Hello,
Hm, using debian etch 64b - maybe a 64b story ? For now, I just cannot manage to make it work - errors have changed, but still no way to connect to the server -.-.
I'll post tomorrow the new config and its error messages.
Thank you for those who tried to help me.
Regards,
C.
On Wed, Jul 7, 2010 at 9:40 PM, Bryan Boone v_1bboon@yahoo.com wrote:
Hi Cedric. I have the same problems. I am using Opensuse 11.2 64-bit edition. Other people have the same problem. I think this must be a bug in opensuse anyway. I wonder if you are experiencing the same issue. I switched over to SLES 10 and I don't have any problems.
From: Cedric Jeanneret cedric.jeanneret@camptocamp.com To: openldap-technical@openldap.org Sent: Wed, July 7, 2010 3:17:27 AM Subject: TLS problem
Hello,
I'm trying to configure an openldap with TLS so that all connections are encrypted.
Here's the revelent part of my slapd.conf:
TLSCipherSuite HIGH:MEDIUM:+SSLv3 TLSVerifyClient never TLSCertificateFile /etc/ldap/ssl/server.crt TLSCertificateKeyFile /etc/ldap/ssl/server.key
Here's my ldap.conf:
URI ldaps://my.server.ltd BASE dc=my,dc=server,dc=ltd LDAP_VERSION 3
#SIZELIMIT 12 #TIMELIMIT 15 #DEREF never ssl start_tls ssl on TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3
While starting slapd with: slapd -h 'ldaps:///' -g openldap -u openldap -d 16383
and trying to connect to it with: ldapsearch -Z -d 16383 -LLL -b cn=admin,dc=my,dc=server,dc=ltd -w "foo.bar" -S cn -h my.server.ltd -p 636 cn
I have these logs : [slapd]
daemon: activity on 1 descriptor
slap_listener(ldaps:///)daemon: listen=7, new connection on 11
ldap_pvt_gethostbyname_a: host=my, r=0 daemon: added 11r (active) listener=(nil) conn=0 fd=11 ACCEPT from IP=xx.yy.zz.aa:38806 (IP=0.0.0.0:636) daemon: select: listen=6 active_threads=0 tvp=NULL daemon: select: listen=7 active_threads=0 tvp=NULL daemon: activity on 1 descriptor daemon: activity on: 11r daemon: read activity on 11 connection_get(11) connection_get(11): got connid=0 connection_read(11): checking for input on id=0 TLS trace: SSL_accept:before/accept initialization tls_read: want=11, got=11 0000: 30 3e 02 01 01 63 39 04 00 0a 01 0>...c9.... TLS trace: SSL_accept:error in SSLv2/v3 read client hello A TLS: can't accept. TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol s23_srvr.c:562 connection_read(11): TLS accept failure error=-1 id=0, closing connection_closing: readying conn=0 sd=11 for close connection_close: conn=0 sd=11 daemon: removing 11 conn=0 fd=11 closed (TLS negotiation failure) daemon: select: listen=6 active_threads=0 tvp=NULL daemon: select: listen=7 active_threads=0 tvp=NULL daemon: activity on 1 descriptor daemon: waked daemon: select: listen=6 active_threads=0 tvp=NULL daemon: select: listen=7 active_threads=0 tvp=NULL
[ldapsearch]
