Bug#381788: [Pkg-openldap-devel] Re: Bug#381788: slapd: TLS connections fail when running as non-root

Quanah Gibson-Mount quanah at stanford.edu
Wed Aug 9 04:02:05 UTC 2006



--On Tuesday, August 08, 2006 9:52 PM -0600 "Berg, Michael" 
<michaeljberg at gmail.com> wrote:

>> This error is coming straight from the OpenSSL libraries.
>> Have you tried connecting with openssl s_client?
>
> Yes.
>
> I am running slapd listening on both ports 389 (using starttls) and port
> 636 (SSL only to support some software that doesn't support starttls).
>
> As pointed out in my original bug report, I have run
> "openssl s_client -connect 127.0.0.1:636"
> to connect to the SSL only port.
>
> When slapd is running as root, s_client successfully establishes a
> connection.  When slapd is running as non-root, I get the error messages
> ==========
> 25159:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
> failure:s3_pkt.c:1057:SSL alert number 40
> 25159:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:s23_lib.c:188:
> ==========
>
> The manual page for s_client says that the only supported keywords for the
> "-starttls <protocol>" option are currently "smtp" and "pop3", so I can't
> use s_client to test ldap port 389+starttls.
>
> But "ldapsearch -x -ZZ" (which is configured to use port 389+starttls)
> gives the following error message when slapd is running as non-root

Does it work if you use "-h localhost" (similar to what you were doing with 
the openssl command)?

Generally, you must provide the fully qualified domain name to the "-h" 
parameter for SSL/TLS to work.

For example, "-h ldap" doesn't work for me, but "-h ldap.stanford.edu" does.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
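The suggestion above rests on how TLS clients treat the name given to "-h": the client compares it with the DNS names in the server certificate, so a short name such as "ldap" does not match a certificate issued to "ldap.stanford.edu". The script below is an added example, not code from the bug report or from OpenLDAP; the certificate name lists and hostnames it uses are constructed for illustration. It also shows how the two failure classes differ: a name mismatch is a client-side certificate verification error, whereas the output quoted in the report (SSL3_READ_BYTES reporting "SSL alert number 40") is an alert the client received from the server during the handshake.

```python
"""Hostname-vs-certificate check for an LDAPS port (added example).

hostname_matches() applies the RFC 6125 rules a TLS client uses when it
compares the requested host name with the certificate; diagnose_ldaps()
performs a verified connection, much like "openssl s_client -connect",
and classifies the result.  Names and sample SAN lists are constructed.
"""
import socket
import ssl
import sys


def hostname_matches(hostname, san_dns_names, subject_cn=None):
    """Return True if hostname is covered by the certificate names.

    subjectAltName dNSName entries are authoritative whenever any are
    present; the subject CN is consulted only as a fallback when the
    certificate carries no SAN.  A wildcard covers exactly one leftmost
    label and never the bare domain.  Comparison is case-insensitive.
    """
    host = hostname.rstrip(".").lower()
    if san_dns_names:
        candidates = [n.lower() for n in san_dns_names]
    elif subject_cn:
        candidates = [subject_cn.lower()]
    else:
        candidates = []
    for name in candidates:
        if name.startswith("*."):
            suffix = name[1:]            # ".stanford.edu" for "*.stanford.edu"
            if host.endswith(suffix):
                leftmost = host[: -len(suffix)]
                if leftmost and "." not in leftmost:
                    return True
        elif name == host:
            return True
    return False


def diagnose_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Connect with hostname verification enabled and classify the outcome.

    Returns (kind, detail) where kind is one of "ok",
    "certificate-verification" (client rejected the certificate, e.g. a
    name mismatch), "handshake" (any other TLS failure, including an alert
    sent by the server) or "connect" (no TCP connection).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "ok", tls.version()
    except ssl.SSLCertVerificationError as exc:
        return "certificate-verification", exc.verify_message
    except ssl.SSLError as exc:
        return "handshake", str(exc)
    except OSError as exc:
        return "connect", str(exc)


def demo():
    """Show the "-h ldap" versus "-h ldap.stanford.edu" case offline.

    The SAN list stands in for a certificate issued to the LDAP server's
    fully qualified name (constructed, not a real certificate).
    """
    cert_sans = ["ldap.stanford.edu"]
    return {
        "ldap": hostname_matches("ldap", cert_sans),
        "ldap.stanford.edu": hostname_matches("ldap.stanford.edu", cert_sans),
    }


if __name__ == "__main__":
    # With no arguments, run the offline demonstration; with a host (and
    # optional port) perform a live verified connection to that LDAPS port.
    if len(sys.argv) < 2:
        for name, ok in demo().items():
            print(f"-h {name!r}: {'matches' if ok else 'does not match'} certificate")
    else:
        target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 636
        kind, detail = diagnose_ldaps(sys.argv[1], target_port)
        print(f"{sys.argv[1]}:{target_port}: {kind} ({detail})")
```

Running it without arguments prints that "ldap" does not match while "ldap.stanford.edu" does; running it against a live server reports whether the failure is the client rejecting the certificate name or a handshake error such as a server-sent alert, which is the first thing to establish before changing the "-h" argument.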
