Re: SSL connection with 'startTLS' problem [solved]

[Karel Lang AFD <lang@xxxxxx>]

Hi list,
problem is solved.
1.
i had to create real user with pw to search through the ldap because i 
tried to use machine printer acc at first, but ldap server wont allow 
user without pw doing bind ops
more info
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.1/html/Administration_Guide/unauthenticated-binds.html


2.
i had to specify username with full DN patch on the printer (not just 
'username' e.g. 'smith' alone)
after specifying uid=smith,ou=users,dc=example,dc=com in the ldap 
printer settings, printer started finally getting users authorized x 389ds.


3.
The 'startTLS' inside SSL is probably a minor problem, because the 389ds 
can handle it (discard it) and then continue with regular user/pw 
authentication.

very usefull were :
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.1/html/Configuration_and_Command_Reference/Configuration_Command_File_Reference-Access_Log_and_Connection_Code_Reference-LDAP_Result_Codes.html

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.1/html/Configuration_and_Command_Reference/logs-reference.html


to debug the 389ds log messages

cheers,


On 10/25/2014 02:00 PM, 389-users-request@xxxxxxxxxxxxxxxxxxxxxxx wrote:
> Send 389-users mailing list submissions to
> 	389-users@xxxxxxxxxxxxxxxxxxxxxxx
>
> To subscribe or unsubscribe via the World Wide Web, visit
> 	https://admin.fedoraproject.org/mailman/listinfo/389-users
> or, via email, send a message with subject or body 'help' to
> 	389-users-request@xxxxxxxxxxxxxxxxxxxxxxx
>
> You can reach the person managing the list at
> 	389-users-owner@xxxxxxxxxxxxxxxxxxxxxxx
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of 389-users digest..."
>
>
> Today's Topics:
>
>     1. SSL connection with 'startTLS' problem (Karel Lang AFD)
>     2. Please take an action: 389 Directory Server 1.2.11.X
>        Discontinued for EL6 (Noriko Hosoi)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 25 Oct 2014 00:20:59 +0200
> From: Karel Lang AFD <lang@xxxxxx>
> To: 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> Subject:  SSL connection with 'startTLS' problem
> Message-ID: <544AD0CB.2080201@xxxxxx>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Hi guys,
> please anyone could help me to decode error in access log?
>
> Problem desr.:
> I need to make Ricoh C3001 printer authenticate x 389 DS.
>
> The printer stubbornly tries to start TLS inside SSL connection (if i
> read the log file correct?) and the authentication fails, because 389
> doesn't know what to make off it (i think) see:
>
> The server uses ldaps:// method of connection on 636 port (with
> selfsigned certificates).
>
> [20/Oct/2014:18:31:50 +0200] conn=38 fd=70 slot=70 SSL connection from
> 192.168.2.139 to 192.168.2.245
> [20/Oct/2014:18:31:50 +0200] conn=38 SSL 256-bit AES
> [20/Oct/2014:18:31:50 +0200] conn=38 op=0 EXT
> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> [20/Oct/2014:18:31:50 +0200] conn=38 op=0 RESULT err=1 tag=120
> nentries=0 etime=0
> [20/Oct/2014:18:31:50 +0200] conn=38 op=1 BIND dn="RICOH2-SB$"
> method=128 version=3
> [20/Oct/2014:18:31:50 +0200] conn=38 op=1 RESULT err=53 tag=97
> nentries=0 etime=0
> [20/Oct/2014:18:31:51 +0200] conn=38 op=2 UNBIND
> [20/Oct/2014:18:31:51 +0200] conn=38 op=2 fd=70 closed - U1
>
> The 'err=53' means "server is unwilling to perform" and i see same
> message in the printer logs
>
> also, you can see the printer starts 'extended operation':
>    EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> which i think it should not? (because it is already SSL conn from start?)
>
> different encryption (same result):
> [root@srv-022 slapd-srv-022]# cat access | grep conn=48
> [20/Oct/2014:18:35:56 +0200] conn=48 fd=68 slot=68 SSL connection from
> 192.168.2.139 to 192.168.2.245
> [20/Oct/2014:18:35:57 +0200] conn=48 SSL 128-bit RC4
> [20/Oct/2014:18:35:57 +0200] conn=48 op=0 EXT
> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> [20/Oct/2014:18:35:57 +0200] conn=48 op=0 RESULT err=1 tag=120
> nentries=0 etime=1
> [20/Oct/2014:18:35:57 +0200] conn=48 op=1 BIND dn="RICOH2-SB$"
> method=128 version=3
> [20/Oct/2014:18:35:57 +0200] conn=48 op=1 RESULT err=53 tag=97
> nentries=0 etime=0
> [20/Oct/2014:18:35:57 +0200] conn=48 op=2 UNBIND
> [20/Oct/2014:18:35:57 +0200] conn=48 op=2 fd=68 closed - U1
>
>
> Please note the different encryption i tried to use - for eg. 128-bit
> RC4 and 256-bit AES etc, but all produces same result.
>
>
> The printer has choice for usinge of ssl:
> ssl 2.0 (set to 'yes)
> ssl 3.0 (set to 'yes')
> tls (i set this option to "NO" - but made no difference and result is
> still same)
>
> Also, the printer has only 2options:
> 1.
> use SSL/TLS - if i check this, port 636 is automatically used
>
> 2.
> dont use SSL/TLS - if i check this option, port 389 is used
>
> Not much else to pick on (ofc there is other LDAP things to fill up like
> hostname etc.)
>
> I think this looks like client problem? Or do you think i can try to
> tune up something on the server side? - anybody had experienced similar
> troubles?


--
*Karel Lang*
*Unix/Linux Administration*
lang@xxxxxx | +420 731 13 40 40
AUFEER DESIGN, s.r.o. | www.aufeerdesign.cz

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users