Hi,

I am using openldap-2.4.26 on one machine, and pam_ldap-186 and nss_ldap-265 
on another machine, both machines running Fedora-10.
I am trying for a secure communication using TLS/SSL. When I try to connect to 
the LDAP client machine using SSH, after authentication succeeds the shell 
prompt is returned only after 3 or 4 minutes. I don't know why it is taking so much 
time. This is happening for the users which are present only in the LDAP database, 
i.e. the user is not created on the client machine.

At the server side I am getting the following errors.
TLS: can't accept: (unknown).
connection_read(18): TLS accept failure error=-1 id=1068, closing
connection_closing: readying conn=1068 sd=18 for close
connection_close: conn=1068 sd=18
daemon: removing 18
conn=1068 fd=18 closed (TLS negotiation failure)
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
I have created the CA certificate with the CA.sh script. I followed the procedure 
given below.
http://octaldream.com/~scottm/talks/ssl/opensslca.html

I copied the same cacert.pem file from the server to the client machine after 
running the above procedure on the server machine.
The configuration files are as follows.

slapd.conf

include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/nis.schema

TLSCipherSuite          HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
TLSCACertificateFile    /etc/pki/CA/cacert.pem
TLSCertificateFile      /etc/pki/tls/misc/newcert.pem
TLSCertificateKeyFile   /etc/pki/tls/misc/newkey.pem
TLSVerifyClient         allow

pidfile         /usr/local/var/run/slapd.pid
argsfile        /usr/local/var/run/slapd.args

access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by * read

#######################################################################
# BDB database definitions
#######################################################################

database        bdb
suffix          "dc=samsung,dc=com"
rootdn          "cn=Manager,dc=samsung,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          123qwe
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /usr/local/var/openldap-data
# Indices to maintain
# unique id so equality match only
index   uid             eq
index   userPassword    eq
# allows general searching on commonname, givenname and mail
index   cn,gn,sn,ou,o,mail      eq,sub
index   objectClass     eq


and ldap.conf has the following configuration

base dc=samsung,dc=com
uri ldaps://localhost.localdomain/
tls_cacertfile /etc/pki/CA/cacert.pem
pam_password md5
nss_map_attribute gecos description

Please let me know where I am making a mistake and how to fix this problem.

Warm Regards
Vijay S.
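As an added example (not code from the original post, nor from the OpenLDAP, pam_ldap or nss_ldap projects), the following Python checker parses the slapd.conf and ldap.conf directives posted above and flags the settings a reviewer would question first: the `+SSLv2`/`+SSLv3` entries in TLSCipherSuite, the cleartext rootpw that the file's own comment warns about, an ldaps:// uri without a tls_cacertfile, and a CA file that differs between client and server. The embedded config texts are constructed copies of the posted files trimmed to the relevant directives; the check names and helper functions are this example's own.

```python
"""Static checks for a slapd.conf / ldap.conf pair (added example)."""
import os
import re
from urllib.parse import urlsplit

# Constructed copies of the posted configuration, trimmed to the directives
# the checks look at. In practice read the real files instead.
SLAPD_CONF = """\
TLSCipherSuite          HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
TLSCACertificateFile    /etc/pki/CA/cacert.pem
TLSCertificateFile      /etc/pki/tls/misc/newcert.pem
TLSCertificateKeyFile   /etc/pki/tls/misc/newkey.pem
TLSVerifyClient         allow
rootdn          "cn=Manager,dc=samsung,dc=com"
rootpw          123qwe
"""

LDAP_CONF = """\
base dc=samsung,dc=com
uri ldaps://localhost.localdomain/
tls_cacertfile /etc/pki/CA/cacert.pem
pam_password md5
nss_map_attribute gecos description
"""


def parse_directives(text):
    """Parse 'directive value' lines into {name: [values]}.

    Both files use one directive per line. slapd.conf continues a directive
    on following lines that start with whitespace, and directive names are
    case-insensitive, so continuation lines are folded and keys lower-cased.
    Repeated directives (include, index, access, ...) keep every value.
    """
    folded = re.sub(r"\n[ \t]+", " ", text)
    conf = {}
    for line in folded.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        name = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(name, []).append(value)
    return conf


def check_configs(slapd_text, ldap_text):
    """Return a list of (severity, message) findings for the config pair."""
    slapd = parse_directives(slapd_text)
    client = parse_directives(ldap_text)
    findings = []

    # 1. '+SSLv2' / '+SSLv3' in an OpenSSL cipher string re-enables cipher
    #    suites for protocol versions that are deprecated and should stay off.
    for suite in slapd.get("tlsciphersuite", []):
        for weak in ("+SSLv2", "+SSLv3"):
            if weak in suite:
                findings.append(("warn", f"TLSCipherSuite enables {weak} ciphers"))

    # 2. rootpw in cleartext: slapd accepts a {SSHA}... hash from slappasswd(8).
    for pw in slapd.get("rootpw", []):
        if not pw.startswith("{"):
            findings.append(("warn", "rootpw is cleartext; use a slappasswd(8) hash"))

    # 3. An ldaps:// uri only works if the client can verify the server
    #    certificate: it needs a CA file, and the certificate must be issued
    #    for the host name written in the uri.
    for uri in client.get("uri", []):
        parts = urlsplit(uri)
        if parts.scheme != "ldaps":
            continue
        if "tls_cacertfile" not in client:
            findings.append(("error", f"{uri} uses ldaps but no tls_cacertfile is set"))
        findings.append(("info", f"server certificate must match host '{parts.hostname}'"))

    # 4. Client and server should point at the same CA (the post copies
    #    cacert.pem from the server to the client).
    server_ca = slapd.get("tlscacertificatefile", [])
    client_ca = client.get("tls_cacertfile", [])
    if server_ca and client_ca and \
            os.path.basename(server_ca[-1]) != os.path.basename(client_ca[-1]):
        findings.append(("warn", "client and server reference different CA files"))

    return findings


if __name__ == "__main__":
    for severity, message in check_configs(SLAPD_CONF, LDAP_CONF):
        print(f"[{severity}] {message}")
```

Run against the posted files the checker reports the two weak-protocol entries, the cleartext rootpw and the host name the server certificate has to match; it stays silent on the CA file because both sides reference cacert.pem.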