ldap_create ldap_url_parse_ext(ldap://my.server.ltd:636) ldap_pvt_sasl_getmech ldap_search put_filter: "(objectclass=*)" put_filter: simple put_simple_filter: "objectclass=*" ldap_build_search_req ATTRS: supportedSASLMechanisms ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP my.server.ltd:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying xx.yy.zz.aa:636 ldap_pvt_connect: fd: 3 tm: -1 async: 0 ldap_open_defconn: successful ldap_send_server_request ber_scanf fmt ({it) ber: ber_dump: buf=0xb92b6d68 ptr=0xb92b6d68 end=0xb92b6da8 len=64 0000: 30 3e 02 01 01 63 39 04 00 0a 01 00 0a 01 00 02 0>...c9......... 0010: 01 00 02 01 00 01 01 00 87 0b 6f 62 6a 65 63 74 ..........object 0020: 63 6c 61 73 73 30 19 04 17 73 75 70 70 6f 72 74 class0...support 0030: 65 64 53 41 53 4c 4d 65 63 68 61 6e 69 73 6d 73 edSASLMechanisms ber_scanf fmt ({) ber: ber_dump: buf=0xb92b6d68 ptr=0xb92b6d6d end=0xb92b6da8 len=59 0000: 63 39 04 00 0a 01 00 0a 01 00 02 01 00 02 01 00 c9.............. 0010: 01 01 00 87 0b 6f 62 6a 65 63 74 63 6c 61 73 73 .....objectclass 0020: 30 19 04 17 73 75 70 70 6f 72 74 65 64 53 41 53 0...supportedSAS 0030: 4c 4d 65 63 68 61 6e 69 73 6d 73 LMechanisms ber_flush2: 64 bytes to sd 3 0000: 30 3e 02 01 01 63 39 04 00 0a 01 00 0a 01 00 02 0>...c9......... 0010: 01 00 02 01 00 01 01 00 87 0b 6f 62 6a 65 63 74 ..........object 0020: 63 6c 61 73 73 30 19 04 17 73 75 70 70 6f 72 74 class0...support 0030: 65 64 53 41 53 4c 4d 65 63 68 61 6e 69 73 6d 73 edSASLMechanisms ldap_write: want=64, written=64 0000: 30 3e 02 01 01 63 39 04 00 0a 01 00 0a 01 00 02 0>...c9......... 0010: 01 00 02 01 00 01 01 00 87 0b 6f 62 6a 65 63 74 ..........object 0020: 63 6c 61 73 73 30 19 04 17 73 75 70 70 6f 72 74 class0...support 0030: 65 64 53 41 53 4c 4d 65 63 68 61 6e 69 73 6d 73 edSASLMechanisms ldap_result ld 0xb92ae158 msgid 1 wait4msg ld 0xb92ae158 msgid 1 (infinite timeout) wait4msg continue ld 0xb92ae158 msgid 1 all 1 ** ld 0xb92ae158 Connections:
- host: my.server.ltd port: 636 (default)
refcnt: 2 status: Connected last used: Wed Jul 7 12:11:03 2010
** ld 0xb92ae158 Outstanding Requests:
- msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0 ld 0xb92ae158 request count 1 (abandoned 0) ** ld 0xb92ae158 Response Queue: Empty ld 0xb92ae158 response count 0 ldap_chkResponseList ld 0xb92ae158 msgid 1 all 1 ldap_chkResponseList returns ld 0xb92ae158 NULL ldap_int_select read1msg: ld 0xb92ae158 msgid 1 all 1 ber_get_next ldap_read: want=8, got=0
ber_get_next failed. ldap_err2string ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
I really don't know what to do. My certificates are correct I guess, as we're using them in apache for https... For information, they are self-signed.
Any help would be great.
Thank you!
Best regards,
C.
-- Cédric Jeanneret | System Administrator 021 619 10 32 | Camptocamp SA cedric.jeanneret@camptocamp.com | PSE-A / EPFL
--On Wednesday, July 07, 2010 10:08 PM +0200 Cédric Jeanneret cedric.jeanneret@camptocamp.com wrote:
Hello,
Hm, using debian etch 64b - maybe a 64b story ? For now, I just cannot manage to make it work - errors have changed, but still no way to connect to the server -.-.
I'll post tomorrow the new config and its error messages.
Thank you for those who tried to help me.
Debian uses GnuTLS instead of OpenSSL to build OpenLDAP. GnuTLS has a number of interesting behaviors. I advise building your own OpenLDAP with OpenSSL instead.
Regards,
C.
