Re: slapd[5100]: connection_read(12): TLS accept error error=-1
Geert Stappers wrote:
> Hello,
>
> On a computer, hostname tw89, with LDAP configured with debian-edu
> packages, do I get this at client side:
>
> | tw89:/etc/ldap
> | # ldapsearch -W -H ldaps://tw89 -D
> | # cn=admin,ou=people,dc=gst,dc=stappers,dc=nl -b
> | # dc=gst,dc=stappers,dc=nl '(objectClass=simpleSecurityObject)' cn
> | # description userPassword
> | Enter LDAP Password:
> | ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
> | additional info: error:14090086:SSL
> | routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> | tw89:/etc/ldap
> | #
>
> The certificate is generated with mkslapdcert, from the debian-edu-config
> package. The config file is
>
> | tw89:/etc/ldap
> | # cat ssl/slapd-cert.cnf
> | RANDOM=/dev/random
> |
> | [ req ]
> | default_bits = 1024
> | encrypt_key = yes
> | distinguished_name = req_dn
> | x509_extensions = cert_type
> | prompt = no
> |
> | [ req_dn ]
> | C=NO
> | ST=NA
> | L=gst
> | O=Ldap server
> | OU=Automatically-generated Ldap SSL key
> | CN=tw89
> | emailAddress=postmaster@tw89.gst.stappers.nl
> |
> |
> | [ cert_type ]
> | nsCertType = server
> | tw89:/etc/ldap
> | #
>
> ( that is the skolelinux /etc/ldap/ssl/slapd-cert.cnf
> with modified 'CN' and 'emailAddress' )
>
> In sys log file is this
>
> May 26 21:11:17 tw89 slapd[5100]: daemon: read activity on 12
> May 26 21:11:17 tw89 slapd[5100]: connection_get(12)
> May 26 21:11:17 tw89 slapd[5100]: connection_get(12): got connid=20
> May 26 21:11:17 tw89 slapd[5100]: connection_read(12): checking for input on id=20
> May 26 21:11:17 tw89 slapd[5100]: connection_read(12): TLS accept error error=-1 id=20, closing
> May 26 21:11:17 tw89 slapd[5100]: connection_closing: readying conn=20 sd=12 for close
> May 26 21:11:17 tw89 slapd[5100]: connection_close: conn=20 sd=12
> May 26 21:11:17 tw89 slapd[5100]: daemon: removing 12
>
> (More available on request)
>
>
> My questions are
>
> Why do I get the TLS accept error?
>
> How to get more debug information when the loglevel is already 16383?
>
> Where to search for more clues?
Have you told the clients to ignore the SSL certificate?
--
Finn-Arne Johansen
faj@bzz.no http://bzz.no/
Supplier of support for, operation and further development of Skolelinux solutions
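An added diagnostic for this kind of failure (example code, not from the thread or from the debian-edu packages): it separates "the client does not trust this self-signed certificate" from "the name does not match", using a sample certificate dict built from the slapd-cert.cnf quoted above. Port 636 and the TLS_CACERT name in ldap.conf are assumptions; `probe` needs a live server and is not exercised by the sample.

```python
import socket
import ssl

LDAPS_PORT = 636  # assumption: the default ldaps:// port, which ldaps://tw89 implies


def name_to_dict(rdns):
    """Flatten the nested RDN tuples that getpeercert() returns into one dict."""
    return {k: v for rdn in rdns for k, v in rdn}


def explain(cert, hostname):
    """Findings for a certificate in getpeercert() dict form, checked against hostname."""
    findings = []
    subject = name_to_dict(cert.get("subject", ()))
    issuer = name_to_dict(cert.get("issuer", ()))
    if subject == issuer:
        # A mkslapdcert-style certificate is self-signed: no other CA vouches for it,
        # so the client must be given this exact certificate as its CA
        # (TLS_CACERT in ldap.conf) instead of being told to skip verification.
        findings.append("self-signed: point the client's TLS_CACERT at this server certificate")
    dns_sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not dns_sans:
        findings.append("no subjectAltName: name matched on CN only, which some clients no longer accept")
    names = dns_sans or [subject.get("commonName", "")]
    if hostname not in names:
        findings.append(f"name mismatch: client asked for {hostname!r} but certificate names {names}")
    return findings


def probe(hostname, cafile, port=LDAPS_PORT):
    """Verify the live server against cafile; return (ok, cert dict or failure details)."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((hostname, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return True, tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Verification failed before the cert could be read; fetch the PEM so it can be
        # inspected and, if it is the expected server, saved as the TLS_CACERT file.
        return False, (exc.verify_message, ssl.get_server_certificate((hostname, port)))


# Constructed sample in getpeercert() format, mirroring the slapd-cert.cnf quoted above
# (issuer equals subject because the certificate is self-signed; no subjectAltName).
TW89_SUBJECT = (
    (("countryName", "NO"),), (("stateOrProvinceName", "NA"),), (("localityName", "gst"),),
    (("organizationName", "Ldap server"),),
    (("organizationalUnitName", "Automatically-generated Ldap SSL key"),),
    (("commonName", "tw89"),), (("emailAddress", "postmaster@tw89.gst.stappers.nl"),),
)
TW89_CERT = {"subject": TW89_SUBJECT, "issuer": TW89_SUBJECT}
```

Running `explain(TW89_CERT, "tw89")` reports only the self-signed and missing-SAN findings, which is the case the ldapsearch output above matches: the name is right, the trust anchor is what is missing.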