On 11-08-09 2:45 PM, Rich Megginson wrote:
> On 08/09/2011 12:43 PM, Daniel Qian wrote:
>> On 11-08-09 2:12 PM, Rich Megginson wrote:
>>> On 08/09/2011 11:59 AM, Daniel Qian wrote:
>>>> On 11-08-09 12:55 PM, Rich Megginson wrote:
>>>>> On 08/09/2011 10:15 AM, Daniel Qian wrote:
>>>>>> On 11-08-09 11:21 AM, Rich Megginson wrote:
>>>>>>> On 08/09/2011 09:07 AM, Daniel Qian wrote:
>>>>>>>> On 11-08-09 10:49 AM, Rich Megginson wrote:
>>>>>>>>> On 08/09/2011 08:33 AM, Daniel Qian wrote:
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I have slapd 2.4.24 and everything works without TLS. but if
>>>>>>>>>> I add a -Z option to the ldapsearch command I get this:
>>>>>>>>>>
>>>>>>>>>> [root@ldaprov1 cacerts]# ldapsearch -x -LLL -b cn=config -D
>>>>>>>>>> cn=admin,cn=config -wxxxxxxx -Z -H ldap://ldaprov1.prod
>>>>>>>>>> cn=config
>>>>>>>>>> ldap_start_tls: Connect error (-11)
>>>>>>>>>> ldap_result: Can't contact LDAP server (-1)
>>>>>>>>>>
>>>>>>>>>> slapd.log shows something like this : connection_read(16):
>>>>>>>>>> TLS accept failure error=-1 id=1006, closing
>>>>>>>>>>
>>>>>>>>>> Output from openssl debug:
>>>>>>>>>>
>>>>>>>>>> [root@ldaprov1 cacerts]# openssl s_client -connect
>>>>>>>>>> hostname:389 -showcerts -state -CAfile cacert.pem
>>>>>>>>>> CONNECTED(00000003)
>>>>>>>>>> SSL_connect:before/connect initialization
>>>>>>>>>> SSL_connect:SSLv2/v3 write client hello A
>>>>>>>>>> 140225133647680:error:140790E5:SSL routines:SSL23_WRITE:ssl
>>>>>>>>>> handshake failure:s23_lib.c:177:
>>>>>>>>>> ---
>>>>>>>>>> no peer certificate available
>>>>>>>>>> ---
>>>>>>>>>> No client certificate CA names sent
>>>>>>>>>> ---
>>>>>>>>>> SSL handshake has read 0 bytes and written 113 bytes
>>>>>>>>>> ---
>>>>>>>>>> New, (NONE), Cipher is (NONE)
>>>>>>>>>> Secure Renegotiation IS NOT supported
>>>>>>>>>> Compression: NONE
>>>>>>>>>> Expansion: NONE
>>>>>>>>>> ---
>>>>>>>>>>
>>>>>>>>>> The configurations are as follow (same command as above but
>>>>>>>>>> without the -Z option):
>>>>>>>>>>
>>>>>>>>>> [root@ldaprov1 cacerts]# ldapsearch -x -LLL -b cn=config -D
>>>>>>>>>> cn=admin,cn=config -wxxxxxx -H ldap://hostname cn=config
>>>>>>>>>> dn: cn=config
>>>>>>>>>> objectClass: olcGlobal
>>>>>>>>>> cn: config
>>>>>>>>>> olcConfigFile: /etc/openldap/slapd.conf
>>>>>>>>>> olcConfigDir: /etc/openldap/slapd.d
>>>>>>>>>> olcAllows: bind_v2
>>>>>>>>>> olcArgsFile: /var/run/openldap/slapd.args
>>>>>>>>>> olcAttributeOptions: lang-
>>>>>>>>>> olcAuthzPolicy: none
>>>>>>>>>> olcConcurrency: 0
>>>>>>>>>> olcConnMaxPending: 100
>>>>>>>>>> olcConnMaxPendingAuth: 1000
>>>>>>>>>> olcGentleHUP: FALSE
>>>>>>>>>> olcIdleTimeout: 0
>>>>>>>>>> olcIndexSubstrIfMaxLen: 4
>>>>>>>>>> olcIndexSubstrIfMinLen: 2
>>>>>>>>>> olcIndexSubstrAnyLen: 4
>>>>>>>>>> olcIndexSubstrAnyStep: 2
>>>>>>>>>> olcIndexIntLen: 4
>>>>>>>>>> olcLocalSSF: 71
>>>>>>>>>> olcLogLevel: 9
>>>>>>>>>> olcPidFile: /var/run/openldap/slapd.pid
>>>>>>>>>> olcReadOnly: FALSE
>>>>>>>>>> olcReverseLookup: FALSE
>>>>>>>>>> olcSaslSecProps: noplain,noanonymous
>>>>>>>>>> olcSockbufMaxIncoming: 262143
>>>>>>>>>> olcSockbufMaxIncomingAuth: 16777215
>>>>>>>>>> olcThreads: 16
>>>>>>>>>> olcTLSCACertificateFile: /etc/openldap/cacerts/cacert.pem
>>>>>>>>>> olcTLSCertificateFile: /etc/openldap/cacerts/ldaprov1.crt
>>>>>>>>>> olcTLSCertificateKeyFile: /etc/openldap/cacerts/ldaprov1.key
>>>>>>>>>> olcTLSVerifyClient: never
>>>>>>>>>> olcToolThreads: 1
>>>>>>>>>> olcWriteTimeout: 0
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I verified the ldap user can read all the TLS files and they
>>>>>>>>>> are setup fine
>>>>>>>>>>
>>>>>>>>>> [root@ldaprov1 cacerts]# openssl verify -purpose sslserver
>>>>>>>>>> -CAfile cacert.pem ldaprov1.crt
>>>>>>>>>> ldaprov1.crt: OK
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Anyone can tell me what I am missing here?
