# openldap + tls problem

## vtx

Hello,

I've been trying for days now to get openldap with tls support to work.

This is a part of my slapd.conf:

```
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/lib/slapd.pid
argsfile        /var/lib/slapd.args

loglevel        1024

# TLS options for slapd
TLSCipherSuite          HIGH
TLSCertificateFile      /etc/ssl/slapd-cert.pem
TLSCertificateKeyFile   /etc/ssl/slapd-key.pem
TLSCACertificateFile    /ect/ssl/demoCA/cacert.pem
```

This is my ldap.conf (comments stripped):

```
# @(#)$Id: ldap.conf,v 2.32 2002/11/15 05:01:16 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#
host 127.0.0.1
base dc=ilimburg,dc=nl
uri ldap://127.0.0.1/
uri ldaps://127.0.0.1/
port 389
scope sub
timelimit 30
pam_groupdn cn=ldap,ou=Hosts,dc=ilimburg,dc=nl
pam_member_attribute member
ssl start_tls
```

When I try to start slapd, this happens:

```
ldap ssl # /usr/lib/openldap/slapd -d 1
@(#) $OpenLDAP: slapd 2.0.27-Release (Mon Jun 16 17:48:28 CEST 2003) $
        root@ldap.ilimburg.nl:/var/tmp/portage/openldap-2.0.27/work/openldap-2.0.27/servers/slapd
daemon_init: listen on ldap:///
daemon_init: 1 listeners to open...
ldap_url_parse_ext(ldap:///)
daemon: initialized ldap:///
daemon_init: 1 listeners opened
slapd init: initiated server.
TLS: could not load verify locations (file:`/ect/ssl/demoCA/cacert.pem',dir:`').
TLS: error:02001002:system library:fopen:No such file or directory bss_file.c:104
TLS: error:2006D002:BIO routines:BIO_new_file:system lib bss_file.c:106
TLS: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib by_file.c:274
main: TLS init def ctx failed: 0
slapd shutdown: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.
```

When I remove the 'TLSCACertificateFile    /ect/ssl/demoCA/cacert.pem' line from my config, slapd starts, but when I try to connect to the host with ssh, this happens:

```
ldap ssl # /usr/lib/openldap/slapd -d 1
@(#) $OpenLDAP: slapd 2.0.27-Release (Mon Jun 16 17:48:28 CEST 2003) $
        root@ldap.ilimburg.nl:/var/tmp/portage/openldap-2.0.27/work/openldap-2.0.27/servers/slapd
daemon_init: listen on ldap:///
daemon_init: 1 listeners to open...
ldap_url_parse_ext(ldap:///)
daemon: initialized ldap:///
daemon_init: 1 listeners opened
slapd init: initiated server.
slapd startup: initiated.
slapd starting
connection_get(9): got connid=0
connection_read(9): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
ber_get_next on fd 9 failed errno=11 (Resource temporarily unavailable)
do_extended
ber_scanf fmt ({a) ber:
send_ldap_extended 0: (0)
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 9
connection_get(9): got connid=0
connection_read(9): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(9): got connid=0
connection_read(9): checking for input on id=0
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_get(9): got connid=0
connection_read(9): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 9 failed errno=0 (Success)
connection_read(9): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=9 for close
connection_close: deferring conn=0 sd=9
do_unbind
connection_resched: attempting closing conn=0 sd=9
connection_close: conn=0 sd=9
TLS trace: SSL3 alert write:warning:close notify
connection_get(9): got connid=1
connection_read(9): checking for input on id=1
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
ber_get_next on fd 9 failed errno=11 (Resource temporarily unavailable)
do_extended
ber_scanf fmt ({a) ber:
send_ldap_extended 0: (0)
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 9
connection_get(9): got connid=1
connection_read(9): checking for input on id=1
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(9): got connid=1
connection_read(9): checking for input on id=1
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_get(10): got connid=2
connection_read(10): checking for input on id=2
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
do_extended
ber_scanf fmt ({a) ber:
send_ldap_extended 0: (0)
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 10
connection_get(10): got connid=2
connection_read(10): checking for input on id=2
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(10): got connid=2
connection_read(10): checking for input on id=2
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_get(10): got connid=2
connection_read(10): checking for input on id=2
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
do_unbind
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 10 failed errno=0 (Success)
connection_read(10): input error=-2 id=2, closing.
connection_closing: readying conn=2 sd=10 for close
connection_close: deferring conn=2 sd=10
connection_resched: reaquiring locks conn=2 sd=10
connection_resched: attempting closing conn=2 sd=10
connection_close: conn=2 sd=10
TLS trace: SSL3 alert write:warning:close notify
connection_get(11): got connid=3
connection_read(11): checking for input on id=3
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
do_extended
ber_scanf fmt ({a) ber:
ber_get_next
ber_get_next on fd 11 failed errno=11 (Resource temporarily unavailable)
send_ldap_extended 0: (0)
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 11
connection_get(11): got connid=3
connection_read(11): checking for input on id=3
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_get(11): got connid=3
connection_read(11): checking for input on id=3
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
do_unbind
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 11 failed errno=0 (Success)
connection_read(11): input error=-2 id=3, closing.
connection_closing: readying conn=3 sd=11 for close
connection_close: deferring conn=3 sd=11
connection_resched: reaquiring locks conn=3 sd=11
connection_resched: attempting closing conn=3 sd=11
connection_close: conn=3 sd=11
TLS trace: SSL3 alert write:warning:close notify
connection_get(9): got connid=1
connection_read(9): checking for input on id=1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
ber_get_next
ber_get_next on fd 9 failed errno=11 (Resource temporarily unavailable)
do_bind
ber_scanf fmt ({iat) ber:
ber_scanf fmt (o}) ber:
do_bind: version=3 dn="" method=128
send_ldap_result: conn=1 op=1 p=3
send_ldap_response: msgid=2 tag=97 err=0
ber_flush: 14 bytes to sd 9
do_bind: v3 anonymous bind
connection_get(9): got connid=1
connection_read(9): checking for input on id=1
ber_get_next
ber_get_next: tag 0x30 len 53 contents:
do_search
ber_scanf fmt ({aiiiib) ber:
ber_scanf fmt ({oo}) ber:
ber_scanf fmt ({v}}) ber:
send_ldap_result: conn=1 op=2 p=3
send_ldap_response: msgid=3 tag=101 err=32
ber_get_next
ber_get_next on fd 9 failed errno=11 (Resource temporarily unavailable)
ber_flush: 14 bytes to sd 9
connection_get(10): got connid=4
connection_read(10): checking for input on id=4
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
do_extended
ber_scanf fmt ({a) ber:
send_ldap_extended 0: (0)
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 10
connection_get(10): got connid=4
connection_read(10): checking for input on id=4
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(10): got connid=4
connection_read(10): checking for input on id=4
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_get(10): got connid=4
connection_read(10): checking for input on id=4
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 10 failed errno=0 (Success)
connection_read(10): input error=-2 id=4, closing.
connection_closing: readying conn=4 sd=10 for close
connection_close: deferring conn=4 sd=10
do_unbind
connection_resched: attempting closing conn=4 sd=10
connection_close: conn=4 sd=10
TLS trace: SSL3 alert write:warning:close notify
connection_get(11): got connid=5
connection_read(11): checking for input on id=5
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
ber_get_next on fd 11 failed errno=11 (Resource temporarily unavailable)
do_extended
ber_scanf fmt ({a) ber:
send_ldap_extended 0: (0)
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 11
connection_get(11): got connid=5
connection_read(11): checking for input on id=5
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=5
connection_read(11): checking for input on id=5
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_get(11): got connid=5
connection_read(11): checking for input on id=5
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 11 failed errno=0 (Success)
connection_read(11): input error=-2 id=5, closing.
connection_closing: readying conn=5 sd=11 for close
connection_close: deferring conn=5 sd=11
do_unbind
connection_resched: attempting closing conn=5 sd=11
connection_close: conn=5 sd=11
TLS trace: SSL3 alert write:warning:close notify
```

I searched google for days, tried everything I could find, read 'LDAP System Administration' from O'Reilly, but I don't get it to work.

Any help / suggestion is welcome!
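To make the trace above readable, here is an added example (not part of the post and not OpenLDAP code): a minimal BER decoder for the LDAPMessages whose sizes slapd prints. The PDUs are constructed by hand to match the trace: the StartTLS ExtendedRequest ("tag 0x30 len 29"), its 14-byte ExtendedResponse ("tag=120 err=0"), the UnbindRequest the client sends after each completed handshake ("len 5"), and the anonymous simple bind ("len 12", "version=3 dn="" method=128"); the unbind message id is an assumption.

```python
# Added example: decode the LDAP PDUs behind the "ber_get_next: tag 0x30 len N"
# lines of a slapd -d 1 trace. Sample PDUs are constructed to match the trace.

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # StartTLS extended operation (RFC 2830)

# LDAP protocolOp tags (APPLICATION class), as printed in decimal by slapd's "tag=".
OPS = {
    0x60: "BindRequest", 0x61: "BindResponse", 0x42: "UnbindRequest",
    0x63: "SearchRequest", 0x65: "SearchResultDone",
    0x77: "ExtendedRequest", 0x78: "ExtendedResponse",
}


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def decode_ldap_message(pdu):
    """Summarise one LDAPMessage as a dict: message id, operation and key fields.

    'len' is the SEQUENCE content length, the number slapd prints after 'tag 0x30 len'.
    """
    tag, body, _ = read_tlv(pdu)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE (tag 0x30)")
    _, msgid, pos = read_tlv(body)
    op_tag, op, _ = read_tlv(body, pos)
    info = {"msgid": int.from_bytes(msgid, "big"),
            "op": OPS.get(op_tag, hex(op_tag)), "len": len(body)}
    if op_tag == 0x77:                    # ExtendedRequest: [0] requestName LDAPOID
        _, oid, _ = read_tlv(op)
        info["oid"] = oid.decode()
        info["starttls"] = info["oid"] == STARTTLS_OID
    elif op_tag in (0x61, 0x65, 0x78):    # LDAPResult: resultCode ENUMERATED comes first
        _, code, _ = read_tlv(op)
        info["result"] = int.from_bytes(code, "big")
    elif op_tag == 0x60:                  # BindRequest: version, name, authentication
        _, version, pos = read_tlv(op)
        _, name, pos = read_tlv(op, pos)
        auth_tag, _, _ = read_tlv(op, pos)
        info.update(version=version[0], dn=name.decode(), method=auth_tag)
    return info


# Constructed PDUs matching the trace: msgid=1 StartTLS request (29 content bytes) ...
STARTTLS_REQ = bytes([0x30, 29, 0x02, 0x01, 0x01, 0x77, 24, 0x80, 22]) + STARTTLS_OID.encode()
# ... its 14-byte success response (tag=120 is 0x78, err=0) ...
STARTTLS_RESP = bytes([0x30, 12, 0x02, 0x01, 0x01, 0x78, 7, 0x0A, 0x01, 0x00, 0x04, 0x00, 0x04, 0x00])
# ... the 5-byte UnbindRequest sent right after the TLS handshake (msgid=2 assumed) ...
UNBIND = bytes([0x30, 5, 0x02, 0x01, 0x02, 0x42, 0x00])
# ... and the anonymous simple bind: version=3, dn="", method=128 (12 content bytes).
ANON_BIND = bytes([0x30, 12, 0x02, 0x01, 0x02, 0x60, 7, 0x02, 0x01, 0x03, 0x04, 0x00, 0x80, 0x00])

if __name__ == "__main__":
    for label, pdu in [("StartTLS request", STARTTLS_REQ), ("StartTLS response", STARTTLS_RESP),
                       ("Unbind", UNBIND), ("Anonymous bind", ANON_BIND)]:
        print(f"{label}: {decode_ldap_message(pdu)}")
```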

----------

## vtx

Bump

Please anyone, I need this to work....

----------

## vtx

bump.....

----------

## Chris W

slapd is complaining that the file /ect/ssl/demoCA/cacert.pem does not exist.  Does it?  What are its permissions?
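A pre-flight check for exactly that, added here as example code (not from the thread or from OpenLDAP): it reads the TLS file directives out of a slapd.conf, reports missing or unreadable files, and flags a world-readable private key. The slapd.conf it builds is constructed and copies the post's TLS block, including the /ect/ typo.

```shell
#!/bin/sh
# Added example: check the TLS file directives in a slapd.conf before starting
# slapd. Returns 0 only when every referenced file exists, is readable, and the
# private key is not readable by "other". Prints one line per finding.
check_slapd_tls() {
    conf=$1
    rc=0
    for directive in TLSCertificateFile TLSCertificateKeyFile TLSCACertificateFile; do
        # Last uncommented occurrence wins; only the first token after the directive is the path.
        path=$(sed -n "s/^[[:space:]]*${directive}[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p" "$conf" | tail -n 1)
        [ -n "$path" ] || continue            # directive not set: nothing to check
        if [ ! -f "$path" ]; then
            echo "$directive: $path does not exist (typo such as /ect/ for /etc/?)"
            rc=1
            continue
        fi
        if [ ! -r "$path" ]; then
            echo "$directive: $path is not readable by this user"
            rc=1
        fi
        if [ "$directive" = TLSCertificateKeyFile ]; then
            # Octal mode such as 600; GNU stat first, BSD stat as fallback.
            mode=$(stat -c %a "$path" 2>/dev/null || stat -f %Lp "$path")
            case "${mode#"${mode%?}"}" in     # last octal digit = "other" permissions
                4|5|6|7) echo "$directive: $path is world-readable (mode $mode)"; rc=1 ;;
            esac
        fi
    done
    return $rc
}

# Build a constructed slapd.conf under $1 mirroring the post's TLS block.
# With $2 = 1 a CA file is created under etc/; with $2 = 0 the path keeps
# the post's /ect/ typo, so the CA file is missing. Prints the config path.
write_demo_conf() {
    dir=$1
    printf 'constructed, not a real certificate\n' > "$dir/slapd-cert.pem"
    printf 'constructed, not a real key\n' > "$dir/slapd-key.pem"
    chmod 600 "$dir/slapd-key.pem"
    if [ "$2" = 1 ]; then
        ca=$dir/etc/ssl/demoCA/cacert.pem
        mkdir -p "$dir/etc/ssl/demoCA"
        printf 'constructed, not a real CA certificate\n' > "$ca"
    else
        ca=$dir/ect/ssl/demoCA/cacert.pem
    fi
    cat > "$dir/slapd.conf" <<EOF
# TLS options for slapd (constructed copy of the post's block)
TLSCipherSuite          HIGH
TLSCertificateFile      $dir/slapd-cert.pem
TLSCertificateKeyFile   $dir/slapd-key.pem
TLSCACertificateFile    $ca
EOF
    echo "$dir/slapd.conf"
}

demo=$(mktemp -d)
check_slapd_tls "$(write_demo_conf "$demo" 0)" || echo "slapd would refuse to start with this config"
```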

----------

## vtx

Well, that message is gone now, but I still have the same problem:

```
/usr/lib/openldap/slapd -d 1
@(#) $OpenLDAP: slapd 2.0.27-Release (Mon Jun 16 17:48:28 CEST 2003) $
        root@ldap.ilimburg.nl:/var/tmp/portage/openldap-2.0.27/work/openldap-2.0.27/servers/slapd
daemon_init: listen on ldap:///
daemon_init: 1 listeners to open...
ldap_url_parse_ext(ldap:///)
daemon: initialized ldap:///
daemon_init: 1 listeners opened
slapd init: initiated server.
slapd startup: initiated.
slapd starting
```

Now I start an ssh session to the host and then I get this:

```
connection_get(9): got connid=0
connection_read(9): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
do_extended
ber_get_next
ber_get_next on fd 9 failed errno=11 (Resource temporarily unavailable)
ber_scanf fmt ({a) ber:
send_ldap_extended 0: (0)
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 9
connection_get(9): got connid=0
connection_read(9): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_get(9): got connid=0
connection_read(9): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 9 failed errno=0 (Success)
connection_read(9): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=9 for close
connection_close: deferring conn=0 sd=9
do_unbind
connection_resched: attempting closing conn=0 sd=9
connection_close: conn=0 sd=9
TLS trace: SSL3 alert write:warning:close notify
connection_get(9): got connid=1
connection_read(9): checking for input on id=1
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
ber_get_next on fd 9 failed errno=11 (Resource temporarily unavailable)
do_extended
ber_scanf fmt ({a) ber:
send_ldap_extended 0: (0)
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 9
connection_get(9): got connid=1
connection_read(9): checking for input on id=1
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(9): got connid=1
connection_read(9): checking for input on id=1
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_get(10): got connid=2
connection_read(10): checking for input on id=2
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
do_extended
ber_scanf fmt ({a) ber:
send_ldap_extended 0: (0)
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 10
connection_get(10): got connid=2
connection_read(10): checking for input on id=2
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(10): got connid=2
connection_read(10): checking for input on id=2
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_get(10): got connid=2
connection_read(10): checking for input on id=2
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 10 failed errno=0 (Success)
connection_read(10): input error=-2 id=2, closing.
connection_closing: readying conn=2 sd=10 for close
connection_close: deferring conn=2 sd=10
do_unbind
connection_resched: attempting closing conn=2 sd=10
connection_close: conn=2 sd=10
TLS trace: SSL3 alert write:warning:close notify
connection_get(11): got connid=3
connection_read(11): checking for input on id=3
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
do_extended
ber_scanf fmt ({a) ber:
ber_get_next
ber_get_next on fd 11 failed errno=11 (Resource temporarily unavailable)
send_ldap_extended 0: (0)
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 11
connection_get(11): got connid=3
connection_read(11): checking for input on id=3
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=3
connection_read(11): checking for input on id=3
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_get(11): got connid=3
connection_read(11): checking for input on id=3
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 11 failed errno=0 (Success)
connection_read(11): input error=-2 id=3, closing.
connection_closing: readying conn=3 sd=11 for close
connection_close: deferring conn=3 sd=11
do_unbind
connection_resched: attempting closing conn=3 sd=11
connection_close: conn=3 sd=11
TLS trace: SSL3 alert write:warning:close notify
```

----------

## vtx

bump   :Rolling Eyes: 

----------

## Chris W

Can you explain what SSH has to do with this problem?  Is it that you are trying to login with ssh but are being rejected?

Let's take a step back and check the OpenLDAP server in isolation:

Can you run an ldapsearch against your LDAP directory through the insecure port?  What about the secure port? Something like:

```
$ ldapsearch -D bindDN -w bindpw -b dc=ilimburg,dc=nl -s sub -H ldap://127.0.0.1 '(objectclass=*)' 

$ ldapsearch -D bindDN -w bindpw -b dc=ilimburg,dc=nl -s sub -H ldaps://127.0.0.1 '(objectclass=*)' 
```

should do it.

Are you starting the TLS interface to the LDAP server (port 636)?  This is done with the -h "ldap:/// ldaps:///" option to slapd if memory serves.

----------

## vtx

*Chris W wrote:*

> Can you explain what SSH has to do with this problem?  Is it that you are trying to login with ssh but are being rejected?

Yes, indeed. SSH authentication via LDAP works, but only when TLS is disabled.

*Chris W wrote:*

> Let's take a step back and check the OpenLDAP server in isolation:
>
> Can you run an ldapsearch against your LDAP directory through the insecure port?  What about the secure port? Something like:
> ...

Yes, ldapsearch on the insecure port works.

*Chris W wrote:*

> Are you starting the TLS interface to the LDAP server (port 636)?  This is done with the -h "ldap:/// ldaps:///" option to slapd if memory serves.

No, what I've read in the manual is that with TLS support the insecure & secure LDAP server use the same port. That's what I'm trying to do here. Hopefully someone has a solution. Thanks so far for your support!

----------

## Chris W

Have a longish read at: http://www.openldap.org/faq/data/cache/185.html.  Particularly the bit about:

> Now stop slapd and start it again like this:
>
>         slapd -h "ldap:/// ldaps:///"
>
> Slapd will now listen on port 389 for LDAP and 636 for LDAP over SSL. The server can also negotiate TLS using the StartTLS extended operation over port 389. You may leave out the second URL if you only want to support StartTLS. You can use option -P to change the default port for LDAPS or you can use a specific port on the URL.

My guess is that you're assuming the client (sshd in concert with the PAM) is using the StartTLS extension, but it may not be enabled in the ebuild or failing for some other reason.  The PAM is probably trying to connect to port 636, which cannot work if you are not serving the LDAP over SSL (TLS) interface.

Try running with the 636 interface and see.  It can't hurt.

----------

## Chris W

Another thought.  In my default ldap.conf file the following section appears:

> # OpenLDAP SSL mechanism
> # start_tls mechanism uses the normal LDAP port, LDAPS typically 636
> #ssl start_tls
> ...

I notice that your file does not have the "ssl on" option set.  It's not clear if these are either/or options, or both required.

It would seem that if you specify the "host 127.0.0.1" and "port 389" you shouldn't need the two "uri ..." lines.  In fact, since the LDAPS port is not being serviced, the "uri ldaps://127.0.0.1/" line is probably a red herring and may cause problems.  From my default file:

> # Another way to specify your LDAP server is to provide an
> # uri with the server name. This allows to use
> # Unix Domain Sockets to connect to a local LDAP Server.
> ...

----------

## ozukir@

From your descriptions I was having the exact same problems. I've posted my relevant configuration files here. As far as I can tell there are only two differences between our setups. I am also using OpenLDAP to store my samba users, and I generated my self-signed certificate using the script provided with OpenLDAP (/etc/openldap/ssl/gencert.sh).

I compiled OpenLDAP without support for tcp-wrappers (why you'd ever want to use tcpd for OpenLDAP eludes me) and changed my /etc/ldap.conf (the one for pam_ldap) to use a fully qualified domain name for the host setting. Whenever I used localhost or 127.0.0.1 for the host, pam_ldap could not contact openldap.

If this doesn't help, let me know and we can compare our setups.

----------

