On 08/09/2011 09:07 AM, Daniel Qian wrote:
On 11-08-09 10:49 AM, Rich Megginson wrote:
On 08/09/2011 08:33 AM, Daniel Qian wrote:
Hi,
I have slapd 2.4.24 and everything works without TLS. but if I add a -Z option to the ldapsearch command I get this:
[root@ldaprov1 cacerts]# ldapsearch -x -LLL -b cn=config -D cn=admin,cn=config -wxxxxxxx -Z -H ldap://ldaprov1.prod cn=config ldap_start_tls: Connect error (-11) ldap_result: Can't contact LDAP server (-1)
slapd.log shows something like this : connection_read(16): TLS accept failure error=-1 id=1006, closing
Output from openssl debug:
[root@ldaprov1 cacerts]# openssl s_client -connect hostname:389 -showcerts -state -CAfile cacert.pem CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A 140225133647680:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 113 bytes
New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE
The configurations are as follow (same command as above but without the -Z option):
[root@ldaprov1 cacerts]# ldapsearch -x -LLL -b cn=config -D cn=admin,cn=config -wxxxxxx -H ldap://hostname cn=config dn: cn=config objectClass: olcGlobal cn: config olcConfigFile: /etc/openldap/slapd.conf olcConfigDir: /etc/openldap/slapd.d olcAllows: bind_v2 olcArgsFile: /var/run/openldap/slapd.args olcAttributeOptions: lang- olcAuthzPolicy: none olcConcurrency: 0 olcConnMaxPending: 100 olcConnMaxPendingAuth: 1000 olcGentleHUP: FALSE olcIdleTimeout: 0 olcIndexSubstrIfMaxLen: 4 olcIndexSubstrIfMinLen: 2 olcIndexSubstrAnyLen: 4 olcIndexSubstrAnyStep: 2 olcIndexIntLen: 4 olcLocalSSF: 71 olcLogLevel: 9 olcPidFile: /var/run/openldap/slapd.pid olcReadOnly: FALSE olcReverseLookup: FALSE olcSaslSecProps: noplain,noanonymous olcSockbufMaxIncoming: 262143 olcSockbufMaxIncomingAuth: 16777215 olcThreads: 16 olcTLSCACertificateFile: /etc/openldap/cacerts/cacert.pem olcTLSCertificateFile: /etc/openldap/cacerts/ldaprov1.crt olcTLSCertificateKeyFile: /etc/openldap/cacerts/ldaprov1.key olcTLSVerifyClient: never olcToolThreads: 1 olcWriteTimeout: 0
I verified the ldap user can read all the TLS files and they are setup fine
[root@ldaprov1 cacerts]# openssl verify -purpose sslserver -CAfile cacert.pem ldaprov1.crt ldaprov1.crt: OK
Anyone can tell me what I am missing here?
No, but we're missing
- platform
- tls implementation (openssl, moznss, gnutls)
- output of ldapsearch -x -d 1 -Z ...... rest of arguments .....
Its Fedora 15
ldd /usr/sbin/slapd linux-vdso.so.1 => (0x00007fff76fff000) libltdl.so.7 => /usr/lib64/libltdl.so.7 (0x00007f0f29fcd000) libdb-4.8.so => /lib64/libdb-4.8.so (0x00007f0f29c53000) libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007f0f29a38000) libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f0f29801000) libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f0f295e6000) libssl3.so => /usr/lib64/libssl3.so (0x00007f0f293b0000) libsmime3.so => /usr/lib64/libsmime3.so (0x00007f0f29183000) libnss3.so => /usr/lib64/libnss3.so (0x00007f0f28e4b000) libnssutil3.so => /usr/lib64/libnssutil3.so (0x00007f0f28c2b000) libplds4.so => /lib64/libplds4.so (0x00007f0f28a28000) libplc4.so => /lib64/libplc4.so (0x00007f0f28824000) libnspr4.so => /lib64/libnspr4.so (0x00007f0f285e6000) libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f0f283cb000) libc.so.6 => /lib64/libc.so.6 (0x00007f0f28032000) libdl.so.2 => /lib64/libdl.so.2 (0x00007f0f27e2d000) libfreebl3.so => /lib64/libfreebl3.so (0x00007f0f27bcc000) libz.so.1 => /lib64/libz.so.1 (0x00007f0f279b5000) /lib64/ld-linux-x86-64.so.2 (0x00007f0f2a66a000)
the ldapsearch -d 1 option tells me a lot more: ..... ldap_msgfree TLS: file ldaprov1.crt does not end in [.0] - does not appear to be a CA certificate directory file with a properly hashed file name - skipping. TLS: file cacert.pem does not end in [.0] - does not appear to be a CA certificate directory file with a properly hashed file name - skipping. TLS: file ldaprov1.key does not end in [.0] - does not appear to be a CA certificate directory file with a properly hashed file name - skipping. .....
I tell slapd to look for specific files but how come it is still checking in a directory?
I don't know. What does /etc/openldap/ldap.conf say? Do you have a ~/.ldaprc or ~/ldaprc for the user "ldap"?
if I move all the files to a different directory like the following:
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem olcTLSCertificateFile: /etc/ssl/certs/ldaprov1.crt olcTLSCertificateKeyFile: /etc/ssl/certs/ldaprov1.key
slapd still checks the /etc/openldap/cacerts directory:
TLS: did not find any valid CA certificates in /etc/openldap/cacerts TLS: could not initialize moznss using security dir /etc/openldap/cacerts prefix - error -8174. TLS: could perform TLS system initialization. TLS: error: could not initialize moznss security context - error -5939:No more entries in the directory TLS: can't create ssl handle.
and also it seems to be using moznss by default?
Right. Fedora 14 and later use moznss.
Thanks, Daniel