Send 389-users mailing list submissions to 389-users(a)lists.fedoraproject.org To subscribe or unsubscribe via the World Wide Web, visit https://admin.fedoraproject.org/mailman/listinfo/389-users or, via email, send a message with subject or body 'help' to 389-users-request(a)lists.fedoraproject.org You can reach the person managing the list at 389-users-owner(a)lists.fedoraproject.org When replying, please edit your Subject line so it is more specific than "Re: Contents of 389-users digest..." Today's Topics: 1. SSL connection with 'startTLS' problem (Karel Lang AFD) 2. Please take an action: 389 Directory Server 1.2.11.X Discontinued for EL6 (Noriko Hosoi) ---------------------------------------------------------------------- Message: 1 Date: Sat, 25 Oct 2014 00:20:59 +0200 From: Karel Lang AFD <lang(a)afd.cz&gt; To: 389-users(a)lists.fedoraproject.org Subject: [389-users] SSL connection with 'startTLS' problem Message-ID: <544AD0CB.2080201(a)afd.cz&gt; Content-Type: text/plain; charset=ISO-8859-1; format=flowed Hi guys, please anyone could help me to decode error in access log? Problem desr.: I need to make Ricoh C3001 printer authenticate x 389 DS. The printer stubbornly tries to start TLS inside SSL connection (if i read the log file correct?) and the authentication fails, because 389 doesn't know what to make off it (i think) see: The server uses ldaps:// method of connection on 636 port (with selfsigned certificates). [20/Oct/2014:18:31:50 +0200] conn=38 fd=70 slot=70 SSL connection from 192.168.2.139 to 192.168.2.245 [20/Oct/2014:18:31:50 +0200] conn=38 SSL 256-bit AES [20/Oct/2014:18:31:50 +0200] conn=38 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS" [20/Oct/2014:18:31:50 +0200] conn=38 op=0 RESULT err=1 tag=120 nentries=0 etime=0 [20/Oct/2014:18:31:50 +0200] conn=38 op=1 BIND dn="RICOH2-SB$" method=128 version=3 [20/Oct/2014:18:31:50 +0200] conn=38 op=1 RESULT err=53 tag=97 nentries=0 etime=0 [20/Oct/2014:18:31:51 +0200] conn=38 op=2 UNBIND [20/Oct/2014:18:31:51 +0200] conn=38 op=2 fd=70 closed - U1 The 'err=53' means "server is unwilling to perform" and i see same message in the printer logs also, you can see the printer starts 'extended operation': EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS" which i think it should not? (because it is already SSL conn from start?) different encryption (same result): [root@srv-022 slapd-srv-022]# cat access | grep conn=48 [20/Oct/2014:18:35:56 +0200] conn=48 fd=68 slot=68 SSL connection from 192.168.2.139 to 192.168.2.245 [20/Oct/2014:18:35:57 +0200] conn=48 SSL 128-bit RC4 [20/Oct/2014:18:35:57 +0200] conn=48 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS" [20/Oct/2014:18:35:57 +0200] conn=48 op=0 RESULT err=1 tag=120 nentries=0 etime=1 [20/Oct/2014:18:35:57 +0200] conn=48 op=1 BIND dn="RICOH2-SB$" method=128 version=3 [20/Oct/2014:18:35:57 +0200] conn=48 op=1 RESULT err=53 tag=97 nentries=0 etime=0 [20/Oct/2014:18:35:57 +0200] conn=48 op=2 UNBIND [20/Oct/2014:18:35:57 +0200] conn=48 op=2 fd=68 closed - U1 Please note the different encryption i tried to use - for eg. 128-bit RC4 and 256-bit AES etc, but all produces same result. The printer has choice for usinge of ssl: ssl 2.0 (set to 'yes) ssl 3.0 (set to 'yes') tls (i set this option to "NO" - but made no difference and result is still same) Also, the printer has only 2options: 1. use SSL/TLS - if i check this, port 636 is automatically used 2. dont use SSL/TLS - if i check this option, port 389 is used Not much else to pick on (ofc there is other LDAP things to fill up like hostname etc.) I think this looks like client problem? Or do you think i can try to tune up something on the server side? - anybody had experienced similar troubles?