On Wed, Jul 7, 2010 at 9:40 PM, Bryan Boone v_1bboon@yahoo.com wrote:
Hi Cedric. I have the same problems. I am using Opensuse 11.2 64-bit edition. Other people have the same problem. I think this must be a bug in opensuse anyway. I wonder if you are experiencing the same issue. I switched over to SLES 10 and I don't have any problems.
From: Cedric Jeanneret cedric.jeanneret@camptocamp.com To: openldap-technical@openldap.org Sent: Wed, July 7, 2010 3:17:27 AM Subject: TLS problem
Hello,
I'm trying to configure an openldap with TLS so that all connections are encrypted.
Here's the revelent part of my slapd.conf:
TLSCipherSuite HIGH:MEDIUM:+SSLv3 TLSVerifyClient never TLSCertificateFile /etc/ldap/ssl/server.crt TLSCertificateKeyFile /etc/ldap/ssl/server.key
Here's my ldap.conf:
URI ldaps://my.server.ltd BASE dc=my,dc=server,dc=ltd LDAP_VERSION 3
# SIZELIMIT 12 # TIMELIMIT 15 # DEREF never ssl start_tls ssl on TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3
While starting slapd with: slapd -h 'ldaps:///' -g openldap -u openldap -d 16383
and trying to connect to it with: ldapsearch -Z -d 16383 -LLL -b cn=admin,dc=my,dc=server,dc=ltd -w "foo.bar" -S cn -h my.server.ltd -p 636 cn
I have these logs : [slapd]
daemon: activity on 1 descriptor
slap_listener(ldaps:///)daemon: listen=7, new connection on 11
ldap_pvt_gethostbyname_a: host=my, r=0 daemon: added 11r (active) listener=(nil) conn=0 fd=11 ACCEPT from IP=xx.yy.zz.aa:38806 (IP=0.0.0.0:636) daemon: select: listen=6 active_threads=0 tvp=NULL daemon: select: listen=7 active_threads=0 tvp=NULL daemon: activity on 1 descriptor daemon: activity on: 11r daemon: read activity on 11 connection_get(11) connection_get(11): got connid=0 connection_read(11): checking for input on id=0 TLS trace: SSL_accept:before/accept initialization tls_read: want=11, got=11 0000: 30 3e 02 01 01 63 39 04 00 0a 01 0>...c9.... TLS trace: SSL_accept:error in SSLv2/v3 read client hello A TLS: can't accept. TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol s23_srvr.c:562 connection_read(11): TLS accept failure error=-1 id=0, closing connection_closing: readying conn=0 sd=11 for close connection_close: conn=0 sd=11 daemon: removing 11 conn=0 fd=11 closed (TLS negotiation failure) daemon: select: listen=6 active_threads=0 tvp=NULL daemon: select: listen=7 active_threads=0 tvp=NULL daemon: activity on 1 descriptor daemon: waked daemon: select: listen=6 active_threads=0 tvp=NULL daemon: select: listen=7 active_threads=0 tvp=NULL
[ldapsearch]
ldap_create ldap_url_parse_ext(ldap://my.server.ltd:636) ldap_pvt_sasl_getmech ldap_search put_filter: "(objectclass=*)" put_filter: simple put_simple_filter: "objectclass=*" ldap_build_search_req ATTRS: supportedSASLMechanisms ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP my.server.ltd:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying xx.yy.zz.aa:636 ldap_pvt_connect: fd: 3 tm: -1 async: 0 ldap_open_defconn: successful ldap_send_server_request ber_scanf fmt ({it) ber: ber_dump: buf=0xb92b6d68 ptr=0xb92b6d68 end=0xb92b6da8 len=64 0000: 30 3e 02 01 01 63 39 04 00 0a 01 00 0a 01 00 02 0>...c9......... 