
Re: slapd[5100]: connection_read(12): TLS accept error error=-1



Friday 27 May 2005, 08:25, Geert Stappers wrote:
> On Thu, May 26, 2005 at 11:45:48PM +0200, Finn-Arne Johansen wrote:
> > Geert Stappers wrote:
> > > Hello,
>
>  <snip/>
>
> > > In sys log file is this
>
>  from the server
>
> > > May 26 21:11:17 tw89 slapd[5100]: daemon: read activity on 12
> > > May 26 21:11:17 tw89 slapd[5100]: connection_get(12)
> > > May 26 21:11:17 tw89 slapd[5100]: connection_get(12): got connid=20
> > > May 26 21:11:17 tw89 slapd[5100]: connection_read(12): checking for input on id=20
> > > May 26 21:11:17 tw89 slapd[5100]: connection_read(12): TLS accept error error=-1 id=20, closing
> > > May 26 21:11:17 tw89 slapd[5100]: connection_closing: readying conn=20 sd=12 for close
> > > May 26 21:11:17 tw89 slapd[5100]: connection_close: conn=20 sd=12
> > > May 26 21:11:17 tw89 slapd[5100]: daemon: removing 12
> > >
> > > (More available on request)
> > >
> > >
> > > My questions are
> > >
> > >  Why do I get the TLS accept error ?
> > >
> > >  How to get more debug information when the loglevel is already 16383?
> > >
> > >  Where to search for more clues?
> >
> > Have you told the clients to ignore the SSL certificate ?
>
> Sorry, not that I know. I use "plain" ldapsearch from the ldap-utils
> package.
>
> The manual page tells about SASL voodoo, but nothing about SSL. What should
> I do at clients side to ignore or to honour the SSL certificate?
>
>
> While being clueless, the gut feeling is that the culprit is at
> serverside. Why should I search at client side?

Add to /etc/ldap/ldap.conf 

TLS_REQCERT allow

for each client you want to accept a self-signed certificate. If you want 
nothing to do with certificates at all, then use 

TLS_REQCERT never

man 5 ldap.conf gives you all the gory details.



-- 
Ragnar Wisløff
--------------
life is a reach. then you gybe.
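
An added example, not part of the original message: a shell helper that reports which TLS_REQCERT level an ldap.conf file ends up with and what the client then checks, following the level descriptions in ldap.conf(5). The file names and the certificate path are constructed placeholders, and "last occurrence wins" for a repeated option is an assumption.

```shell
#!/bin/sh
# Audit helper (added example): effective TLS_REQCERT level of an ldap.conf file.
# Assumption: if the option appears more than once, the last occurrence wins.
reqcert_level() {
    awk '
        /^[ \t]*#/ { next }                                  # comment line
        toupper($1) == "TLS_REQCERT" { level = tolower($2) } # names are case-insensitive
        END { print (level == "" ? "demand" : level) }       # unset means demand
    ' "$1"
}

# Map the level to what the client actually checks (per ldap.conf(5)).
reqcert_verdict() {
    case "$(reqcert_level "$1")" in
        never|allow)  echo "unverified" ;;  # a bad server certificate is accepted
        try)          echo "partial" ;;     # bad cert rejected, missing cert accepted
        demand|hard)  echo "verified" ;;    # valid server certificate required
        *)            echo "unknown" ;;
    esac
}

# Constructed sample files; the certificate path is a placeholder.
demo_dir=$(mktemp -d)
printf 'TLS_REQCERT allow\n' > "$demo_dir/relaxed.conf"
printf 'TLS_CACERT /etc/ldap/selfsigned-server.pem\nTLS_REQCERT demand\n' \
    > "$demo_dir/pinned.conf"

for f in "$demo_dir"/*.conf; do
    printf '%s: %s (%s)\n' "${f##*/}" "$(reqcert_level "$f")" "$(reqcert_verdict "$f")"
done
rm -rf "$demo_dir"
```

The second sample shows the stricter way to accept a self-signed server certificate: name it as the trusted CA with TLS_CACERT and keep TLS_REQCERT at demand.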


