Hi all,

Thanks for your help. I really appreciate it. It's very valuable information. I hope someone else also finds it useful.

Howard Chu wrote:

Try it with -d7 and see what kind of network traffic shows up. It will also show you the SSL handshake, if the server actually answered.

Well this gave me a clue that the server is not correctly configured:
"TLS: peer cert untrusted or revoked (0x42)"

I'm guessing that means that the way the server was configured was either with a revoked certificate from a different (root) authority or there is something wrong with the self-signed cert. Maybe it is not configured as a root cert but a root (self-signed) cert was generated?
semi-full details below...


I hope you mean "the CA cert". The server cert only needs to be on the server.
...
You use only one or the other of TLS_CACERT or TLS_CACERTDIR, not both. In our docs we recommend only using TLS_CACERT because scanning a filesystem directory (TLS_CACERTDIR) is problematic in lots of situations. (E.g., in some versions of OpenSSL there was a file descriptor leak; it's not guaranteed to be thread safe, etc. etc. etc...)

I see. I thought that maybe both the path and the file needed to be specified. Shows how much I know about LDAP... :(

Michael Ströder wrote:
If you haven't correctly configured the SSL server cert and the accompanying
CA cert(s) in the DC's server profile you can connect to port 636 at TCP level
but SSL handshake will fail. So use the MMC snap-in certmgr.msc and configure
the _server's_ cert store.

I'll have to look into this as someone else configured the server before my time. All the info about server certs I can find is for Windows 2000 and 2003 - even on MS's site.

So then I should take the CA cert and install it on the client? Or is that done automatically during the SSL conversation?

Here is most of the output of using debug level 7. I took out some parts of the data blocks:

u...@linuxserver:~$ ldapsearch -d7 -LLL -v -E pr=200/noprompt -H ldaps://adserver:636 -D "[email protected]" -W -b "dc=domain, dc=com" -s sub "(cn=*)" cn mail sn
ldap_url_parse_ext(ldaps://adserver:636)
ldap_initialize( ldaps://adserver:636/??base )
ldap_create
ldap_url_parse_ext(ldaps://adserver:636/??base)
Enter LDAP Password:
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_build_search_req ATTRS: supportedSASLMechanisms
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP adserver:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.1.32:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
tls_write: want=82, written=82
 0000:  16 03 02 00 4d 01 00 00  49 03 02 4b 14 69 de 3f   ....M...I..K.i.?
 0010:  1d da b8 25 55 a7 57 17  ed b5 98 f0 f0 d7 9d 2e   ...%U.W.........
 0020:  5a 6a 4e 30 0e 17 84 29  fb e5 ff 00 00 18 00 39   ZjN0...).......9
 0030:  00 33 00 16 00 38 00 32  00 13 00 66 00 35 00 2f   .3...8.2...f.5./
 0040:  00 0a 00 05 00 04 02 01  00 00 07 00 09 00 03 02   ................
 0050:  00 01                                              ..
tls_read: want=5, got=5
 0000:  16 03 01 0a 23                                     ....#
tls_read: want=2595, got=2595
 0000:  02 00 00 46 03 01 4b 14  6a 11 53 df a5 1c 60 34   ...F..K.j.S...`4
 0010:  e3 84 aa 16 01 15 56 89  da 21 8d 4d b0 37 69 ac   ......V..!.M.7i.
...
 09e0:  4d 69 63 72 6f 73 6f 66  74 20 52 6f 6f 74 20 43   Microsoft Root C
 09f0:  65 72 74 69 66 69 63 61  74 65 20 41 75 74 68 6f   ertificate Autho
 0a00:  72 69 74 79 00 19 30 17  31 15 30 13 06 03 55 04   rity..0.1.0...U.
 0a10:  03 13 0c 4e 54 20 41 55  54 48 4f 52 49 54 59 0e   ...NT AUTHORITY.
 0a20:  00 00 00                                           ...
tls_write: want=12, written=12
 0000:  16 03 01 00 07 0b 00 00  03 00 00 00               ............
tls_write: want=267, written=267
 0000:  16 03 01 01 06 10 00 01  02 01 00 00 12 fd cc 00   ................
 0010:  6e ac d8 8f 1c e2 bb 72  1d c5 c7 18 7e 45 3e fb   n......r....~E>.
...
 00c0:  bc 23 3c 15 2a a8 10 c1  95 da 94 c8 31 8c 9a f6   .#<.*.......1...
 00d0:  5a e1 66 b6 6b 41 9b bc  99 10 9a 3e 3d 0a 3b 8e   Z.f.kA.....>=.;.
 00e0:  d3 80 70 b0 81 6f da 63  96 ef 0f 43 41 63 58 dc   ..p..o.c...CAcX.
 00f0:  41 fd 68 51 41 e1 ac 42  03 6e 03 05 83 20 cc 2a   A.hQA..B.n... .*
 0100:  fb e7 97 f9 5a 60 94 52  f9 68 5f                  ....Z`.R.h_
tls_write: want=6, written=6
 0000:  14 03 01 00 01 01                                  ......
tls_write: want=277, written=277
 0000:  16 03 01 01 10 34 60 e6  57 91 9c e9 ff 25 42 64   .....4`.W....%Bd
 0010:  fe 3e 83 e5 5f 1a d3 a9  3b 73 06 66 1d e8 bd db   .>.._...;s.f....
...
 00d0:  b0 6d c7 06 67 98 62 f4  90 ca 0b e9 54 c8 10 df   .m..g.b.....T...
 00e0:  cc 50 64 2d cf f8 28 72  97 f7 16 53 a0 c9 67 63   .Pd-..(r...S..gc
 00f0:  02 3d d0 8a eb 99 68 62  c6 18 cb f2 0b 22 7d 8a   .=....hb....."}.
 0100:  54 96 69 ac d0 51 44 5e  91 c2 e4 bc 7e ed 02 cf   T.i..QD^....~...
 0110:  db 92 5c ca 87                                     ..\..
tls_read: want=5, got=5
 0000:  14 03 01 00 01                                     .....
tls_read: want=1, got=1
 0000:  01                                                 .
tls_read: want=5, got=5
 0000:  16 03 01 00 30                                     ....0
tls_read: want=48, got=48
 0000:  21 37 e5 48 47 cc 9d 75  62 72 10 1f 82 52 c7 f3   !7.HG..ubr...R..
 0010:  62 a0 98 35 5e ca 43 4f  c2 4a 9d 76 00 8d 82 81   b..5^.CO.J.v....
 0020:  bf b6 2d bc 3c 2b 17 42  20 76 7c b5 1e a6 51 42   ..-.<+.B v|...QB
TLS: peer cert untrusted or revoked (0x42)
ldap_err2string
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
u...@linuxserver:~$
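A small decoder for the trace above, added here as an example; it is not code from the original post or from OpenLDAP. It parses the tls_read/tls_write hex dumps that libldap prints at -d7, labels each TLS record and cleartext handshake message, and expands the number in "peer cert untrusted or revoked (0x42)", which is the gnutls_certificate_status_t bitmask that libldap's GnuTLS backend gets back from verifying the peer chain: 0x42 is GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND, i.e. the issuer of the server's chain was not among the CAs the client trusts (what TLS_CACERT supplies). The sample trace embedded below is constructed from the records shown in the post, with the elided bodies cut short; the constant names and regexes are this example's own.

```python
"""Label the TLS records in an OpenLDAP ``ldapsearch -d7`` trace and decode the
GnuTLS bitmask behind "peer cert untrusted or revoked (0x42)".  Added example."""
import re

RECORD_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
                   13: "CertificateRequest", 14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
# gnutls_certificate_status_t flags (gnutls.h); libldap's GnuTLS backend prints this bitmask in hex.
GNUTLS_CERT_STATUS = {0x02: "GNUTLS_CERT_INVALID", 0x20: "GNUTLS_CERT_REVOKED",
                      0x40: "GNUTLS_CERT_SIGNER_NOT_FOUND", 0x80: "GNUTLS_CERT_SIGNER_NOT_CA",
                      0x100: "GNUTLS_CERT_INSECURE_ALGORITHM"}
CHUNK_RE = re.compile(r"^tls_(read|write): want=\d+, (?:got|written)=\d+")
HEX_LINE_RE = re.compile(r"^\s*[0-9a-f]{4}:\s+(.*)$")
STATUS_RE = re.compile(r"peer cert untrusted or revoked \(0x([0-9a-f]+)\)")

def decode_cert_status(status):
    """Expand the GnuTLS verification bitmask into flag names."""
    names = [n for bit, n in GNUTLS_CERT_STATUS.items() if status & bit]
    unknown = status & ~sum(GNUTLS_CERT_STATUS)
    return names + (["unknown:0x%x" % unknown] if unknown else [])

def split_chunks(trace):
    """One (direction, bytes) chunk per tls_read/tls_write call in the trace."""
    chunks = []
    for line in trace.splitlines():
        if CHUNK_RE.match(line):
            chunks.append((CHUNK_RE.match(line).group(1), bytearray()))
        elif chunks and HEX_LINE_RE.match(line):
            # up to 16 byte pairs per line; the first non-byte token starts the ASCII column
            for tok in HEX_LINE_RE.match(line).group(1).split()[:16]:
                if not re.fullmatch(r"[0-9a-f]{2}", tok):
                    break
                chunks[-1][1].append(int(tok, 16))
    return [(d, bytes(b)) for d, b in chunks]

def parse_handshake(body, declared):
    """Names of the cleartext handshake messages in one record body."""
    names, pos = [], 0
    while pos + 4 <= len(body):  # one record may carry several messages
        names.append(HANDSHAKE_TYPES.get(body[pos], "handshake %d" % body[pos]))
        pos += 4 + int.from_bytes(body[pos + 1:pos + 4], "big")
    if len(body) < declared:  # the post's dump is elided with "..."
        names.append("<%d of %d bytes dumped>" % (len(body), declared))
    return names

def parse_records(chunks):
    """libldap writes whole records but reads the 5-byte header and the body in
    separate calls; after ChangeCipherSpec a direction's records are encrypted."""
    events, pending, encrypted = [], None, {"read": False, "write": False}
    for direction, data in chunks:
        if direction == "read":
            if pending is None:
                pending = data  # record header; the body arrives in the next read
                continue
            header, body, pending = pending, data, None
        else:
            header, body = data[:5], data[5:]
        rtype, length = header[0], int.from_bytes(header[3:5], "big")
        version = VERSIONS.get((header[1], header[2]), "0x%02x%02x" % (header[1], header[2]))
        if rtype == 22:
            msgs = ["<encrypted Finished>"] if encrypted[direction] else parse_handshake(body, length)
        else:
            msgs, encrypted[direction] = [], encrypted[direction] or rtype == 20
        events.append((direction, RECORD_TYPES.get(rtype, "type %d" % rtype), version, length, msgs))
    return events

def summarize(trace):
    """Return (record events, decoded certificate-status flags or None)."""
    m = STATUS_RE.search(trace)
    return parse_records(split_chunks(trace)), decode_cert_status(int(m.group(1), 16)) if m else None

# Constructed sample: the records from the post, with elided bodies cut short.
SAMPLE_TRACE = """\
tls_write: want=82, written=82
 0000:  16 03 02 00 4d 01 00 00  49 03 02 4b 14 69 de 3f   ....M...I..K.i.?
 0010:  1d da b8 25 55 a7 57 17  ed b5 98 f0 f0 d7 9d 2e   ...%U.W.........
 0020:  5a 6a 4e 30 0e 17 84 29  fb e5 ff 00 00 18 00 39   ZjN0...).......9
 0030:  00 33 00 16 00 38 00 32  00 13 00 66 00 35 00 2f   .3...8.2...f.5./
 0040:  00 0a 00 05 00 04 02 01  00 00 07 00 09 00 03 02   ................
 0050:  00 01                                              ..
tls_read: want=5, got=5
 0000:  16 03 01 0a 23                                     ....#
tls_read: want=2595, got=2595
 0000:  02 00 00 46 03 01 4b 14  6a 11 53 df a5 1c 60 34   ...F..K.j.S...`4
tls_write: want=12, written=12
 0000:  16 03 01 00 07 0b 00 00  03 00 00 00               ............
tls_read: want=5, got=5
 0000:  14 03 01 00 01                                     .....
tls_read: want=1, got=1
 0000:  01                                                 .
tls_read: want=5, got=5
 0000:  16 03 01 00 30                                     ....0
tls_read: want=48, got=48
 0000:  21 37 e5 48 47 cc 9d 75  62 72 10 1f 82 52 c7 f3   !7.HG..ubr...R..
TLS: peer cert untrusted or revoked (0x42)
"""
```

Running summarize(SAMPLE_TRACE) labels the client's TLS 1.1 ClientHello, the server's TLS 1.0 ServerHello record (flagged as only partly dumped), the client's empty Certificate message, and the server's ChangeCipherSpec and encrypted Finished, and returns the two flag names for 0x42. Since the server's ChangeCipherSpec and Finished arrive before the error, the handshake itself completed; what failed is the client-side chain check, which is why the fix lives in the client's TLS_CACERT rather than in the TCP or cipher configuration.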


