openldap SSL problem
Hello,

I am attempting to set up openldap using SSL connections. I've used the following tutorial, which seemed pretty straightforward: http://easylinuxtutorials.blogspot.c...ap-server.html

But when I go to use client side tools (on the same host as the ldap server) I get the following error:

Code:
[root@puppet:/etc/puppet] #ldapsearch -x -h ldap -b "dc=mydomain,dc=com" sub "objectclass=*"

Code:
TLSCACertificateFile /etc/pki/CA/certs/ca.crt

Code:
#

Also I don't see a problem with the ca cert or the ldap.crt in the config. I've included text file versions of my slapd.conf olcDatabase, and output of openssl x509 -in $certfile -noout -text commands for both certs as text files.

I'm not an expert on LDAP, but have you tried testing the connectivity to the LDAP server using telnet or openssl? You can use openssl to verify the certificates as well.

Code:
telnet puppet.mydomain.com 636

View the certificate information on that port as well....

Code:
timeout 3 openssl s_client -connect puppet.mydomain.com:636 < /dev/null | openssl x509 -text | less

Also, by providing your certificate you have provided the name of your server. Perhaps you'll want to edit that (the same could be said about your other attachments)? Assuming your host is what is in your certificate, you have many ports open but the ldapssl port 636 is not one of them. If you're using your LDAP command as you describe, perhaps try the following command.

Code:
ldapsearch -x -H 'ldaps://puppet.mydomain.com' -b "dc=mydomain,dc=com" sub "objectclass=*"

openldap ssl problem
Code:
[bluethundr@vbox:~] #telnet puppet.mydomain.com 636

First I tried pointing it at the directory where the cert is located:

Code:
[bluethundr@vbox:~] #timeout 3 openssl s_client -CApath /etc/pki/CA/certs -servername puppet.mydomain.com -connect puppet.mydomain.com:636

And it fails as above. The command also fails when I give it the full path to the cert:

Code:
[bluethundr@vbox:~] #timeout 3 openssl s_client -CApath /etc/pki/CA/certs/ca.crt -servername puppet.jokefire.com -connect puppet.mydomain.com:636

Code:
[bluethundr@vbox:~] #timeout 3 openssl s_client -connect puppet.mydomain.com:636 < /dev/null | openssl x509 -text | less

Code:
[root@puppet:/etc/puppet] #ldapsearch -x -H 'ldaps://puppet.mydomain.com' -b "dc=mydomain,dc=com" sub "objectclass=*"

Code:
Create CA key

This is puzzling also in light of the fact that other apache related certs I have created this way work just fine. But I suppose one thing I need to try is to recreate the cert. I'll give that a shot and let the thread know how it goes.

Ok, so I gave recreating the cert pair a shot, without any luck. As mentioned, the ca cert pair is one I've used successfully before with apache certs. Here are the steps I took:

Code:
1077 openssl genrsa -des3 -out ldap.key 4096

Code:
[root@puppet:~/ldap-cert] #ls -l /etc/pki/*/* | grep ldap

Still getting no joy at all:

Code:
[root@puppet:~/ldap-cert] #ldapsearch -x -b "dc=mydomain,dc=com" -H ldaps://puppet.mydomain.com

Thanks

telnet can't negotiate SSL. I gave you that command to test connectivity only. If you wish to speak raw protocol, then you can think of openssl s_client as telnet for SSL. In any case, are you sure your client has the certificate authority cert installed on the client? The -CApath arg of s_client can be pointed anywhere, so if you have a directory for the cert you can point it there instead. In any case, "can't contact LDAP server" is not a very descriptive error.

I doubt your current problem is related to SSL. You would see error messages like described in this thread. It still sounds like a connectivity problem. Try using strace or turning up the verbosity of the client. Use tail -f on the server logs while you're connecting to see if the server is logging a connection at all.

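The last reply's point, that "can't contact LDAP server" may be plain TCP reachability rather than TLS, as an added example that is not from this thread: a small Python check that reports which layer fails, so a certificate is only suspected once the port is known to be reachable. The host, port and CA path in the usage line are assumptions taken from the poster's commands.

```python
# Added example (not from the thread): tell a reachability failure apart from a
# TLS/certificate failure before touching slapd's TLS settings.
import socket
import ssl
import threading
from typing import Optional


def diagnose(host: str, port: int = 636, cafile: Optional[str] = None,
             timeout: float = 3.0) -> str:
    """Return one of: dns_failed, tcp_refused, tcp_timeout,
    tls_handshake_failed, tls_verify_failed, tls_ok."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except socket.gaierror:
        return "dns_failed"            # name does not resolve
    except ConnectionRefusedError:
        return "tcp_refused"           # nothing listening on the port
    except (socket.timeout, TimeoutError):
        return "tcp_timeout"           # firewall drop or wrong host
    # TCP works, so anything below is a TLS-layer problem.
    ctx = ssl.create_default_context(cafile=cafile)  # None = system CA store
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.getpeercert()          # handshake done, chain and name verified
            return "tls_ok"
    except ssl.SSLCertVerificationError:
        return "tls_verify_failed"     # CA not trusted or hostname mismatch
    except (ssl.SSLError, OSError):
        return "tls_handshake_failed"  # peer is not speaking TLS on this port
    finally:
        raw.close()


def plain_listener() -> int:
    """Loopback server (constructed test fixture) that accepts one connection
    and closes it without TLS: reachable, but not serving ldaps://."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        conn.close()
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return port


if __name__ == "__main__":
    # Assumed host, port and CA path from the poster's commands; substitute your own.
    print(diagnose("puppet.mydomain.com", 636, "/etc/pki/CA/certs/ca.crt"))
```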