Discussion:
LDAPS connection failing with a "TLS accept failure error -1"
Marcelo de Moraes Serpa
2010-05-19 03:53:05 UTC
Hello all,

I hope someone can help me -- I've been trying for almost one whole day already
and still couldn't get LDAP over SSL to work.

The objective is to set up a development box for testing purposes, so the
simpler the better; however, it must only be as simple as needed.

I've followed this tutorial:
http://islandlinux.org/howto/installing-secure-ldap-openldap-ssl-ubuntu-using-self-signed-certificate.
I'm on Mac OSX Snow Leopard, though.

slapd version: @(#) $OpenLDAP: slapd 2.4.11 (Feb 11 2010 02:23:14)
//Installed from MacPorts

I have generated a self-signed certificate using this command:

sudo openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 3650

I've set the Common Name to "localhost".

The configuration files look like this (non-relevant parts snipped):

slapd.conf:

TLSCipherSuite HIGH:MEDIUM:-SSLv2
TLSCACertificateFile /Users/myuser/Sandbox/server.pem
TLSCertificateFile /Users/myuser/Sandbox/server.pem
TLSCertificateKeyFile /Users/myuser/Sandbox/server.pem

TLSVerifyClient never

ldap.conf

BASE dc=mycompany,dc=com
URI ldaps://localhost/
TLS_REQCERT never

I'm starting slapd with the following command:

sudo /usr/libexec/slapd -f /opt/local/etc/openldap/slapd.conf -d1 -h "ldaps:///"

And testing the connection with the following:

ldapsearch -H ldaps://localhost -d255

When running ldapsearch, I get the following as output:

ldap_create
ldap_url_parse_ext(ldaps://localhost)
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
supportedSASLMechanisms
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying ::1 636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
tls_write: want=124, written=124
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=0
TLS: can't connect.
ldap_perror
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

As you can see, it fails with the "TLS: can't connect" error message. Not
that obvious. I then switch to the terminal that has slapd running in the
foreground, and I see the following:

(snip)
connection_get(13): got connid=0
connection_read(13): checking for input on id=0
*connection_read(13): TLS accept failure error=-1 id=0, closing*
connection_closing: readying conn=0 sd=13 for close
connection_close: conn=0 sd=13

What I don't understand is why it is failing if I've set both sides to
ignore certificates. What am I doing wrong?

Marcelo.
Dieter Kluenter
2010-05-20 08:09:05 UTC
Post by Marcelo de Moraes Serpa
Hello all,
I hope someone could help me -- I'm trying for almost one whole day already
and couldn't get LDAP over SSL to work, without success.
[...]
Post by Marcelo de Moraes Serpa
sudo openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout
server.pem -days 3650
[...]

This is not the proper way to create a certificate chain.
1. create a certificate authority
2. create a server certificate
3. sign the server certificate with the CA
4. extract the password from server certificate into a key

You may use tinyCA to create the chain
http://tinyca.sm-zone.net/index.html

-Dieter
--
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
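The four steps Dieter lists, carried out with openssl as an added example that is not part of the thread: a CA, a server key and request for CN=localhost, the request signed by the CA, and the private key kept in its own file instead of the combined server.pem. The checks at the end (chain verification, CN, key/certificate match, SAN) are what a practitioner runs before pointing slapd and ldap.conf at the files; all paths and names are constructed in a scratch directory.

```shell
#!/bin/sh
# Added example (not from the thread): the CA -> server certificate chain that
# Dieter outlines, with the private key in its own file, plus the checks a
# practitioner runs before pointing slapd at the result. All files are
# constructed in a scratch directory.
set -eu
WORK=$(mktemp -d)

# 1. create a certificate authority: self-signed CA certificate and CA key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Test Lab CA" \
        -keyout "$WORK/ca-key.pem" -out "$WORK/ca.pem" 2>/dev/null
}

# 2. create the server key and a signing request; the CN (and SAN) must match
#    the host name the client connects to (ldaps://localhost/ -> localhost)
make_server_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=localhost" \
        -keyout "$WORK/server-key.pem" -out "$WORK/server.csr" 2>/dev/null
}

# 3. sign the request with the CA, adding a subjectAltName for modern clients
#    that ignore the CN (-extfile works on OpenSSL 1.0 through 3.x)
sign_server_cert() {
    printf 'subjectAltName=DNS:localhost\n' > "$WORK/san.cnf"
    openssl x509 -req -days 825 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca-key.pem" -CAcreateserial \
        -extfile "$WORK/san.cnf" -out "$WORK/server.pem" 2>/dev/null
}

# 4. the key is already separate (server-key.pem): slapd gets
#    TLSCACertificateFile=ca.pem, TLSCertificateFile=server.pem,
#    TLSCertificateKeyFile=server-key.pem; the client gets TLS_CACERT=ca.pem

# checks: does the server cert chain to the CA, is the CN right, does the
# key file actually belong to the certificate, is the SAN present?
verify_chain() { openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.pem" >/dev/null 2>&1; }
server_cn() { openssl x509 -in "$WORK/server.pem" -noout -subject | sed 's/.*CN *= *//'; }
key_matches_cert() {
    [ "$(openssl x509 -in "$WORK/server.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$WORK/server-key.pem" -pubout)" ]
}
has_localhost_san() { openssl x509 -in "$WORK/server.pem" -noout -text | grep -q 'DNS:localhost'; }

make_ca && make_server_csr && sign_server_cert
verify_chain && key_matches_cert && has_localhost_san && echo "chain OK, CN=$(server_cn)"
```

With a CA file on both sides, TLS_REQCERT can stay at its default (demand) instead of being switched off, so the client actually authenticates the server it talks to.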
Marcelo de Moraes Serpa
2010-05-20 16:03:29 UTC
Hi Dieter,

Thanks for the reply,

This server was only for testing purposes, so, that's why I used a
self-signed certificate.

I got it working. The issue, as stupid as it is, was that I was editing the
wrong ldap.conf file (Mac OS X has one in /etc/openldap and another in
/opt/local/etc/openldap, which was the one being used).

Marcelo.
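The root cause above was an ldap.conf edited in a directory the MacPorts ldapsearch never reads. As an added example (not from the thread), this script reproduces the client-side lookup order that ldap.conf(5) describes, so you can see which file or environment variable a given option value really comes from; the two-install layout it builds is constructed in a scratch directory, and the compiled-in system directory is passed in because it differs per build.

```shell
#!/bin/sh
# Added example (not from the thread): which value of a client option libldap
# ends up with, following the precedence in ldap.conf(5): the system file
# ($LDAPCONF, else the ldap.conf compiled into that ldapsearch binary), then
# $HOME/ldaprc, $HOME/.ldaprc and ./ldaprc (file name replaced by $LDAPRC),
# then an LDAP<OPTION> environment variable; the last definition wins.
set -eu

# last value of OPTION in FILE; empty if the file is missing or silent on it
option_in_file() {
    [ -r "$2" ] || return 0
    awk -v opt="$1" 'toupper($1) == opt { v = $2 } END { print v }' "$2"
}

# usage: effective_option OPTION SYSCONFDIR
# SYSCONFDIR is what the ldapsearch you actually run was built with:
# /etc/openldap for Apple's build, /opt/local/etc/openldap for MacPorts.
# Results land in EFFECTIVE_VALUE and EFFECTIVE_SOURCE.
effective_option() {
    opt=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
    EFFECTIVE_VALUE=""; EFFECTIVE_SOURCE="(not set in any file)"
    for f in "${LDAPCONF:-$2/ldap.conf}" "${HOME:-}/${LDAPRC:-ldaprc}" \
             "${HOME:-}/.${LDAPRC:-ldaprc}" "./${LDAPRC:-ldaprc}"; do
        v=$(option_in_file "$opt" "$f")
        [ -n "$v" ] && { EFFECTIVE_VALUE=$v; EFFECTIVE_SOURCE=$f; }
    done
    # e.g. LDAPTLS_REQCERT=never overrides every file
    v=$(eval "printf '%s' \"\${LDAP$opt:-}\"")
    [ -n "$v" ] && { EFFECTIVE_VALUE=$v; EFFECTIVE_SOURCE="environment LDAP$opt"; }
    printf '%s = %s  [%s]\n' "$opt" "${EFFECTIVE_VALUE:-<libldap default>}" "$EFFECTIVE_SOURCE"
}

# constructed demo of the thread's situation: two installs, two ldap.conf files,
# TLS_REQCERT only edited in the one the MacPorts ldapsearch never reads
DEMO=$(mktemp -d)
mkdir -p "$DEMO/etc/openldap" "$DEMO/opt/local/etc/openldap" "$DEMO/home"
HOME="$DEMO/home"
printf 'URI ldaps://localhost/\nTLS_REQCERT never\n' > "$DEMO/etc/openldap/ldap.conf"
printf 'BASE dc=mycompany,dc=com\n' > "$DEMO/opt/local/etc/openldap/ldap.conf"

effective_option TLS_REQCERT "$DEMO/etc/openldap"            # never, from Apple's file
effective_option TLS_REQCERT "$DEMO/opt/local/etc/openldap"  # unset: MacPorts client keeps default demand
```

Pointing LDAPCONF at the intended file, or checking the option with an LDAP<OPTION> environment variable, removes the guesswork about which ldap.conf a particular binary was built to read.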