Hey Neil,
thanks for the tip, I might try re-compiling it with the options you mentioned. The thing is, at the moment (and for the last couple of days), all has been working flawlessly, even on phpldapadmin (with which I always had those issues), so I cannot reproduce the error anymore (and therefore I wouldn't be able to tell if the recompilation trick worked or not...). But again, assuming the problem was some certificate field, this wouldn't change over time, so it still wouldn't explain why it worked sometimes and not others... I'm starting to believe it was just a random error, but again, I'm still afraid it will spontaneously show up some time in the future and give me a lot of headaches...
Anyway, as I mentioned, now it all seems to be working fine, but I still get this error when clients (successfully) connect:
slapd[13887]: connection_read(14): unable to get TLS client DN, error=49 id=14
It seems to be an issue related to the client certificate, but I am specifically setting "TLSVerifyClient never" in slapd.conf, so I am out of ideas as to how to fix this error...
Cheers,
On 08-04-2010 19:20, Neil Dunbar wrote:
On 8 Apr 2010, at 03:57, Daniel Gomes wrote:
First of all, the specs: it's an OpenLDAP 2.4.19 compiled (manually, not via apt-get) on Ubuntu 8.04 (Hardy).
Hmm. Ubuntu and Debian OpenLDAP packages use GNUTLS by default, and I've certainly had problems with cert name recognition - especially with subjectAltNames in certificates before. Hit it with the LDAP URI set to the name in the subjectName, and it works. Hit it with the subjectAltName DNS names, and it tends to barf.
I recompile the OpenLDAP debs from package source (better still, use the 2.4.21 package from Lucid), and change debian/configure.options from "--with-ssl=gnutls" to "--with-ssl=openssl"; also change the debian/control file dependencies from "libgnutls-dev (>= {version})" to "libssl-dev". Follow that with a dpkg-buildpackage -rfakeroot, and you should end up with OpenSSL-linked packages.
Note: I'm not trying to get into yet another Debian/GNUTLS/OpenSSL licensing debate here, just saying what works for me.
Cheers,
Neil
NEIL DUNBAR Systems Architect
(602) 850-5783 work +44 7976 616583 mobile +1 (602) 535-6914 US mobile www.llnw.com
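The GnuTLS-to-OpenSSL rebuild Neil describes, written out as a script. This is an added example, not code from the thread or from the Debian OpenLDAP packaging. It assumes the package source has been unpacked (for instance with apt-get source openldap) into a directory holding debian/configure.options and debian/control; it rewrites both files, reports whether any GnuTLS reference survived, and only runs dpkg-buildpackage when RUN_BUILD=1 so the rewrite can be checked on a throwaway copy first. It goes slightly beyond the mail in two ways: OpenLDAP 2.4's own configure names the option --with-tls, so the script rewrites either that spelling or the --with-ssl spelling used above, and it strips any version constraint attached to libgnutls-dev. The sample packaging files it builds for its own demo are constructed, not the real ones, and the ldd check at the end is a way to confirm which library the installed slapd actually links.

```shell
#!/bin/sh
# Added example: switch an unpacked OpenLDAP Debian/Ubuntu source package
# from GnuTLS to OpenSSL before rebuilding. Paths and file contents below
# are assumptions about the packaging, not copied from it.
set -eu

# Rewrite debian/configure.options and debian/control in $1 so the build
# configures and depends on OpenSSL instead of GnuTLS.
switch_to_openssl() {
  pkgdir="$1"
  opts="$pkgdir/debian/configure.options"
  ctrl="$pkgdir/debian/control"

  # OpenLDAP 2.4 configure calls the option --with-tls; the --with-ssl
  # spelling is handled too in case the packaging uses it.
  sed -e 's/--with-tls=gnutls/--with-tls=openssl/' \
      -e 's/--with-ssl=gnutls/--with-ssl=openssl/' "$opts" > "$opts.tmp"
  mv "$opts.tmp" "$opts"

  # Replace the build dependency, dropping any "(>= version)" constraint.
  sed -e 's/libgnutls-dev *([^)]*)/libssl-dev/g' \
      -e 's/libgnutls-dev/libssl-dev/g' "$ctrl" > "$ctrl.tmp"
  mv "$ctrl.tmp" "$ctrl"
}

# Print how many lines in the two packaging files still mention gnutls;
# 0 means the switch is complete.
gnutls_refs() {
  cat "$1/debian/configure.options" "$1/debian/control" | grep -ci gnutls || true
}

# Build the binary packages (unsigned). Needs the build dependencies
# installed, so it is gated behind RUN_BUILD=1 below.
build_packages() {
  ( cd "$1" && dpkg-buildpackage -rfakeroot -us -uc )
}

# Post-install check: feed "ldd /usr/sbin/slapd" on stdin and get back
# which TLS library the binary is linked against (openssl, gnutls, none).
tls_backend_from_ldd() {
  out=$(cat)
  case "$out" in
    *libgnutls*) echo gnutls ;;
    *libssl*)    echo openssl ;;
    *)           echo none ;;
  esac
}

# Constructed sample packaging files (not the real Debian ones) so the
# rewrite can be exercised without a build environment.
make_sample_pkg() {
  d=$(mktemp -d)
  mkdir -p "$d/debian"
  printf '%s\n' '--with-tls=gnutls' '--enable-overlays' \
    > "$d/debian/configure.options"
  printf '%s\n' \
    'Build-Depends: debhelper (>= 5), libgnutls-dev (>= 2.4.1), libltdl3-dev' \
    > "$d/debian/control"
  echo "$d"
}

# Demo on the constructed sample; set PKGDIR to point at a real unpacked
# source tree and RUN_BUILD=1 to actually build it.
pkg="${PKGDIR:-$(make_sample_pkg)}"
switch_to_openssl "$pkg"
echo "remaining gnutls references: $(gnutls_refs "$pkg")"
cat "$pkg/debian/configure.options" "$pkg/debian/control"
if [ "${RUN_BUILD:-0}" = 1 ]; then
  build_packages "$pkg"
fi
if [ -z "${PKGDIR:-}" ]; then
  rm -rf "$pkg"
fi
```

After installing the rebuilt packages, `ldd /usr/sbin/slapd | tls_backend_from_ldd` should print openssl; if it still prints gnutls, the installed slapd is not the one you just built.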