Problem Definition:

I have the following sets of files on a Linux host where my server is running. Again, I am trying the ldapsearch command on the same Linux machine.

Certificate files on the server machine:

ls -l /etc/openldap/CERTS/
-rwxrwxrwx 1 root root 1265 Jan 16 18:04 cacert.pem
-rwxrwxrwx 1 root root 3604 Jan 16 18:05 servercrt.pem
-rwxrwxrwx 1 root root 1664 Jan 16 18:05 serverkey.pem

--------------------------------------------------------------

cat /etc/openldap/ldap.conf:

HOST 127.0.0.1
PORT 636
TLS_CACERTDIR /etc/openldap/CERTS/
TLS_CACERT /etc/openldap/CERTS/cacert.pem
TLS_REQCERT demand
BASE dc=example,dc=com

--------------------------------------------------------------

cat /etc/openldap/slapd.conf:

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/rfc822-MailMember.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/redhat/kerberosobject.schema

access to *
    by self write
    by users read
    by anonymous auth

TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/openldap/CERTS/cacert.pem
TLSCertificateFile /etc/openldap/CERTS/servercrt.pem
TLSCertificateKeyFile /etc/openldap/CERTS/serverkey.pem

database ldbm
suffix "dc=my-domain,dc=com"
rootdn "cn=Manager,dc=my-domain,dc=com"
directory /var/lib/ldap
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial

--------------------------------------------------------------

Started the ldap server with:

1. /usr/sbin/slapd -f /etc/openldap/slapd.conf -d 127 -h ldaps:/// &

2. netstat shows that the server is listening on port 636:

netstat -antp | grep slapd
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 14512/slapd

When I executed the following command on the same server machine (Linux host):

ldapsearch -ZZ "CERTS/cacert.pem" -h 192.168.6.146 -p 636 -b "dc=my-domain,dc=com" -d 127

it gave the error logs below:

# ldapsearch -ZZ "CERTS/cacert.pem" -h 192.168.6.146 -p 636 -b "dc=my-domain,dc=com" -d 127
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: 192.168.6.146
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.6.146:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 31 bytes to sd 3
  0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
ldap_write: want=31, written=31
  0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: 192.168.6.146  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Wed Jan 16 22:11:12 2008
** Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
do_ldap_select
read1msg: msgid 1, all 1
ber_get_next
ldap_read: want=1, got=0
ber_get_next failed.
ldap_perror
ldap_start_tls: Can't contact LDAP server

TRIAL 2

Start server with start_ssl:

1. /usr/sbin/slapd -f /etc/openldap/slapd.conf -d 127 start_ssl &

Here netstat shows that the server is listening on 389 and not 636:

# netstat -antp | grep slapd
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 14529/slapd

2. When I executed the following command on the same Linux host (where the server is running):

# ldapsearch -Z "CERTS/cacert.pem" -h 192.168.6.146 -p 389 -b "dc=my-domain,dc=com" -d 5

it gave:

ldap_msgfree
ldap_interactive_sasl_bind_s: server supports: GSSAPI PLAIN LOGIN
ldap_int_sasl_bind: GSSAPI PLAIN LOGIN
ldap_perror
ldap_sasl_interactive_bind_s: Local error
[EMAIL PROTECTED] openldap]# ldaps*

Thanks,
Digambar

On Jan 16, 2008 7:09 PM, Chris G. Sellers <[EMAIL PROTECTED]> wrote:
> Run your openldap server with debugging turned on (-d option) and
> check the output. Read the man slapd.conf for the different values of
> the -d flag and then see if you see why your connection is failing.
> Post those results here if you don't see the obvious root cause.
>
> Sellers
>
> On Jan 16, 2008, at 1:37 AM, Digambar Sawant wrote:
>
> > Hi,
> >
> > I want to establish a secure ldap connection.
> > I have tried the following:
> >
> > 1. ldap_init
> > 2. ldap_set_option( pLdapObj, LDAP_OPT_X_TLS_CACERTFILE, "/tmp/certficate.cert" );
> > 3. iRetCode = ldap_start_tls_s(pLdapObj, NULL, NULL);
> >
> > Here 3. ldap_start_tls_s failed with error: "Can't contact LDAP server".
> >
> > What is wrong here? Are there any more steps to make it work?
> > Please help me.
> >
> > Thanks,
> > Digambar
>
> ______________________________________________
> Chris G. Sellers | NITLE Technology
> 734.661.2318 | [EMAIL PROTECTED]
> AIM: imthewherd | GTalk: [EMAIL PROTECTED]
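An added example, not code from the thread or from OpenLDAP: a small Python checker that runs over the ldapsearch command line and the ldap.conf/slapd.conf directives quoted above and reports the mismatches the trace points at. It assumes the trial-1 listener is ldaps (slapd was started with -h ldaps:///), that ldapsearch's -Z/-ZZ take no argument so the first non-option word becomes the search filter, and that 1.3.6.1.4.1.1466.20037 in the hex dump is the StartTLS extended-operation OID; the listener scheme, sample command and config strings are constructed from the thread.

```python
# Added example, not code from the thread: lint the ldapsearch invocation and the
# ldap.conf / slapd.conf directives quoted above for the mismatches a reviewer flags.
import shlex

START_TLS_OID = "1.3.6.1.4.1.1466.20037"  # StartTLS OID visible in the client hex dump
def parse_conf(text):
    """Parse OpenLDAP 'DIRECTIVE value' lines into a dict (comments/blanks skipped)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf[key] = value.strip().strip('"')
    return conf

def check_client(cmdline, listener):
    """Findings for an ldapsearch command run against an 'ldap' or 'ldaps' listener."""
    args, opts, positional, i = shlex.split(cmdline)[1:], {"Z": 0}, [], 0
    while i < len(args):
        a = args[i]
        if a.startswith("-Z"):
            opts["Z"] = a.count("Z")          # -Z / -ZZ take no argument
        elif a in ("-h", "-p", "-b", "-d", "-H", "-D", "-w"):
            opts[a[1]], i = args[i + 1], i + 1  # options that consume a value
        elif not a.startswith("-"):
            positional.append(a)              # first positional argument is the filter
        i += 1
    findings = []
    if opts["Z"] and listener == "ldaps":
        findings.append("StartTLS (%s) sent in cleartext to an ldaps listener; use "
                        "-H ldaps://host, or -ZZ against an ldap:/// listener" % START_TLS_OID)
    if positional and "=" not in positional[0]:
        findings.append("%r is read as the search filter, not a CA path; "
                        "point TLS_CACERT in ldap.conf at the CA instead" % positional[0])
    return findings

def check_server(slapd, ldap):
    """Findings for the slapd.conf / ldap.conf pair."""
    findings, suite = [], slapd.get("TLSCipherSuite", "")
    if "SSLv2" in suite and "!SSLv2" not in suite:
        findings.append("TLSCipherSuite does not exclude SSLv2 ciphers: " + suite)
    if ldap.get("BASE") and ldap["BASE"] != slapd.get("suffix"):
        findings.append("ldap.conf BASE %s != slapd suffix %s" % (ldap["BASE"], slapd.get("suffix")))
    return findings
# Sample input constructed from the command and the relevant directives quoted in the thread.
CMD = 'ldapsearch -ZZ "CERTS/cacert.pem" -h 192.168.6.146 -p 636 -b "dc=my-domain,dc=com" -d 127'
SLAPD_CONF = 'TLSCipherSuite HIGH:MEDIUM:+SSLv2\nsuffix "dc=my-domain,dc=com"'
LDAP_CONF = "PORT 636\nTLS_REQCERT demand\nBASE dc=example,dc=com"
def audit():
    return check_client(CMD, "ldaps") + check_server(parse_conf(SLAPD_CONF), parse_conf(LDAP_CONF))
```

audit() returns four findings for the thread's setup; a command such as `ldapsearch -H ldaps://127.0.0.1 -b "dc=my-domain,dc=com" "(objectClass=*)"` against the same ldaps listener returns none from check_client.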
