Bug 112262
Field | Value
---|---
Summary | LDAP start_tls fails: Connect error (91)
Product | Fedora
Component | openldap
Status | CLOSED INSUFFICIENT_DATA
Severity | medium
Priority | medium
Version | 1
Hardware | All
OS | Linux
Reporter | Mike Elkevizth <mike>
Assignee | Jay Fenlason <fenlason>
CC | del, jfeeney, mattdm
Doc Type | Bug Fix
Last Closed | 2006-10-28 17:20:03 UTC
Description (Mike Elkevizth, 2003-12-16 19:40:56 UTC)
This can be fixed by adding the line TLS_REQCERT allow to /etc/openldap/slapd.conf.

I just did a fresh re-install of openldap-servers and was able to use the pre-generated slapd.pem without trouble.

Added the line TLS_REQCERT allow to the slapd.conf file on a new install of the entire OS and used defaults for the other TLS settings in the file (pre-generated slapd.pem), and still get an ldap_start_tls: Connect error (91) ... certificate verify failed. I still believe the main reason is that the pre-generated cert is not signed by a CA.

I'm unable to connect to any LDAP server using TLS ... even ones that I can verify are good (by using the same query on a RH8 box). For example, the following command succeeds on a RH8 box, but the same command fails on a fresh-installed Fedora Core 1 box:

    ldapsearch -x -ZZ -h ldap.yoyoweb.com -p 1389 -b 'dc=yoyoweb,dc=com' '(uid=tprime)'

The error is:

    ldap_start_tls: Protocol error (2)
    additional info: unsupported extended operation

... more information ... part of the problem seems to be the port number? I set up a server on port 389, and again the query works flawlessly on RH8, but now on Fedora 1 I get:

    ldap_start_tls: Connect error (91)
    additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Same problem for me on Fedora Core 2. I have disabled TLS for the time being, but a side effect of this is that authentication to gdm no longer works (see bug 97676, GDM LDAP User Authentication Fails). The workaround for that is to switch to KDM by entering DISPLAYMANAGER="KDE" in /etc/sysconfig/desktop. I still believe that it's a bug for gdm to require TLS or SSL on LDAP connections when "ssl no" is set in /etc/ldap.conf.

You actually want to add TLS_REQCERT allow to /etc/openldap/ldap.conf (not slapd.conf).

Fedora Core 1 is maintained by the Fedora Legacy project for security updates only. If this problem is a security issue, please reopen and reassign to the Fedora Legacy product. If it is not a security issue and hasn't been resolved in the current FC5 updates or in the FC6 test release, reopen and change the version to match. Thanks!

NOTE: Fedora Core 1 is reaching the final end of support even by the Legacy project. After Fedora Core 6 Test 2 is released (currently scheduled for July 26th), there will be no more security updates for FC1. Please use these next two weeks to upgrade any remaining FC1 systems to a current release.

Note that FC1 and FC2 are no longer supported even by Fedora Legacy. Many changes have occurred since these older releases. Please install a supported version of Fedora Core and retest. If this still occurs on FC3 or FC4, please assign to that version and Fedora Legacy. If it still occurs on FC5 or FC6, please reopen and assign to the correct version. Thanks!
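Added example, not from the bug report or from OpenLDAP: a small Python audit of the client-side /etc/openldap/ldap.conf directives the thread ends on. The workaround given above, TLS_REQCERT allow, makes the failing ldapsearch succeed by telling the client to accept any server certificate, so the check flags it; the second constructed config shows the TLS_CACERT plus TLS_REQCERT demand combination that lets the client verify a server cert signed by a CA it trusts instead. Both sample configs are constructed and the CA file path is a placeholder.

```python
"""Audit the TLS directives of an OpenLDAP client ldap.conf (added example)."""
from __future__ import annotations

# Constructed sample: the thread's workaround. ldapsearch -ZZ now succeeds,
# but only because the client stops rejecting the unsigned slapd.pem.
WORKAROUND_CONF = """\
# /etc/openldap/ldap.conf (constructed)
BASE  dc=yoyoweb,dc=com
URI   ldap://ldap.yoyoweb.com:1389
TLS_REQCERT allow
"""

# Constructed sample: the same client with a trust anchor and strict checking.
# The CA file path is a placeholder, not a real Fedora path.
HARDENED_CONF = """\
BASE  dc=yoyoweb,dc=com
URI   ldap://ldap.yoyoweb.com:1389
TLS_CACERT  /etc/openldap/cacerts/PLACEHOLDER-ca.pem
TLS_REQCERT demand
"""

def parse_ldap_conf(text: str) -> dict[str, str]:
    """ldap.conf: one directive per line, case-insensitive name, blank lines
    and lines starting with '#' ignored (no trailing comments)."""
    conf: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return conf

def server_cert_check(text: str) -> str:
    """Classify how the client handles the LDAP server's certificate."""
    conf = parse_ldap_conf(text)
    reqcert = conf.get("TLS_REQCERT", "demand").lower()  # demand is the default
    if reqcert in ("never", "allow"):
        # Any certificate, or none, is accepted: StartTLS still encrypts, but the
        # client can no longer tell the real server from an impostor.
        return "unverified"
    if reqcert == "try":
        return "verified-if-presented"  # bad cert rejected, missing cert accepted
    if "TLS_CACERT" not in conf and "TLS_CACERTDIR" not in conf:
        # Strict checking with no configured CA: a self-signed server cert
        # such as the pre-generated slapd.pem fails with error 91.
        return "verified-no-ca"
    return "verified"
```

Run server_cert_check over each host's ldap.conf; only "verified" means the client both requires a server certificate and has a CA it can check it against.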