From: Igor Muratov
Date: Mon, 05 May 2003 20:17:12 +0400
To: community@altlinux.ru
Subject: Re: [Comm] OpenLDAP and SSL
Message-ID: <3EB68E88.5050507@altlinux.ru>
In-Reply-To: <200304231118.47715.alexey_borovskoy@pochtamt.ru>
References: <200304191453.48391.alexey_borovskoy@pochtamt.ru> <200304221914.40531.alexey_borovskoy@pochtamt.ru> <3EA51CB7.1010501@altlinux.ru> <200304231118.47715.alexey_borovskoy@pochtamt.ru>

Alexey Borovskoy writes:
| * 22 April 2003 23:43 Igor Muratov
|
|>Alexey Borovskoy writes:
|>| * 21 April 2003 23:22 Igor Muratov
|>|
|>|>I also suspect that the server did not pick up the certificate and
|>|>that the connection to port 636 was made without any SSL at all.
|>|>Try connecting there with telnet.
|>|
|>| I do. Black screen. Then the server drops the connection.
|>| Is it supposed to say something?
|
|
| The file 1.txt contains the output of openssl s_client on my home
| machine.
|
|
|>Have you tried taking openldap from an earlier distribution? In
|>Spring, for example, it definitely worked. In ALM2.0 too, I think.
|
|
| Yes. On Master 2.0 it definitely worked.
|
|
|>| Today I grabbed a fresh stunnel and will build it at home. A crutch,
|>| of course, but what can you do.
|>
|>Maybe it is not worth spending time on this?
|
|
| I would like it to work without crutches.
|
|
|>| Maybe we can localize and eliminate the bug with joint effort?
|>| I understand that I am the only one who has stepped on this rake.
|>| But this rake repeats on three openldap installations on three
|>| different machines/configurations.
|>
|>Then show the config in full.
|
|
| Which ones exactly?
| I attached slapd.conf and the certificate to this message.
|
| ----
| Alexey.
| JID:alb@jabber.ru
|
|
| ------------------------------------------------------------------------
|
| [alb@alb 2]$ openssl s_client -connect alb.home:636 -debug
| CONNECTED(00000004)
| write to 0809BEB8 [0809BF00] (130 bytes => 130 (0x82))
| 0000 - 80 80 01 03 01 00 57 00-00 00 20 00 00 16 00 00   ......W... .....
| 0010 - 13 00 00 0a 07 00 c0 00-00 66 00 00 07 00 00 05   .........f......
| 0020 - 00 00 04 05 00 80 03 00-80 01 00 80 08 00 80 00   ................
| 0030 - 00 65 00 00 64 00 00 63-00 00 62 00 00 61 00 00   .e..d..c..b..a..
| 0040 - 60 00 00 15 00 00 12 00-00 09 06 00 40 00 00 14   `...........@...
| 0050 - 00 00 11 00 00 08 00 00-06 00 00 03 04 00 80 02   ................
| 0060 - 00 80 aa dd 8f a3 ad c5-70 56 63 2c 43 16 f6 1c   ........pVc,C...
| 0070 - dd 82 3a 80 cf 8d b0 f4-67 94 e4 cb c0 4f cc 61   ..:.....g....O.a
| 0080 - 27 ad                                             '.
| read from 0809BEB8 [080A1460] (7 bytes => 7 (0x7))
| 0000 - 15 03 01 00 02 02 28                              ......(
| 2140:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:465:
|
|
| ------------------------------------------------------------------------
|
| # $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
| #
| # See slapd.conf(5) for details on configuration options.
| # This file should NOT be world readable.
| #
| # Modified by Christian Zoffoli
| # Version 0.2
| #
| # Modified by Volkov Serge
| # Version 0.3
| # Last modification at 26 Jun 2002
| #
|
| # Default schemas
| include /etc/openldap/schema/core.schema
| include /etc/openldap/schema/cosine.schema
| include /etc/openldap/schema/inetorgperson.schema
| include /etc/openldap/schema/misc.schema
| include /etc/openldap/schema/nis.schema
| include /etc/openldap/schema/openldap.schema
| #include /etc/openldap/schema/krb5-kdc.schema
| #include /etc/openldap/schema/kerberosobject.schema
| #include /etc/openldap/schema/corba.schema
| #include /etc/openldap/schema/java.schema
|
| # Addon schemas
| #include /etc/openldap/schema/rfc822-MailMember.schema
| #include /etc/openldap/schema/pilot.schema
| #include /etc/openldap/schema/autofs.schema
| #include /etc/openldap/schema/samba.schema
| #include /etc/openldap/schema/qmail.schema
| #include /etc/openldap/schema/qmailControl.schema
| #include /etc/openldap/schema/cron.schema
| #include /etc/openldap/schema/dns.schema
| #include /etc/openldap/schema/trust.schema
| #include /etc/openldap/schema/turbo.schema
|
| # Netscape Roaming
| #include /etc/openldap/schema/mull.schema
| #include /etc/openldap/schema/netscape-profile.schema
|
| # Local schema that you will construct
| #include /etc/openldap/schema/local.schema
|
| # Load dynamic backend modules:
| #modulepath /usr/lib/openldap
| #moduleload back_bdb.la
| # moduleload back_ldap.la
| #moduleload back_ldbm.la
| # moduleload back_passwd.la
| # moduleload back_shell.la
|
| # Do not enable referrals until AFTER you have a working directory
| # service AND an understanding of referrals.
| #referral ldap://root.openldap.org
|
| pidfile /var/run/slapd.pid
| argsfile /var/run/slapd.args
|
| # To allow TLS-enabled connections, create /usr/share/ssl/certs/slapd.pem
| # and uncomment the following lines.
| TLSCipherSuite HIGH:MEDIUM:LOW:+SSLv2
| TLSCertificateFile /etc/openldap/ldap.pem
| TLSCertificateKeyFile /etc/openldap/ldap.pem

The problem seems to be right here. There must be no leading spaces.
Here is an excerpt from /etc/init.d/ldap:

if grep -qs ^TLS "$CONFIG"; then
    daemon ${SLAPD} -u ldap -h '"ldap:/// ldaps:///"' $OPTIONS $SLAPD_OPTIONS
    RETVAL=$?
else
    daemon ${SLAPD} -u ldap -h 'ldap://127.0.0.1/' $OPTIONS $SLAPD_OPTIONS
    RETVAL=$?
fi

| # TLSCACertificateFile /etc/openldap/ldap.pem
|
|
| # Define global ACLs to disable default read access.
| #include /etc/openldap/slapd.access.conf
|
| #
| # Sample Access Control
| # Allow read access of root DSE
| # Allow self write access
| # Allow authenticated users read access
| # Allow anonymous users to authenticate
| #
| #access to dn="" by * read
| #access to *
| #   by self write
| #   by users read
| #   by anonymous auth
| #
| # if no access controls are present, the default is:
| # Allow read by all
| #
| # rootdn can always write!
|
| # Example under development; do not use it unless you know what you are doing!!!
| # Basic ACL
| # access to attr=userPassword
| #   by self write
| #   by anonymous auth
| #   by dn="uid=root,ou=People,dc=example,dc=com" write
| #   by * none
| #
| # access to *
| #   by dn="uid=root,ou=People,dc=example,dc=com" write
| #   by * read
|
|
|
| #######################################################################
| # ldbm database definitions
| #######################################################################
|
| database ldbm
| suffix "dc=intranet"
| rootdn "cn=ldapadmin,dc=intranet"
|
| # Cleartext passwords, especially for the rootdn, should
| # be avoided. See slappasswd(8) and slapd.conf(5) for details.
| # Use of strong authentication encouraged.
| rootpw secret
| #rootpw {crypt}ijFYNcSNctBYg
|
| # The database directory MUST exist prior to running slapd AND
| # should only be accessible by the slapd/tools. Mode 700 recommended.
| directory /var/lib/ldap/bases/intranet
|
| # LogLevel information
| # if you want to enable debugging mode
| # choose one of the following
| # and check that /etc/syslog.conf contains the line
| # "LOCAL4.* /var/log/ldap/log"
| # ---------------------------------------------------
| # |   -1 | enable all debugging
| # |    0 | no debugging
| # |    1 | trace function calls
| # |    2 | debug packet handling
| # |    4 | heavy trace debugging
| # |    8 | connection management
| # |   16 | print out packets sent and received
| # |   32 | search filter processing
| # |   64 | configuration file processing
| # |  128 | access control list processing
| # |  256 | stats log connections/operations/results
| # |  512 | stats log entries sent
| # | 1024 | print communication with shell backends
| # | 2048 | print entry parsing debugging
| # ---------------------------------------------------
| loglevel -1
|
| # Indices to maintain
| #index objectClass eq
| index objectClass,uid,uidNumber,gidNumber eq
| index cn,mail,surname,givenname eq,subinitial
|
|
| # Sample security restrictions
| #
| # Disallow clear text exchange of passwords
| # disallow bind_simple_unprotected
| #
| # Require integrity protection (prevent hijacking)
| # Require 112-bit (3DES or better) encryption for updates
| # Require 63-bit encryption for simple bind
| # security ssf=1 update_ssf=112 simple_bind=64
|
| # Sample access control policy:
| # Root DSE: allow anyone to read it
| # Subschema (sub)entry DSE: allow anyone to read it
| # Other DSEs:
| #   Allow self write access
| #   Allow authenticated users read access
| #   Allow anonymous users to authenticate
| # Directives needed to implement policy:
| # access to dn.base="" by * read
| # access to dn.base="cn=Subschema" by * read
| # access to *
| #   by self write
| #   by users read
| #   by anonymous auth
| #
| # if no access controls are present, the default policy is:
| # Allow read by all
| #
| # rootdn can always write!
|

-- 
With best regards
System administrator Igor Muratov
mailto:migor at altlinux.ru
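The init-script test Igor quotes is the crux of his diagnosis: `grep -qs ^TLS "$CONFIG"` only matches a TLS directive that starts in column 0, so an indented `TLSCertificateFile` line leaves slapd started on `ldap://127.0.0.1/` alone. The script below is an added example, not part of the original thread or of the ALT Linux init script; it re-implements that check next to a hardened variant and runs both over constructed slapd.conf fragments (the file names, function names and the hardened pattern are assumptions for illustration). For reference when reading the s_client trace above: the 7 bytes the client reads back, `15 03 01 00 02 02 28`, are a TLS 1.0 alert record with level 2 (fatal) and description 40 (handshake_failure), so whatever answered on port 636 spoke TLS and then refused the handshake.

```shell
#!/bin/sh
# Added example, not part of the original thread. It re-implements the
# `grep -qs ^TLS "$CONFIG"` test quoted from /etc/init.d/ldap above, so the
# effect of indenting the TLS directives can be checked without a real slapd.
# Everything below (function names, the sample config files, the hardened
# pattern) is an assumption for illustration.

# Same logic as the quoted init script: prints the URL list it would pass
# to slapd with -h.  An indented "  TLSCertificateFile ..." line is not
# matched by ^TLS, so slapd is started on ldap://127.0.0.1/ only.
listen_urls_original() {
    if grep -qs ^TLS "$1"; then
        echo "ldap:/// ldaps:///"
    else
        echo "ldap://127.0.0.1/"
    fi
}

# Hardened variant (assumption): allow leading whitespace, ignore commented
# lines, and require one of the two directives that actually enable TLS.
listen_urls_hardened() {
    if grep -qsE '^[[:space:]]*TLSCertificate(Key)?File[[:space:]]' "$1"; then
        echo "ldap:/// ldaps:///"
    else
        echo "ldap://127.0.0.1/"
    fi
}

# Constructed slapd.conf fragments (not the poster's files); prints the
# directory holding them.
make_samples() {
    dir=$(mktemp -d)
    # directives indented, which is what Igor's reply says the quoted config had
    printf '  TLSCipherSuite HIGH:MEDIUM\n  TLSCertificateFile /etc/openldap/ldap.pem\n  TLSCertificateKeyFile /etc/openldap/ldap.pem\n' > "$dir/indented.conf"
    # same directives at column 0
    printf 'TLSCipherSuite HIGH:MEDIUM\nTLSCertificateFile /etc/openldap/ldap.pem\nTLSCertificateKeyFile /etc/openldap/ldap.pem\n' > "$dir/flush.conf"
    # directives commented out: neither check should enable ldaps
    printf '#TLSCertificateFile /etc/openldap/ldap.pem\n  # TLSCertificateKeyFile /etc/openldap/ldap.pem\n' > "$dir/commented.conf"
    echo "$dir"
}

# Stand-alone run: show what each check decides for each sample file.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_samples)
    for f in indented flush commented; do
        printf '%-10s original: %-20s hardened: %s\n' "$f" \
            "$(listen_urls_original "$d/$f.conf")" \
            "$(listen_urls_hardened "$d/$f.conf")"
    done
    rm -rf "$d"
fi
```

Run it with `--demo` to see the three verdicts side by side. The hardened pattern deliberately keys on `TLSCertificateFile`/`TLSCertificateKeyFile` rather than any `TLS*` line: a config with only `TLSCipherSuite` has nothing to present on port 636, so starting `ldaps:///` for it would give exactly the kind of handshake failure seen in the trace.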