Hello all, I hope someone can help me. I've been trying for almost a whole day already and couldn't get LDAP over SSL to work, without success.

The objective is to set up a development box for testing purposes, so the simpler the better; however, it must be only as simple as needed. I've followed this tutorial: http://islandlinux.org/howto/installing-secure-ldap-openldap-ssl-ubuntu-using-self-signed-certificate. I'm on Mac OS X Snow Leopard, though.

slapd version (installed from MacPorts):

```
@(#) $OpenLDAP: slapd 2.4.11 (Feb 11 2010 02:23:14)
```

I have generated a self-signed certificate using this command:

```
sudo openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 3650
```

I've set the Common Name to "localhost". The configuration files look like this (non-relevant parts snipped):

slapd.conf:

```
TLSCipherSuite HIGH:MEDIUM:-SSLv2
TLSCACertificateFile /Users/myuser/Sandbox/server.pem
TLSCertificateFile /Users/myuser/Sandbox/server.pem
TLSCertificateKeyFile /Users/myuser/Sandbox/server.pem
TLSVerifyUser never
```

ldap.conf:

```
BASE dc=mycompany,dc=com
URI ldaps://localhost/
TLS_REQCERT never
```

I'm starting slapd with the following command:

```
sudo /usr/libexec/slapd -f /opt/local/etc/openldap/slapd.conf -d1 -h "ldaps:///"
```

And testing the connection with the following:

```
ldapsearch -H ldaps://localhost -d255
```

When running ldapsearch, I get the following as output:

```
ldap_create
ldap_url_parse_ext(ldaps://localhost)
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_build_search_req ATTRS: supportedSASLMechanisms
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying ::1 636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
tls_write: want=124, written=124
  0000:  80 7a 01 03 01 00 51 00  00 00 20 00 00 39 00 00   .z....Q... ..9..
  0010:  38 00 00 35 00 00 16 00  00 13 00 00 0a 07 00 c0   8..5............
  0020:  00 00 33 00 00 32 00 00  2f 00 00 07 05 00 80 03   ..3..2../.......
  0030:  00 80 00 00 05 00 00 04  01 00 80 00 00 15 00 00   ................
  0040:  12 00 00 09 06 00 40 00  00 14 00 00 11 00 00 08   ......@.........
  0050:  00 00 06 04 00 80 00 00  03 02 00 80 0c e4 9d 98   ................
  0060:  c1 ad 36 d0 88 fb 6b 92  32 a0 ce 22 63 82 99 3b   ..6...k.2.."c..;
  0070:  3b 3d 03 03 38 05 d0 a1  30 2d 9f d2               ;=..8...0-..
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=0

TLS: can't connect.
ldap_perror
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
```

As you can see, it fails with the "TLS: can't connect" error message. Not that obvious. I then switch to the terminal that has slapd running in the foreground, and I see the following:

```
(snip)
connection_get(13): got connid=0
connection_read(13): checking for input on id=0
connection_read(13): TLS accept failure error=-1 id=0, closing
connection_closing: readying conn=0 sd=13 for close
connection_close: conn=0 sd=13
```

What I don't understand is why it is failing if I've set both sides to ignore certificates. What am I doing wrong?

Marcelo.
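The tls_write dump in the post is the client's hello, sent in the SSLv2-compatible record format that older OpenSSL clients emit. As an added example (not from the post, and not OpenLDAP's code), the following Python decoder parses those 124 bytes so you can read off which protocol version and which cipher specs the client actually offered before the server closed the connection; the handful of suite names in the table are assumed from OpenSSL's naming.

```python
import struct
# Constructed from the tls_write hex dump in the post (124 bytes, one string per dump line).
CLIENT_HELLO = bytes.fromhex(
    "807a0103010051000000200000390000"
    "3800003500001600001300000a0700c0"
    "00003300003200002f00000705008003"
    "00800000050000040100800000150000"
    "12000009060040000014000011000008"
    "0000060400800000030200800ce49d98"
    "c1ad36d088fb6b9232a0ce226382993b"
    "3b3d03033805d0a1302d9fd2"
)

# OpenSSL names for some of the TLS suites that appear (assumed mapping; others stay numeric).
TLS_SUITE_NAMES = {
    0x0039: "DHE-RSA-AES256-SHA", 0x0035: "AES256-SHA", 0x002F: "AES128-SHA",
    0x000A: "DES-CBC3-SHA", 0x0005: "RC4-SHA", 0x0004: "RC4-MD5",
}

def parse_sslv2_client_hello(data: bytes) -> dict:
    """Decode an SSLv2-format CLIENT-HELLO: 2-byte record header, msg type, version, three lengths, bodies."""
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("not a 2-byte SSLv2 record header")
    rec_len = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + rec_len]
    if len(body) != rec_len:
        raise ValueError(f"truncated record: header says {rec_len}, have {len(body)}")
    if body[0] != 0x01:
        raise ValueError(f"message type 0x{body[0]:02x} is not CLIENT-HELLO")
    major, minor, cs_len, sid_len, chal_len = struct.unpack("!BBHHH", body[1:9])
    if cs_len % 3 or 9 + cs_len + sid_len + chal_len != rec_len:
        raise ValueError("inconsistent length fields")
    specs = [body[i:i + 3] for i in range(9, 9 + cs_len, 3)]
    # A 3-byte spec starting with 0x00 carries a TLS/SSLv3 suite id; any other first byte is SSLv2-only.
    return {
        "version": (major, minor),  # (3, 1) is TLS 1.0 advertised inside an SSLv2 record
        "tls_suites": [int.from_bytes(s[1:], "big") for s in specs if s[0] == 0],
        "sslv2_only_specs": [s.hex() for s in specs if s[0] != 0],
        "session_id_len": sid_len,
        "challenge_len": chal_len,
    }

if __name__ == "__main__":
    hello = parse_sslv2_client_hello(CLIENT_HELLO)
    print("record format: SSLv2, offered version:", hello["version"])
    for suite in hello["tls_suites"]:
        print(f"  TLS suite 0x{suite:04x} {TLS_SUITE_NAMES.get(suite, '')}")
    print("  SSLv2-only specs:", ", ".join(hello["sslv2_only_specs"]))
```

Run against the bytes from the post it reports TLS 1.0 (3, 1) wrapped in an SSLv2 record, 20 TLS suites and 7 SSLv2-only specs, which is what a server rejecting SSLv2-format hellos sees before the client logs `tls_read: want=7, got=0`.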
