Quanah Gibson-Mount <quanah@zimbra.com> wrote on 11/09/2009 05:04:27 PM:
> Quanah Gibson-Mount <quanah@zimbra.com>
> 11/09/2009 05:04 PM
>
> To
>
> Tomasz Welman/Poland/IBM@IBMPL, openldap-technical@openldap.org
>
> cc
>
> Subject
>
> Re: Problem with ldaps:// when switching from 2.3 to 2.4
>
> --On Monday, November 09, 2009 1:08 PM +0100 Tomasz Welman
> <tomasz.welman@pl.ibm.com> wrote:
>
> > I have two machines; on the first there is no problem in connecting to the
> > LDAP server (IBM directory server).
> > The first machine is RedHat RHEL5 Client, the second is Ubuntu karmic
> > 9.10.
>
> > root@xwing:/etc/ldap# uname -a
> > Linux xwing 2.6.31-server #1 SMP Thu Oct 1 11:55:18 CEST 2009 i686 GNU/Linux
> > root@xwing:/etc/ldap# dpkg -l |grep ldap
> > ii  ldap-utils      2.4.15-1ubuntu3    OpenLDAP utilities
> > ii  libldap-2.4-2   2.4.15-1ubuntu3    OpenLDAP libraries
> > root@xwing:/etc/ldap# cat ldap.conf
>
> Note that the second machine is using GnuTLS instead of OpenSSL, since it
> is Debian based. There have been a number of fixes to OpenLDAP for GnuTLS
> support since 2.4.15:
>
> OpenLDAP 2.4.16 Release (2009/04/05)
> Fixed libldap GnuTLS with x509v1 CA certs (ITS#5992)
> Fixed libldap GnuTLS with CA chains (ITS#5991)
> Fixed libldap GnuTLS TLSVerifyClient try (ITS#5981)
>
> OpenLDAP 2.4.17 Release (2009/07/13)
> Fixed libldap GnuTLS private key init (ITS#6053)
>
>
> If you want to use a GnuTLS based version of OpenLDAP, I suggest you build
> a newer release.
>
I have a third machine with the same configuration, with the exception that it is
upgraded to Ubuntu Karmic (sorry, earlier I said the 2nd was karmic but it's jaunty),
so the LDAP versions are:
root@darthvader:/etc/ldap# dpkg -l |grep ldap
rc  ldap-auth-config    0.5.2                  Config package for LDAP authentication
ii  ldap-utils          2.4.18-0ubuntu1        OpenLDAP utilities
ii  libaprutil1-ldap    1.3.9+dfsg-1ubuntu1    The Apache Portable Runtime Utility Library -
ii  libldap-2.4-2       2.4.18-0ubuntu1        OpenLDAP libraries
and the TLS:
root@darthvader:/etc/ldap# dpkg -l |grep tls
ii  libcurl3-gnutls     7.19.5-1ubuntu2        Multi-protocol file transfer library (GnuTLS)
ii  libgnutls26         2.8.3-2                the GNU TLS library - runtime library
ii  libneon27-gnutls    0.28.6-1               An HTTP and WebDAV client library (GnuTLS enab
The problem is exactly the same as on the second machine:
root@darthvader:/etc/ldap# ldapsearch -d5 -x -H ldaps://myldapserver.com
ldap_url_parse_ext(ldaps://myldapserver.com)
ldap_create
ldap_url_parse_ext(ldaps://myldapserver.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP myldapserver.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 9.17.186.253:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Of course the insecure connection works perfectly.
Any suggestions?
--
Tomasz 'Trog' Welman
Software Developer
external: 48-12-628-9449
ITN: 34819449
T/L: 9449
IBM SWG Lab, Krakow, Poland
IBM Polska Sp. z o.o. oddział w Krakowie
ul. Armii Krajowej 18 30 -150 Kraków
NIP: 526-030-07-24, KRS 0000012941
Share capital: 33.000.000 PLN
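Added example, not part of the thread: a small POSIX shell helper that applies Quanah's advice mechanically, classifying which TLS library a libldap build links against and whether its upstream version predates the GnuTLS fixes in 2.4.16/2.4.17 (the library and package names in check_host are assumptions for a Debian/Ubuntu host like the one in the post).

```shell
#!/bin/sh
# Added example, not from the thread: tell whether a libldap build is the
# GnuTLS flavour Quanah describes and whether its version predates the
# GnuTLS fixes he lists (2.4.16/2.4.17). Library and package names below
# are assumptions for a Debian/Ubuntu host like the one in the post.
# Classify the TLS backend from `ldd` output supplied on stdin.
tls_backend() {
    out=$(cat)
    case "$out" in
        *libgnutls*) echo gnutls ;;
        *libssl*)    echo openssl ;;
        *)           echo unknown ;;
    esac
}
# Strip the Debian revision: "2.4.15-1ubuntu3" -> "2.4.15".
upstream_version() {
    printf '%s\n' "$1" | cut -d- -f1
}

# True (exit 0) when dotted version $1 is numerically older than $2.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, "."); k = (n > m ? n : m)
        for (i = 1; i <= k; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# Verdict for a backend name and a Debian package version string.
assess() {
    backend=$1; ver=$(upstream_version "$2")
    if [ "$backend" = gnutls ] && version_lt "$ver" 2.4.17; then
        echo "upgrade: GnuTLS libldap $ver predates the 2.4.16/2.4.17 GnuTLS fixes"
    elif [ "$backend" = gnutls ]; then
        echo "ok: GnuTLS libldap $ver has the listed fixes; check TLS_CACERT in ldap.conf and rerun with -d -1"
    else
        echo "ok: $backend backend, the GnuTLS-specific fixes do not apply"
    fi
}

# Live check on the current host (assumed paths); skips when tools are absent.
check_host() {
    lib=$(ldconfig -p 2>/dev/null | awk '/libldap-2\.4\.so\.2 / { print $NF; exit }')
    [ -n "$lib" ] && command -v dpkg-query >/dev/null || { echo "skip: no libldap-2.4 found"; return 0; }
    assess "$(ldd "$lib" | tls_backend)" "$(dpkg-query -W -f='${Version}' libldap-2.4-2)"
}
```

Run `check_host` on the affected machine; for the 2.4.18 box in the post it reports the fixes are already present, which points the investigation at the CA certificate configuration rather than the library version.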