On Mon, Mar 05, 2007 at 01:57:49PM +0100, Mgr. Peter Tuharsky wrote:
> >What is the cn in the SSL certificate being used by the LDAP server?  It
> >seems odd that this would work at all with start tls, unless your SSL
> >certificate was set up oddly.

> This is the beginning of the /etc/ldap/slapd-cert-ldap1.pem
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 2 (0x2)
>         Signature Algorithm: md5WithRSAEncryption
>         Issuer: C=SK, ST=Slovakia, L=Banska Bystrica, O=Mesto,
>             OU=Referat informatiky, CN=ldap2.misbb.sk/[EMAIL PROTECTED]
>         Validity
>             Not Before: May  2 14:13:55 2004 GMT
>             Not After : May  2 14:13:55 2005 GMT
>         Subject: C=SK, ST=Slovakia, L=Banska Bystrica, O=Mesto,
>             OU=Referat informatiky, CN=ldap1.misbb.sk/[EMAIL PROTECTED]
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (1024 bit)
>                 Modulus (1024 bit):

> It seems that the certificate is expired already.

Right, that's at least one problem in the setup.

> However, there are some questionable circumstances:

> 1, it has been working alright before, a few weeks ago, on Sarge

That suggests a bug in the checking that was done in sarge.

> 2, it works even now for samba if localhost is specified (as mentioned
> before).

That means the information in the certificate is being completely bypassed;
whether that means the TLS negotiation has been aborted and the connection
falls back to plaintext, or the TLS connection has been negotiated in the
absence of a trust path, it's a bad sign.

> 3, linux clients with LDAP authentication don't comply
> 4, AFAIK, samba on client doesn't comply (need to prove)
> 5, eGroupWare webserver with LDAP user authentication doesn't comply

Comply with what?

> 6, if the date of certificate was the right problem here, one would
> assume that someone would complain loudly with "certificate out of date"
> and end up regularly

Well, one would hope so, but it depends on how well the client security has
been configured.

> >Hrm, odd.  Are there any previous errors, possibly at a higher debug
> >level?  If this is on the LDAP socket, it suggests some pretty big
> >brokenness.

> Please, suggest the right debug level that I should use.

Level 5 should be verbose enough for anything we'd need, so if you're
concerned about only having one opportunity to test, please use that.
Otherwise, you could start at 1 and work your way up until we find what we
need.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                 to set it on, and I can move the world.
[EMAIL PROTECTED]                http://www.debian.org/