Hi list, the problem is solved.

1. I had to create a real user with a password to search through LDAP, because I tried to use the machine printer account at first, but the LDAP server won't allow a user without a password to do bind operations. More info: https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.1/h...

2. I had to specify the username with the full DN path on the printer (not just the 'username', e.g. 'smith' alone). After specifying uid=smith,ou=users,dc=example,dc=com in the LDAP printer settings, the printer finally started getting users authorized against 389ds.

3. The 'startTLS' inside SSL is probably a minor problem, because 389ds can handle it (discard it) and then continue with regular user/password authentication.

Very useful were:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.1/h...
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.1/h...
to debug the 389ds log messages.

Cheers,
On 10/25/2014 02:00 PM, 389-users-request@lists.fedoraproject.org wrote:
Today's Topics:
1. SSL connection with 'startTLS' problem (Karel Lang AFD)
2. Please take an action: 389 Directory Server 1.2.11.X Discontinued for EL6 (Noriko Hosoi)

Message: 1
Date: Sat, 25 Oct 2014 00:20:59 +0200
From: Karel Lang AFD lang@afd.cz
To: 389-users@lists.fedoraproject.org
Subject: [389-users] SSL connection with 'startTLS' problem
Message-ID: 544AD0CB.2080201@afd.cz
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Hi guys, could anyone please help me decode an error in the access log?

Problem description: I need to make a Ricoh C3001 printer authenticate against 389 DS.

The printer stubbornly tries to start TLS inside an SSL connection (if I read the log file correctly?) and the authentication fails, because 389 doesn't know what to make of it (I think). See:

The server uses the ldaps:// method of connection on port 636 (with self-signed certificates).
[20/Oct/2014:18:31:50 +0200] conn=38 fd=70 slot=70 SSL connection from 192.168.2.139 to 192.168.2.245
[20/Oct/2014:18:31:50 +0200] conn=38 SSL 256-bit AES
[20/Oct/2014:18:31:50 +0200] conn=38 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[20/Oct/2014:18:31:50 +0200] conn=38 op=0 RESULT err=1 tag=120 nentries=0 etime=0
[20/Oct/2014:18:31:50 +0200] conn=38 op=1 BIND dn="RICOH2-SB$" method=128 version=3
[20/Oct/2014:18:31:50 +0200] conn=38 op=1 RESULT err=53 tag=97 nentries=0 etime=0
[20/Oct/2014:18:31:51 +0200] conn=38 op=2 UNBIND
[20/Oct/2014:18:31:51 +0200] conn=38 op=2 fd=70 closed - U1
The 'err=53' means "server is unwilling to perform", and I see the same message in the printer logs.

Also, you can see the printer starts an 'extended operation': EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS", which I think it should not? (because it is already an SSL connection from the start?)
Different encryption (same result):

[root@srv-022 slapd-srv-022]# cat access | grep conn=48
[20/Oct/2014:18:35:56 +0200] conn=48 fd=68 slot=68 SSL connection from 192.168.2.139 to 192.168.2.245
[20/Oct/2014:18:35:57 +0200] conn=48 SSL 128-bit RC4
[20/Oct/2014:18:35:57 +0200] conn=48 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[20/Oct/2014:18:35:57 +0200] conn=48 op=0 RESULT err=1 tag=120 nentries=0 etime=1
[20/Oct/2014:18:35:57 +0200] conn=48 op=1 BIND dn="RICOH2-SB$" method=128 version=3
[20/Oct/2014:18:35:57 +0200] conn=48 op=1 RESULT err=53 tag=97 nentries=0 etime=0
[20/Oct/2014:18:35:57 +0200] conn=48 op=2 UNBIND
[20/Oct/2014:18:35:57 +0200] conn=48 op=2 fd=68 closed - U1
Please note the different encryption I tried to use, e.g. 128-bit RC4 and 256-bit AES etc., but all produce the same result.

The printer has choices for the use of SSL: SSL 2.0 (set to 'yes'), SSL 3.0 (set to 'yes'), TLS (I set this option to "NO", but it made no difference and the result is still the same).

Also, the printer has only 2 options:
- use SSL/TLS: if I check this, port 636 is automatically used
- don't use SSL/TLS: if I check this option, port 389 is used

Not much else to pick on (of course there are other LDAP things to fill in, like hostname etc.).

I think this looks like a client problem? Or do you think I can try to tune something on the server side? Has anybody experienced similar troubles?
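The two symptoms in the access log above (a startTLS extended operation on a connection that is already ldaps, answered with err=1, and a BIND whose identity "RICOH2-SB$" is not a DN, answered with err=53) are easy to miss when the ops of one connection are scattered through a busy log. The following script, an added example and not code from the thread or from the 389 DS project, groups access-log records by conn= id, pairs each op with its RESULT line and flags exactly these two patterns. The result-code names come from RFC 4511; the sample input is the conn=38 excerpt from the post, embedded as a string. The "is this a DN" check (any attribute=value RDN present) is a deliberately simple assumption of this example.

```python
import re
from collections import defaultdict

# Sample input: the conn=38 access-log lines quoted in the post.
SAMPLE_LOG = """\
[20/Oct/2014:18:31:50 +0200] conn=38 fd=70 slot=70 SSL connection from 192.168.2.139 to 192.168.2.245
[20/Oct/2014:18:31:50 +0200] conn=38 SSL 256-bit AES
[20/Oct/2014:18:31:50 +0200] conn=38 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[20/Oct/2014:18:31:50 +0200] conn=38 op=0 RESULT err=1 tag=120 nentries=0 etime=0
[20/Oct/2014:18:31:50 +0200] conn=38 op=1 BIND dn="RICOH2-SB$" method=128 version=3
[20/Oct/2014:18:31:50 +0200] conn=38 op=1 RESULT err=53 tag=97 nentries=0 etime=0
[20/Oct/2014:18:31:51 +0200] conn=38 op=2 UNBIND
[20/Oct/2014:18:31:51 +0200] conn=38 op=2 fd=70 closed - U1
"""

# LDAP result codes (RFC 4511 names) that matter for this failure pattern.
RESULT_CODES = {0: "success", 1: "operationsError",
                49: "invalidCredentials", 53: "unwillingToPerform"}
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"

# 389 DS access-log record: "[timestamp] conn=N [op=M] <rest of line>"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$")


def parse_access_log(text):
    """Group records by connection id; each record is (op or None, rest-of-line)."""
    conns = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not an access-log record
        op = int(m.group("op")) if m.group("op") is not None else None
        conns[int(m.group("conn"))].append((op, m.group("rest")))
    return conns


def looks_like_dn(identity):
    # Assumption of this example: a DN contains at least one attribute=value RDN,
    # e.g. uid=smith,ou=users,dc=example,dc=com; a bare "smith" or "RICOH2-SB$" does not.
    return "=" in identity


def analyze_connection(records):
    """Return human-readable findings for one connection's records."""
    findings = []
    # Connection-level records (op is None) tell us whether this was an ldaps socket.
    is_ldaps = any(op is None and "SSL connection from" in rest for op, rest in records)
    requests, results = {}, {}
    for op, rest in records:
        if op is None:
            continue
        if rest.startswith("RESULT"):
            results[op] = int(re.search(r"err=(\d+)", rest).group(1))
        else:
            requests.setdefault(op, rest)  # keep the first (request) line for each op
    for op, req in sorted(requests.items()):
        err = results.get(op)
        name = RESULT_CODES.get(err, f"code {err}")
        if req.startswith("EXT") and STARTTLS_OID in req and is_ldaps:
            findings.append(f"op={op}: startTLS requested on an ldaps (already TLS) "
                            f"connection; server returned err={err} ({name})")
        elif req.startswith("BIND"):
            dn = re.search(r'dn="([^"]*)"', req).group(1)
            if not looks_like_dn(dn) and err == 53:
                findings.append(f"op={op}: BIND identity {dn!r} is not a DN; "
                                f"server returned err=53 ({name})")
            elif err not in (None, 0):
                findings.append(f"op={op}: BIND as {dn!r} failed with err={err} ({name})")
    return findings


def analyze_log(text):
    """Map each conn id in the log text to its list of findings."""
    return {conn: analyze_connection(recs) for conn, recs in parse_access_log(text).items()}


if __name__ == "__main__":
    for conn, findings in analyze_log(SAMPLE_LOG).items():
        for finding in findings:
            print(f"conn={conn} {finding}")
```

Run against the full access file (`cat access` piped into a small wrapper, or the file read into `analyze_log`) it reports, per connection, the startTLS-over-ldaps attempt and the non-DN bind, which is the same diagnosis the thread arrived at: bind with the full DN of a user that has a password, and treat the startTLS inside the SSL connection as noise the server discards.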