try calling PR_GetError() right after it fails and see if NSPR/NSS
indicate some error condition there, see for more details :
http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html
Stephen wrote:
> Hi,
>
> I have had a problem with connecting to my ldap server using SSL.
>
> I use a test tool called ldapbrowser to test connectivity whenever I do
> anything with LDAP, connecting to port 389, this is not a problem, using the
> same DN etc. I can also connect to port 636 securely to both my ldap servers
> by importing the certificates into the keystore using the keytool.
>
> I am currently using:
>
> ldapcsdk-6.02-SunOS5.10_sparc_OPT
>
> and:
>
> ldapcsdk5.08-SunOS5.6_OPT.OBJ
>
> i can connect using port 389 and make a successful bind, but if i try to
> connect to port 636 i get the following error:
>
> Error - ldap_simple_bind_s
>
> the return value is:
>
> 51
>
> or
>
> 81 Decimal
>
> I haven't checked for any LDAP Server debug log as I assumed it was all ok
> as ldapbrowser seems to connect fine. I generated my certificates in the
> following way:
>
> 1. created a CA
> 2. created a server certificate signed with the CA
> 3. imported into a cert7.db and key3.db
>
> this is what I used to setup a Sun One LDAP Server, further details:
>
> nss-3.4.2.tar.gz
>
> nspr-4.2.2.tar.gz
>
> untar'd both nss-3.4.2.tar.gz and nspr-4.2.2.tar.gz to the same folder
>
> /usr/tmp/combind/certutil -N -d /tmp/cert7/
>
> /usr/tmp/combine/certutil -A -n CAcert -t "PTCu,PTCu,PTCu" -i
> /tmp/CAcert.cert -d /tmp/cert7/
>
> /usr/sfw/bin/certutil -A -n Servercert -t
> "PTCu,PTCu,PTCu" -i/tmp/Servercert.cert -d /tmp/cert7/
>
>
>
> then I use the following client code:
>
> #include <stdio.h>
> #include <stdlib.h>
> #include <sys/time.h>
> #include <time.h>
> #include "ldap.h"
> #include "ldap_ssl.h"
>
> #define BIND_DN
> "uid=sbrown,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot"
> #define BIND_PW "password"
> #define MY_CERTDB_PATH "/tmp/ssl"
> #define MY_KEYDB_PATH "/tmp/ssl"
>
> #define DEBUG_LOG "/tmp/ssl/ssl.log"
> #define HOSTNAME "hostname"
> #define SSL_PORT_NUMBER 636
> #define PORTNUMBER 389
>
> int ldap_ssl_validate(char *username, char *password);
> int log(char *message);
>
> int main(){
>
> int rc = 0;
>
> rc = ldap_ssl_validate("sbrown", "password");
> if (rc != 0){
> printf("The Error code returned is HEX VALUE: %x and DEC
> VALUE: %d\n", rc, rc);
> }
> else{
> printf("No Error Occurred!\n");
>
> }
>
> return 0;
> }
>
>
> int ldap_ssl_validate(char * username, char * password)
> {
> LDAP *ld;
> LDAPMessage *result, *e, *res;
> int rc,version;
> int max_ret;
>
> char dn[512] = {'\0'};
>
> /* Initialize the client */
> if ( rc = ldapssl_clientauth_init( MY_CERTDB_PATH, NULL, 1,
> MY_KEYDB_PATH, NULL ) < 0 ) {
> log("Error - ldapssl_client_init");
> perror( "ldapssl_client_init" );
> return( rc );
> }
> printf("> ldap_client_init - Success!\n");
>
>
>
> if ( (ld = ldapssl_init( HOSTNAME, SSL_PORT_NUMBER, 1 )) == NULL ) {
> perror( "ldap_init" );
> return( -1 );
> }
>
> printf("> ldapssl_init - Success! \n");
>
>
> version = LDAP_VERSION3;
>
> if ( ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version ) < 0 )
> {
> ldap_perror( ld, "ldap_set_option LDAPv3" );
> ldap_unbind( ld );
> return( -1 );
> }
>
>
> rc = ldap_simple_bind_s( ld, BIND_DN, password );
>
>
> if ( rc != LDAP_SUCCESS ) {
> log("Error - ldap_simple_bind_s");
> printf("Error - ldap_simple_bind_s\n");
> return( rc );
> }
>
>
> /* STEP 3: Disconnect from the server. */
> ldap_unbind( ld );
>
> log("Success - ldap_simple_bind_s");
> return( 1 );
> }
>
> int log(char *message)
> {
> FILE *fp;
> time_t rawtime;
> int err;
>
> fp = fopen(DEBUG_LOG, "wt");
> fprintf(fp, "%s > %s\n", ctime(&rawtime), message);
>
> fclose(fp);
> return 0;
> }
>
>
> the following truss ouput from the application using:
>
> ldapcsdk-6.02-SunOS5.10_sparc_OPT
>
> <SNIP>
>
> stat("/lib/libatomic.so", 0xFFBFF380) Err#2 ENOENT
> stat("/usr/lib/libatomic.so", 0xFFBFF380) Err#2 ENOENT
