[389-users] SSL connection with 'startTLS' problem

Karel Lang AFD lang at afd.cz
Fri Oct 24 22:20:59 UTC 2014


Hi guys,
please could anyone help me decode an error in the access log?

Problem descr.:
I need to make a Ricoh C3001 printer authenticate against 389 DS.

The printer stubbornly tries to start TLS inside an SSL connection (if I 
read the log file correctly?) and the authentication fails, because 389 
doesn't know what to make of it (I think). See:

The server uses the ldaps:// connection method on port 636 (with 
self-signed certificates).

[20/Oct/2014:18:31:50 +0200] conn=38 fd=70 slot=70 SSL connection from 
192.168.2.139 to 192.168.2.245
[20/Oct/2014:18:31:50 +0200] conn=38 SSL 256-bit AES
[20/Oct/2014:18:31:50 +0200] conn=38 op=0 EXT 
oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[20/Oct/2014:18:31:50 +0200] conn=38 op=0 RESULT err=1 tag=120 
nentries=0 etime=0
[20/Oct/2014:18:31:50 +0200] conn=38 op=1 BIND dn="RICOH2-SB$" 
method=128 version=3
[20/Oct/2014:18:31:50 +0200] conn=38 op=1 RESULT err=53 tag=97 
nentries=0 etime=0
[20/Oct/2014:18:31:51 +0200] conn=38 op=2 UNBIND
[20/Oct/2014:18:31:51 +0200] conn=38 op=2 fd=70 closed - U1

The 'err=53' means "server is unwilling to perform" and I see the same 
message in the printer logs.

Also, you can see the printer starts an 'extended operation':
  EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
which I think it should not? (because it is already an SSL connection from the start?)

Different encryption (same result):
[root at srv-022 slapd-srv-022]# cat access | grep conn=48
[20/Oct/2014:18:35:56 +0200] conn=48 fd=68 slot=68 SSL connection from 
192.168.2.139 to 192.168.2.245
[20/Oct/2014:18:35:57 +0200] conn=48 SSL 128-bit RC4
[20/Oct/2014:18:35:57 +0200] conn=48 op=0 EXT 
oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[20/Oct/2014:18:35:57 +0200] conn=48 op=0 RESULT err=1 tag=120 
nentries=0 etime=1
[20/Oct/2014:18:35:57 +0200] conn=48 op=1 BIND dn="RICOH2-SB$" 
method=128 version=3
[20/Oct/2014:18:35:57 +0200] conn=48 op=1 RESULT err=53 tag=97 
nentries=0 etime=0
[20/Oct/2014:18:35:57 +0200] conn=48 op=2 UNBIND
[20/Oct/2014:18:35:57 +0200] conn=48 op=2 fd=68 closed - U1


Please note the different encryption I tried to use, e.g. 128-bit 
RC4 and 256-bit AES etc., but all produce the same result.


The printer has a choice for the use of SSL:
SSL 2.0 (set to 'yes')
SSL 3.0 (set to 'yes')
TLS (I set this option to "NO", but it made no difference and the result is 
still the same)

Also, the printer has only 2 options:
1. use SSL/TLS - if I check this, port 636 is automatically used

2. don't use SSL/TLS - if I check this option, port 389 is used

Not much else to pick on (of course there are other LDAP things to fill in, like 
hostname etc.)

I think this looks like a client problem? Or do you think I can try to 
tune something on the server side? Has anybody experienced similar 
troubles?


-- 
*Karel Lang*
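An added example (my own Python, not code from the post above or from the 389 DS project) that scans a 389 access log for exactly the pattern shown in this thread: a connection accepted on the ldaps (TLS) listener that then also sends the StartTLS extended operation, reported together with the err= code of that operation and of the BIND that follows. The conn=38 lines are the excerpt from the post; conn=51 is a constructed healthy ldaps bind added for contrast.

```python
import re
from collections import defaultdict

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$")

# Constructed sample: conn=38 is copied from the post above, conn=51 is an
# invented healthy ldaps bind for contrast (no StartTLS request, err=0).
SAMPLE_LOG = """\
[20/Oct/2014:18:31:50 +0200] conn=38 fd=70 slot=70 SSL connection from 192.168.2.139 to 192.168.2.245
[20/Oct/2014:18:31:50 +0200] conn=38 SSL 256-bit AES
[20/Oct/2014:18:31:50 +0200] conn=38 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[20/Oct/2014:18:31:50 +0200] conn=38 op=0 RESULT err=1 tag=120 nentries=0 etime=0
[20/Oct/2014:18:31:50 +0200] conn=38 op=1 BIND dn="RICOH2-SB$" method=128 version=3
[20/Oct/2014:18:31:50 +0200] conn=38 op=1 RESULT err=53 tag=97 nentries=0 etime=0
[20/Oct/2014:18:31:51 +0200] conn=38 op=2 UNBIND
[20/Oct/2014:18:31:51 +0200] conn=38 op=2 fd=70 closed - U1
[20/Oct/2014:18:40:00 +0200] conn=51 fd=72 slot=72 SSL connection from 192.168.2.140 to 192.168.2.245
[20/Oct/2014:18:40:00 +0200] conn=51 op=0 BIND dn="uid=scanner,ou=People,dc=example,dc=com" method=128 version=3
[20/Oct/2014:18:40:00 +0200] conn=51 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""

def find_starttls_over_ldaps(log_text):
    """Flag connections accepted on the ldaps listener that then also sent the
    StartTLS extended operation; returns the err= code of that op and of the
    following BIND so the two failures can be correlated per client."""
    conns = defaultdict(lambda: {"ssl": False, "client": None, "starttls_op": None,
                                 "bind_op": None, "results": {}})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log record (e.g. a shell prompt line)
        c, op, rest = conns[m.group("conn")], m.group("op"), m.group("rest")
        if "SSL connection from" in rest:        # accepted on the TLS (636) listener
            c["ssl"] = True
            c["client"] = re.search(r"from (\S+) to", rest).group(1)
        elif op is not None and rest.startswith("EXT ") and STARTTLS_OID in rest:
            c["starttls_op"] = op                 # StartTLS requested on a TLS socket
        elif op is not None and rest.startswith("BIND "):
            c["bind_op"] = op
        elif op is not None and rest.startswith("RESULT "):
            c["results"][op] = int(re.search(r"err=(\d+)", rest).group(1))
    return [{"conn": cid, "client": c["client"],
             "starttls_err": c["results"].get(c["starttls_op"]),
             "bind_err": c["results"].get(c["bind_op"])}
            for cid, c in conns.items() if c["ssl"] and c["starttls_op"] is not None]
```

Running it over a real access log (`find_starttls_over_ldaps(open("access").read())`) lists every client that shows this double-TLS behaviour, which makes it easy to tell a misconfigured client from a server-side problem.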