Bug 112262 - LDAP start_tls fails: Connect error (91)
LDAP start_tls fails: Connect error (91)
Status: CLOSED INSUFFICIENT_DATA
Product: Fedora
Classification: Fedora
Component: openldap (Show other bugs)
1
All Linux
medium Severity medium
: ---
: ---
Assigned To: Jay Fenlason
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2003-12-16 14:40 EST by Mike Elkevizth
Modified: 2014-08-31 19:25 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-10-28 13:20:03 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Mike Elkevizth 2003-12-16 14:40:56 EST
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET 
CLR 1.1.4322)

Description of problem:
When trying to setup an OpenLDAP server to use TLS it can not use the 
pre-generated slapd.pem certificate. It will always fail with a 
Connect error (91)
aditional info: error:14090086:SSL 
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.
From the information I found this is due to a few reasons, first is 
that the common name in the certificate doesn't match the host name.
But that is only the start, also with the 2.1 version of OpenLDAP the 
certificate must be signed by a CA, slef created or commercial. Also 
new to the 2.1 code is the addition of the TLS_CACERT line required 
in the /etc/openldap/ldap.conf file. After following the steps found 
at http://www.openldap.org/faq/data/cache/185.html the server now 
works with TLS like it should. I believe this is something that could 
easily be fixed for the next release and could save a lot of 
headaches. (Or all the TLS configuration stuff could be left out so 
as not to be confusing!)

Version-Release number of selected component (if applicable):
2.1.22

How reproducible:
Always

Steps to Reproduce:
1. Setup an OpenLDAP server
2. ldapsearch ... -ZZ
3. fail

Additional info:
Comment 1 Stephen Walton 2003-12-31 13:13:34 EST
This can be fixed by adding the line

TSL_REQCERT allow

to /etc/openldap/slapd.conf

I just did a fresh re-install of openldap-servers and was able to use
the pre-generated slapd.pem without trouble.
Comment 2 Mike Elkevizth 2004-01-05 12:12:00 EST
added line TLS_REQCERT allow to slapd.conf file on a new install of 
entire OS and used defaults for other TLS settings in the file (pre-
generated slapd.pem) and still get a ldap_start_tls: Connect error 
(91) ....certificate verify failed

I still believe the main reason is that the pregenerated cert is not 
signed by a CA.
Comment 3 Thornton Prime 2004-05-06 19:42:11 EDT
I'm unable to connect to any LDAP server using TLS ... even ones that
I can verify are good (by using the same query on a RH8 box).

For example, the following command succeeds on a RH8 box, but the same
command fails on a fresh-installed Fedora Core1 box:

 ldapsearch -x -ZZ -h ldap.yoyoweb.com -p 1389 -b \'dc=yoyoweb,dc=com'
'(uid=tprime)'

The error is:

ldap_start_tls: Protocol error (2)
        additional info: unsupported extended operation
Comment 4 Thornton Prime 2004-05-06 19:50:23 EDT
... more information ... part of the problem seems to be the port number?

I set up a server on port 389, and again the query works flawlessly on
RH8, but now on Fedora 1 I get:

ldap_start_tls: Connect error (91)
        additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Comment 5 Elson, Del 2004-05-30 06:08:10 EDT
Same problem for me on Fedora Core 2.  I have disabled TLS for the
time being but a side effect of this is that authentication to gdm no
longer works (see bug 97676 -- GDM LDAP User Authentication Fails).

The work around for that is to switch to KDM by entering:

DISPLAYMANAGER="KDE"

in /etc/sysconfig/desktop

I still believe that it's a bug for gdm to require TLS or SSL on LDAP
connections when "ssl no" is set in /etc/ldap.conf
Comment 6 ShaColby Jackson 2004-08-19 02:14:25 EDT
You actually want to add 
TSL_REQCERT allow
to /etc/openldap/ldap.conf (not slapd.conf)
Comment 7 Matthew Miller 2006-07-11 13:25:24 EDT
Fedora Core 1 is maintained by the Fedora Legacy project for security updates
only. If this problem is a security issue, please reopen and reassign to the
Fedora Legacy product. If it is not a security issue and hasn't been resolved in
the current FC5 updates or in the FC6 test release, reopen and change the
version to match.

Thanks!

NOTE: Fedora Core 1 is reaching the final end of support even by the Legacy
project. After Fedora Core 6 Test 2 is released (currently scheduled for July
26th), there will be no more security updates for FC1. Please use these next two
weeks to upgrade any remaining FC1 systems to a current release.

Comment 8 John Thacker 2006-10-28 13:20:03 EDT
Note that FC1 and FC2 are no longer supported even by Fedora Legacy.  Many
changes have occurred since these older releases.  Please install a supported
version of Fedora Core and retest.  If this still occurs on FC3 or FC4, please
assign to that version and Fedora Legacy.  If it still occurs on FC5 or FC6,
please reopen and assign to the correct version.  Thanks!

Note You need to log in before you can comment on or make changes to this bug.