[Comm] OpenLDAP and SSL
Alexey Borovskoy
alexey_borovskoy at pochtamt.ru
Sat Apr 19 05:53:48 MSD 2003
Hello.
I can't get openldap to work with openssl.
Without SSL, ldap works fine.
Setup:
openldap-servers-2.0.27-alt5
openldap-2.0.27-alt5
openssl-0.9.6i-alt3
1. I generate a certificate with
openssl req -new -x509 -nodes -out ldap.pem -keyout ldap.pem
I set the cn to server.intranet. DNS is fine.
2. I put the resulting certificate in /etc/openldap/
3. In /etc/openldap/slapd.conf I uncomment the lines
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/openldap/ldap.pem
TLSCertificateKeyFile /etc/openldap/ldap.pem
TLSCACertificateFile /etc/openldap/ldap.pem
4. I run service ldap start
5. I run netstat -tl
tcp 0 0 server.intranet:ldaps *:* LISTEN
6. I connect with GQ, enter the rootdn password, and get the error
Can't contact LDAP server
7. I run ldapsearch -ZZ -D "cn=ldapadmin,dc=intranet" -w secret -h server.intranet -p 636 -n -v -d 9
and get
ldap_init( server.intranet, 636 )
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: server.intranet
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.1.1.7:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 31 bytes to sd 3
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: server.intranet port: 636 (default)
refcnt: 2 status: Connected
last used: Sat Apr 19 14:05:27 2003
** Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** Response Queue:
Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
do_ldap_select
read1msg: msgid 1, all 1
ber_get_next
ber_get_next failed.
ldap_perror
ldap_start_tls: Can't contact LDAP server
In the server logs:
Apr 19 14:18:18 server slapd[21284]: slapd startup: initiated.
Apr 19 14:18:18 server slapd[21284]: slapd starting
Apr 19 14:18:18 server slapd[21294]: daemon: added 6r
Apr 19 14:18:18 server slapd[21294]: daemon: select: listen=6 active_threads=0 tvp=NULL
Apr 19 14:18:41 server slapd[21294]: daemon: activity on 1 descriptors
Apr 19 14:18:41 server slapd[21294]: daemon: new connection on 9
Apr 19 14:18:41 server slapd[21294]: daemon: conn=0 fd=9 connection from IP=10.1.1.10:32987 (IP=10.1.1.7:636) accepted.
Apr 19 14:18:41 server slapd[21294]: daemon: added 9r
Apr 19 14:18:41 server slapd[21294]: daemon: activity on:
Apr 19 14:18:41 server slapd[21294]:
Apr 19 14:18:41 server slapd[21294]: daemon: select: listen=6 active_threads=0 tvp=NULL
Apr 19 14:18:41 server slapd[21294]: daemon: activity on 1 descriptors
Apr 19 14:18:41 server slapd[21294]: daemon: activity on:
Apr 19 14:18:41 server slapd[21294]: 9r
Apr 19 14:18:41 server slapd[21294]:
Apr 19 14:18:41 server slapd[21294]: daemon: read activity on 9
Apr 19 14:18:41 server slapd[21294]: connection_get(9)
Apr 19 14:18:41 server slapd[21294]: connection_get(9): got connid=0
Apr 19 14:18:41 server slapd[21294]: connection_read(9): checking for input on id=0
Apr 19 14:18:41 server slapd[21294]: connection_read(9): TLS accept error error=-1 id=0, closing
Apr 19 14:18:41 server slapd[21294]: connection_closing: readying conn=0 sd=9 for close
Apr 19 14:18:41 server slapd[21294]: connection_close: conn=0 sd=9
Apr 19 14:18:41 server slapd[21294]: daemon: removing 9
Apr 19 14:18:41 server slapd[21294]: conn=-1 fd=9 closed
Apr 19 14:18:41 server slapd[21294]: daemon: select: listen=6 active_threads=0 tvp=NULL
Apr 19 14:18:41 server slapd[21294]: daemon: activity on 1 descriptors
Apr 19 14:18:41 server slapd[21294]: daemon: select: listen=6 active_threads=0 tvp=NULL
What am I doing wrong?
----
Alexey.
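Editor's note, added after the post and not part of the original message or of OpenLDAP's code. The client trace and the server log describe the same mismatch from both ends: `ldapsearch -ZZ` sends an LDAP StartTLS ExtendedRequest in the clear (`ldap_extended_operation`, `ber_flush: 31 bytes to sd 3`) and then waits for an LDAP response, while a listener on port 636 (ldaps) runs a TLS handshake before reading any LDAP at all, so the plaintext BER message makes the server's `SSL_accept` fail (`TLS accept error error=-1`) and it closes the socket, which the client reports as `ber_get_next failed` / `Can't contact LDAP server`. The example below builds that exact 31-byte StartTLS request from the RFC 2830 OID, shows what a server sees in the first bytes of a TLS handshake versus a plain LDAP PDU, and maps the two listener types to the matching client form. Host `server.intranet` and the ports are taken from the post; the function names and the sample TLS record prefix are mine.

```python
"""Why `ldapsearch -ZZ ... -p 636` fails against an ldaps:// listener.

Added example (not from the original post). It hand-encodes the LDAP
StartTLS ExtendedRequest that `-ZZ` sends in the clear, confirms it is the
31-byte message seen in `ber_flush: 31 bytes to sd 3`, and classifies what
a freshly accepted socket delivers first: a TLS record or a BER PDU.
"""

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # RFC 2830 StartTLS extended operation

# Constructed sample: the first bytes of a TLS 1.0 ClientHello record
# (content type 0x16 = handshake, version 3.1), not a captured packet.
SAMPLE_TLS10_RECORD_PREFIX = bytes.fromhex("16030100")


def ber_len(n: int) -> bytes:
    """BER definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value triple."""
    return bytes([tag]) + ber_len(len(value)) + value


def starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID INTEGER, ExtendedRequest { requestName [0] OID } }.

    ExtendedRequest is [APPLICATION 23] constructed -> tag 0x77;
    requestName is context-specific [0] primitive -> tag 0x80;
    no requestValue is sent for StartTLS.
    """
    request_name = ber_tlv(0x80, STARTTLS_OID.encode("ascii"))
    extended_req = ber_tlv(0x77, request_name)
    message_id = ber_tlv(0x02, bytes([msg_id]))      # small positive INTEGER
    return ber_tlv(0x30, message_id + extended_req)   # outer SEQUENCE


def classify_first_bytes(data: bytes) -> str:
    """What a server can tell from the first bytes on a new connection.

    A TLS/SSLv3 record starts with content type 0x16 (handshake) and major
    version 0x03; an LDAP PDU is a BER SEQUENCE, tag 0x30. slapd on the
    ldaps port hands the socket to SSL_accept, which only succeeds for the
    first kind; a plain LDAP message there produces `TLS accept error`.
    """
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"
    if data[:1] == b"\x30":
        return "ldap-ber"
    return "unknown"


def client_invocation(port: int, want_starttls: bool) -> str:
    """Pick the ldapsearch form that matches the listener.

    Port 636 (ldaps://): TLS handshake first, then LDAP inside it; no -ZZ.
    Port 389 (ldap://):  plain LDAP first, then `-ZZ` upgrades via StartTLS.
    Mixing the two is the mismatch in the post.
    """
    if port == 636:
        if want_starttls:
            return "mismatch: -ZZ (StartTLS) cannot be used on an ldaps:// listener"
        return "ldapsearch -H ldaps://server.intranet:636 ..."
    return "ldapsearch -ZZ -H ldap://server.intranet:389 ..."


if __name__ == "__main__":
    req = starttls_request()
    print(len(req), req.hex())                       # 31 bytes, as in the trace
    print(classify_first_bytes(req))                 # ldap-ber
    print(classify_first_bytes(SAMPLE_TLS10_RECORD_PREFIX))  # tls-handshake
    print(client_invocation(636, want_starttls=True))
    print(client_invocation(389, want_starttls=True))
```

Two further checks a practitioner would make on this setup, stated here as editor's commentary rather than as the poster's words: because the certificate is self-signed, the OpenLDAP client library must be told to trust it (TLS_CACERT in /etc/openldap/ldap.conf pointing at the same PEM), otherwise `-ZZ` and `ldaps://` fail verification even once the port and protocol agree; and in OpenSSL cipher-list syntax `+SSLv2` only moves the SSLv2 ciphers to the end of the list, it does not remove them, so `HIGH:MEDIUM:+SSLv2` still offers SSLv2 suites.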