Hi. We're trying to configure a basic SSL (TLS) connection through OpenLDAP version 2.4.6. We're using Linux, Debian Version 4.0 ('etch') INTEL.
The pertinent info...
slapd.conf
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema

pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args

loglevel -1
logfile /usr/local/var/openldap-data/logb

TLSCACertificateFile /home/bwaldorf/certs/1024pcert.pem
TLSCertificateFile /home/bwaldorf/certs/1024pcert.pem
TLSCertificateKeyFile /home/bwaldorf/certs/1024pkey.pem
TLSCipherSuite DES-CBC-SHA
TLSVerifyClient never
#TLSRandFile
#TLSEphemeralDHParamFile

#######################################################################
# BDB database definitions
#######################################################################

database bdb
suffix "o=replDB"
rootdn "cn=replman,o=replDB"
rootpw password
timelimit 1
idletimeout 4

access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

access to *
    by self write
    by * read
directory /usr/local/var/openldap-data
index sn,mail,uid,title eq
ldap.conf
TLS_CACERT /home/bwaldorf/certs/1024pcert.pem
TLS_CERT /home/bwaldorf/certs/1024pcert.pem
TLS_KEY /home/bwaldorf/certs/1024pkey.pem
So we try the following search (-ZZ to force the command to be successful)...
ldapsearch -x -D "cn=replman,o=replDB" -w password -b "o=replDB1" -ZZ
And we get the following output (below) with -d -1... (sorry for the excessive messages).
Looks like the problem is... "connection_read(13): unable to get TLS client DN, error=49 id=5"
I did some googling for this error, but never found a thread with a cause/solution.
Thanks in advance for your time and help!
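Added example (not from the post or OpenLDAP itself): a small Python parser for the `tls_read`/`tls_write` hex-dump lines that `slapd -d -1` prints, walking the TLS records to list which handshake messages each side sent. With `TLSVerifyClient never` slapd does not send a CertificateRequest, so there is never a client certificate DN for it to read; the sample dump below is constructed in the same format, with message bodies shortened to a few bytes.

```python
import re

# TLS handshake message types (RFC 5246, section 7.4)
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
             13: "CertificateRequest", 14: "ServerHelloDone",
             15: "CertificateVerify", 16: "ClientKeyExchange", 20: "Finished"}
HEX_LINE = re.compile(r"^[0-9a-f]{4}:((?: [0-9a-f]{2}){1,16})")  # ASCII column ignored

def dump_to_bytes(dump):
    """Concatenate the hex columns of slapd's tls_read/tls_write dump lines."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line.strip())
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)

def handshake_messages(data):
    """Walk TLS records and name the handshake messages up to ChangeCipherSpec."""
    names, pos = [], 0
    while pos + 5 <= len(data):
        if data[pos] & 0x80:               # SSLv2-style record: the v2-compatible ClientHello
            length = ((data[pos] & 0x7f) << 8) | data[pos + 1]
            names.append(HANDSHAKE.get(data[pos + 2], "v2type%d" % data[pos + 2]))
            pos += 2 + length
            continue
        ctype, length = data[pos], int.from_bytes(data[pos + 3:pos + 5], "big")
        body, pos = data[pos + 5:pos + 5 + length], pos + 5 + length
        if ctype == 0x14:                  # ChangeCipherSpec: everything after is encrypted
            names.append("ChangeCipherSpec")
            break
        if ctype != 0x16:                  # alert or application data: not a handshake record
            continue
        i = 0
        while i + 4 <= len(body):          # a record may carry several handshake messages
            mtype, mlen = body[i], int.from_bytes(body[i + 1:i + 4], "big")
            names.append(HANDSHAKE.get(mtype, "type%d" % mtype))
            i += 4 + mlen
    return names

def client_cert_requested(server_msgs):
    # True only if the server asked for a client certificate (TLSVerifyClient allow/try/demand)
    return "CertificateRequest" in server_msgs

# Constructed sample in slapd's dump format (bodies shortened; not the post's bytes)
SERVER_FLIGHT = """\
0000: 16 03 01 00 0a 02 00 00 06 03 01 00 00 00 00 16 ................
0010: 03 01 00 08 0b 00 00 04 00 00 01 aa 16 03 01 00 ................
0020: 04 0e 00 00 00 ....."""
CLIENT_FLIGHT = """\
0000: 80 06 01 03 01 00 00 00 16 03 01 00 06 10 00 00 ................
0010: 02 00 00 14 03 01 00 01 01 16 03 01 00 04 de ad ................
0020: be ef .."""
```

Run `handshake_messages(dump_to_bytes(...))` on each side's dump: a server flight of ServerHello, Certificate, ServerHelloDone with no CertificateRequest means the "unable to get TLS client DN" line is the expected consequence of that configuration, not the reason the client dropped the connection.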