 05 44 61 TPF1.0...U....Da
00e0: 76 69 64 31 22 30 20 06 09 2a 86 48 86 f7 0d 01 vid1"0 ..*.H....
00f0: 09 01 16 13 6d 6f 7a 65 73 68 74 61 40 75 73 2e ....mozeshta@us.
0100: 69 62 6d 2e 63 6f 6d 30 1e 17 0d 30 38 30 33 31 ibm.com0...08031
0110: 31 30 31 31 36 31 31 5a 17 0d 31 30 31 32 30 37 1011611Z..101207
0120: 30 31 31 36 31 31 5a 30 81 87 31 0b 30 09 06 03 011611Z0..1.0...
0130: 55 04 06 13 02 55 53 31 11 30 0f 06 03 55 04 08 U....US1.0...U..
0140: 13 08 4e 65 77 20 59 6f 72 6b 31 15 30 13 06 03 ..New York1.0...
0150: 55 04 07 13 0c 50 6f 75 67 68 6b 65 65 70 73 69 U....Poughkeepsi
0160: 65 31 0c 30 0a 06 03 55 04 0a 13 03 49 42 4d 31 e1.0...U....IBM1
0170: 0c 30 0a 06 03 55 04 0b 13 03 54 50 46 31 0e 30 .0...U....TPF1.0
0180: 0c 06 03 55 04 03 13 05 44 61 76 69 64 31 22 30 ...U....David1"0
0190: 20 06 09 2a 86 48 86 f7 0d 01 09 01 16 13 6d 6f ..*.H........mo
01a0: 7a 65 73 68 74 61 40 75 73 2e 69 62 6d 2e 63 6f zeshta@us.ibm.co
01b0: 6d 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 m0..0...*.H.....
01c0: 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 ac ee .......0........
01d0: f9 a7 40 cc 73 af 67 a0 ea 46 08 45 a5 fd 44 71 ..@.s.g..F.E..Dq
01e0: a4 04 3e 51 f7 39 51 82 3d 7e 9b 99 ae 1d c1 22 ..>Q.9Q.=~....."
01f0: 67 10 e7 15 d1 a9 65 75 e9 3e 0f 77 64 d1 14 4d g.....eu.>.wd..M
0200: 28 f0 8c ba d3 ed 87 e9 b1 5b 11 c1 3f 11 ed 1a (........[..?...
0210: 96 9a 3f b3 4b f3 db bd 84 41 11 aa ea 37 6d ab ..?.K....A...7m.
0220: c5 fb a9 bb ab 9d 87 66 b2 31 7a c8 35 06 06 ec .......f.1z.5...
0230: fb 07 f1 29 f5 f3 fd 29 f4 df 33 bf 40 de 84 6f ...)...)..3.@..o
0240: 9d 66 ea 57 42 ab 0f 13 a0 07 71 d5 e0 6d 02 03 .f.WB.....q..m..
0250: 01 00 01 a3 81 e7 30 81 e4 30 1d 06 03 55 1d 0e ......0..0...U..
0260: 04 16 04 14 11 76 af b1 5a bd 99 53 a5 de 02 35 .....v..Z..S...5
0270: 06 51 c4 01 74 71 2c c6 30 81 b4 06 03 55 1d 23 .Q..tq,.0....U.#
0280: 04 81 ac 30 81 a9 80 14 11 76 af b1 5a bd 99 53 ...0.....v..Z..S
0290: a5 de 02 35 06 51 c4 01 74 71 2c c6 a1 81 8d a4 ...5.Q..tq,.....
02a0: 81 8a 30 81 87 31 0b 30 09 06 03 55 04 06 13 02 ..0..1.0...U....
02b0: 55 53 31 11 30 0f 06 03 55 04 08 13 08 4e 65 77 US1.0...U....New
02c0: 20 59 6f 72 6b 31 15 30 13 06 03 55 04 07 13 0c York1.0...U....
02d0: 50 6f 75 67 68 6b 65 65 70 73 69 65 31 0c 30 0a Poughkeepsie1.0.
02e0: 06 03 55 04 0a 13 03 49 42 4d 31 0c 30 0a 06 03 ..U....IBM1.0...
02f0: 55 04 0b 13 03 54 50 46 31 0e 30 0c 06 03 55 04 U....TPF1.0...U.
0300: 03 13 05 44 61 76 69 64 31 22 30 20 06 09 2a 86 ...David1"0 ..*.
0310: 48 86 f7 0d 01 09 01 16 13 6d 6f 7a 65 73 68 74 H........mozesht
0320: 61 40 75 73 2e 69 62 6d 2e 63 6f 6d 82 01 00 30 a@us.ibm.com...0
0330: 0c 06 03 55 1d 13 04 05 30 03 01 01 ff 30 0d 06 ...U....0....0..
0340: 09 2a 86 48 86 f7 0d 01 01 04 05 00 03 81 81 00 .*.H............
0350: a8 39 22 f9 88 b2 c1 e6 95 5e af 4d ae f6 89 e5 .9"......^.M....
0360: 64 82 37 42 f6 5b 00 56 22 d0 c6 b9 5f 70 36 2f d.7B.[.V"..._p6/
0370: 8f 10 bb 5a d1 18 33 2a 37 8a a0 f2 c3 53 21 12 ...Z..3*7....S!.
0380: 2c 28 8a 62 a9 e0 b5 5a 70 4c 77 f1 5c 33 d2 a3 ,(.b...ZpLw.\3..
0390: 6d 77 e8 6e e8 7e 5b 74 d9 3a 70 24 38 89 ce 11 mw.n.~[t.:p$8...
03a0: 4c ec 64 51 f2 be 61 4c 18 09 25 13 48 e2 5b 13 L.dQ..aL..%.H.[.
03b0: d9 fa 8c 0c b7 a2 dd 09 dd e8 da 01 c7 29 2b 9a .............)+.
03c0: 22 51 6f 19 54 e7 02 90 75 0e a9 3a 4b e0 d1 a4 "Qo.T...u..:K...
03d0: 16 03 01 00 04 0e 00 00 00 ...........:
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5 error=Resource temporarily unavailable
TLS trace: SSL_accept:error in SSLv3 read client certificate A.........:
TLS trace: SSL_accept:error in SSLv3 read client certificate A.........:
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=1 tvp=zero
daemon: epoll: listen=8 active_threads=1 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 13r
daemon: read active on 13
daemon: epoll: listen=7 active_threads=1 tvp=zero
connection_get(13)
daemon: epoll: listen=8 active_threads=1 tvp=zero
connection_get(13): got connid=5
connection_read(13): checking for input on id=5
tls_read: want=5, got=5
0000: 16 03 01 00 86 ...........:
tls_read: want=134, got=134
0000: 10 00 00 82 00 80 91 6b 72 70 d5 4e 89 66 4e 5f .......krp.N.fN_
0010: f2 d6 d6 41 e7 3a 85 1e 8e ce 85 4d 90 ac 4a ec ...A.:.....M..J.
0020: 81 f6 4d 2c 1d 94 85 e8 78 cf c9 68 11 77 b3 4e ..M,....x..h.w.N
0030: 13 97 62 43 e2 e8 12 44 42 46 c6 bc c3 74 c7 ad ..bC...DBF...t..
0040: f7 46 22 2b ac 8c 8e 59 5d de f4 fd f9 73 3f 76 .F"+...Y]....s?v
0050: 1b 58 1f da 5c 95 49 a6 73 ec 75 37 fc 38 fa 53 .X..\.I.s.u7.8.S
0060: 6d 3c a9 fd 2a 7d c3 f7 b9 79 e7 3f 8f da df 04 m<..*}...y.?....
0070: cb 06 e2 67 75 3c 57 cf 8e 60 6e e4 27 fa 23 a3 ...gu<W..`n.'.#.
0080: b8 fb c6 5b 14 7e ...[.~
TLS trace: SSL_accept:SSLv3 read client key exchange A
tls_read: want=5, got=5
0000: 14 03 01 00 01 .....
tls_read: want=1, got=1
0000: 01 .....
tls_read: want=5, got=5
0000: 16 03 01 00 28 ....(
tls_read: want=40, got=40
0000: 77 34 09 6c 45 e9 f1 f0 a2 e6 cb 2d e4 49 27 42 w4.lE......-.I'B
0010: 45 a5 84 74 bb bd 0f 6e 24 70 e1 b0 0f 19 83 4a E..t...n$p.....J
0020: 7a 41 c3 b3 ca fe 80 68 zA.....h
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
tls_write: want=51, written=51
0000: 14 03 01 00 01 01 16 03 01 00 28 97 a6 bb b1 8c ..........(.....
0010: 50 d4 6f 60 2c fb c7 d1 10 a6 a6 37 ff ea 0b e8 P.o`,......7....
0020: 60 d0 f1 6b 34 d7 26 7b a9 c8 c0 45 72 33 7c 67 `..k4.&{...Er3|g
0030: b4 07 93 ...
TLS trace: SSL_accept:SSLv3 flush data
connection_read(13): unable to get TLS client DN, error=49 id=5
conn=5 fd=13 TLS established tls_ssf=56 ssf=56
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=1 tvp=zero
daemon: epoll: listen=8 active_threads=1 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 13r
daemon: read active on 13
daemon: epoll: listen=7 active_threads=1 tvp=zero
connection_get(13)
daemon: epoll: listen=8 active_threads=1 tvp=zero
connection_get(13): got connid=5
connection_read(13): checking for input on id=5
ber_get_next
tls_read: want=5, got=0
ldap_read: want=8, got=0
ber_get_next on fd 13 failed errno=0 (Success)
connection_read(13): input error=-2 id=5, closing.
connection_closing: readying conn=5 sd=13 for close
connection_close: conn=5 sd=13
daemon: removing 13
daemon: activity on 1 descriptor
tls_write: want=29, written=29
0000: 15 03 01 00 18 73 41 45 4f f9 51 03 05 e6 66 c2 .....sAEO.Q...f.
0010: f5 65 d2 a9 ab 03 aa 8d d1 79 ef 18 8c .e.......y....
TLS trace: SSL3 alert write:warning:close notify
conn=5 fd=13 closed (connection lost)
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
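Added example for this thread (not part of the post and not OpenLDAP code): a small Python script that reads the non-hexdump lines of a slapd -d -1 trace and reports, per connection, how the StartTLS session ended. The sample input is constructed from the lines in the trace above. It assumes a single client in the trace, because the "TLS trace:" lines carry no connection id and are attributed to the most recently seen connection; real multi-client logs interleave. Run on this trace it shows what the trace itself shows: the handshake completed ("TLS established tls_ssf=56"), the "error in ... read client certificate" lines were non-fatal waits for client data since the handshake continued past them, error=49 is the LDAP_INVALID_CREDENTIALS result slapd logs when no client certificate was presented (expected with TLSVerifyClient never), and the client then closed the connection without sending any LDAP operation over TLS, so the rejection happened on the client side.

```python
"""Summarize a `slapd -d -1` StartTLS trace per connection (added example, not OpenLDAP code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the non-hexdump lines of the trace in the post above.
SAMPLE_TRACE = """\
conn=5 fd=13 ACCEPT from IP=127.0.0.1:32933 (IP=0.0.0.0:389)
conn=5 op=0 EXT oid=1.3.6.1.4.1.1466.20037
conn=5 op=0 STARTTLS
conn=5 op=0 RESULT oid= err=0 text=
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A.........:
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(13): unable to get TLS client DN, error=49 id=5
conn=5 fd=13 TLS established tls_ssf=56 ssf=56
connection_read(13): input error=-2 id=5, closing.
TLS trace: SSL3 alert write:warning:close notify
conn=5 fd=13 closed (connection lost)
"""

RE_ACCEPT = re.compile(r"^conn=(\d+) fd=\d+ ACCEPT from IP=(\S+)")
RE_OP = re.compile(r"^conn=(\d+) op=\d+ ([A-Z]+)")
RE_SSL_ACCEPT = re.compile(r"^TLS trace: SSL_accept:(.*?)[.:]*$")  # strip trailing dump debris
RE_CLIENT_DN = re.compile(r"^connection_read\(\d+\): unable to get TLS client DN, error=(\d+) id=(\d+)")
RE_ESTABLISHED = re.compile(r"^conn=(\d+) fd=\d+ TLS established tls_ssf=(\d+) ssf=(\d+)")
RE_CLOSED = re.compile(r"^conn=(\d+) fd=\d+ closed \((.*)\)")


@dataclass
class ConnTrace:
    conn_id: int
    peer: str = ""
    starttls_requested: bool = False
    handshake_steps: List[str] = field(default_factory=list)  # SSL_accept states, in order
    client_dn_error: Optional[int] = None  # LDAP result code from the "TLS client DN" line
    tls_ssf: Optional[int] = None          # set once slapd logs "TLS established"
    ops_after_tls: List[str] = field(default_factory=list)  # operations the client sent over TLS
    close_reason: Optional[str] = None


def parse_slapd_trace(text: str) -> dict:
    """Return {conn_id: ConnTrace}; TLS trace lines go to the most recently seen connection (assumption)."""
    conns: dict = {}
    current: Optional[ConnTrace] = None

    def get(cid: int) -> ConnTrace:
        nonlocal current
        current = conns.setdefault(cid, ConnTrace(cid))
        return current

    for line in text.splitlines():
        line = line.rstrip()
        if m := RE_ACCEPT.match(line):
            get(int(m.group(1))).peer = m.group(2)
        elif m := RE_ESTABLISHED.match(line):
            get(int(m.group(1))).tls_ssf = int(m.group(2))
        elif m := RE_CLOSED.match(line):
            get(int(m.group(1))).close_reason = m.group(2)
        elif m := RE_CLIENT_DN.match(line):
            get(int(m.group(2))).client_dn_error = int(m.group(1))
        elif m := RE_OP.match(line):
            t, verb = get(int(m.group(1))), m.group(2)
            if verb == "STARTTLS":
                t.starttls_requested = True
            elif t.tls_ssf is not None and verb != "RESULT":
                t.ops_after_tls.append(verb)
        elif (m := RE_SSL_ACCEPT.match(line)) and current is not None:
            current.handshake_steps.append(m.group(1))
    return conns


def diagnose(t: ConnTrace) -> str:
    """Explain in one line how the StartTLS session on this connection ended."""
    if not t.starttls_requested:
        return f"conn={t.conn_id}: no StartTLS request seen"
    if t.tls_ssf is None:
        last = t.handshake_steps[-1] if t.handshake_steps else "none"
        return f"conn={t.conn_id}: server-side handshake failed (last SSL_accept state: {last})"
    parts = [f"conn={t.conn_id} from {t.peer}: TLS handshake completed, tls_ssf={t.tls_ssf}"]
    waits = [s for s in t.handshake_steps if s.startswith("error in")]
    if waits:  # the handshake went on after them, so these were retries, not failures
        parts.append(f"{len(waits)} 'error in' trace line(s) were non-fatal waits for client data")
    if t.client_dn_error == 49:
        parts.append("no client certificate was presented (error=49 here is expected with TLSVerifyClient never)")
    if not t.ops_after_tls and t.close_reason == "connection lost":
        parts.append("client closed the session without sending any LDAP operation over TLS, "
                     "so the rejection happened on the client side; rerun the client with -d 1 "
                     "to see its own TLS verification result")
    elif t.ops_after_tls:
        parts.append("client continued with " + ", ".join(t.ops_after_tls))
    return "; ".join(parts)


if __name__ == "__main__":
    for trace in parse_slapd_trace(SAMPLE_TRACE).values():
        print(diagnose(trace))
```

Two caveats worth keeping in mind when reading this trace: the tls_ssf=56 reported after the handshake is the 56-bit strength of the DES-CBC-SHA cipher forced by TLSCipherSuite, far below what a current deployment should accept; and the client-side TLS_CERT and TLS_KEY settings are user-only options that the client library reads from ldaprc/.ldaprc, not from the system-wide ldap.conf, so placing them in ldap.conf does not make the client present a certificate.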