>>>>>>>>> No, but we're missing
>>>>>>>>> 1) platform
>>>>>>>>> 2) tls implementation (openssl, moznss, gnutls)
>>>>>>>>> 3) output of ldapsearch -x -d 1 -Z ...... rest of arguments .....
>>>>>>>>>
>>>>>>>>
>>>>>>>> Its Fedora 15
>>>>>>>>
>>>>>>>> ldd /usr/sbin/slapd
>>>>>>>> linux-vdso.so.1 => (0x00007fff76fff000)
>>>>>>>> libltdl.so.7 => /usr/lib64/libltdl.so.7
>>>>>>>> (0x00007f0f29fcd000)
>>>>>>>> libdb-4.8.so => /lib64/libdb-4.8.so (0x00007f0f29c53000)
>>>>>>>> libsasl2.so.2 => /usr/lib64/libsasl2.so.2
>>>>>>>> (0x00007f0f29a38000)
>>>>>>>> libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f0f29801000)
>>>>>>>> libresolv.so.2 => /lib64/libresolv.so.2
>>>>>>>> (0x00007f0f295e6000)
>>>>>>>> libssl3.so => /usr/lib64/libssl3.so (0x00007f0f293b0000)
>>>>>>>> libsmime3.so => /usr/lib64/libsmime3.so
>>>>>>>> (0x00007f0f29183000)
>>>>>>>> libnss3.so => /usr/lib64/libnss3.so (0x00007f0f28e4b000)
>>>>>>>> libnssutil3.so => /usr/lib64/libnssutil3.so
>>>>>>>> (0x00007f0f28c2b000)
>>>>>>>> libplds4.so => /lib64/libplds4.so (0x00007f0f28a28000)
>>>>>>>> libplc4.so => /lib64/libplc4.so (0x00007f0f28824000)
>>>>>>>> libnspr4.so => /lib64/libnspr4.so (0x00007f0f285e6000)
>>>>>>>> libpthread.so.0 => /lib64/libpthread.so.0
>>>>>>>> (0x00007f0f283cb000)
>>>>>>>> libc.so.6 => /lib64/libc.so.6 (0x00007f0f28032000)
>>>>>>>> libdl.so.2 => /lib64/libdl.so.2 (0x00007f0f27e2d000)
>>>>>>>> libfreebl3.so => /lib64/libfreebl3.so (0x00007f0f27bcc000)
>>>>>>>> libz.so.1 => /lib64/libz.so.1 (0x00007f0f279b5000)
>>>>>>>> /lib64/ld-linux-x86-64.so.2 (0x00007f0f2a66a000)
>>>>>>>>
>>>>>>>>
>>>>>>>> the ldapsearch -d 1 option tells me a lot more:
>>>>>>>> .....
>>>>>>>> ldap_msgfree
>>>>>>>> TLS: file ldaprov1.crt does not end in [.0] - does not appear
>>>>>>>> to be a CA certificate directory file with a properly hashed
>>>>>>>> file name - skipping.
>>>>>>>> TLS: file cacert.pem does not end in [.0] - does not appear to
>>>>>>>> be a CA certificate directory file with a properly hashed file
>>>>>>>> name - skipping.
>>>>>>>> TLS: file ldaprov1.key does not end in [.0] - does not appear
>>>>>>>> to be a CA certificate directory file with a properly hashed
>>>>>>>> file name - skipping.
>>>>>>>> .....
>>>>>>>>
>>>>>>>> I tell slapd to look for specific files but how come it is
>>>>>>>> still checking in a directory?
>>>>>>> I don't know. What does /etc/openldap/ldap.conf say? Do you
>>>>>>> have a ~/.ldaprc or ~/ldaprc for the user "ldap"?
>>>>>>
>>>>>> So even for slapd the setting TLS_CACERTDIR in
>>>>>> /etc/openldap/ldap.conf takes precedence over
>>>>>> olcTLSCACertificateFile in cn=config? I set
>>>>>> /etc/openldap/ldap.conf for client only and did not mean it for
>>>>>> slapd.
>>>>> I don't know. Can someone confirm that this is how it works when
>>>>> using openssl or gnutls for crypto? That is, I don't think this
>>>>> problem is specific to moznss.
>>>>>>
>>>>>> Now after I removed it from /etc/openldap/ldap.conf, ldapsearch
>>>>>> -d 1 is indicating the CA certificate not valid:
>>>>>>
>>>>>> TLS: certificate [CA certificate details omitted here...] is not
>>>>>> valid - error -8172:Unknown code ___f 20.
>>>>>> error -8172:Unknown code ___f 20.
>>>>>> tls_write: want=7, written=7
>>>>>> 0000: 15 03 01 00 02 02 30 ......0
>>>>>> TLS: error: connect - force handshake failure: errno 21 - moznss
>>>>>> error -8172
>>>>>> TLS: can't connect: TLS error -8172:Unknown code ___f 20.
