Discussion:
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
Amir Saad
2005-11-27 09:00:45 UTC
I use Fedora 4, Heimdal Kerberos, Cyrus-SASL 2.1.19, OpenSSL, OpenLDAP 2.3.11

I want to use SSL with LDAP but I got the following errors:
**********************************************************************
ldapsearch -H ldaps://localhost/ -b cn=BA,dc=demo,dc=mydomain,dc=org
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

*Also I tried the following: (Simple Auth)

ldapsearch -H ldaps://localhost/ -b cn=BA,dc=demo,dc=mydomain,dc=org -x
ldap_bind: Can't contact LDAP server (-1)
**********************************************************************

The slapd is started using:
/usr/local/libexec/slapd -u root -f /usr/local/etc/openldap/slapd.conf -h "ldap:/// ldaps:///"

I tried to connect to ldap instead of ldaps and it worked, but I need to use TLS/SSL.

Here is nmap localhost:
***********************************************************************************************
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
88/tcp open kerberos-sec
111/tcp open rpcbind
389/tcp open ldap
543/tcp open klogin
631/tcp open ipp
636/tcp open ldapssl
749/tcp open kerberos-adm
750/tcp open kerberos
838/tcp open unknown
913/tcp open unknown
923/tcp open unknown
2049/tcp open nfs
***********************************************************************************************

I added the following two directives to slapd.conf:
TLSCertificateFile /0/CA/newcert.pem
TLSCertificateKeyFile /0/CA/newcert.pem

I added the following directives to /etc/openldap/ldap.conf:
TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT /etc/openldap/newcert.pem
TLS_REQCERT allow

I hope u can help!
Thanks for ur time!

Amir Saad
Software Engineer
Kurt D. Zeilenga
2005-11-28 21:30:33 UTC
If you haven't done so already, you should verify that:
s_client -> s_server
works, then if
s_client -> slapd(8)
works. In both cases, be sure to use appropriate s_client
flags to enable server certificate verification. (If you
have questions about how to use s_client or s_server, see
the OpenSSL docs, use OpenSSL support lists.) And then,
if you still have problems, I suggest you enable both client
and server side debugging, rerun your simple authentication
(or just anonymous) bind, and then examine the output for hints.

And you might try 2.2.13 as, IIRC, some of ldapsearch(1)'s
error reporting was improved (though I don't recall if it
would make a difference here).

Kurt

Quanah Gibson-Mount
2005-11-28 22:00:40 UTC
--On Monday, November 28, 2005 1:30 PM -0800 "Kurt D. Zeilenga"
<***@OpenLDAP.org> wrote:

> If you haven't done so already, you should verify that:
> s_client -> s_server
> works, then if
> s_client -> slapd(8)
> works. In both cases, be sure to use appropriate s_client
> flags to enable server certificate verification. (If you
> have questions about how to use s_client or s_server, see
> the OpenSSL docs, use OpenSSL support lists.) And then,
> if you still have problems, I suggest you enable both client
> and server side debugging, rerun your simple authentication
> (or just anonymous) bind, and then examine the output for hints.
>
> And you might try 2.2.13 as, IIRC, some of ldapsearch(1)'s
> error reporting was improved (though I don't recall if it
> would make a difference here).

Do you mean 2.3.13? :)

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
Amir Saad
2005-11-29 07:41:36 UTC
I checked openldap.org; the latest release is 2.3.12. Do u suggest using it?
Thanks
Amir Saad
Software Engineer

Quanah Gibson-Mount
2005-11-29 07:43:53 UTC
--On Tuesday, November 29, 2005 9:41 AM +0200 Amir Saad
<***@bibalex.org> wrote:

> I checked openldap.org; the latest release is 2.3.12. Do u suggest using
> it? Thanks
> Amir Saad

Yes.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
Amir Saad
2005-11-29 07:15:26 UTC
Thanks for your reply.
I tried the s_server and s_client and both worked together, then I tried to connect to slapd on port 636:
openssl s_client -connect localhost:636 -cert /etc/openldap/ca.crt -key /etc/openldap/ca.key
and this worked too, the s_client got a response from the connection...
After this test, I think OpenSSL works fine, and LDAP works fine without SSL.
Now the question is, why can't I use ldaps?
I hope u can answer me.
Thanks a lot for your time....

Amir Saad
Junior Software Engineer

Kurt D. Zeilenga
2005-11-30 06:24:07 UTC
At 11:15 PM 11/28/2005, Amir Saad wrote:
>After this test, I think OpenSSL works fine, and LDAP works fine without SSL.
>Now the question is, why can't I use ldaps?

Without more details (such as relevant sections of client
and server side diagnostics), one can only guess. If I were
to guess, I'd guess the server certificate verification is
failing. This is one of the most common problems folks have
using TLS/SSL, especially those who use 'localhost' instead
of the DNS name in the server's certificate. If so, you
should see something to this effect in the client side
debug output.

Kurt
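
Kurt's guess above is that the server certificate is being rejected because the client was pointed at ldaps://localhost/ while the certificate carries the server's DNS name. The check below, added here and not part of the thread or of OpenLDAP's own code, reproduces the host-name comparison a TLS client performs against a certificate's names (SAN dNSName entries first, subject CN only as a fallback); CertNames and the sample names are constructed.

```python
"""Host-name matching as a TLS client performs it, to show why a name in
the URI that differs from the name in the certificate fails verification.
Added example; not OpenLDAP or OpenSSL code."""
from dataclasses import dataclass, field


@dataclass
class CertNames:
    """Names taken from a server certificate (constructed sample data)."""
    subject_cn: str
    san_dns: list[str] = field(default_factory=list)


def _name_matches(pattern: str, host: str) -> bool:
    """Compare one certificate name with a host, allowing a single leftmost
    wildcard label (e.g. *.demo.mydomain.org) in the RFC 6125 style."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard covers exactly one label and never a top-level suffix.
    return (len(p_labels) == len(h_labels) and len(p_labels) >= 3
            and p_labels[1:] == h_labels[1:])


def hostname_matches(cert: CertNames, host: str) -> tuple[bool, str]:
    """Return (ok, reason). SAN dNSName entries take precedence; the
    subject CN is consulted only when the certificate has no SAN."""
    candidates = cert.san_dns if cert.san_dns else [cert.subject_cn]
    source = "subjectAltName" if cert.san_dns else "subject CN"
    for name in candidates:
        if _name_matches(name, host):
            return True, f"{host} matches {name} ({source})"
    return False, f"{host} matches none of {candidates} ({source})"


if __name__ == "__main__":
    # Constructed certificate issued to the server's DNS name only,
    # checked against the host name from the URI (localhost) and the
    # name the certificate was issued to.
    cert = CertNames("ldap.demo.mydomain.org")
    for host in ("localhost", "ldap.demo.mydomain.org"):
        print(hostname_matches(cert, host))
```

The same comparison is what a client-side debug trace reports as a certificate verification failure; connecting with the name that is actually in the certificate, or issuing a certificate that lists the name being used, is what makes the check pass.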
Oliver Kuka
2005-11-29 14:53:09 UTC
> i added the following two directives to the slapd.conf:
> TLSCertificateFile /0/CA/newcert.pem
> TLSCertificateKeyFile /0/CA/newcert.pem

As far as I know SSL, a certificate file and the appropriate key file
are always different, for one contains a public key and the other a
private key. You always need both for communication, at least on the
server side (the side one connects to). And since you use the same file
in both options...

Adios
Oliver

--
Oliver Kuka
Hochschulrechenzentrum
Paedagogische Hochschule Ludwigsburg
Reuteallee 46
71634 Ludwigsburg

phone: (+49) 7141 - 140 - 386
fax: (+49) 7141 - 140 - 435
Building LSB, Room 305
E-Mail: ***@ph-ludwigsburg.de

Visit us on the Internet:
http://www.ph-ludwigsburg.de/rz