> stat("/usr/local/lib/libatomic.so", 0xFFBFF380) Err#2 ENOENT
> stat("/usr/lib/secure/libatomic.so", 0xFFBFF380) Err#2 ENOENT
> write(1, " > l d a p s s l _ i n".., 27) = 27
> brk(0x000557C0) = 0
> brk(0x000577C0) = 0
> open("/etc/netconfig", O_RDONLY|O_LARGEFILE) = 5
> fcntl(5, F_DUPFD, 0x00000100) = 256
> close(5) = 0
> read(256, " # p r a g m a i d e n".., 1024) = 1024
> read(256, " t s t p i _ c".., 1024) = 215
> read(256, 0x000551F8, 1024) = 0
> lseek(256, 0, SEEK_SET) = 0
> read(256, " # p r a g m a i d e n".., 1024) = 1024
> read(256, " t s t p i _ c".., 1024) = 215
> read(256, 0x000551F8, 1024) = 0
> close(256) = 0
> open("/dev/udp", O_RDONLY) = 5
> ioctl(5, SIOCGLIFNUM, 0xFFBFED14) = 0
> close(5) = 0
> brk(0x000577C0) = 0
> brk(0x000597C0) = 0
> open64("/var/run/name_service_door", O_RDONLY) = 5
> fcntl(5, F_SETFD, 0x00000001) = 0
> door_info(5, 0xFEE6F7E8) = 0
> door_call(5, 0xFFBFCC78) = 0
> door_info(5, 0xFFBFCC90) = 0
> door_call(5, 0xFFBFCC78) = 0
> brk(0x000597C0) = 0
> brk(0x0005B7C0) = 0
> open("/etc/default/nss", O_RDONLY|O_LARGEFILE) = 6
> fcntl(6, F_DUPFD, 0x00000100) = 256
> close(6) = 0
> read(256, " # i d e n t\t " @ ( #".., 1024) = 1024
> read(256, " y t h o s e\n # f u n".., 1024) = 211
> read(256, 0x000551F8, 1024) = 0
> close(256) = 0
> so_socket(PF_INET, SOCK_STREAM, IPPROTO_IP, "", SOV_DEFAULT) = 6
> fcntl(6, F_GETFL) = 2
> fcntl(6, F_SETFL, FWRITE|FNONBLOCK) = 0
> connect(6, 0xFFBFF5B8, 16, SOV_DEFAULT) Err#150 EINPROGRESS
> pollsys(0xFFBFF2F0, 1, 0xFFBFF278, 0x00000000) = 1
> getsockopt(6, SOL_SOCKET, SO_ERROR, 0xFFBFF218, 0xFFBFF21C, SOV_DEFAULT) = 0
> brk(0x0005B7C0) = 0
> brk(0x0005F7C0) = 0
> brk(0x0005F7C0) = 0
> brk(0x000637C0) = 0
> getpeername(6, 0xFFBFF5C8, 0xFFBFF564, SOV_DEFAULT) = 0
> time() = 1201294867
> getpeername(6, 0xFFBFF4F8, 0xFFBFF494, SOV_DEFAULT) = 0
> time() = 1201294867
> brk(0x000637C0) = 0
> brk(0x000677C0) = 0
> write(6, "80 4010301\01B\0\0\010\0".., 54) = 54
> read(6, "160301", 3) = 3
> read(6, "07D7", 2) = 2
> brk(0x000677C0) = 0
> brk(0x0006B7C0) = 0
> read(6, "02\0\0 F0301\0\0 k mE2 A".., 2007) = 2007
> brk(0x0006B7C0) = 0
> brk(0x0006D7C0) = 0
> brk(0x0006D7C0) = 0
> brk(0x0006F7C0) = 0
> lseek(3, 16384, SEEK_SET) = 16384
> read(3, "\0\0\0\0\0\0\0\0\0\0\0\0".., 8192) = 8192
> brk(0x0006F7C0) = 0
> brk(0x000717C0) = 0
> brk(0x000717C0) = 0
> brk(0x000737C0) = 0
> brk(0x000737C0) = 0
> brk(0x000757C0) = 0
> brk(0x000757C0) = 0
> brk(0x000777C0) = 0
> write(6, "150301\00202 0", 7) = 7
> time() = 1201294867
> open("/tmp/ssl/ssl.log", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 7
> brk(0x000777C0) = 0
> brk(0x000797C0) = 0
> open("/usr/share/lib/zoneinfo/GB", O_RDONLY) = 8
> fstat64(8, 0xFFBFF788) = 0
> read(8, " T Z i f\0\0\0\0\0\0\0\0".., 1323) = 1323
> close(8) = 0
> fstat64(7, 0xFFBFEBD0) = 0
> brk(0x000797C0) = 0
> brk(0x0007B7C0) = 0
> fstat64(7, 0xFFBFEA78) = 0
> ioctl(7, TCGETA, 0xFFBFEB5C) Err#25 ENOTTY
> write(7, " T h u J a n 1 0".., 55) = 55
> close(7) = 0
> write(1, " E r r o r - l d a p".., 27) = 27
> write(1, " T h e E r r o r c o".., 59) = 59
> _exit(0)
>
>
> </SNIP>
>
> thats not all of it, just the bottom end,
>
> there are libatomic.so errors throughout, I had a problem earlier compiling
> the Mozilla LDAP SDK with a libatomic.so error, which I didn't overcome as I
> used the 6.02 binaries, it has something to do with NSPR which i assumed got
> compiled ok when I compiled the NSS source that included it.
>
> I also have a fear that its certificate related even though the Sun One
> Server recognises the certifcates in the Sun One Management console and
> ldapbrowser can connect i think that it may not be right for the client SDK,
>
> any ideas or analysis on this would be most appreciated,
>
> regards
>
> Stephen
>
>
>
>
>
> _______________________________________________
> dev-tech-ldap mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-tech-ldap
_______________________________________________
dev-tech-ldap mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-ldap