>>>>>> ldap_err2string
>>>>>> ldap_start_tls: Connect error (-11)
>>>>>> additional info: TLS error -8172:Unknown code ___f 20
>>>>>>
>>>>>> Does this mean all the certificates I created on the same server
>>>>>> with openssl can not be used by modnss in slapd? I never delt
>>>>>> with modnss before
>>>>> 20 means SEC_ERROR_UNTRUSTED_ISSUER
>>>>>
>>>>> Can you provide the entire log leading up to this point? you can
>>>>> paste it to fpaste.org if you don't want to spam the list with too
>>>>> much information.
>>>>>
>>>>> Yes, openldap with moznss should work _exactly_ like openldap with
>>>>> openssl. If this is something that was working before this is a
>>>>> bug that needs to be fixed asap.
>>>>
>>>> I ran the same ldapsearch command from a Centos box which has
>>>> openssl and the error messages says this :
>>>>
>>>> TLS certificate verification: Error, self signed certificate in
>>>> certificate chain
>>>>
>>>> which is not true. I have separate CA certificate and server
>>>> certificate. The server certificate is signed by the CA certificate.
>>> openssl seems to be complaining about the CA certificate:
>>> #
>>> TLS certificate verification: depth: 1, err: 19, subject:
>>> /C=CA/ST=Ontario/L=Toronto/O=Epic Media Group/OU=IT/CN=Epic Media
>>> Group root CA/emailAddress=sysadmin(a)theepicmediagroup.com, issuer:
>>> /C=CA/ST=Ontario/L=Toronto/O=Epic Media Group/OU=IT/CN=Epic Media
>>> Group root CA/emailAddress=sysadmin(a)theepicmediagroup.com
>>> #
>>> TLS certificate verification: Error, self signed certificate in
>>> certificate chain
>>>
>>> Note that the subject: is the same as the issuer: - that is, it is a
>>> self signed certificate (self issued).
>>>
>>> But I'm not sure if this is the real problem.
>>
>> That certificate it is complaining about is actually the ROOT CA. But
>> I have another server certificate specified by
>> "olcTLSCertificateFile: /etc/ssl/certs/ldaprov1.crt" in cn=config and
>> its subject and issuer are shown below:
>>
>> certs]# openssl x509 -noout -issuer -subject -in
>> /etc/ssl/certs/ldaprov1.crt
>> issuer= /C=CA/ST=Ontario/L=Toronto/O=Epic Media Group/OU=IT/CN=Epic
>> Media Group root CA/emailAddress=sysadmin(a)theepicmediagroup.com
>> subject= /C=CA/ST=Ontario/L=Toronto/O=Epic Media
>> Group/OU=IT/CN=ldaprov1.prod/emailAddress=sysadmin(a)theepicmediagroup.com
>>
>> Its that the client can't seem to get it for some reasons.
>>> #
>>> TLS trace: SSL3 alert write:fatal:unknown CA
>>>
>>> Do you have the CA cert on the client machine?
>>
>> I put the same CA cert on the client machine, both in
>> /etc/ldap.conf(/etc/nss_ldap.conf on Fedora now) and
>> /etc/openldap/ldap.conf
>>
>>>>
>>>> Seems the server certificate defined in olcTLSCertificateFile never
>>>> gets recognized by the client.
>>>>
>>>> Centos openssl output pasted - http://fpaste.org/7Hju/
>>>> Fedora moznss output pasted - http://fpaste.org/aE19/
>>>
>>> If you remove TLS_CACERTDIR from /etc/openldap/ldap.conf and then
>>> specify
>>> olcTLSCACertificateFile: /etc/openldap/cacerts/cacert.pem
>>> olcTLSCertificateFile: /etc/openldap/cacerts/ldaprov1.crt
>>> olcTLSCertificateKeyFile: /etc/openldap/cacerts/ldaprov1.key
>>>
>> That is what I have been doing, or trying to do the whole time. Note
>> the last three lines from the current configuration as shown below
>> from the Centos client:
>>
>> .prod:/etc/openldap/cacerts]# ldapsearch -x -LLL -b cn=config -D
>> cn=admin,cn=config -wtesting123 -H ldap://ldaprov1.prod cn=config
>> dn: cn=config
>> objectClass: olcGlobal
>> cn: config
>> olcConfigFile: /etc/openldap/slapd.conf
>> olcConfigDir: /etc/openldap/slapd.d
>> olcAllows: bind_v2
>> olcArgsFile: /var/run/openldap/slapd.args
>> olcAttributeOptions: lang-
>> olcAuthzPolicy: none
>> olcConcurrency: 0
>> olcConnMaxPending: 100
>> olcConnMaxPendingAuth: 1000
>> olcGentleHUP: FALSE
>> olcIdleTimeout: 0
>> olcIndexSubstrIfMaxLen: 4
>> olcIndexSubstrIfMinLen: 2
>> olcIndexSubstrAnyLen: 4
>> olcIndexSubstrAnyStep: 2
>> olcIndexIntLen: 4
>> olcLocalSSF: 71
>> olcLogLevel: 9
>> olcPidFile: /var/run/openldap/slapd.pid
>> olcReadOnly: FALSE
>> olcReverseLookup: FALSE
>> olcSaslSecProps: noplain,noanonymous
>> olcSockbufMaxIncoming: 262143
>> olcSockbufMaxIncomingAuth: 16777215
>> olcThreads: 16
>> olcTLSVerifyClient: never
>> olcToolThreads: 1
>> olcWriteTimeout: 0
>> olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
>> olcTLSCertificateFile: /etc/ssl/certs/ldaprov1.crt
>> olcTLSCertificateKeyFile: /etc/ssl/certs/ldaprov1.key
> try starting slapd with -d 1
got the following from the log:
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on 1 descriptor
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on:
Aug 9 19:27:27 ldaprov2 slapd[28972]:
Aug 9 19:27:27 ldaprov2 slapd[28972]: slap_listener_activate(7):
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=7 busy
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=8
active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=9
