Menu
▾
▴
[Jxplorer-users] ldaps:// connection issue
|
From: Michael H. <mi...@de...> - 2010-06-01 08:50:10
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi folks!
I have the following problem. I am using openldap-2.4.11 with TLS
enabled. I've a CaCert certificate and enabled it in the slapd.conf with
TLSCipherSuite TLS_RSA_AES_256_CBC_SHA1
TLSCertificateFile /etc/ssl/${FQDN}.crt
TLSCACertificatePath /etc/ssl/
TLSCertificateKeyFile /etc/ssl/private/${FQDN}.key
TLSVerifyClient never
and I am serving "ldaps://${FQDN}:636/".
Now I am able to connect and retrieve the ssl cert (where class3.crt is
the root cert from CaCert)
openssl s_client -connect ${FQDN} -showcerts -state -CAfile class3.crt
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=2 /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing
Authority/emailAddress=su...@ca...
[...]
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID:
3AC41F487E5862C0010613C09A44ABE42C7F7BFE344CF35A4DA474B333490580
Session-ID-ctx:
Master-Key:
12A49AE0D9004A8B4FD6D4F247D6B7F6F8EFFBF71F592A99280738ECDA4816E0ACA220A03650DDB9C671BB353D578780
Key-Arg : None
Krb5 Principal: None
Start Time: 1275381418
Timeout : 300 (sec)
Verify return code: 0 (ok)
- ---
Looks very good to me. Next step is to use ldapsearch to connect to my
ldap server over ldaps://
ldapsearch -H ldaps://${FQDN}:636 -x -b "dc=${domain},dc=${end}" -D
"uid=${user},ou=people,dc=${domain},dc=${end}" -W
and retrieve the responce I am awaiting.
Now the problem in JXplorer. I am adding the Cacert root cert and even
the server crt itself to the cacerts keystore with your nice key
management gui. If I am now trying to connect to the server with the
following data:
Host: ${FQDN}
Port: 636
Protocol: LDAPv3
Base DN: dc=${domain},dc=${end}
Level: SSL + User + Password
User DN: uid=${user},ou=people,dc=derhammer,dc=net
Password: <SECRET_ONE>
I get the following error in the pop up:
Error opening connection:
simple bind failed: ${FQDN}:636
and this exception:
javax.naming.CommunicationException: simple bind failed: ${FQDN}:636
[Root exception is javax.net.ssl.SSLHandshakeException: Remote host
closed connection during handshake]
Ok - the SSL handshake does not work - but why? My guess is that there
is some difference between the ldaps:// (I open the connection per SSL)
and the ldap:// with StartTLS (I open an uncrypt connection and request
TLS). I am not an expert in all this SSL/TLS crap but I am running out
of ideas what I can change in my setup. I also think that most people
would configure their openldap server this way and therefor must have
the same problems - assumed that I don't make a conceptional misstake.
I'd really appreciate your help because I'd "love" to use the jxplorer
to browse and edit my ldap directory. (BTW: without SSL everything works
pretty well - but I can't do a simple bind without SSL for security
reasons!)
Greets, Michael
- --
- ----------------------------------------------------------------------
Michael Hammer
GPG-Key-ID: 0x1BA5F0DE
phone: +43 (0) 650 86 33 55 8
Graz - AUSTRIA
http://www.michael-hammer.at/
- ----------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAkwEyaoACgkQPsRu3xul8N45OwCeItY4hGFT+/NtktNpXJu/iqL8
S0AAn2NLDnJCpOfQJjRYcxlyLRAnkXxf
=LKnM
-----END PGP SIGNATURE-----
|