LDAP SSL Problems (was: service script (/etc/init.d/ldap))

Daniel B. Thurman dant at cdkkt.com
Mon Nov 14 15:48:21 UTC 2005


>From: fedora-list-bounces at redhat.com
>[mailto:fedora-list-bounces at redhat.com]On Behalf Of Daniel B. Thurman
>Sent: Monday, November 14, 2005 7:28 AM
>To: For users of Fedora Core releases (E-mail)
>Subject: LDAP service script (/etc/init.d/ldap)
>
>
>
>Hi Folks,
>
>I got ldap working but I am not able to get ldaps (secure) to work.
>
>I ran some tests:
>
>Simple auth, no encryption
>====================
>ldapsearch -H ldap://hostname/ -b dc=example,dc=com -x
>
>RESULTS: WORKS!
>
>Simple auth, SSL via LDAPS
>======================
>ldapsearch -H ldaps://hostname/ -b dc=example,dc=com -x
>
>RESULTS: FAIL: ldap_bind: Can't contact LDAP server (-1)
>
> - Ran slapd -d -1 : See no error hints
> - Looked in /var/log/messages - nothing
> - netstat -a : shows listener: ldaps
>
>If anyone has any suggestions, please let me know!
>
>Also, if anyone has any really good links on getting ldap/kerberos/ssl
>working please let me know!
>
>Thanks
>Dan
>

Sorry folks about the bad subject line.  I fixed that.

I wanted to add more information:

openssl s_client -CAfile /etc/openldap/cacerts/ldapCA.pem -connect ldap.cdkkt.com:636
CONNECTED(00000003)
depth=1 /C=US/ST=Oregon/L=Beaverton/O=DBT And Associates/OU=ldap/CN=ldap.cdkkt.com/emailAddress=admin at cdkkt.com
verify return:1
depth=0 /C=US/ST=Oregon/L=Beaverton/O=DBT And Associates/OU=ldap/CN=ldap.cdkkt.com/emailAddress=admin at cdkkt.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Oregon/L=Beaverton/O=DBT And Associates/OU=ldap/CN=ldap.cdkkt.com/emailAddress=admin at cdkkt.com
   i:/C=US/ST=Oregon/L=Beaverton/O=DBT And Associates/OU=ldap/CN=ldap.cdkkt.com/emailAddress=admin at cdkkt.com
---
Server certificate
-----BEGIN CERTIFICATE-----
[PEM certificate body not preserved in the archived message]
-----END CERTIFICATE-----
subject=/C=US/ST=Oregon/L=Beaverton/O=DBT And Associates/OU=ldap/CN=ldap.cdkkt.com/emailAddress=admin at cdkkt.com
issuer=/C=US/ST=Oregon/L=Beaverton/O=DBT And Associates/OU=ldap/CN=ldap.cdkkt.com/emailAddress=admin at cdkkt.com
---
No client certificate CA names sent
---
SSL handshake has read 1145 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: EEEC2E025097267E2E39E129A1130FDA7921D57F86C4D8CC94CE4D7CBF712865
    Session-ID-ctx:
    Master-Key: 28ACBE74CC2972246E9E1039D182643652DC2CC1F91333F68B700F22318C93CCB881A287BEF91AC498B2068C7DFAB39F
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1131983082
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

*****  HANGS HERE!!!!!

So, from the test it looks like there is a problem.  Anyone
care to comment???

Thanks!
Dan