active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=10
active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: >>> slap_listener(ldap:///)
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on 1 descriptor
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on:
Aug 9 19:27:27 ldaprov2 slapd[28972]:
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=7
active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=8
active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=9
active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=10
active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: listen=7, new connection
on 14
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on 1 descriptor
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on:
Aug 9 19:27:27 ldaprov2 slapd[28972]: 14r
Aug 9 19:27:27 ldaprov2 slapd[28972]:
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: read active on 14
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: added 14r (active)
listener=(nil)
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=7
active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=8
active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=9
active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=10
active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on 1 descriptor
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on:
Aug 9 19:27:27 ldaprov2 slapd[28972]:
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=7
active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=8
active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=9
active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=10
active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: connection_get(14)
Aug 9 19:27:27 ldaprov2 slapd[28972]: connection_get(14): got connid=1003
Aug 9 19:27:27 ldaprov2 slapd[28972]: connection_read(14): checking for
input on id=1003
Aug 9 19:27:27 ldaprov2 slapd[28972]: op tag 0x77, time 1312932447
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on 1 descriptor
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on:
Aug 9 19:27:27 ldaprov2 slapd[28972]:
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=7
active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=8
active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=9
active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=10
active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: conn=1003 op=0 do_extended
Aug 9 19:27:27 ldaprov2 slapd[28972]: conn=1003 op=0 EXT
oid=1.3.6.1.4.1.1466.20037
Aug 9 19:27:27 ldaprov2 slapd[28972]: do_extended:
oid=1.3.6.1.4.1.1466.20037
Aug 9 19:27:27 ldaprov2 slapd[28972]: conn=1003 op=0 STARTTLS
Aug 9 19:27:27 ldaprov2 slapd[28972]: send_ldap_extended: err=0 oid= len=0
Aug 9 19:27:27 ldaprov2 slapd[28972]: send_ldap_response: msgid=1
tag=120 err=0
Aug 9 19:27:27 ldaprov2 slapd[28972]: conn=1003 op=0 RESULT oid= err=0
text=
Aug 9 19:27:27 ldaprov2 slapd[28972]: conn=1003 fd=14 ACCEPT from
IP=10.10.2.44:54439 (IP=0.0.0.0:389)
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on 1 descriptor
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on:
Aug 9 19:27:27 ldaprov2 slapd[28972]: 14r
Aug 9 19:27:27 ldaprov2 slapd[28972]:
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: read active on 14
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=7
active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=8
active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=9
active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=10
active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: connection_get(14)
Aug 9 19:27:27 ldaprov2 slapd[28972]: connection_get(14): got connid=1003
Aug 9 19:27:27 ldaprov2 slapd[28972]: connection_read(14): checking for
input on id=1003
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on 1 descriptor
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on:
Aug 9 19:27:27 ldaprov2 slapd[28972]:
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=7
active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=8
active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=9
active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=10
active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on 1 descriptor
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on:
Aug 9 19:27:27 ldaprov2 slapd[28972]: 14r
Aug 9 19:27:27 ldaprov2 slapd[28972]:
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: read active on 14
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=7
active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=8
active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=9
active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=10
active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: connection_get(14)
Aug 9 19:27:27 ldaprov2 slapd[28972]: connection_get(14): got connid=1003
Aug 9 19:27:27 ldaprov2 slapd[28972]: connection_read(14): checking for
input on id=1003
Aug 9 19:27:27 ldaprov2 slapd[28972]: connection_read(14): TLS accept
