I think you're on the right track with the comment that the startTLS
extended op is not needed if the connection is already native SSL on the
SSL port. The first thing I'd try, given the printer's penchant for using
startTLS, would be to tell it to connect to the non-SSL port (389 is the
default port number). If its behavior is consistent, it will connect and
initiate the startTLS op, which will succeed.
On 10/24/2014 4:20 PM, Karel Lang AFD wrote:
Hi guys,
Could anyone please help me decode an error in the access log?
Problem description:
I need to make a Ricoh C3001 printer authenticate against 389 DS.
The printer stubbornly tries to start TLS inside the SSL connection (if I
read the log file correctly?) and the authentication fails, because 389
doesn't know what to make of it (I think); see:
The server uses the ldaps:// method of connection on port 636 (with
self-signed certificates).
[20/Oct/2014:18:31:50 +0200] conn=38 fd=70 slot=70 SSL connection from 192.168.2.139 to 192.168.2.245
[20/Oct/2014:18:31:50 +0200] conn=38 SSL 256-bit AES
[20/Oct/2014:18:31:50 +0200] conn=38 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[20/Oct/2014:18:31:50 +0200] conn=38 op=0 RESULT err=1 tag=120 nentries=0 etime=0
[20/Oct/2014:18:31:50 +0200] conn=38 op=1 BIND dn="RICOH2-SB$" method=128 version=3
[20/Oct/2014:18:31:50 +0200] conn=38 op=1 RESULT err=53 tag=97 nentries=0 etime=0
[20/Oct/2014:18:31:51 +0200] conn=38 op=2 UNBIND
[20/Oct/2014:18:31:51 +0200] conn=38 op=2 fd=70 closed - U1
The 'err=53' means "server is unwilling to perform" and I see the same
message in the printer logs.
Also, you can see the printer starts an 'extended operation':
EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
which I think it should not? (because it is already an SSL connection from the start?)
Different encryption (same result):
[root@srv-022 slapd-srv-022]# cat access | grep conn=48
[20/Oct/2014:18:35:56 +0200] conn=48 fd=68 slot=68 SSL connection from 192.168.2.139 to 192.168.2.245
[20/Oct/2014:18:35:57 +0200] conn=48 SSL 128-bit RC4
[20/Oct/2014:18:35:57 +0200] conn=48 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[20/Oct/2014:18:35:57 +0200] conn=48 op=0 RESULT err=1 tag=120 nentries=0 etime=1
[20/Oct/2014:18:35:57 +0200] conn=48 op=1 BIND dn="RICOH2-SB$" method=128 version=3
[20/Oct/2014:18:35:57 +0200] conn=48 op=1 RESULT err=53 tag=97 nentries=0 etime=0
[20/Oct/2014:18:35:57 +0200] conn=48 op=2 UNBIND
[20/Oct/2014:18:35:57 +0200] conn=48 op=2 fd=68 closed - U1
Please note the different encryption I tried to use, e.g. 128-bit
RC4 and 256-bit AES etc., but all produce the same result.
The printer has a choice for the use of SSL:
SSL 2.0 (set to 'yes')
SSL 3.0 (set to 'yes')
TLS (I set this option to "NO", but it made no difference and the result is
still the same)
Also, the printer has only 2 options:
1.
use SSL/TLS: if I check this, port 636 is automatically used
2.
don't use SSL/TLS: if I check this option, port 389 is used
Not much else to pick from (of course there are other LDAP things to fill
in, like hostname etc.)
I think this looks like a client problem? Or do you think I can try to
tune something on the server side? Has anybody experienced
similar troubles?
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
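An added example, not from the thread or the 389 DS project: a small Python checker that groups 389 DS access-log records by conn= and flags sessions that were already SSL when accepted yet still sent a startTLS extended op that the server refused (err=1, LDAP operationsError), reporting the outcome of the BIND that followed (err=53, unwillingToPerform, in the thread). The sample records are constructed from the excerpt above, one record per line as the server writes them; conn=51 is a made-up plain port-389 session where startTLS succeeds, the behaviour the reply suggests trying.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread's excerpt (one record per line, as 389 DS writes
# them): conn=38 is the failing ldaps session; conn=51 is a made-up plain port-389 session.
SAMPLE_LOG = """\
[20/Oct/2014:18:31:50 +0200] conn=38 fd=70 slot=70 SSL connection from 192.168.2.139 to 192.168.2.245
[20/Oct/2014:18:31:50 +0200] conn=38 SSL 256-bit AES
[20/Oct/2014:18:31:50 +0200] conn=38 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[20/Oct/2014:18:31:50 +0200] conn=38 op=0 RESULT err=1 tag=120 nentries=0 etime=0
[20/Oct/2014:18:31:50 +0200] conn=38 op=1 BIND dn="RICOH2-SB$" method=128 version=3
[20/Oct/2014:18:31:50 +0200] conn=38 op=1 RESULT err=53 tag=97 nentries=0 etime=0
[20/Oct/2014:18:31:51 +0200] conn=38 op=2 UNBIND
[20/Oct/2014:18:31:51 +0200] conn=38 op=2 fd=70 closed - U1
[20/Oct/2014:18:40:00 +0200] conn=51 fd=71 slot=71 connection from 192.168.2.140 to 192.168.2.245
[20/Oct/2014:18:40:00 +0200] conn=51 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[20/Oct/2014:18:40:00 +0200] conn=51 op=0 RESULT err=0 tag=120 nentries=0 etime=0
"""

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"
RECORD_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$")
ERR_RE = re.compile(r"\berr=(\d+)")

def find_starttls_over_ssl(log_text):
    """Return the conn= sessions that were SSL at accept time and still sent a startTLS
    EXT op the server refused, with the result of the BIND that followed."""
    conns = defaultdict(lambda: {"client": None, "ssl_at_accept": False, "starttls_op": None,
                                 "starttls_err": None, "bind_op": None, "bind_err": None})
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # not a conn= record
        s, op, rest = conns[m["conn"]], m["op"], m["rest"]
        if "connection from" in rest:  # accept record, plain or SSL
            s["ssl_at_accept"] = "SSL connection from" in rest
            s["client"] = rest.split("from ")[1].split()[0]
        elif rest.startswith("EXT ") and STARTTLS_OID in rest:
            s["starttls_op"] = op
        elif rest.startswith("BIND "):
            s["bind_op"] = op
        elif rest.startswith("RESULT "):
            err = int(ERR_RE.search(rest).group(1))
            if op == s["starttls_op"]:
                s["starttls_err"] = err
            elif op == s["bind_op"]:
                s["bind_err"] = err
    return {c: s for c, s in conns.items()
            if s["ssl_at_accept"] and s["starttls_op"] is not None and s["starttls_err"]}
```

Run it over the real access file with `find_starttls_over_ssl(open("access").read())`; a client IP that keeps appearing in the result is one that should be pointed at the plain port, where its startTLS request can actually be honoured.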