On 04/12/2011 01:14 PM, Judith Flo Gaya wrote:
Hello Quanah,
On 4/12/11 7:28 PM, Quanah Gibson-Mount wrote:
--On Tuesday, April 12, 2011 7:10 PM +0200 Judith Flo Gayajflo@imppc.org wrote:
( I installed a newer version of openldap in my server as the RH6 uses an old one, I compiled it with tls and openssl)
From the client I do : ldapsearch -x -ZZ -d1 -h curri0.imppc.local:636
This is a startTLS request. You are using LDAPS. This will never work.
Try
ldapsearch -x -H ldaps://curri0.imppc.local:636/
It doesn't work either, still complains about not being able to contact the server. But now I see a different error:
ldapsearch -x -H ldaps://curri0.imppc.local:636 -d1 ldap_url_parse_ext(ldaps://curri0.imppc.local:636) ldap_create ldap_url_parse_ext(ldaps://curri0.imppc.local:636/??base) ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP curri0.imppc.local:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 172.19.5.13:636 ldap_pvt_connect: fd: 3 tm: -1 async: 0 TLS: could not initialize moznss using security dir /etc/openldap/cacerts - error -8174:Unknown code ___f 18. TLS: could not add the certificate (null) - error -8192:Unknown code ___f 0. TLS: error: connect - force handshake failure -1 - error -8054:Unknown code ___f 138 TLS: can't connect: . ldap_err2string ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
If you are using /usr/bin/ldapsearch on Fedora 14 and later, it is linked with Mozilla NSS instead of openssl. But openldap with moznss works the same as it does with openssl.
Do you have your CA cert on the client machine? If so, did you specify it in /etc/openldap/ldap.conf or ~/.ldaprc? If not, you can also specify it on the command line like this:
LDAPTLS_CACERT=/path/to/ca_cert.pem ldapsearch -x -H ldaps://curri0.imppc.local:636/
See http://www.openldap.org/faq/data/cache/1514.html for information about how to use Mozilla NSS.
and this is what the server says: slap_listener_activate(8):
slap_listener(ldaps://curri0.imppc.local:636)
connection_get(12): got connid=1008 connection_read(12): checking for input on id=1008 TLS trace: SSL_accept:before/accept initialization TLS trace: SSL_accept:SSLv3 read client hello A TLS trace: SSL_accept:SSLv3 write server hello A TLS trace: SSL_accept:SSLv3 write certificate A TLS trace: SSL_accept:SSLv3 write server done A TLS trace: SSL_accept:SSLv3 flush data TLS trace: SSL_accept:error in SSLv3 read client certificate A TLS trace: SSL_accept:error in SSLv3 read client certificate A connection_get(12): got connid=1008 connection_read(12): checking for input on id=1008 TLS trace: SSL3 alert read:fatal:bad certificate TLS trace: SSL_accept:failed in SSLv3 read client certificate A TLS: can't accept: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate. connection_read(12): TLS accept failure error=-1 id=1008, closing connection_close: conn=1008 sd=12
any clue? the error on the client side seems to indicate that the client is trying to use the nss from the mozilla but I never meant to this, openssl is installed. Thanks a lot for your help. j
instead.
--Quanah
--
Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc.
Zimbra :: the leader in open source messaging and collaboration