failure error=-1 id=1003, closing
Aug 9 19:27:27 ldaprov2 slapd[28972]: connection_closing: readying
conn=1003 sd=14 for close
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on 1 descriptor
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on:
Aug 9 19:27:27 ldaprov2 slapd[28972]:
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=7
active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=8
active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=9
active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=10
active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: connection_close: conn=1003 sd=14
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: removing 14
Aug 9 19:27:27 ldaprov2 slapd[28972]: conn=1003 fd=14 closed (TLS
negotiation failure)
On 08/09/2011 01:31 PM, Daniel Qian wrote:
> On 11-08-09 2:45 PM, Rich Megginson wrote:
>> On 08/09/2011 12:43 PM, Daniel Qian wrote:
>>> On 11-08-09 2:12 PM, Rich Megginson wrote:
>>>> On 08/09/2011 11:59 AM, Daniel Qian wrote:
>>>>> On 11-08-09 12:55 PM, Rich Megginson wrote:
>>>>>> On 08/09/2011 10:15 AM, Daniel Qian wrote:
>>>>>>> On 11-08-09 11:21 AM, Rich Megginson wrote:
>>>>>>>> On 08/09/2011 09:07 AM, Daniel Qian wrote:
>>>>>>>>> On 11-08-09 10:49 AM, Rich Megginson wrote:
>>>>>>>>>> On 08/09/2011 08:33 AM, Daniel Qian wrote:
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> I have slapd 2.4.24 and everything works without TLS. but if
>>>>>>>>>>> I add a -Z option to the ldapsearch command I get this:
>>>>>>>>>>>
>>>>>>>>>>> [root@ldaprov1 cacerts]# ldapsearch -x -LLL -b cn=config -D
>>>>>>>>>>> cn=admin,cn=config -wxxxxxxx -Z -H ldap://ldaprov1.prod
>>>>>>>>>>> cn=config
>>>>>>>>>>> ldap_start_tls: Connect error (-11)
>>>>>>>>>>> ldap_result: Can't contact LDAP server (-1)
>>>>>>>>>>>
>>>>>>>>>>> slapd.log shows something like this : connection_read(16):
>>>>>>>>>>> TLS accept failure error=-1 id=1006, closing
>>>>>>>>>>>
>>>>>>>>>>> Output from openssl debug:
>>>>>>>>>>>
>>>>>>>>>>> [root@ldaprov1 cacerts]# openssl s_client -connect
>>>>>>>>>>> hostname:389 -showcerts -state -CAfile cacert.pem
>>>>>>>>>>> CONNECTED(00000003)
>>>>>>>>>>> SSL_connect:before/connect initialization
>>>>>>>>>>> SSL_connect:SSLv2/v3 write client hello A
>>>>>>>>>>> 140225133647680:error:140790E5:SSL routines:SSL23_WRITE:ssl
>>>>>>>>>>> handshake failure:s23_lib.c:177:
>>>>>>>>>>> ---
>>>>>>>>>>> no peer certificate available
>>>>>>>>>>> ---
>>>>>>>>>>> No client certificate CA names sent
>>>>>>>>>>> ---
>>>>>>>>>>> SSL handshake has read 0 bytes and written 113 bytes
>>>>>>>>>>> ---
>>>>>>>>>>> New, (NONE), Cipher is (NONE)
>>>>>>>>>>> Secure Renegotiation IS NOT supported
>>>>>>>>>>> Compression: NONE
>>>>>>>>>>> Expansion: NONE
>>>>>>>>>>> ---
>>>>>>>>>>>
>>>>>>>>>>> The configurations are as follow (same command as above but
>>>>>>>>>>> without the -Z option):
>>>>>>>>>>>
>>>>>>>>>>> [root@ldaprov1 cacerts]# ldapsearch -x -LLL -b cn=config -D
>>>>>>>>>>> cn=admin,cn=config -wxxxxxx -H ldap://hostname cn=config
>>>>>>>>>>> dn: cn=config
>>>>>>>>>>> objectClass: olcGlobal
>>>>>>>>>>> cn: config
>>>>>>>>>>> olcConfigFile: /etc/openldap/slapd.conf
>>>>>>>>>>> olcConfigDir: /etc/openldap/slapd.d
>>>>>>>>>>> olcAllows: bind_v2
>>>>>>>>>>> olcArgsFile: /var/run/openldap/slapd.args
>>>>>>>>>>> olcAttributeOptions: lang-
>>>>>>>>>>> olcAuthzPolicy: none
>>>>>>>>>>> olcConcurrency: 0
>>>>>>>>>>> olcConnMaxPending: 100
>>>>>>>>>>> olcConnMaxPendingAuth: 1000
>>>>>>>>>>> olcGentleHUP: FALSE
>>>>>>>>>>> olcIdleTimeout: 0
>>>>>>>>>>> olcIndexSubstrIfMaxLen: 4
>>>>>>>>>>> olcIndexSubstrIfMinLen: 2
>>>>>>>>>>> olcIndexSubstrAnyLen: 4
>>>>>>>>>>> olcIndexSubstrAnyStep: 2
>>>>>>>>>>> olcIndexIntLen: 4
>>>>>>>>>>> olcLocalSSF: 71
>>>>>>>>>>> olcLogLevel: 9
>>>>>>>>>>> olcPidFile: /var/run/openldap/slapd.pid
>>>>>>>>>>> olcReadOnly: FALSE
>>>>>>>>>>> olcReverseLookup: FALSE
>>>>>>>>>>> olcSaslSecProps: noplain,noanonymous
>>>>>>>>>>> olcSockbufMaxIncoming: 262143
>>>>>>>>>>> olcSockbufMaxIncomingAuth: 16777215
>>>>>>>>>>> olcThreads: 16
>>>>>>>>>>> olcTLSCACertificateFile: /etc/openldap/cacerts/cacert.pem
>>>>>>>>>>> olcTLSCertificateFile: /etc/openldap/cacerts/ldaprov1.crt
>>>>>>>>>>> olcTLSCertificateKeyFile: /etc/openldap/cacerts/ldaprov1.key
>>>>>>>>>>> olcTLSVerifyClient: never
>>>>>>>>>>> olcToolThreads: 1
>>>>>>>>>>> olcWriteTimeout: 0
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> I verified the ldap user can read all the TLS files and they
>>>>>>>>>>> are setup fine
>>>>>>>>>>>
>>>>>>>>>>> [root@ldaprov1 cacerts]# openssl verify -purpose sslserver
>>>>>>>>>>> -CAfile cacert.pem ldaprov1.crt
>>>>>>>>>>> ldaprov1.crt: OK
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Anyone can tell me what I am missing here?
>>>>>>>>>> No, but we're missing
>>>>>>>>>> 1) platform
>>>>>>>>>> 2) tls implementation (openssl, moznss, gnutls)
>>>>>>>>>> 3) output of ldapsearch -x -d 1 -Z ...... rest of arguments
>>>>>>>>>> .....
