On Mon, 2005-11-14 at 07:48 -0800, Daniel B. Thurman wrote:
> > From: fedora-list-bounces@xxxxxxxxxx
> > [mailto:fedora-list-bounces@xxxxxxxxxx] On Behalf Of Daniel B. Thurman
> > Sent: Monday, November 14, 2005 7:28 AM
> > To: For users of Fedora Core releases (E-mail)
> > Subject: LDAP service script (/etc/init.d/ldap)
> >
> > Hi Folks,
> >
> > I got ldap working but I am not able to get ldaps (secure) to work.
> >
> > I ran some tests:
> >
> > Simple auth, no encryption
> > ====================
> > ldapsearch -H ldap://hostname/ -b dc=example,dc=com -x
> >
> > RESULTS: WORKS!
> >
> > Simple auth, SSL via LDAPS
> > ======================
> > ldapsearch -H ldaps://hostname/ -b dc=example,dc=com -x
> >
> > RESULTS: FAIL: ldap_bind: Can't contact LDAP server (-1)
> >
> >  - Ran slapd -d -1 : See no error hints
> >  - Looked in /var/log/messages - nothing
> >  - netstat -a : shows listener: ldaps
> >
> > If anyone has any suggestions, please let me know!
> >
> > Also, if anyone has any really good links on getting ldap/kerberos/ssl
> > working please let me know!
> >
> > Thanks
> > Dan
>
> Sorry folks about the bad subject line. I fixed that.
>
> I wanted to add more information:
>
> openssl s_client -CAfile /etc/openldap/cacerts/ldapCA.pem -connect ldap.cdkkt.com:636
> CONNECTED(00000003)
> depth=1 /C=US/ST=Oregon/L=Beaverton/O=DBT And Associates/OU=ldap/CN=ldap.cdkkt.com/emailAddress=admin@xxxxxxxxx
> verify return:1
> depth=0 /C=US/ST=Oregon/L=Beaverton/O=DBT And Associates/OU=ldap/CN=ldap.cdkkt.com/emailAddress=admin@xxxxxxxxx
> verify return:1
> ---
> Certificate chain
>  0 s:/C=US/ST=Oregon/L=Beaverton/O=DBT And Associates/OU=ldap/CN=ldap.cdkkt.com/emailAddress=admin@xxxxxxxxx
>    i:/C=US/ST=Oregon/L=Beaverton/O=DBT And Associates/OU=ldap/CN=ldap.cdkkt.com/emailAddress=admin@xxxxxxxxx
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIID0zCCAzygAwIBAgIBATANBgkqhkiG9w0BAQQFADCBlzELMAkGA1UEBhMCVVMx
> DzANBgNVBAgTBk9yZWdvbjESMBAGA1UEBxMJQmVhdmVydG9uMRswGQYDVQQKExJE
> QlQgQW5kIEFzc29jaWF0ZXMxDTALBgNVBAsTBGxkYXAxFzAVBgNVBAMTDmxkYXAu
> Y2Rra3QuY29tMR4wHAYJKoZIhvcNAQkBFg9hZG1pbkBjZGtrdC5jb20wHhcNMDUx
> MTEzMjM1NjA4WhcNMDYxMTEzMjM1NjA4WjCBlzELMAkGA1UEBhMCVVMxDzANBgNV
> BAgTBk9yZWdvbjESMBAGA1UEBxMJQmVhdmVydG9uMRswGQYDVQQKExJEQlQgQW5k
> IEFzc29jaWF0ZXMxDTALBgNVBAsTBGxkYXAxFzAVBgNVBAMTDmxkYXAuY2Rra3Qu
> Y29tMR4wHAYJKoZIhvcNAQkBFg9hZG1pbkBjZGtrdC5jb20wgZ8wDQYJKoZIhvcN
> AQEBBQADgY0AMIGJAoGBAO17IIZe1fv3KGrM+bACxMPeqC+Y0ncsGM7lrAObSYTw
> QlQfsF4fDnBhPrEgyYS5BD7CV5ETyBdUmQfVcs/l5G5AjhAmMUF4POieBwJWsW/I
> hTN+nWPn1Reu6WcqpliU1Jqz5bxy17IOT93Ah/Qnrh9KNVALZ6ZoK0iRirReINIl
> AgMBAAGjggErMIIBJzAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NM
> IEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUmpJK9I5ZX77qgL1p/RSJ
> 9I5MtQ8wgcwGA1UdIwSBxDCBwYAU65DeeNVXt8w3GKUqoF10LK1kf4ahgZ2kgZow
> gZcxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIEwZPcmVnb24xEjAQBgNVBAcTCUJlYXZl
> cnRvbjEbMBkGA1UEChMSREJUIEFuZCBBc3NvY2lhdGVzMQ0wCwYDVQQLEwRsZGFw
> MRcwFQYDVQQDEw5sZGFwLmNka2t0LmNvbTEeMBwGCSqGSIb3DQEJARYPYWRtaW5A
> Y2Rra3QuY29tggkApfBH0A0Oy+kwDQYJKoZIhvcNAQEEBQADgYEAC+Y21AFYLdVB
> psK+4IDVA2+rv8G0pGy+jO4FH+GbKGZbSzCFGPdKigpvDatCxGIndkw8LN58In92
> 4By4U95NvYLLCjdc1DtIDMxEjTNTWwkEjKy/Nkn2vblJp8lrIrHJGimcapimr4zx
> ui4CfJBXtrV3bc2Zp20eaLRgVciv+fU=
> -----END CERTIFICATE-----
> subject=/C=US/ST=Oregon/L=Beaverton/O=DBT And Associates/OU=ldap/CN=ldap.cdkkt.com/emailAddress=admin@xxxxxxxxx
> issuer=/C=US/ST=Oregon/L=Beaverton/O=DBT And Associates/OU=ldap/CN=ldap.cdkkt.com/emailAddress=admin@xxxxxxxxx
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1145 bytes and written 340 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 1024 bit
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : AES256-SHA
>     Session-ID: EEEC2E025097267E2E39E129A1130FDA7921D57F86C4D8CC94CE4D7CBF712865
>     Session-ID-ctx:
>     Master-Key: 28ACBE74CC2972246E9E1039D182643652DC2CC1F91333F68B700F22318C93CCB881A287BEF91AC498B2068C7DFAB39F
>     Key-Arg   : None
>     Krb5 Principal: None
>     Start Time: 1131983082
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> ---
>
> ***** HANGS HERE!!!!!
>
> So, from the test it looks like there is a problem. Anyone
> care to comment???

----
Guessing that you probably need some TLS_REQCERT type of entry in slapd.conf and perhaps an entry in ~/.ldaprc for user stuff.

Craig

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
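As an added example, not code from either message in the thread: the `openssl s_client` run quoted above already reports `Verify return code: 0 (ok)`, so the handshake against that CA file succeeded, and s_client pausing afterwards is it waiting for input on stdin rather than a server fault. The script below runs the same check with stdin closed so it exits after the handshake, summarises the verify code and cipher from the output, and then exercises the LDAP client with the same CA file, since `ldapsearch` takes its TLS trust settings from the client-side `/etc/openldap/ldap.conf` or `~/.ldaprc` (or the matching `LDAPTLS_*` environment variables), not from `slapd.conf`. The hostname `ldap.example.com`, the CA path and the base DN are placeholders, and the two sample outputs embedded at the bottom are constructed, abridged s_client transcripts so the parser can be tried offline.

```shell
#!/bin/sh
# Added example for this thread (not Daniel's or Craig's code): check an LDAPS
# listener's TLS handshake without the apparent "hang", summarise the result,
# then test the LDAP client itself with the same CA file.
# Placeholders: ldap.example.com, /etc/openldap/cacerts/ldapCA.pem, dc=example,dc=com.
# openssl and ldapsearch are only needed by the two live functions.

# Summarise `openssl s_client` output read from stdin.
# Prints "verify=<code> cipher=<name>"; returns 0 only if the chain verified,
# 1 if verification failed, 2 if no handshake summary was present at all.
parse_sclient_output() {
    out=$(cat)
    code=$(printf '%s\n' "$out" |
        sed -n 's/^ *Verify return code: *\([0-9][0-9]*\).*/\1/p' | head -n 1)
    cipher=$(printf '%s\n' "$out" |
        sed -n 's/^ *Cipher *: *\([A-Za-z0-9_-]*\).*/\1/p' | head -n 1)
    if [ -z "$code" ]; then
        echo "verify=none cipher=none (no TLS handshake: listener down or not TLS)"
        return 2
    fi
    echo "verify=$code cipher=${cipher:-unknown}"
    [ "$code" = "0" ]
}

# Live handshake check. Redirecting stdin from /dev/null makes s_client exit
# right after the handshake; with a terminal on stdin it waits for you to
# type, which is what the original post reports as "HANGS HERE".
ldaps_handshake_check() {
    host=$1; port=${2:-636}; cafile=$3
    openssl s_client -connect "$host:$port" -CAfile "$cafile" </dev/null 2>/dev/null |
        parse_sclient_output
}

# The LDAP client library never reads slapd.conf; TLS_CACERT / TLS_REQCERT come
# from /etc/openldap/ldap.conf or ~/.ldaprc, or from the LDAPTLS_* environment
# variables used here. -d 1 prints the TLS error that the bare
# "ldap_bind: Can't contact LDAP server (-1)" hides.
ldaps_search_check() {
    host=$1; base=$2; cafile=$3
    LDAPTLS_CACERT="$cafile" ldapsearch -H "ldaps://$host/" -b "$base" -s base -x -d 1
}

# Constructed, abridged s_client transcripts for offline use of the parser.
SAMPLE_OK='CONNECTED(00000003)
depth=0 /C=US/O=Example/CN=ldap.example.com
verify return:1
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Verify return code: 0 (ok)
---'
SAMPLE_UNTRUSTED='CONNECTED(00000003)
depth=0 /C=US/O=Example/CN=ldap.example.com
verify error:num=18:self signed certificate
verify return:1
---
SSL-Session:
    Cipher    : AES256-SHA
    Verify return code: 18 (self signed certificate)
---'

printf '%s\n' "$SAMPLE_OK" | parse_sclient_output || echo "  -> an LDAP client would refuse this server"
printf '%s\n' "$SAMPLE_UNTRUSTED" | parse_sclient_output || echo "  -> an LDAP client would refuse this server"
# Live use:
#   ldaps_handshake_check ldap.example.com 636 /etc/openldap/cacerts/ldapCA.pem
#   ldaps_search_check ldap.example.com dc=example,dc=com /etc/openldap/cacerts/ldapCA.pem
```

If `ldaps_handshake_check` reports `verify=0` but `ldaps_search_check` still fails, the client is not using the same CA file: put `TLS_CACERT /etc/openldap/cacerts/ldapCA.pem` into `/etc/openldap/ldap.conf` (or `~/.ldaprc`) rather than relaxing `TLS_REQCERT`, so the server certificate stays verified.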