Quanah Gibson-Mount quanah@zimbra.com wrote on 11/09/2009 05:04:27 PM:
To: Tomasz Welman/Poland/IBM@IBMPL, openldap-technical@openldap.org
Subject: Re: Problem with ldaps:// when switching from 2.3 to 2.4
--On Monday, November 09, 2009 1:08 PM +0100 Tomasz Welman tomasz.welman@pl.ibm.com wrote:
I have two machines; on the first there is no problem in connecting to the LDAP server (IBM directory server). The first machine is RedHat RHEL5 Client, the second is Ubuntu karmic 9.10.
root@xwing:/etc/ldap# uname -a
Linux xwing 2.6.31-server #1 SMP Thu Oct 1 11:55:18 CEST 2009 i686 GNU/Linux
root@xwing:/etc/ldap# dpkg -l |grep ldap
ii  ldap-utils     2.4.15-1ubuntu3  OpenLDAP utilities
ii  libldap-2.4-2  2.4.15-1ubuntu3  OpenLDAP libraries
root@xwing:/etc/ldap# cat ldap.conf
Note that the second machine is using GnuTLS instead of OpenSSL, since it is Debian based. There have been a number of fixes to OpenLDAP for GnuTLS support since 2.4.15:
OpenLDAP 2.4.16 Release (2009/04/05)
  Fixed libldap GnuTLS with x509v1 CA certs (ITS#5992)
  Fixed libldap GnuTLS with CA chains (ITS#5991)
  Fixed libldap GnuTLS TLSVerifyClient try (ITS#5981)
OpenLDAP 2.4.17 Release (2009/07/13)
  Fixed libldap GnuTLS private key init (ITS#6053)
If you want to use a GnuTLS based version of OpenLDAP, I suggest you build a newer release.
I have a third machine with the same configuration, with the exception that it is upgraded to Ubuntu Karmic (sorry, earlier I said the 2nd was karmic, but it's jaunty), so the LDAP versions are:
root@darthvader:/etc/ldap# dpkg -l |grep ldap
rc  ldap-auth-config   0.5.2                Config package for LDAP authentication
ii  ldap-utils         2.4.18-0ubuntu1      OpenLDAP utilities
ii  libaprutil1-ldap   1.3.9+dfsg-1ubuntu1  The Apache Portable Runtime Utility Library -
ii  libldap-2.4-2      2.4.18-0ubuntu1      OpenLDAP libraries
and the TLS:
root@darthvader:/etc/ldap# dpkg -l |grep tls
ii  libcurl3-gnutls   7.19.5-1ubuntu2  Multi-protocol file transfer library (GnuTLS)
ii  libgnutls26       2.8.3-2          the GNU TLS library - runtime library
ii  libneon27-gnutls  0.28.6-1         An HTTP and WebDAV client library (GnuTLS enab
The problem is exactly the same as on the second machine:
root@darthvader:/etc/ldap# ldapsearch -d5 -x -H ldaps://myldapserver.com
ldap_url_parse_ext(ldaps://myldapserver.com)
ldap_create
ldap_url_parse_ext(ldaps://myldapserver.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP myldapserver.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 9.17.186.253:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Of course, the insecure connection works perfectly.
Any suggestions?
--
Tomasz 'Trog' Welman
Software Developer
external: 48-12-628-9449 ITN: 34819449 T/L: 9449
IBM SWG Lab, Krakow, Poland
IBM Polska Sp. z o.o. oddział w Krakowie
ul. Armii Krajowej 18, 30-150 Kraków
NIP: 526-030-07-24, KRS 0000012941, Kapitał zakładowy: 33.000.000 PLN
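A caveat worth adding to this thread: when an ldaps:// handshake fails like the trace above (the TCP connect succeeds, then the bind dies with "Can't contact LDAP server"), the tempting quick fix on the client is to set TLS_REQCERT to never in ldap.conf, which makes the connection "work" by switching off server certificate verification altogether. The right fix is the one Quanah gives (a libldap with the GnuTLS chain fixes) plus a TLS_CACERT that actually contains the server's CA. The following is an added example, not code from the thread or from the OpenLDAP project: a small audit of an OpenLDAP client ldap.conf that flags the weakening settings. Directive names and the TLS_REQCERT default ("demand") follow ldap.conf(5); both sample configurations are constructed for the example and are not the ldap.conf from the posts, and the parser is a simplified one (directive per line, last value wins).

```python
"""Audit an OpenLDAP client ldap.conf for TLS settings that undermine ldaps://.

Added example for this thread, not code from the original posts or from the
OpenLDAP project.  Directive names and the TLS_REQCERT default ("demand") are
taken from ldap.conf(5); the sample configurations are constructed.
"""

# Constructed sample: a client "fixed" by turning certificate checking off.
WEAK_LDAP_CONF = """\
# /etc/ldap/ldap.conf (constructed sample, not the file from the thread)
BASE   dc=example,dc=com
URI    ldaps://myldapserver.com
# workaround that makes the handshake succeed but disables verification
TLS_REQCERT never
"""

# Constructed sample: the same client with a trust anchor configured instead.
HARDENED_LDAP_CONF = """\
BASE        dc=example,dc=com
URI         ldaps://myldapserver.com
TLS_CACERT  /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT demand
"""


def parse_ldap_conf(text):
    """Return {DIRECTIVE: value} from ldap.conf text (simplified parser).

    Blank lines and '#' comments are skipped.  Directive names are
    case-insensitive in ldap.conf(5), so they are normalised to upper case.
    A directive given twice keeps its last value.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].upper()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf[key] = value
    return conf


def audit_tls(conf):
    """Return a list of findings; an empty list means nothing obviously weak.

    Checks performed:
      * TLS_REQCERT never/allow: the server certificate is not required to
        verify, so any host answering on port 636 is accepted as the server.
      * ldaps:// URI without TLS_CACERT or TLS_CACERTDIR: there is no trust
        anchor, so with 'demand' the handshake can only fail and with
        never/allow it silently succeeds unverified.
    """
    findings = []
    uris = conf.get("URI", "").split()
    uses_ldaps = any(u.lower().startswith("ldaps://") for u in uris)
    reqcert = conf.get("TLS_REQCERT", "demand").lower()  # ldap.conf(5) default
    has_ca = "TLS_CACERT" in conf or "TLS_CACERTDIR" in conf

    if reqcert in ("never", "allow"):
        findings.append(
            f"TLS_REQCERT {reqcert}: server certificate is not verified; "
            "a spoofed ldaps:// server would be accepted")
    if uses_ldaps and not has_ca:
        findings.append(
            "ldaps:// URI without TLS_CACERT or TLS_CACERTDIR: no trust "
            "anchor for verifying the server chain")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_LDAP_CONF), ("hardened", HARDENED_LDAP_CONF)):
        result = audit_tls(parse_ldap_conf(text))
        print(f"{name}: {result or 'OK'}")
```

Run it against a real /etc/ldap/ldap.conf by reading the file into parse_ldap_conf; the weak sample yields two findings (TLS_REQCERT never, and no CA configured for an ldaps:// URI) while the hardened sample yields none. If the hardened configuration still fails against an IBM Directory Server with a GnuTLS-linked libldap 2.4.15, that points back at the ITS#5991/ITS#5992 chain-handling fixes rather than at the client configuration.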