Dear Buchan,

Thanks for helping me.

Here is what I tried, and it worked.
During certificate creation, I used the IP address instead of the hostname.
That is why the output of the following command shows an IP address, i.e. 192.168.4.146:
$ openssl x509 -noout -subject -in /etc/openldap/CERTS/servercrt.pem

Everything worked properly when I tried the following command:
$ ldapsearch -x -H ldaps://192.168.4.146:636 -b "dc=my-domain, dc=com"

However, this is only one option.
I don't know why it is failing for the other option, i.e.
1. ldap_init
2. set ldap options
3. start_tls
All this is done in a C program.
The error says "Can't contact LDAP server".

Thanks,
Digambar



On 1/17/08, Buchan Milne <[EMAIL PROTECTED]> wrote:
>
> On Wednesday 16 January 2008 16:06:38 Digambar Sawant wrote:
> > Problem Definition:
> >
> > I have following sets of files on a linux host where my server is
> running.
> > Again, I am trying ldapsearch command on same linux machine.
> >
> > *Certificate files on Server machine:*
> > ls -l /etc/openldap/CERTS/
> > -rwxrwxrwx    1 root     root         1265 Jan 16 18:04 cacert.pem
> > -rwxrwxrwx    1 root     root         3604 Jan 16 18:05 servercrt.pem
> > -rwxrwxrwx    1 root     root         1664 Jan 16 18:05 serverkey.pem
> >
> > --------------------------------------------------------------
> > *cat ldap.conf: */etc/openldap/ldap.conf**
> > HOST 127.0.0.1
>
> You can save typing by setting this, or URI, correctly.
>
> > PORT 636
>
> This isn't going to do much for you ^^^. You may rather want to set URI.
> Please see the man page ('man ldap.conf').
>
> > TLS_CACERTDIR /etc/openldap/CERTS/
> > TLS_CACERT /etc/openldap/CERTS/cacert.pem
>
> I would recommend you use only one of the above two options, to reduce
> confusion.
>
> > TLS_REQCERT demand
> > BASE dc=example,dc=com
>
> [...]
>
> > TLSCACertificateFile /etc/openldap/CERTS/cacert.pem
> > TLSCertificateFile /etc/openldap/CERTS/servercrt.pem
> > TLSCertificateKeyFile /etc/openldap/CERTS/serverkey.pem
>
> [...]
>
> > database        ldbm
>
> Bad idea ^^^.
>
> > suffix          "dc=my-domain,dc=com"
> > rootdn          "cn=Manager,dc=my-domain,dc=com"
> > directory       /var/lib/ldap
> > index   objectClass,uid,uidNumber,gidNumber,memberUid   eq
> > index   cn,mail,surname,givenname                       eq,subinitial
>
> [...]
>
> > *Started ldap server with:*
> > 1. /usr/sbin/slapd -f /etc/openldap/slapd.conf -d 127 -h ldaps:/// &
> > 2. netstat shows that server is listening on port 636
> > netstat -antp | grep slapd
> > tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      14512/slapd
> >
> > When I executed the following command on same server machine (linux host):
> >
> > ldapsearch -ZZ "CERTS/cacert.pem" -h 192.168.6.146 -p 636 -b
> > "dc=my-domain,dc=com" -d 127
>
> 1) Under your current configuration, this requires that the server has a
> certificate with the subject's CN=192.168.6.146, or that this IP is in the
> subjAltName extension on the certificate. If, instead, there is a hostname
> as the CN, then you should use the hostname wherever you want to specify a
> connection, and ensure your name resolution takes care of connecting to
> the correct IP address.
>
> Please show the output from:
>
> $ openssl x509 -noout -subject -in /etc/openldap/CERTS/servercrt.pem
>
> It should match whatever you use after -h or -H ldaps://
>
> 2) You shouldn't use -Z (or -ZZ) on a port already running SSL/TLS. Instead
> use an ldaps URI (-H ldaps://name.on.cert).
>
> 3) "CERTS/cacert.pem" must be removed; you can't specify any certificate
> filenames via command-line options.
>
> > It gave error logs as below:
> >
> > #ldapsearch -ZZ "CERTS/cacert.pem" -h 192.168.6.146 -p 636 -b
> > "dc=my-domain,dc=com" -d 127*
> > *ldap_start_tls: Can't contact LDAP server*
>
> This is the correct behaviour ...
>
> > *TRIAL 2*
> >
> > *Start server with start_ssl*
> >
> > 1. /usr/sbin/slapd -f /etc/openldap/slapd.conf -d 127 *start_ssl* &
>
> ?????
>
> There should be no *start_ssl* in your commandline. If slapd has been
> configured with SSL certificates correctly, starting it up without any
> specific options will enable START_TLS.
>
>
> > Here netstat shows that server is listening on 389 and not 636
> > # netstat -antp | grep slapd
> >
> > tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      14529/slapd
>
> You can have both in fact ... but listening on 389 does not confirm the
> START_TLS is configured correctly.
>
> > When executed following command on same linux host (where server is
> > running)
> >
> > 2. #ldapsearch -Z "CERTS/cacert.pem" -h 192.168.6.146 -p 389 -b
> > "dc=my-domain,dc=com" -d 5
>
> 1) Same issue as above with certificate's subjectDN and hostname etc.
> 2) Same issue regarding "CERTS/cacert.pem".
>
> > *ldap_interactive_sasl_bind_s: server supports: GSSAPI PLAIN LOGIN*
> > *ldap_int_sasl_bind: GSSAPI PLAIN LOGIN*
> > *ldap_perror*
> > *ldap_sasl_interactive_bind_s: Local error*
> > [EMAIL PROTECTED] openldap]# ldaps*
>
> You forgot -x.
>
>
> Regards,
> Buchan
>

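The point Buchan makes in item 1 (the name given after -h or -H ldaps:// has to match the certificate's subject CN or an entry in its subjectAltName, otherwise libldap refuses the connection), and Digambar's confirmation that a certificate issued to the IP address 192.168.4.146 then worked, is illustrated by the following Python sketch. This is an added example, not code from the thread or from OpenLDAP: it reimplements the name-matching rule the thread describes (CN or SAN; wildcard allowed only for the leftmost DNS label) and builds a client TLS context equivalent to the TLS_CACERT plus TLS_REQCERT demand settings in ldap.conf. The certificate dicts are constructed sample data in the shape Python's ssl getpeercert() returns, and the name ldap.example.com is an assumption.

```python
import ipaddress
import ssl

# Constructed sample certificate mirroring the thread's working setup:
# the subject CN is the server's IP address and there is no SAN.
CERT_CN_IS_IP = {
    "subject": ((("commonName", "192.168.4.146"),),),
    "subjectAltName": (),
}

# Constructed sample certificate issued to a hostname, with DNS and IP SAN entries.
CERT_WITH_SAN = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (
        ("DNS", "ldap.example.com"),
        ("DNS", "*.ldap.example.com"),
        ("IP Address", "192.168.4.146"),
    ),
}


def _subject_cn(cert):
    """Pull commonName out of the nested subject tuple getpeercert() produces."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def _dns_match(pattern, host):
    """Case-insensitive DNS match; a single leftmost-label wildcard is allowed."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]  # e.g. ".ldap.example.com"
    label = host[: -len(suffix)] if host.endswith(suffix) else ""
    # The wildcard must cover exactly one non-empty label.
    return bool(label) and "." not in label


def peer_name_matches(cert, host):
    """Return (ok, reason): does `host`, the name used after -h / -H ldaps://, match the cert?"""
    cn = _subject_cn(cert)
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None

    if ip is not None:
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, "IP literal found in subjectAltName"
        if cn == host:
            # CN fallback: what the thread relied on; RFC 6125-style validators
            # expect IP literals in the SAN instead.
            return True, "IP literal matches subject CN"
        return False, "IP literal %s is in neither the SAN nor the CN" % host

    for kind, value in sans:
        if kind == "DNS" and _dns_match(value, host):
            return True, "hostname matches SAN DNS entry %s" % value
    if cn and _dns_match(cn, host):
        return True, "hostname matches subject CN"
    return False, "hostname %s is in neither the SAN nor the CN" % host


def build_client_context(cafile=None):
    """Client TLS settings equivalent to TLS_CACERT <cafile> + TLS_REQCERT demand."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile=None: system CA store
    ctx.verify_mode = ssl.CERT_REQUIRED  # TLS_REQCERT demand: unverifiable cert aborts
    ctx.check_hostname = True            # enforce the name rule shown above
    return ctx


def context_enforces_verification(ctx):
    """True if the context both verifies the chain and checks the peer name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


if __name__ == "__main__":
    for cert, host in [(CERT_CN_IS_IP, "192.168.4.146"),
                       (CERT_CN_IS_IP, "192.168.6.146"),
                       (CERT_WITH_SAN, "ldap.example.com"),
                       (CERT_WITH_SAN, "host1.ldap.example.com")]:
        print(host, peer_name_matches(cert, host))
```

The same check runs inside libldap when a C program calls ldap_start_tls_s or opens an ldaps:// URI, so a mismatch there surfaces as the generic "Can't contact LDAP server" rather than a certificate-specific message; comparing the connect name against openssl x509 -noout -subject (and -ext subjectAltName) output, as Buchan asks, is the quickest way to rule this cause in or out.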