Hi,
Any idea please?
cheers
--- fatima riadi <[EMAIL PROTECTED]> wrote:
> Hello all,
>
> Here are my configuration files (I deleted the comments).
> If you have any remarks, please let me know.
>
> ====================================================
> /etc/openldap/slapd.conf
> ------------------------
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/nis.schema
> include /etc/openldap/schema/samba.schema
> include /etc/openldap/schema/misc.schema
> include /etc/openldap/schema/openldap.schema
> #include /etc/openldap/schema/redhat/rfc822-MailMember.schema
> include /etc/openldap/schema/redhat/autofs.schema
>
> allow bind_v2
>
> pidfile /var/run/slapd.pid
> #argsfile //var/run/slapd.args
>
> TLSCertPath /path/to/certs
> TLSCACertificateFile /path/to/certs/ca.pem
> TLSCertificateFile /path/to/certs/ldap.example.com.pem
> TLSCertificateKeyFile /path/to/keys/ldap.example.com.key
>
> # I set these ACLs just for testing, I'll change them later!
> access to *
>     by * write
>     by * read
>
> #######################################
> # ldbm and/or bdb database definitions
> #######################################
>
> database ldbm
> suffix "dc=example,dc=com"
> rootdn "cn=Manager,dc=example,dc=com"
> rootpw {SSHA}rootdn_hashed_password
>
> # The database directory MUST exist prior to running slapd AND
> # should only be accessible by the slapd and slap tools.
> # Mode 700 recommended.
> directory /var/lib/ldap
>
> # Indices to maintain for this database
> index objectClass eq,pres
> index ou,cn,mail,surname,givenname eq,pres,sub
> index uidNumber,gidNumber,loginShell eq,pres
> index uid,memberUid eq,pres,sub
> index nisMapName,nisMapEntry eq,pres,sub
> index sambaSID,sambaDomainName,sambaPrimaryGroupSID eq
>
> ===================================================
> The ldap client conf file (/etc/openldap/ldap.conf):
> ---------------------------------------------------
> HOST ldap.example.com
> BASE dc=example,dc=com
> TLS_CACERT /path/to/certs/ca.pem
> TLS_CACERTDIR /path/to/certs
>
> ====================================================
> The /etc/ldap.conf file:
> -----------------------
> host ldap.example.com
> base dc=example,dc=com
> binddn cn=nssldap,ou=DSA,dc=example,dc=com
> bindpw clear_text_nssldap_pwd
> rootbinddn cn=Manager,dc=example,dc=com
> #port 389
>
> nss_base_passwd dc=example,dc=com?sub
> nss_base_shadow dc=example,dc=com?sub
> nss_base_group ou=groups,dc=example,dc=com?one
>
> ssl start_tls
> #ssl on
> tls_checkpeer yes
> tls_cacertfile /path/to/certs/ca.pem
> tls_cacertdir /path/to/certs
> # SSL cipher suite
> #tls_ciphers ALL
> pam_password md5
> ==================================================
>
> I actually tried to follow the steps given in the "smbldap-tools howto"
> document. I also referred to "OpenLDAP SSL/TLS how-to, D. Kent Soper"
> and many other docs.
>
> s_client to s_server works. Also ldapsearch to s_server works.
> But s_client to my slapd server does not work.
>
> Now, if I try to connect the s_client to the slapd server through
> port 636, the server returns the following:
> TLS trace: SSL_accept:error in SSLv3 read client hello B
> TLS: can't accept.
> TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:882
>
> I tried to run s_client with many values of the -cipher option (also
> with the -ssl3 or -tls1 options), but the situation didn't improve.
> =======================================
>
> ldapsearch against the slapd server returns:
> ldap_start_tls: Can't contact LDAP server (81)
> additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (81)
> additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
>
> I really would like to have any help.
>
> Thanks.
>
> --- fatima riadi <[EMAIL PROTECTED]> wrote:
> > Date: Thu, 24 Mar 2005 12:50:48 +0100 (CET)
> > From: fatima riadi <[EMAIL PROTECTED]>
> > Subject: Fwd: Re: TLS secure connection to an LDAP server
> > To: [EMAIL PROTECTED], "Kurt D. Zeilenga" <[EMAIL PROTECTED]>, [EMAIL PROTECTED], [email protected]
> >
> > Ldapsearch (ldapsearch -d3 -x -H ldaps://ldap_srv.domain.com:636) to
> > s_server (openssl s_server -debug -accept 636 -state -cert
> > /path/to/ldap_srv_cert.pem -key /path/to/ldap_srv_key.key -CAfile
> > /path/to/ca.pem) works fine.
> > But, when I run my ldap server (slapd -d5 -h "ldap:/// ldaps:///") and
> > I try testing the s_client connection to it, I get these error messages:
> >
> > From the s_client output:
> > ------------------------
> > SSL_connect:SSLv2/v3 write client hello A
> > ...
> > ...
> > SSL3 alert read:fatal:handshake failure
> > SSL_connect:error in SSLv2/v3 read server hello A
> > 2151:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:470:
> >
> > From the slapd debug output:
> > ---------------------------
> > TLS trace: SSL_accept:before/accept initialization
> > TLS trace: SSL3 alert write:fatal:handshake failure
> > TLS trace: SSL_accept:error in SSLv3 read client hello B
> > TLS trace: SSL_accept:error in SSLv3 read client hello B
> > TLS: can't accept.
> > TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:882
> > connection_read(8): TLS accept error error=-1 id=0, closing
> > connection_closing: readying conn=0 sd=8 for close
> > connection_close: conn=0 sd=8
> >
> > Ldapsearch to slapd:
> > -------------------
> > When I run "ldapsearch -d3 -x -H ldaps://ldap_srv.domain.com:636" I get:
> >
> > TLS trace: SSL_connect:SSLv2/v3 write client hello A
> > tls_read: want=7, got=7
> > .....
> > TLS trace: SSL3 alert read:fatal:handshake failure
> > TLS trace: SSL_connect:error in SSLv2/v3 read server hello A
> > TLS: can't connect.
> > ldap_perror
> > ldap_bind: Can't contact LDAP server (81)
> > additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
> >
> > ====================================================
> >
> > I didn't set any TLSCipherSuite in the slapd.conf file. I also didn't
> > set any value for tls_ciphers in the /etc/ldap.conf file.
> >
> > I would appreciate any suggestion.
> > Thanks to you all.
> >
> > --- fatima riadi <[EMAIL PROTECTED]> wrote:
> > > Hi all,
> > >
> > > --- "Kurt D. Zeilenga" <[EMAIL PROTECTED]> wrote:
> > > > Have you gotten s_client to work with s_server? If not,
> > > > there is no reason to expect OpenLDAP Software to work.
> > >
> > > I've gotten s_client to work with s_server.
> > >
> > > Here is a sample of my s_server debug output:
> > >
> > > Using default temp DH parameters
> > > ACCEPT
> > > SSL_accept:before/accept initialization
> > > ....
> > > SSL_accept:SSLv3 read client hello A
> > > ....
> > > SSL_accept:SSLv3 write server hello A
> > > ....
> > > SSL_accept:SSLv3 write key exchange A
> > > ....
> > > SSL_accept:SSLv3 write server done A
> > > SSL_accept:SSLv3 flush data
> > > ....
> > > SSL_accept:SSLv3 write finished A
> > > SSL_accept:SSLv3 flush data
> > > ....
> > >
> > > ======================================================
> > > And this is a part of my s_client output:
> > >
> > > SSL_connect:SSLv3 read server certificate A
> > > SSL_connect:SSLv3 read server key exchange A
> > > SSL_connect:SSLv3 read server done A
> > > SSL_connect:SSLv3 write client key exchange A
> > > SSL_connect:SSLv3 write change cipher spec A
> > > SSL_connect:SSLv3 write finished A
> > > SSL_connect:SSLv3 flush data
> > > SSL_connect:SSLv3 read finished A
> > > ---
> > > Certificate chain
> > > ...
> > > ...
> > > ...
> > > -----END CERTIFICATE-----
> > > ---
> > > Server certificate
> > > ---
> > > No client certificate CA names sent
> > > ---
> > > SSL handshake has read 2043 bytes and written 276 bytes
> > > ---
> > > New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> > > Server public key is 1024 bit
> > > SSL-Session:
> > > Protocol : TLSv1
> > > Cipher : DHE-RSA-AES256-SHA
> > > Session-ID: xxxxxxxxxxxxxxxxxx
> > > Session-ID-ctx:
> > > Master-Key: xxxxxxxxxxxxxxx
> > > Key-Arg : None
> > > Krb5 Principal: None
> > > Start Time: 1111619531
> > > Timeout : 300 (sec)
> > > Verify return code: 0 (ok)
> > > ---
> > >
> > > ====================================================
> > > However, s_client's connection to my ldap server still fails.
> > >
> > > What may I do to solve this problem please?
> > >
> > > Thanks
> > >
> > > __________________________________________________________________
> > > Discover the new Yahoo! Mail: 250 MB of storage for your mail!
> > > Create your Yahoo! Mail at http://fr.mail.yahoo.com/
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
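The thread quotes two traces of the same failed handshake: slapd logs "no shared cipher" while processing the ClientHello and writes a fatal alert, and s_client/ldapsearch only log the alert they received. As an added example (not from the thread, OpenLDAP or OpenSSL), the script below decodes the packed OpenSSL error codes that appear in those lines (lib / function / reason fields), works out from the "alert write" / "alert read" trace lines which side aborted, and lists the server-side checks that the "no shared cipher" reason calls for. The reason constants are assumed to be the ssl.h values of the OpenSSL 0.9.x line the thread uses, and the sample logs are constructed reproductions of the output quoted above, unwrapped to one message per line.

```python
import re

# OpenSSL 0.9.x/1.0.x pack an error code as lib (8 bits) | func (12 bits) | reason (12 bits).
ERR_LIB_SSL = 0x14

# Reason constants as in OpenSSL's ssl.h of that era (assumed; check the ssl.h of your build).
SSL_R_NO_SHARED_CIPHER = 193
SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE = 1040
SSL_REASON_NAMES = {
    SSL_R_NO_SHARED_CIPHER: "SSL_R_NO_SHARED_CIPHER",
    SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE: "SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE",
}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):([^:]*)")
ALERT_RE = re.compile(r"alert (read|write):fatal:(.+)$")

# Constructed reproductions of the slapd -d5 and openssl s_client output quoted in the
# thread, unwrapped to one line per message as the tools actually print them.
SLAPD_LOG = """\
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client hello B
TLS: can't accept.
TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:882
connection_read(8): TLS accept error error=-1 id=0, closing
"""

S_CLIENT_LOG = """\
SSL_connect:SSLv2/v3 write client hello A
SSL3 alert read:fatal:handshake failure
SSL_connect:error in SSLv2/v3 read server hello A
2151:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:470:
"""


def decode_error(line):
    """Unpack one 'error:XXXXXXXX:lib:func:reason' line into its fields; None if absent."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    reason = code & 0xFFF
    # OpenSSL appends the source file after the reason text ("no shared cipher s3_srvr.c").
    reason_text = re.sub(r"\s+\S+\.c$", "", m.group(4)).strip()
    return {
        "code": code,
        "lib": (code >> 24) & 0xFF,
        "func": (code >> 12) & 0xFFF,
        "reason": reason,
        "reason_name": SSL_REASON_NAMES.get(reason, "unknown"),
        "func_text": m.group(3),
        "reason_text": reason_text,
    }


def _fatal_alerts(log, direction):
    """Alert descriptions one side logged as sent ('write') or received ('read')."""
    found = []
    for line in log.splitlines():
        m = ALERT_RE.search(line)
        if m and m.group(1) == direction:
            found.append(m.group(2).strip())
    return found


def alert_origin(server_log, client_log):
    """The side that wrote the fatal alert is the side that decided to abort."""
    if _fatal_alerts(server_log, "write") and _fatal_alerts(client_log, "read"):
        return "server"
    if _fatal_alerts(client_log, "write") and _fatal_alerts(server_log, "read"):
        return "client"
    return "unknown"


def triage(server_log, client_log):
    """Correlate both traces and return what to check on the side that aborted."""
    srv = [e for e in map(decode_error, server_log.splitlines()) if e]
    cli = [e for e in map(decode_error, client_log.splitlines()) if e]
    result = {
        "origin": alert_origin(server_log, client_log),
        "server_reasons": sorted({e["reason_name"] for e in srv}),
        "client_reasons": sorted({e["reason_name"] for e in cli}),
        "checks": [],
    }
    if any(e["reason"] == SSL_R_NO_SHARED_CIPHER for e in srv):
        # NO_SHARED_CIPHER at ClientHello: no offered suite is usable with what the server loaded.
        result["checks"] += [
            "confirm the server certificate and private key load; without a usable key no RSA/DHE-RSA suite can complete",
            "confirm the key matches the certificate: 'openssl x509 -noout -modulus' vs 'openssl rsa -noout -modulus'",
            "confirm the key file is readable by the uid slapd runs as; s_server runs as the invoking user, slapd usually does not",
            "if TLSCipherSuite is set, intersect it with what the client offers (openssl s_client -cipher LIST)",
        ]
    if result["origin"] == "server" and any(
        e["reason"] == SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE for e in cli
    ):
        result["checks"].append(
            "the client's 'sslv3 alert handshake failure' only echoes the server's alert; diagnose on the server"
        )
    return result


if __name__ == "__main__":
    report = triage(SLAPD_LOG, S_CLIENT_LOG)
    print("alert origin:", report["origin"])
    print("server reasons:", report["server_reasons"])
    print("client reasons:", report["client_reasons"])
    for check in report["checks"]:
        print(" -", check)
```

Run on the constructed logs it reports the server as the origin of the alert and lists the four server-side checks plus the note that the client error is only the echo. One point the script cannot see but a reviewer of the posted slapd.conf would: `TLSCertPath` is not a slapd TLS directive (the directory form is `TLSCACertificatePath`), so the directive list should be verified against the slapd.conf(5) page for the installed version alongside the certificate and key checks.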