0010: 01 00 02 01 00 01 01 00 87 0b 6f 62 6a 65 63 74 ..........object 0020: 63 6c 61 73 73 30 19 04 17 73 75 70 70 6f 72 74 class0...support 0030: 65 64 53 41 53 4c 4d 65 63 68 61 6e 69 73 6d 73 edSASLMechanisms ber_scanf fmt ({) ber: ber_dump: buf=0xb92b6d68 ptr=0xb92b6d6d end=0xb92b6da8 len=59 0000: 63 39 04 00 0a 01 00 0a 01 00 02 01 00 02 01 00 c9.............. 0010: 01 01 00 87 0b 6f 62 6a 65 63 74 63 6c 61 73 73 .....objectclass 0020: 30 19 04 17 73 75 70 70 6f 72 74 65 64 53 41 53 0...supportedSAS 0030: 4c 4d 65 63 68 61 6e 69 73 6d 73 LMechanisms ber_flush2: 64 bytes to sd 3 0000: 30 3e 02 01 01 63 39 04 00 0a 01 00 0a 01 00 02 0>...c9......... 0010: 01 00 02 01 00 01 01 00 87 0b 6f 62 6a 65 63 74 ..........object 0020: 63 6c 61 73 73 30 19 04 17 73 75 70 70 6f 72 74 class0...support 0030: 65 64 53 41 53 4c 4d 65 63 68 61 6e 69 73 6d 73 edSASLMechanisms ldap_write: want=64, written=64 0000: 30 3e 02 01 01 63 39 04 00 0a 01 00 0a 01 00 02 0>...c9......... 0010: 01 00 02 01 00 01 01 00 87 0b 6f 62 6a 65 63 74 ..........object 0020: 63 6c 61 73 73 30 19 04 17 73 75 70 70 6f 72 74 class0...support 0030: 65 64 53 41 53 4c 4d 65 63 68 61 6e 69 73 6d 73 edSASLMechanisms ldap_result ld 0xb92ae158 msgid 1 wait4msg ld 0xb92ae158 msgid 1 (infinite timeout) wait4msg continue ld 0xb92ae158 msgid 1 all 1 ** ld 0xb92ae158 Connections:
- host: my.server.ltd port: 636 (default)
refcnt: 2 status: Connected last used: Wed Jul 7 12:11:03 2010
** ld 0xb92ae158 Outstanding Requests:
- msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0 ld 0xb92ae158 request count 1 (abandoned 0) ** ld 0xb92ae158 Response Queue: Empty ld 0xb92ae158 response count 0 ldap_chkResponseList ld 0xb92ae158 msgid 1 all 1 ldap_chkResponseList returns ld 0xb92ae158 NULL ldap_int_select read1msg: ld 0xb92ae158 msgid 1 all 1 ber_get_next ldap_read: want=8, got=0
ber_get_next failed. ldap_err2string ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
I really don't know what to do. My certificates are correct I guess, as we're using them in apache for https... For information, they are self-signed.
Any help would be great.
Thank you!
Best regards,
C.
-- Cédric Jeanneret | System Administrator 021 619 10 32 | Camptocamp SA cedric.jeanneret@camptocamp.com | PSE-A / EPFL
--
Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration
On Wednesday, 7 July 2010 21:27:52 Quanah Gibson-Mount wrote:
--On Wednesday, July 07, 2010 10:08 PM +0200 Cédric Jeanneret
cedric.jeanneret@camptocamp.com wrote:
Hello,
Hm, using debian etch 64b - maybe a 64b story ?
64bit works just fine (on other distros), so not a '64b story'.
For now, I just cannot manage to make it work - errors have changed, but still no way to connect to the server -.-.
I'll post tomorrow the new config and its error messages.
Thank you for those who tried to help me.
Debian uses GnuTLS instead of OpenSSL to build OpenLDAP. GnuTLS has a number of interesting behaviors. I advise building your own OpenLDAP with OpenSSL instead.
Before suggesting changing the software, maybe we should ensure the OP isn't trying to do START_TLS on the ldaps port?
While starting slapd with: slapd -h 'ldaps:///' -g openldap -u openldap -d 16383
and trying to connect to it with: ldapsearch -Z -d 16383 -LLL -b cn=admin,dc=my,dc=server,dc=ltd -w "foo.bar" -S cn -h my.server.ltd -p 636 cn
Regards, Buchan
openldap-technical@openldap.org