>> And just for completeness, here are the contents of my ldap.conf file
>> ==========
>> BASE dc=mydomain,dc=dyndns,dc=org
>> URI ldap://ldap.mydomain.dyndns.org
>> TLS_CIPHER_SUITE HIGH:!ADH
>> TLS_CACERT /etc/ssl/certs/mydomain.dyndns.org_CA.pem
>> TLS_REQCERT demand
>> TLS_CRLCHECK none
>> ==========
>>
> This is the complete content of ldap.conf on the clients?

Those are the only uncommented lines in my ldap.conf files.

>> I even tried purging slapd, reinstalling it, and re-populating it from
>> scratch (I didn't just reload a DB backup).
>>
>> The fresh install worked fine as non-root until a reboot - at which point the
>> problem described above returned and TLS connections fail.
>>
> That's strange.

I thought so too.

> Can you please send the output of: ldapsearch -x -ZZ -d 7

Output is attached.
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.misumasu.dyndns.org:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 172.30.1.1:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush: 31 bytes to sd 3
  0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
ldap_write: want=31, written=31
  0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
ldap_result ld 0x5101e0 msgid 1
ldap_chkResponseList ld 0x5101e0 msgid 1 all 1
ldap_chkResponseList returns ld 0x5101e0 NULL
wait4msg ld 0x5101e0 msgid 1 (infinite timeout)
wait4msg continue ld 0x5101e0 msgid 1 all 1
** ld 0x5101e0 Connections:
* host: ldap.misumasu.dyndns.org  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Mon Aug  7 19:31:48 2006
** ld 0x5101e0 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** ld 0x5101e0 Response Queue:
   Empty
ldap_chkResponseList ld 0x5101e0 msgid 1 all 1
ldap_chkResponseList returns ld 0x5101e0 NULL
ldap_int_select
read1msg: ld 0x5101e0 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=8
  0000:  30 0c 02 01 01 78 07 0a                            0....x..
ldap_read: want=6, got=6
  0000:  01 00 04 00 04 00                                  ......
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x5101e0 msgid 1 message type extended-result
ber_scanf fmt ({eaa) ber:
read1msg: ld 0x5101e0 0 new referrals
read1msg:  mark request completed, ld 0x5101e0 msgid 1
request done: ld 0x5101e0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({eaa) ber:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
tls_write: want=118, written=118
  [118-byte ClientHello hex dump omitted]
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=7
  0000:  16 03 01 00 4a 02 00                               ....J..
tls_read: want=72, got=72
  [72-byte ServerHello hex dump omitted]
TLS trace: SSL_connect:SSLv3 read server hello A
tls_read: want=5, got=5
  0000:  16 03 01 06 28                                     ....(
tls_read: want=1576, got=1576
  [1576-byte server Certificate message hex dump omitted]
TLS certificate verification: depth: 1, err: 0, subject: /C=US/O=misumasu/OU=Certificate Authority/L=Albuquerque/ST=New Mexico/CN=misumasu.dyndns.org, issuer: /C=US/O=misumasu/OU=Certificate Authority/L=Albuquerque/ST=New Mexico/CN=misumasu.dyndns.org
TLS certificate verification: depth: 0, err: 0, subject: /C=US/O=misumasu/OU=LDAP Server/L=Albuquerque/ST=New Mexico/CN=ldap.misumasu.dyndns.org, issuer: /C=US/O=misumasu/OU=Certificate Authority/L=Albuquerque/ST=New Mexico/CN=misumasu.dyndns.org
TLS trace: SSL_connect:SSLv3 read server certificate A
tls_read: want=5, got=5
  0000:  16 03 01 00 9c                                     .....
tls_read: want=156, got=156
  [156-byte CertificateRequest hex dump omitted]
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
tls_write: want=210, written=210
  0000:  16 03 01 00 07 0b 00 00  03 00 00 00 16 03 01 00   ................
  [remaining 194 bytes of the client's write omitted]
TLS trace: SSL_connect:SSLv3 flush data
tls_read: want=5, got=5
  0000:  15 03 01 00 02                                     .....
tls_read: want=2, got=2
  0000:  02 28                                              .(
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
        additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
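The raw bytes in the trace above can be decoded to see exactly where the handshake broke. The following is an added example, not part of the thread or of OpenLDAP: a small TLS 1.0 record decoder run over two records copied from the trace, which shows that the client answered the server's CertificateRequest with an empty Certificate message and the server replied with a fatal handshake_failure alert. The type and alert names are taken from RFC 2246; the function names and the sample byte strings are this example's own.

```python
import struct

# Record content types, handshake message types and alert codes from RFC 2246;
# only the values relevant to this trace are listed.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   13: "certificate_request", 14: "server_hello_done",
                   16: "client_key_exchange", 20: "finished"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca"}

# Bytes copied from the ldapsearch -d 7 trace: the first record of the client's
# 210-byte write (its reply to the server's CertificateRequest) and the server's
# 7-byte answer (5-byte record header plus the 2-byte alert body).
CLIENT_CERT_RECORD = bytes.fromhex("1603010007" "0b000003000000")
SERVER_ALERT_RECORD = bytes.fromhex("1503010002" "0228")


def parse_records(data):
    """Split raw bytes into TLS records and decode what each one carries.
    Handshake data after a ChangeCipherSpec is encrypted and is left opaque."""
    records, offset, encrypted = [], 0, False
    while offset < len(data):
        ctype, major, minor, length = struct.unpack_from("!BBBH", data, offset)
        body = data[offset + 5:offset + 5 + length]
        if len(body) != length:
            raise ValueError("truncated TLS record at offset %d" % offset)
        rec = {"type": CONTENT_TYPES.get(ctype, ctype), "version": (major, minor)}
        if ctype == 21 and length == 2:
            rec["alert"] = (ALERT_LEVELS.get(body[0], body[0]),
                            ALERT_DESCRIPTIONS.get(body[1], body[1]))
        elif ctype == 22 and not encrypted:
            rec["handshake"] = HANDSHAKE_TYPES.get(body[0], body[0])
            if body[0] == 11:
                # Certificate message: after the 4-byte handshake header comes a
                # 3-byte length of the certificate list; 0 means none was sent.
                rec["cert_list_len"] = int.from_bytes(body[4:7], "big")
        elif ctype == 20:
            encrypted = True
        records.append(rec)
        offset += 5 + length
    return records


def empty_client_cert_rejected(client_records, server_records):
    """True when the client sent an empty Certificate message and the server
    answered with a fatal handshake_failure alert, which is what a server that
    requires a client certificate does when the client presents none."""
    sent_empty = any(r.get("handshake") == "certificate" and r.get("cert_list_len") == 0
                     for r in client_records)
    rejected = any(r.get("alert") == ("fatal", "handshake_failure") for r in server_records)
    return sent_empty and rejected
```

Run on the two records from the trace, `empty_client_cert_rejected` returns True; the 1576-byte server Certificate record would decode the same way with a non-zero cert_list_len.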