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Its Fedora 15
>>>>>>>>>
>>>>>>>>> ldd /usr/sbin/slapd
>>>>>>>>> linux-vdso.so.1 => (0x00007fff76fff000)
>>>>>>>>> libltdl.so.7 => /usr/lib64/libltdl.so.7
>>>>>>>>> (0x00007f0f29fcd000)
>>>>>>>>> libdb-4.8.so => /lib64/libdb-4.8.so (0x00007f0f29c53000)
>>>>>>>>> libsasl2.so.2 => /usr/lib64/libsasl2.so.2
>>>>>>>>> (0x00007f0f29a38000)
>>>>>>>>> libcrypt.so.1 => /lib64/libcrypt.so.1
>>>>>>>>> (0x00007f0f29801000)
>>>>>>>>> libresolv.so.2 => /lib64/libresolv.so.2
>>>>>>>>> (0x00007f0f295e6000)
>>>>>>>>> libssl3.so => /usr/lib64/libssl3.so (0x00007f0f293b0000)
>>>>>>>>> libsmime3.so => /usr/lib64/libsmime3.so
>>>>>>>>> (0x00007f0f29183000)
>>>>>>>>> libnss3.so => /usr/lib64/libnss3.so (0x00007f0f28e4b000)
>>>>>>>>> libnssutil3.so => /usr/lib64/libnssutil3.so
>>>>>>>>> (0x00007f0f28c2b000)
>>>>>>>>> libplds4.so => /lib64/libplds4.so (0x00007f0f28a28000)
>>>>>>>>> libplc4.so => /lib64/libplc4.so (0x00007f0f28824000)
>>>>>>>>> libnspr4.so => /lib64/libnspr4.so (0x00007f0f285e6000)
>>>>>>>>> libpthread.so.0 => /lib64/libpthread.so.0
>>>>>>>>> (0x00007f0f283cb000)
>>>>>>>>> libc.so.6 => /lib64/libc.so.6 (0x00007f0f28032000)
>>>>>>>>> libdl.so.2 => /lib64/libdl.so.2 (0x00007f0f27e2d000)
>>>>>>>>> libfreebl3.so => /lib64/libfreebl3.so
>>>>>>>>> (0x00007f0f27bcc000)
>>>>>>>>> libz.so.1 => /lib64/libz.so.1 (0x00007f0f279b5000)
>>>>>>>>> /lib64/ld-linux-x86-64.so.2 (0x00007f0f2a66a000)
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> the ldapsearch -d 1 option tells me a lot more:
>>>>>>>>> .....
>>>>>>>>> ldap_msgfree
>>>>>>>>> TLS: file ldaprov1.crt does not end in [.0] - does not appear
>>>>>>>>> to be a CA certificate directory file with a properly hashed
>>>>>>>>> file name - skipping.
>>>>>>>>> TLS: file cacert.pem does not end in [.0] - does not appear to
>>>>>>>>> be a CA certificate directory file with a properly hashed file
>>>>>>>>> name - skipping.
>>>>>>>>> TLS: file ldaprov1.key does not end in [.0] - does not appear
>>>>>>>>> to be a CA certificate directory file with a properly hashed
>>>>>>>>> file name - skipping.
>>>>>>>>> .....
>>>>>>>>>
>>>>>>>>> I tell slapd to look for specific files but how come it is
>>>>>>>>> still checking in a directory?
>>>>>>>> I don't know. What does /etc/openldap/ldap.conf say? Do you
>>>>>>>> have a ~/.ldaprc or ~/ldaprc for the user "ldap"?
>>>>>>>
>>>>>>> So even for slapd the setting TLS_CACERTDIR in
>>>>>>> /etc/openldap/ldap.conf takes precedence over
>>>>>>> olcTLSCACertificateFile in cn=config? I set
>>>>>>> /etc/openldap/ldap.conf for client only and did not mean it for
>>>>>>> slapd.
>>>>>> I don't know. Can someone confirm that this is how it works when
>>>>>> using openssl or gnutls for crypto? That is, I don't think this
>>>>>> problem is specific to moznss.
>>>>>>>
>>>>>>> Now after I removed it from /etc/openldap/ldap.conf, ldapsearch
>>>>>>> -d 1 is indicating the CA certificate not valid:
>>>>>>>
>>>>>>> TLS: certificate [CA certificate details omitted here...] is not
>>>>>>> valid - error -8172:Unknown code ___f 20.
>>>>>>> error -8172:Unknown code ___f 20.
>>>>>>> tls_write: want=7, written=7
>>>>>>> 0000: 15 03 01 00 02 02 30 ......0
>>>>>>> TLS: error: connect - force handshake failure: errno 21 - moznss
>>>>>>> error -8172
>>>>>>> TLS: can't connect: TLS error -8172:Unknown code ___f 20.
>>>>>>> ldap_err2string
>>>>>>> ldap_start_tls: Connect error (-11)
>>>>>>> additional info: TLS error -8172:Unknown code ___f 20
>>>>>>>
>>>>>>> Does this mean all the certificates I created on the same server
>>>>>>> with openssl can not be used by modnss in slapd? I never delt
>>>>>>> with modnss before
>>>>>> 20 means SEC_ERROR_UNTRUSTED_ISSUER
>>>>>>
>>>>>> Can you provide the entire log leading up to this point? you can
>>>>>> paste it to fpaste.org if you don't want to spam the list with
>>>>>> too much information.
>>>>>>
>>>>>> Yes, openldap with moznss should work _exactly_ like openldap
>>>>>> with openssl. If this is something that was working before this
>>>>>> is a bug that needs to be fixed asap.
>>>>>
>>>>> I ran the same ldapsearch command from a Centos box which has
>>>>> openssl and the error messages says this :
>>>>>
>>>>> TLS certificate verification: Error, self signed certificate in
>>>>> certificate chain
>>>>>
>>>>> which is not true. I have separate CA certificate and server
>>>>> certificate. The server certificate is signed by the CA certificate.
