Quanah Gibson-Mount <quanah@zimbra.com> wrote on 11/09/2009 05:04:27 PM:

> To: Tomasz Welman/Poland/IBM@IBMPL, openldap-technical@openldap.org
> Subject: Re: Problem with ldaps:// when switching from 2.3 to 2.4
>
> --On Monday, November 09, 2009 1:08 PM +0100 Tomasz Welman
> <tomasz.welman@pl.ibm.com> wrote:
>
> > I have two machines; on the first there is no problem in connecting to the
> > LDAP server (IBM directory server).
> > The first machine is a RedHat RHEL5 Client, the second is Ubuntu karmic
> > 9.10.
>
> > root@xwing:/etc/ldap# uname -a
> > Linux xwing 2.6.31-server #1 SMP Thu Oct 1 11:55:18 CEST 2009 i686
> > GNU/Linux
> > root@xwing:/etc/ldap# dpkg -l |grep ldap
> > ii  ldap-utils                                 2.4.15-1ubuntu3
> > OpenLDAP utilities
> > ii  libldap-2.4-2                              2.4.15-1ubuntu3
> > OpenLDAP libraries
> > root@xwing:/etc/ldap# cat ldap.conf
>
> Note that the second machine is using GnuTLS instead of OpenSSL, since it
> is Debian based.  There have been a number of fixes to OpenLDAP for GnuTLS
> support since 2.4.15:
>
> OpenLDAP 2.4.16 Release (2009/04/05)
>    Fixed libldap GnuTLS with x509v1 CA certs (ITS#5992)
>    Fixed libldap GnuTLS with CA chains (ITS#5991)
>    Fixed libldap GnuTLS TLSVerifyClient try (ITS#5981)
>
> OpenLDAP 2.4.17 Release (2009/07/13)
>    Fixed libldap GnuTLS private key init (ITS#6053)
>
>
> If you want to use a GnuTLS based version of OpenLDAP, I suggest you build
> a newer release.
>

I have a third machine with the same configuration, except that it is
upgraded to Ubuntu Karmic (sorry, earlier I said the 2nd was Karmic but it's Jaunty), so the LDAP versions are:

root@darthvader:/etc/ldap# dpkg -l |grep ldap
rc  ldap-auth-config                           0.5.2                                      Config package for LDAP authentication
ii  ldap-utils                                 2.4.18-0ubuntu1                            OpenLDAP utilities
ii  libaprutil1-ldap                           1.3.9+dfsg-1ubuntu1                        The Apache Portable Runtime Utility Library -
ii  libldap-2.4-2                              2.4.18-0ubuntu1                            OpenLDAP libraries

and the TLS:
root@darthvader:/etc/ldap# dpkg -l |grep tls
ii  libcurl3-gnutls                            7.19.5-1ubuntu2                            Multi-protocol file transfer library (GnuTLS)
ii  libgnutls26                                2.8.3-2                                    the GNU TLS library - runtime library
ii  libneon27-gnutls                           0.28.6-1                                   An HTTP and WebDAV client library (GnuTLS enab



The problem is exactly the same as on the second machine:

root@darthvader:/etc/ldap# ldapsearch -d5 -x -H ldaps://myldapserver.com
ldap_url_parse_ext(ldaps://myldapserver.com)
ldap_create
ldap_url_parse_ext(ldaps://myldapserver.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP myldapserver.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 9.17.186.253:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)


Of course, the insecure connection works perfectly.

Any suggestions?


--
Tomasz 'Trog' Welman
Software Developer
external: 48-12-628-9449
ITN: 34819449
T/L: 9449

IBM SWG Lab, Krakow, Poland
IBM Polska Sp. z o.o., Kraków branch
ul. Armii Krajowej 18, 30-150 Kraków
NIP: 526-030-07-24, KRS 0000012941
Share capital: 33,000,000 PLN
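The trace in the post stops right after the TCP connect attempt with result -1 and no TLS output, and the earlier reply points at GnuTLS-specific libldap bugs with X.509 v1 CA certificates (ITS#5992) and CA chains (ITS#5991). The script below is an added example, not code from this thread or from OpenLDAP, showing the three client-side checks a practitioner would run before blaming the library: where the debug trace stopped, which TLS_* options ldap.conf sets (TLS_REQCERT defaults to "demand", so a missing or unusable TLS_CACERT fails the handshake), and whether the configured CA certificate is X.509 v1. It uses only the standard library; the X.509 version is read with a minimal DER walk of the certificate prefix. The trace is the one quoted above; the ldap.conf text and the certificate byte strings are constructed for this example and are not real certificates.

```python
"""Client-side triage for an ldaps:// failure (added example, standard library only)."""
import base64

# The ldapsearch -d5 trace quoted in the post above.
SAMPLE_TRACE = """ldap_url_parse_ext(ldaps://myldapserver.com)
ldap_create
ldap_url_parse_ext(ldaps://myldapserver.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP myldapserver.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 9.17.186.253:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
"""

# Constructed ldap.conf (the post did not show the real file contents).
SAMPLE_LDAP_CONF = """# /etc/ldap/ldap.conf
BASE   dc=example,dc=com
URI    ldaps://myldapserver.com
TLS_CACERT /etc/ssl/certs/corp-ca.pem
"""


def triage_trace(trace):
    """Say where a libldap debug trace stopped.

    libldap prefixes its TLS-layer diagnostics with "TLS:"; if none appear and
    the connect was attempted, the chosen -d level hid them: -d -1 shows all.
    """
    if "Can't contact LDAP server" not in trace:
        return "no connection error in trace"
    tls_lines = [l for l in trace.splitlines() if l.startswith("TLS:")]
    if tls_lines:
        return "TLS layer reported: " + "; ".join(tls_lines)
    if "ldap_pvt_connect" not in trace:
        return "failed before TCP connect (DNS or URI problem)"
    return ("TCP connect attempted, then -1 with no TLS output at this debug level; "
            "rerun with -d -1 to see the TLS layer")


def tls_settings(conf_text):
    """Collect TLS_* options from ldap.conf; TLS_REQCERT defaults to demand."""
    opts = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):      # ldap.conf comments are whole lines
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].upper().startswith("TLS_"):
            opts[parts[0].upper()] = parts[1].strip()  # keywords are case-insensitive
    opts.setdefault("TLS_REQCERT", "demand")
    return opts


def _der_tlv(buf, pos):
    """Parse one DER tag and length at pos; return (tag, content_start, content_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _pem_to_der(text):
    """Decode the first PEM block in text; later blocks (a chain) are ignored."""
    inside, body = False, []
    for line in text.splitlines():
        if line.startswith("-----BEGIN"):
            inside = True
        elif line.startswith("-----END"):
            break
        elif inside:
            body.append(line.strip())
    return base64.b64decode("".join(body))


def x509_version(cert):
    """Return the X.509 version (1, 2 or 3) of a PEM string or DER bytes.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] EXPLICIT Version
    OPTIONAL, serialNumber INTEGER, ... } }; an absent [0] means v1.
    """
    data = _pem_to_der(cert) if isinstance(cert, str) else cert
    tag, start, _ = _der_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, start, _ = _der_tlv(data, start)          # tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, vstart, _ = _der_tlv(data, start)         # [0] version or serialNumber
    if tag != 0xA0:
        return 1
    itag, istart, iend = _der_tlv(data, vstart)
    if itag != 0x02:
        raise ValueError("version is not an INTEGER")
    return int.from_bytes(data[istart:iend], "big") + 1


# Constructed DER prefixes (not real certificates): the outer SEQUENCE, the
# tbsCertificate SEQUENCE and its first element only.
V1_DER = bytes.fromhex("3005" "3003" "020101")               # serial only -> v1
V3_DER = bytes.fromhex("300a" "3008" "a003020102" "020101")  # version=2 -> v3
V3_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(V3_DER).decode()
          + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(triage_trace(SAMPLE_TRACE))
    print(tls_settings(SAMPLE_LDAP_CONF))
    print("CA cert version:", x509_version(V3_PEM))
```

On a real client, pass the text of the file named by TLS_CACERT to x509_version(); a result of 1 on a GnuTLS-linked libldap older than 2.4.16 is the ITS#5992 case, while a chain file only has its first certificate inspected here. Whatever the version, the next step the trace itself points to is rerunning ldapsearch with -d -1 so the TLS-layer messages are visible.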