On Thu, Feb 28, 2008 at 7:29 AM, Eric Covener <[EMAIL PROTECTED]> wrote:

> On Wed, Feb 27, 2008 at 9:52 PM, Harry Holt <[EMAIL PROTECTED]> wrote:
>
> >
> >  TLS accept failure error=-1
>
> Are you able to connect to a secure ldap host with 'ldp.exe' or any
> other MS-based tool?  Have you taken any measures to add the issuer of
> your LDAP servers certificate to the registry-based list mentioned by
> the mod_ldap doc?


Yes.  I've used the Novell LDAP tool, JXplorer, and other tools for testing
(as well as my own Java, .NET, and the Novell CAPI), and everything works fine
except for that Apache module.


> A packet capture of the attempted SSL handshake might be useful, but
> it seems just as likely that the LDAP SDK is blowing up internally.
> I know openldap can act this same way if you point it to a malformed
> CA cert -- it will actually do a tcp connection to the LDAP host,
> freak out about the cert, then promptly close it without having
> read/written a byte of data.
>

I've tried getting some packet captures at the ldap servers.  Slapd shows
the connection start, an attempt to start up the negotiation, but it gets
rejected (apparently from the client).  I've included that packet trace
below for your edification.  It doesn't really provide much detail that's
useful.

I'd start a bug report, but I have a feeling that *somebody* knows it
doesn't work, and knows why...

Thx... HH

SLAPD Debug:
--------------------------------------------------------------------------------
Feb 27 21:47:59 myserver slapd[19490]: >>> slap_listener(ldaps://)
Feb 27 21:47:59 myserver slapd[19490]: daemon: listen=7, new connection on 13
Feb 27 21:47:59 myserver slapd[19490]: daemon: added 13r (active) listener=(nil)
Feb 27 21:47:59 myserver slapd[19490]: conn=0 fd=13 ACCEPT from IP=192.168.1.53:4887 (IP=0.0.0.0:636)
Feb 27 21:47:59 myserver slapd[19490]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Feb 27 21:47:59 myserver slapd[19490]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Feb 27 21:47:59 myserver slapd[19490]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Feb 27 21:47:59 myserver slapd[19490]: daemon: activity on 1 descriptor
Feb 27 21:47:59 myserver slapd[19490]: daemon: activity on:
Feb 27 21:47:59 myserver slapd[19490]:  13r
Feb 27 21:47:59 myserver slapd[19490]:
Feb 27 21:47:59 myserver slapd[19490]: daemon: read active on 13
Feb 27 21:47:59 myserver slapd[19490]: connection_get(13)
Feb 27 21:47:59 myserver slapd[19490]: connection_get(13): got connid=0
Feb 27 21:47:59 myserver slapd[19490]: connection_read(13): checking for input on id=0
Feb 27 21:47:59 myserver slapd[19490]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Feb 27 21:47:59 myserver slapd[19490]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Feb 27 21:47:59 myserver slapd[19490]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Feb 27 21:47:59 myserver slapd[19490]: daemon: activity on 1 descriptor
Feb 27 21:47:59 myserver slapd[19490]: daemon: activity on:
Feb 27 21:47:59 myserver slapd[19490]:  13r
Feb 27 21:47:59 myserver slapd[19490]:
Feb 27 21:47:59 myserver slapd[19490]: daemon: read active on 13
Feb 27 21:47:59 myserver slapd[19490]: connection_get(13)
Feb 27 21:47:59 myserver slapd[19490]: connection_get(13): got connid=0
Feb 27 21:47:59 myserver slapd[19490]: connection_read(13): checking for input on id=0
Feb 27 21:47:59 myserver slapd[19490]: connection_read(13): TLS accept failure error=-1 id=0, closing
Feb 27 21:47:59 myserver slapd[19490]: connection_closing: readying conn=0 sd=13 for close
Feb 27 21:47:59 myserver slapd[19490]: connection_close: conn=0 sd=-1
Feb 27 21:47:59 myserver slapd[19490]: daemon: removing 13
Feb 27 21:47:59 myserver slapd[19490]: conn=0 fd=13 closed (TLS negotiation failure)
Feb 27 21:47:59 myserver slapd[19490]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Feb 27 21:47:59 myserver slapd[19490]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Feb 27 21:47:59 myserver slapd[19490]: daemon: epoll: listen=9 active_threads=0 tvp=NULL

-- 
Harry Holt, PMP
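An added example, not part of the original mail thread and not code from slapd or mod_ldap: a small Python parser that walks slapd log output of the kind quoted above, correlates each conn= ACCEPT with its TLS outcome and close reason, and tallies failed handshakes per client host. That is the check a practitioner wants on the server side of this symptom: a client that opens the TCP connection and then aborts the TLS handshake (as the trace shows for 192.168.1.53) looks the same whether it is a mod_ldap instance that distrusts the server certificate or a scanner probing port 636, and counting per peer separates a single misconfigured client from many. The sample log is constructed here, modelled on the quoted trace plus one successful connection (the "TLS established tls_ssf=" line follows slapd's stats-level log format); the function and field names are this example's own.

```python
"""Correlate slapd connection lines to find clients whose TLS handshake fails.

Added example (not from the original thread or from slapd). The sample log is
constructed to mirror the trace quoted in the mail plus one successful session.
"""
import re
from collections import Counter

# slapd message fragments this example matches (syslog prefix is ignored via search()).
ACCEPT_RE = re.compile(r"conn=(\d+) fd=(\d+) ACCEPT from IP=(\S+) \(IP=(\S+)\)")
TLS_FAIL_RE = re.compile(r"TLS accept failure error=(-?\d+) id=(\d+)")
TLS_OK_RE = re.compile(r"conn=(\d+) fd=(\d+) TLS established tls_ssf=(\d+)")
CLOSE_RE = re.compile(r"conn=(\d+) fd=(\d+) closed(?: \(([^)]*)\))?")

# Constructed sample: conn=0 is the failure from the quoted trace, conn=1 is a
# client that completes the handshake, conn=2 is the same host as conn=0 failing again.
SAMPLE_LOG = """\
Feb 27 21:47:59 myserver slapd[19490]: conn=0 fd=13 ACCEPT from IP=192.168.1.53:4887 (IP=0.0.0.0:636)
Feb 27 21:47:59 myserver slapd[19490]: connection_read(13): TLS accept failure error=-1 id=0, closing
Feb 27 21:47:59 myserver slapd[19490]: conn=0 fd=13 closed (TLS negotiation failure)
Feb 27 21:48:03 myserver slapd[19490]: conn=1 fd=14 ACCEPT from IP=192.168.1.77:51022 (IP=0.0.0.0:636)
Feb 27 21:48:03 myserver slapd[19490]: conn=1 fd=14 TLS established tls_ssf=256 ssf=256
Feb 27 21:48:04 myserver slapd[19490]: conn=1 fd=14 closed
Feb 27 21:48:10 myserver slapd[19490]: conn=2 fd=13 ACCEPT from IP=192.168.1.53:4890 (IP=0.0.0.0:636)
Feb 27 21:48:10 myserver slapd[19490]: connection_read(13): TLS accept failure error=-1 id=2, closing
Feb 27 21:48:10 myserver slapd[19490]: conn=2 fd=13 closed (TLS negotiation failure)
"""


def _new_record(conn, fd=None, peer=None, listener=None):
    """Empty per-connection record; used when the log starts mid-connection too."""
    return {"conn": int(conn), "fd": fd, "peer": peer, "listener": listener,
            "tls": "none", "tls_error": None, "tls_ssf": None, "close_reason": None}


def parse_connections(lines):
    """Build one record per slapd conn id: peer address, TLS outcome, close reason."""
    conns = {}
    for raw in lines:
        line = raw.strip()
        m = ACCEPT_RE.search(line)
        if m:
            conn, fd, peer, listener = m.groups()
            conns[conn] = _new_record(conn, int(fd), peer, listener)
            continue
        m = TLS_FAIL_RE.search(line)
        if m:
            err, conn = m.groups()
            rec = conns.setdefault(conn, _new_record(conn))
            rec["tls"] = "failed"
            rec["tls_error"] = int(err)
            continue
        m = TLS_OK_RE.search(line)
        if m:
            conn, _fd, ssf = m.groups()
            rec = conns.setdefault(conn, _new_record(conn))
            rec["tls"] = "established"
            rec["tls_ssf"] = int(ssf)
            continue
        m = CLOSE_RE.search(line)
        if m:
            conn, _fd, reason = m.groups()
            rec = conns.setdefault(conn, _new_record(conn))
            rec["close_reason"] = reason or "normal"
    return conns


def tls_failures(conns):
    """Connections that never completed the handshake: the symptom in the thread."""
    return [r for r in conns.values()
            if r["tls"] == "failed"
            or (r["close_reason"] or "").startswith("TLS negotiation failure")]


def failing_peers(conns):
    """Failed handshakes per client host (port stripped), to spot one noisy client."""
    return Counter((r["peer"] or "unknown").rsplit(":", 1)[0] for r in tls_failures(conns))


if __name__ == "__main__":
    conns = parse_connections(SAMPLE_LOG.splitlines())
    for rec in tls_failures(conns):
        print(f"conn={rec['conn']} from {rec['peer']}: TLS {rec['tls']} "
              f"(error={rec['tls_error']}), closed: {rec['close_reason']}")
    print("failed handshakes per client:", dict(failing_peers(conns)))
```

Run against a real slapd log, the per-peer tally is what distinguishes the case in this thread (one Apache host failing on every attempt while other clients establish TLS normally, which points at the client's trust configuration) from a server-side certificate problem, where every peer would fail.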