>>>> openssl seems to be complaining about the CA certificate:
>>>> #
>>>> TLS certificate verification: depth: 1, err: 19, subject:
>>>> /C=CA/ST=Ontario/L=Toronto/O=Epic Media Group/OU=IT/CN=Epic Media
>>>> Group root CA/emailAddress=sysadmin(a)theepicmediagroup.com, issuer:
>>>> /C=CA/ST=Ontario/L=Toronto/O=Epic Media Group/OU=IT/CN=Epic Media
>>>> Group root CA/emailAddress=sysadmin(a)theepicmediagroup.com
>>>> #
>>>> TLS certificate verification: Error, self signed certificate in
>>>> certificate chain
>>>>
>>>> Note that the subject: is the same as the issuer: - that is, it is
>>>> a self signed certificate (self issued).
>>>>
>>>> But I'm not sure if this is the real problem.
>>>
>>> That certificate it is complaining about is actually the ROOT CA.
>>> But I have another server certificate specified by
>>> "olcTLSCertificateFile: /etc/ssl/certs/ldaprov1.crt" in cn=config
>>> and its subject and issuer are shown below:
>>>
>>> certs]# openssl x509 -noout -issuer -subject -in
>>> /etc/ssl/certs/ldaprov1.crt
>>> issuer= /C=CA/ST=Ontario/L=Toronto/O=Epic Media Group/OU=IT/CN=Epic
>>> Media Group root CA/emailAddress=sysadmin(a)theepicmediagroup.com
>>> subject= /C=CA/ST=Ontario/L=Toronto/O=Epic Media
>>> Group/OU=IT/CN=ldaprov1.prod/emailAddress=sysadmin(a)theepicmediagroup.com
>>>
>>>
>>> Its that the client can't seem to get it for some reasons.
>>>> #
>>>> TLS trace: SSL3 alert write:fatal:unknown CA
>>>>
>>>> Do you have the CA cert on the client machine?
>>>
>>> I put the same CA cert on the client machine, both in
>>> /etc/ldap.conf(/etc/nss_ldap.conf on Fedora now) and
>>> /etc/openldap/ldap.conf
>>>
>>>>>
>>>>> Seems the server certificate defined in olcTLSCertificateFile
>>>>> never gets recognized by the client.
>>>>>
>>>>> Centos openssl output pasted - http://fpaste.org/7Hju/
>>>>> Fedora moznss output pasted - http://fpaste.org/aE19/
>>>>
>>>> If you remove TLS_CACERTDIR from /etc/openldap/ldap.conf and then
>>>> specify
>>>> olcTLSCACertificateFile: /etc/openldap/cacerts/cacert.pem
>>>> olcTLSCertificateFile: /etc/openldap/cacerts/ldaprov1.crt
>>>> olcTLSCertificateKeyFile: /etc/openldap/cacerts/ldaprov1.key
>>>>
>>> That is what I have been doing, or trying to do the whole time. Note
>>> the last three lines from the current configuration as shown below
>>> from the Centos client:
>>>
>>> .prod:/etc/openldap/cacerts]# ldapsearch -x -LLL -b cn=config -D
>>> cn=admin,cn=config -wtesting123 -H ldap://ldaprov1.prod cn=config
>>> dn: cn=config
>>> objectClass: olcGlobal
>>> cn: config
>>> olcConfigFile: /etc/openldap/slapd.conf
>>> olcConfigDir: /etc/openldap/slapd.d
>>> olcAllows: bind_v2
>>> olcArgsFile: /var/run/openldap/slapd.args
>>> olcAttributeOptions: lang-
>>> olcAuthzPolicy: none
>>> olcConcurrency: 0
>>> olcConnMaxPending: 100
>>> olcConnMaxPendingAuth: 1000
>>> olcGentleHUP: FALSE
>>> olcIdleTimeout: 0
>>> olcIndexSubstrIfMaxLen: 4
>>> olcIndexSubstrIfMinLen: 2
>>> olcIndexSubstrAnyLen: 4
>>> olcIndexSubstrAnyStep: 2
>>> olcIndexIntLen: 4
>>> olcLocalSSF: 71
>>> olcLogLevel: 9
>>> olcPidFile: /var/run/openldap/slapd.pid
>>> olcReadOnly: FALSE
>>> olcReverseLookup: FALSE
>>> olcSaslSecProps: noplain,noanonymous
>>> olcSockbufMaxIncoming: 262143
>>> olcSockbufMaxIncomingAuth: 16777215
>>> olcThreads: 16
>>> olcTLSVerifyClient: never
>>> olcToolThreads: 1
>>> olcWriteTimeout: 0
>>> olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
>>> olcTLSCertificateFile: /etc/ssl/certs/ldaprov1.crt
>>> olcTLSCertificateKeyFile: /etc/ssl/certs/ldaprov1.key
>> try starting slapd with -d 1
>
> got the following from the log:
With -d 1 there should be a lot more output than this?
