Hi,
I am using openldap-2.4.26 on one machine, and pam_ldap-186 and nss_ldap-265 on another machine, both machines running Fedora-10.
I am trying to set up secure communication using TLS/SSL. When I try to connect to the LDAP client machine using SSH, after a successful authentication the shell prompt is returned only after 3 or 4 minutes. I don't know why it is taking so much time. This is happening for users who are present only in the LDAP database, i.e. the user is not created on the client machine.
At the server side I am getting the following errors.
TLS: can't accept: (unknown).
connection_read(18): TLS accept failure error=-1 id=1068, closing
connection_closing: readying conn=1068 sd=18 for close
connection_close: conn=1068 sd=18
daemon: removing 18
conn=1068 fd=18 closed (TLS negotiation failure)
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
I have created the CA certificate with CA.sh script. I followed the procedure given below.
I copied the same cacert.pem file from the server to the client machine after running the above procedure on the server machine.
The configuration files are as follows.
slapd.conf
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
TLSCACertificateFile /etc/pki/CA/cacert.pem
TLSCertificateFile /etc/pki/tls/misc/newcert.pem
TLSCertificateKeyFile /etc/pki/tls/misc/newkey.pem
TLSVerifyClient allow
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
access to attrs=userPassword
by self write
by anonymous auth
by * none
access to *
by * read
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=samsung,dc=com"
rootdn "cn=Manager,dc=samsung,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw 123qwe
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
# Indices to maintain
#unique id so equality match only
index uid eq
index userPassword eq
#allows general searching on commonname,givenname and mail
index cn,gn,sn,ou,o,mail eq,sub
index objectClass eq
and ldap.conf has the following configuration:
base dc=samsung,dc=com
uri ldaps://localhost.localdomain/
tls_cacertfile /etc/pki/CA/cacert.pem
pam_password md5
nss_map_attribute gecos description
Please let me know where I am making a mistake and how to fix this problem.
Warm Regards
Vijay S.
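A client-side check, added here and not part of Vijay's post: it runs openssl s_client against the host named in the ldap.conf uri using the cacert.pem copied from the server, and reports whether the chain verifies and whether the certificate's CN matches that host, which are the first two things to rule out when slapd logs a TLS accept failure. It assumes openssl is installed on the client and that ldaps listens on port 636; the sample s_client output at the bottom is constructed so the parser can be exercised offline.

```shell
# Parse the host out of an ldap.conf "uri ldaps://host/" line.
uri_host() {
    printf '%s\n' "$1" | sed -n 's#^uri[[:space:]]*ldaps*://\([^/:]*\).*#\1#p'
}

# Pull the verify return code and subject CN out of openssl s_client output.
# Handles both the old "subject=/C=.../CN=host" and the newer "CN = host" layouts.
parse_s_client() {
    code=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    cn=$(printf '%s\n' "$1" | sed -n 's#^subject=.*[/ ]CN *= *\([^,/]*\).*#\1#p' | head -n 1)
    printf 'verify=%s;cn=%s\n' "${code:-none}" "${cn:-none}"
}

# Compare what the client is configured to talk to with what the server presented.
# Prints one of: ok | ca-verify-failed | name-mismatch
check_tls_identity() {
    host=$(uri_host "$1")
    parsed=$(parse_s_client "$2")
    code=${parsed#verify=}; code=${code%%;*}
    cn=${parsed##*cn=}
    if [ "$code" != "0" ]; then
        echo ca-verify-failed        # client's cacert.pem does not sign the server chain
    elif [ "$cn" != "$host" ]; then
        echo name-mismatch           # uri host and certificate CN differ
    else
        echo ok
    fi
}

# Live run on the client (needs network): $1 is the ldap.conf uri line, $2 the CA file.
live_check() {
    host=$(uri_host "$1")
    out=$(openssl s_client -connect "$host:636" -CAfile "$2" </dev/null 2>/dev/null)
    check_tls_identity "$1" "$out"
}

# Constructed sample of s_client output (not a real capture) so the checker runs offline.
SAMPLE_OUT='subject=/C=IN/O=Example/CN=localhost.localdomain
    Verify return code: 0 (ok)'
check_tls_identity 'uri ldaps://localhost.localdomain/' "$SAMPLE_OUT"
```

On the real client run `live_check 'uri ldaps://localhost.localdomain/' /etc/pki/CA/cacert.pem`; a name-mismatch result means the ldaps:// host and the CN issued to the server do not agree.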