Bug#381788: slapd: TLS connections fail when running as non-root

2006-08-13 Thread Berg, Michael
Quanah, Thank you for all your help on this! I think this round of debugging finally found the problem! (which looks like either a "libldap-2.3-0 vs. libldap2" or a "gnutls vs. openssl" conflict in the Debian packages). Here are the answers to the questions from Howard Chu. > [13:21] Howard Chu

Bug#381788: [Pkg-openldap-devel] Re: Bug#381788: slapd: TLS connections fail when running as non-root

2006-08-13 Thread Quanah Gibson-Mount
--On Wednesday, August 09, 2006 7:10 PM -0600 "Berg, Michael" <[EMAIL PROTECTED]> wrote: So right before SSL fails, the root version "writes server done" while the openldap version "writes certificate request". Hi Michael, I ran this updated information by Howard Chu (primary OpenLDAP dev

Bug#381788: [Pkg-openldap-devel] Re: Bug#381788: slapd: TLS connections fail when running as non-root

2006-08-09 Thread Berg, Michael
> ... what does the output from "slapd -d -1" show in the following bits: > > (a) running as root, up until waiting for a connection > (b) running as root, getting a problem connection > (c) running as openldap user, up until waiting for a connection > (d) running as openldap user, getting a probl

Bug#381788: [Pkg-openldap-devel] Re: Bug#381788: slapd: TLS connections fail when running as non-root

2006-08-09 Thread Quanah Gibson-Mount
--On Wednesday, August 09, 2006 12:49 AM -0600 "Berg, Michael" <[EMAIL PROTECTED]> wrote: Okay, hm. Can you try this, preferably with daemontools: /usr/bin/setuidgid openldap /bin/cat for every cert you believe the server should be able to read. It really seems like the "openldap" user/

Bug#381788: [Pkg-openldap-devel] Re: Bug#381788: slapd: TLS connections fail when running as non-root

2006-08-09 Thread Berg, Michael
> Okay, hm. Can you try this, preferably with daemontools: > > /usr/bin/setuidgid openldap /bin/cat > > for every cert you believe the server should be able to read. It really > seems like the "openldap" user/group doesn't have permission to > something that it should. I don't have daemontool

Bug#381788: [Pkg-openldap-devel] Re: Bug#381788: slapd: TLS connections fail when running as non-root

2006-08-08 Thread Quanah Gibson-Mount
--On Tuesday, August 08, 2006 10:28 PM -0600 "Berg, Michael" <[EMAIL PROTECTED]> wrote: Does it work if you use "-h localhost" (similar to what you were doing with the openssl command)? Generally, you must provide the fully qualified domain name to the "-h" parameter for SSL/TLS to work. F

Bug#381788: [Pkg-openldap-devel] Re: Bug#381788: slapd: TLS connections fail when running as non-root

2006-08-08 Thread Berg, Michael
> Does it work if you use "-h localhost" (similar to what you were doing > with the openssl command)? > > Generally, you must provide the fully qualified domain name to the "-h" > parameter for SSL/TLS to work. > > For example, "-h ldap" doesn't work for me, but "-h ldap.stanford.edu" > does. My

Bug#381788: [Pkg-openldap-devel] Re: Bug#381788: slapd: TLS connections fail when running as non-root

2006-08-08 Thread Berg, Michael
> This error is coming straight from the OpenSSL libraries. > Have you tried connecting with openssl s_client? Yes. I am running slapd listening on both ports 389 (using starttls) and port 636 (SSL only to support some software that doesn't support starttls). As pointed out in my original bug re

Bug#381788: [Pkg-openldap-devel] Re: Bug#381788: slapd: TLS connections fail when running as non-root

2006-08-08 Thread Quanah Gibson-Mount
--On Tuesday, August 08, 2006 9:52 PM -0600 "Berg, Michael" <[EMAIL PROTECTED]> wrote: This error is coming straight from the OpenSSL libraries. Have you tried connecting with openssl s_client? Yes. I am running slapd listening on both ports 389 (using starttls) and port 636 (SSL only to

Bug#381788: [Pkg-openldap-devel] Re: Bug#381788: slapd: TLS connections fail when running as non-root

2006-08-08 Thread Quanah Gibson-Mount
--On Tuesday, August 08, 2006 8:23 PM -0600 "Berg, Michael" <[EMAIL PROTECTED]> wrote: I spent some more time debugging, and here is some additional info. I ran slapd with debugging again ('-d 7' to match the previous ldapsearch debug output), and this time I spotted something that I must h

Bug#381788: slapd: TLS connections fail when running as non-root

2006-08-08 Thread Berg, Michael
I spent some more time debugging, and here is some additional info. I ran slapd with debugging again ('-d 7' to match the previous ldapsearch debug output), and this time I spotted something that I must have missed before. In the interest of space, I removed the pages-upon-pages of output generat

Bug#381788: [Pkg-openldap-devel] Bug#381788: slapd: TLS connections fail when running as non-root

2006-08-08 Thread Matthijs Mohlmann
On Mon, 07 Aug 2006 19:38:06 -0600 "Berg, Michael" <[EMAIL PROTECTED]> wrote: > >> And just for completeness, here are the contents of my ldap.conf file > >> == > >> BASE dc=mydomain,dc=dyndns,dc=org > >> URI ldap://ldap.mydomain.dyndns.org > >> TLS_CIPHER_SUITE HIGH:!ADH >

Bug#381788: [Pkg-openldap-devel] Bug#381788: slapd: TLS connections fail when running as non-root

2006-08-08 Thread Quanah Gibson-Mount
--On Tuesday, August 08, 2006 10:16 PM +0200 Matthijs Mohlmann <[EMAIL PROTECTED]> wrote: On Mon, 07 Aug 2006 19:38:06 -0600 "Berg, Michael" <[EMAIL PROTECTED]> wrote: >> And just for completeness, here are the contents of my ldap.conf file >> == >> BASE dc=mydomain,dc=dyndns,dc=

Bug#381788: [Pkg-openldap-devel] Bug#381788: slapd: TLS connections fail when running as non-root

2006-08-07 Thread Berg, Michael
>> And just for completeness, here are the contents of my ldap.conf file >> == >> BASE dc=mydomain,dc=dyndns,dc=org >> URI ldap://ldap.mydomain.dyndns.org >> TLS_CIPHER_SUITE HIGH:!ADH >> TLS_CACERT /etc/ssl/certs/mydomain.dyndns.org_CA.pem >> TLS_REQCERT demand >> T

Bug#381788: [Pkg-openldap-devel] Bug#381788: slapd: TLS connections fail when running as non-root

2006-08-07 Thread Matthijs Mohlmann
On Sun, 06 Aug 2006 17:10:24 -0600 Michael Berg <[EMAIL PROTECTED]> wrote: > Package: slapd > Version: 2.3.25-1 > Severity: normal > > I've had this problem in both slapd 2.3.24-2 and 2.3.25-1. > When slapd is running as root, everything works perfectly. But when running > as a non-root user (li

Bug#381788: slapd: TLS connections fail when running as non-root

2006-08-06 Thread Michael Berg
Package: slapd Version: 2.3.25-1 Severity: normal I've had this problem in both slapd 2.3.24-2 and 2.3.25-1. When slapd is running as root, everything works perfectly. But when running as a non-root user (like the new default "openldap"), TLS connections fail. This affects both port 389+starttls