>
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on 1 descriptor
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on:
> Aug 9 19:27:27 ldaprov2 slapd[28972]:
> Aug 9 19:27:27 ldaprov2 slapd[28972]: slap_listener_activate(7):
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=7 busy
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=8
> active_threads=0 tvp=zero
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=9
> active_threads=0 tvp=zero
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=10
> active_threads=0 tvp=zero
> Aug 9 19:27:27 ldaprov2 slapd[28972]: >>> slap_listener(ldap:///)
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on 1 descriptor
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on:
> Aug 9 19:27:27 ldaprov2 slapd[28972]:
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=7
> active_threads=0 tvp=zero
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=8
> active_threads=0 tvp=zero
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=9
> active_threads=0 tvp=zero
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=10
> active_threads=0 tvp=zero
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: listen=7, new
> connection on 14
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on 1 descriptor
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on:
> Aug 9 19:27:27 ldaprov2 slapd[28972]: 14r
> Aug 9 19:27:27 ldaprov2 slapd[28972]:
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: read active on 14
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: added 14r (active)
> listener=(nil)
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=7
> active_threads=0 tvp=zero
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=8
> active_threads=0 tvp=zero
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=9
> active_threads=0 tvp=zero
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=10
> active_threads=0 tvp=zero
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on 1 descriptor
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on:
> Aug 9 19:27:27 ldaprov2 slapd[28972]:
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=7
> active_threads=0 tvp=zero
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=8
> active_threads=0 tvp=zero
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=9
> active_threads=0 tvp=zero
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=10
> active_threads=0 tvp=zero
> Aug 9 19:27:27 ldaprov2 slapd[28972]: connection_get(14)
> Aug 9 19:27:27 ldaprov2 slapd[28972]: connection_get(14): got
> connid=1003
> Aug 9 19:27:27 ldaprov2 slapd[28972]: connection_read(14): checking
> for input on id=1003
> Aug 9 19:27:27 ldaprov2 slapd[28972]: op tag 0x77, time 1312932447
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on 1 descriptor
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on:
> Aug 9 19:27:27 ldaprov2 slapd[28972]:
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=7
> active_threads=0 tvp=zero
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=8
> active_threads=0 tvp=zero
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=9
> active_threads=0 tvp=zero
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=10
> active_threads=0 tvp=zero
> Aug 9 19:27:27 ldaprov2 slapd[28972]: conn=1003 op=0 do_extended
> Aug 9 19:27:27 ldaprov2 slapd[28972]: conn=1003 op=0 EXT
> oid=1.3.6.1.4.1.1466.20037
> Aug 9 19:27:27 ldaprov2 slapd[28972]: do_extended:
> oid=1.3.6.1.4.1.1466.20037
> Aug 9 19:27:27 ldaprov2 slapd[28972]: conn=1003 op=0 STARTTLS
> Aug 9 19:27:27 ldaprov2 slapd[28972]: send_ldap_extended: err=0 oid=
> len=0
> Aug 9 19:27:27 ldaprov2 slapd[28972]: send_ldap_response: msgid=1
> tag=120 err=0
> Aug 9 19:27:27 ldaprov2 slapd[28972]: conn=1003 op=0 RESULT oid=
> err=0 text=
> Aug 9 19:27:27 ldaprov2 slapd[28972]: conn=1003 fd=14 ACCEPT from
> IP=10.10.2.44:54439 (IP=0.0.0.0:389)
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on 1 descriptor
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on:
> Aug 9 19:27:27 ldaprov2 slapd[28972]: 14r
> Aug 9 19:27:27 ldaprov2 slapd[28972]:
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: read active on 14
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=7
> active_threads=0 tvp=zero
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=8
> active_threads=0 tvp=zero
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=9
> active_threads=0 tvp=zero
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=10
> active_threads=0 tvp=zero
> Aug 9 19:27:27 ldaprov2 slapd[28972]: connection_get(14)
> Aug 9 19:27:27 ldaprov2 slapd[28972]: connection_get(14): got
> connid=1003
> Aug 9 19:27:27 ldaprov2 slapd[28972]: connection_read(14): checking
> for input on id=1003
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on 1 descriptor
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on:
> Aug 9 19:27:27 ldaprov2 slapd[28972]:
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=7
> active_threads=0 tvp=zero
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=8
> active_threads=0 tvp=zero
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=9
> active_threads=0 tvp=zero
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=10
> active_threads=0 tvp=zero
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on 1 descriptor
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on:
> Aug 9 19:27:27 ldaprov2 slapd[28972]: 14r
> Aug 9 19:27:27 ldaprov2 slapd[28972]:
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: read active on 14
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=7
> active_threads=0 tvp=zero
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=8
> active_threads=0 tvp=zero
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=9
> active_threads=0 tvp=zero
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=10
> active_threads=0 tvp=zero
> Aug 9 19:27:27 ldaprov2 slapd[28972]: connection_get(14)
> Aug 9 19:27:27 ldaprov2 slapd[28972]: connection_get(14): got
> connid=1003
> Aug 9 19:27:27 ldaprov2 slapd[28972]: connection_read(14): checking
> for input on id=1003
> Aug 9 19:27:27 ldaprov2 slapd[28972]: connection_read(14): TLS accept
> failure error=-1 id=1003, closing
> Aug 9 19:27:27 ldaprov2 slapd[28972]: connection_closing: readying
> conn=1003 sd=14 for close
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on 1 descriptor
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on:
> Aug 9 19:27:27 ldaprov2 slapd[28972]:
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=7
> active_threads=0 tvp=zero
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=8
> active_threads=0 tvp=zero
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=9
> active_threads=0 tvp=zero
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=10
> active_threads=0 tvp=zero
> Aug 9 19:27:27 ldaprov2 slapd[28972]: connection_close: conn=1003 sd=14
> Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: removing 14
> Aug 9 19:27:27 ldaprov2 slapd[28972]: conn=1003 fd=14 closed (TLS
> negotiation failure)
>