I'm struggling to get TLS working with LAM, though my other tools appear to
work fine. It is not a self-signed cert, and other tools appear to be using
TLS fine. The logs even appear to indicate that the TLS connection is
properly set up from slapd. I am thoroughly confused.

This is what I'm seeing in syslog when trying to use TLS with LAM:

Nov 28 19:09:33 localhost slapd[14912]: conn=1011 fd=16 ACCEPT from
IP=[2001:4801:7812:70:1d2b:54d0:ff10:2ade]:57742 (IP=[::]:389)
Nov 28 19:09:33 localhost slapd[14912]: conn=1011 op=0 EXT
oid=1.3.6.1.4.1.1466.20037
Nov 28 19:09:33 localhost slapd[14912]: conn=1011 op=0 STARTTLS
Nov 28 19:09:33 localhost slapd[14912]: conn=1011 op=0 RESULT oid= err=0
text=
Nov 28 19:09:33 localhost slapd[14912]: conn=1011 fd=16 TLS established
tls_ssf=128 ssf=128
Nov 28 19:09:33 localhost apache2: LDAP Account Manager
(3mfqugafml90phjo24jrnkv4t0 - 99.27.152.100) - ERROR: Unable to start TLS
encryption. Please check if your server certificate is valid and if the
LDAP server supports TLS at all.
Nov 28 19:09:33 localhost apache2: LDAP Account Manager
(3mfqugafml90phjo24jrnkv4t0 - 99.27.152.100) - ERROR: User
cn=billy,dc=planroomhost,dc=com (99.27.152.100) failed to log in (LDAP
error: Connect error).
Nov 28 19:09:33 localhost slapd[14912]: conn=1011 fd=16 closed (connection
lost)

And TLS appears to work just fine when run via ldapsearch:
root@dc:/etc/apache2/sites-available# ldapsearch -x -ZZ '(uid=testuser)'
# extended LDIF
#
# LDAPv3
# base <dc=planroomhost,dc=com> (default) with scope subtree
# filter: (uid=testuser)
# requesting: ALL
#

# search result
search: 3
result: 0 Success

# numResponses: 1

Here is the ldap.conf, if it helps:
root@dc:/etc/apache2/sites-available# cat /etc/ldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=planroomhost,dc=com
URI     ldap://dc.planroomhost.com

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# TLS certificates (needed for GnuTLS)
TLS_CACERT  /etc/ssl/certs/ca-certificates.crt
LDAPTLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT allow
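LAM's "Unable to start TLS encryption" message is generic, and the slapd lines above show the handshake completing on the server side before the connection is dropped, which suggests the refusal is being decided in the client library (OpenLDAP libldap, as loaded by PHP under Apache). The script below is an added diagnostic, not LAM's code and not from the original post: it performs the same steps LAM does (ldap_connect, protocol version 3, ldap_start_tls) and prints the client library's own diagnostic message instead of LAM's summary. It assumes the URI and CA bundle path from the ldap.conf above, assumes a PHP build with the ldap extension and the LDAP_OPT_X_TLS_* constants, and is meant to be run as the web server user (for example `sudo -u www-data php ldap_tls_check.php`) so that it sees the same PHP, environment and client configuration that LAM does. TLS_REQCERT is set to demand here on purpose: a chain or hostname problem then fails loudly in this script rather than being masked by `TLS_REQCERT allow`.

```php
<?php
// Added diagnostic (not LAM's code). Values below come from the ldap.conf in the
// post; adjust them if the test host differs.
$uri    = 'ldap://dc.planroomhost.com';
$caFile = '/etc/ssl/certs/ca-certificates.crt';

// TLS options are global to the client library and must be set before
// ldap_connect()/ldap_start_tls(); a null handle sets the global defaults.
// Demand a verified certificate chain so the real reason surfaces.
if (defined('LDAP_OPT_X_TLS_CACERTFILE')) {
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
}
if (defined('LDAP_OPT_X_TLS_REQUIRE_CERT')) {
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
}

$ds = ldap_connect($uri);
if ($ds === false) {
    fwrite(STDERR, "ldap_connect() rejected URI $uri\n");
    exit(1);
}
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

// Same extended operation (OID 1.3.6.1.4.1.1466.20037) that slapd logged as STARTTLS.
if (!@ldap_start_tls($ds)) {
    $diag = '';
    if (defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')) {
        // libldap's detailed reason, e.g. a certificate verification failure,
        // which LAM's summary message does not show.
        ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    }
    fwrite(STDERR, sprintf("StartTLS failed: %s (errno %d) %s\n",
        ldap_error($ds), ldap_errno($ds), $diag));
    exit(2);
}
echo "StartTLS established\n";

// Anonymous bind over the now-encrypted session, mirroring ldapsearch -x -ZZ.
if (!@ldap_bind($ds)) {
    fwrite(STDERR, sprintf("Anonymous bind failed: %s (errno %d)\n",
        ldap_error($ds), ldap_errno($ds)));
    exit(3);
}
echo "Anonymous bind OK over TLS\n";
ldap_unbind($ds);
```

If this script succeeds as the web server user while LAM still fails, the difference lies in LAM's own settings (the server URL and TLS choice in its server profile) rather than in the TLS setup; if it fails, the printed diagnostic names the certificate or hostname problem to fix on the client side.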