Re: SSL LDAP Connections on Win32

On Thu, Feb 28, 2008 at 7:29 AM, Eric Covener <covener@xxxxxxxxx> wrote:
> On Wed, Feb 27, 2008 at 9:52 PM, Harry Holt <harryholt@xxxxxxxxx> wrote:
>
> >
> >  TLS accept failure error=-1
>
> Are you able to connect to a secure ldap host with 'ldp.exe' or any
> other MS-based tool?  Have you taken any measures to add the issuer of
> your LDAP server's certificate to the registry-based list mentioned by
> the mod_ldap doc?

Yes.  I've used the Novell LDAP tool, JXplorer, and other tools for testing (as well as my own Java, .NET, and the Novell CAPI), and everything works fine except that Apache module.


> A packet capture of the attempted SSL handshake might be useful, but
> it seems just as likely that the LDAP SDK is blowing up internally.
> I know openldap can act this same way if you point it to a malformed
> CA cert -- it will actually do a tcp connection to the LDAP host,
> freak out about the cert, then promptly close it without having
> read/written a byte of data.

I've tried getting some packet captures at the ldap servers.  Slapd shows the connection start, an attempt to start up the negotiation, but it gets rejected (apparently from the client).  I've included that packet trace below for your edification.  It doesn't really provide much detail that's useful.

I'd start a bug report, but I have a feeling that *somebody* knows it doesn't work, and knows why... 

Thx... HH

SLAPD Debug:
--------------------------------------------------------------------------------------------------------------------------------------
Feb 27 21:47:59 myserver slapd[19490]: >>> slap_listener(ldaps://)
Feb 27 21:47:59 myserver slapd[19490]: daemon: listen=7, new connection on 13
Feb 27 21:47:59 myserver slapd[19490]: daemon: added 13r (active) listener=(nil)
Feb 27 21:47:59 myserver slapd[19490]: conn=0 fd=13 ACCEPT from IP=192.168.1.53:4887 (IP=0.0.0.0:636)
Feb 27 21:47:59 myserver slapd[19490]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Feb 27 21:47:59 myserver slapd[19490]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Feb 27 21:47:59 myserver slapd[19490]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Feb 27 21:47:59 myserver slapd[19490]: daemon: activity on 1 descriptor
Feb 27 21:47:59 myserver slapd[19490]: daemon: activity on:
Feb 27 21:47:59 myserver slapd[19490]:  13r
Feb 27 21:47:59 myserver slapd[19490]:
Feb 27 21:47:59 myserver slapd[19490]: daemon: read active on 13
Feb 27 21:47:59 myserver slapd[19490]: connection_get(13)
Feb 27 21:47:59 myserver slapd[19490]: connection_get(13): got connid=0
Feb 27 21:47:59 myserver slapd[19490]: connection_read(13): checking for input on id=0
Feb 27 21:47:59 myserver slapd[19490]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Feb 27 21:47:59 myserver slapd[19490]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Feb 27 21:47:59 myserver slapd[19490]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Feb 27 21:47:59 myserver slapd[19490]: daemon: activity on 1 descriptor
Feb 27 21:47:59 myserver slapd[19490]: daemon: activity on:
Feb 27 21:47:59 myserver slapd[19490]:  13r
Feb 27 21:47:59 myserver slapd[19490]:
Feb 27 21:47:59 myserver slapd[19490]: daemon: read active on 13
Feb 27 21:47:59 myserver slapd[19490]: connection_get(13)
Feb 27 21:47:59 myserver slapd[19490]: connection_get(13): got connid=0
Feb 27 21:47:59 myserver slapd[19490]: connection_read(13): checking for input on id=0
Feb 27 21:47:59 myserver slapd[19490]: connection_read(13): TLS accept failure error=-1 id=0, closing
Feb 27 21:47:59 myserver slapd[19490]: connection_closing: readying conn=0 sd=13 for close
Feb 27 21:47:59 myserver slapd[19490]: connection_close: conn=0 sd=-1
Feb 27 21:47:59 myserver slapd[19490]: daemon: removing 13
Feb 27 21:47:59 myserver slapd[19490]: conn=0 fd=13 closed (TLS negotiation failure)
Feb 27 21:47:59 myserver slapd[19490]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Feb 27 21:47:59 myserver slapd[19490]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Feb 27 21:47:59 myserver slapd[19490]: daemon: epoll: listen=9 active_threads=0 tvp=NULL

--
Harry Holt, PMP
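The slapd trace above shows the pattern Eric describes from the server's side: the client completes the TCP connect, slapd accepts conn=0, and the connection is closed with "TLS negotiation failure" before any LDAP operation is logged. The script below is an added example (not part of this thread or of OpenLDAP) that correlates slapd's ACCEPT, "TLS established", op and "closed" lines per conn id, so an administrator can tell handshake-only failures apart from normal sessions and see which client addresses produce them. The sample log is constructed for the example: conn=0 is modelled on the trace in the post; conn=1, conn=2, the 192.168.1.77 client and the ports are invented.

```python
import re
from collections import Counter

# Constructed sample of slapd debug output, modelled on the trace in the post.
# conn=1, conn=2, the 192.168.1.77 client and the ports are invented for the example.
SAMPLE_LOG = """\
Feb 27 21:47:59 myserver slapd[19490]: conn=0 fd=13 ACCEPT from IP=192.168.1.53:4887 (IP=0.0.0.0:636)
Feb 27 21:47:59 myserver slapd[19490]: connection_read(13): TLS accept failure error=-1 id=0, closing
Feb 27 21:47:59 myserver slapd[19490]: conn=0 fd=13 closed (TLS negotiation failure)
Feb 27 21:48:03 myserver slapd[19490]: conn=1 fd=14 ACCEPT from IP=192.168.1.77:51002 (IP=0.0.0.0:636)
Feb 27 21:48:03 myserver slapd[19490]: conn=1 fd=14 TLS established tls_ssf=256 ssf=256
Feb 27 21:48:03 myserver slapd[19490]: conn=1 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
Feb 27 21:48:04 myserver slapd[19490]: conn=1 fd=14 closed
Feb 27 21:48:10 myserver slapd[19490]: conn=2 fd=15 ACCEPT from IP=192.168.1.53:4890 (IP=0.0.0.0:636)
Feb 27 21:48:10 myserver slapd[19490]: conn=2 fd=15 closed (TLS negotiation failure)
"""

# syslog prefix written by slapd: "Mon DD HH:MM:SS host slapd[pid]: message"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ slapd\[\d+\]: (?P<msg>.*)$")
ACCEPT_RE = re.compile(r"conn=(?P<conn>\d+) fd=\d+ ACCEPT from IP=(?P<ip>[\d.]+):\d+")
TLS_OK_RE = re.compile(r"conn=(?P<conn>\d+) fd=\d+ TLS established")
OP_RE = re.compile(r"conn=(?P<conn>\d+) op=\d+ ")
CLOSE_RE = re.compile(r"conn=(?P<conn>\d+) fd=\d+ closed(?: \((?P<reason>[^)]*)\))?")


def parse_slapd_log(text):
    """Correlate ACCEPT / TLS established / op / closed lines per conn id.

    Returns one record per connection, in ACCEPT order (dicts keep insertion order).
    """
    conns = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a slapd line (e.g. wrapped output): skip rather than guess
        ts, msg = m.group("ts"), m.group("msg")
        if (a := ACCEPT_RE.search(msg)):
            conns[a["conn"]] = {
                "conn": int(a["conn"]), "client": a["ip"], "opened": ts,
                "tls_established": False, "ops": 0, "closed": None, "reason": None,
            }
        elif (t := TLS_OK_RE.search(msg)) and t["conn"] in conns:
            conns[t["conn"]]["tls_established"] = True
        elif (o := OP_RE.search(msg)) and o["conn"] in conns:
            conns[o["conn"]]["ops"] += 1
        elif (c := CLOSE_RE.search(msg)) and c["conn"] in conns:
            conns[c["conn"]]["closed"] = ts
            conns[c["conn"]]["reason"] = c["reason"]  # None on a normal close
    return list(conns.values())


def handshake_failures(records):
    """Connections that died in the TLS handshake without a single LDAP operation."""
    return [r for r in records
            if r["reason"] == "TLS negotiation failure"
            and not r["tls_established"] and r["ops"] == 0]


def failures_by_client(records):
    """Count handshake-only failures per client IP."""
    return Counter(r["client"] for r in handshake_failures(records))


if __name__ == "__main__":
    recs = parse_slapd_log(SAMPLE_LOG)
    for r in handshake_failures(recs):
        print(f"conn={r['conn']} from {r['client']}: accepted {r['opened']}, "
              f"closed {r['closed']} with no TLS session and no operations")
    for ip, n in failures_by_client(recs).most_common():
        print(f"{ip}: {n} handshake failure(s)")
```

Run against real slapd output, a client that repeatedly appears here but never reaches "TLS established" is failing on its own side of the handshake (certificate or trust-store problem, or an SDK aborting after connect), which is exactly the case where a packet capture of the ClientHello, or its absence, is the next thing to look at.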