Description of problem:
On Fedora 8, GQ (Gq client) is unable to connect to the ldap server (OpenLDAP or Red Hat Directory Server) on port 636, but is able to connect to OpenLDAP or Red Hat Directory Server on port 389.

On GQ, File-Preferences->Servers->New->
Name: MYLDAPSERVER
LDAP Host/URI: 10.65.6.194
LDAP Port: 636
Base DN: dc=example,dc=com
Bind DN is empty, as I am doing an anonymous search. On the ldap server I have enabled anonymous binds.

I have the following boxes checked:
Ask password on First connect
Hide Internal attributes
Cache Connection

Click on Ok. In the search browser, I enter "uid=user1", as user1 is the user created in the ldap server.
I get the error "oops! Server 'MYLDAPSERVER' not found".

On the OpenLDAP server side, I get the following error:
<snip>
Feb 5 12:01:49 dhcp6-194 slapd[2006]: conn=15 fd=17 ACCEPT from IP=10.65.1.58:46439 (IP=0.0.0.0:636)
Feb 5 12:01:49 dhcp6-194 slapd[2006]: conn=15 fd=17 closed (TLS negotiation failure)
</snip>

Version-Release number of selected component (if applicable):
gq-1.2.2-7.fc8

How reproducible:

Steps to Reproduce:
1. Create a new server entry in File-preferences-servers and specify port 636
2. Search for an entry in the ldap server
3. You get an error "oops! Server 'MYLDAPSERVER' not found"

Actual results:
"oops! Server 'MYLDAPSERVER' not found"

Expected results:
Should actually give me the results for the user.
Additional info:
Below is my slapd.conf
<snip>
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw {SSHA}eWI+VtfkjFwC+qtDnoCorH7DTjioMuBp
password-hash {SSHA}
directory /var/lib/ldap-example
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
access to attrs=userPassword
  by self write
  by anonymous auth
access to *
  by * read
</snip>
My OpenLDAP version is openldap-2.3.27-8.el5_1.1
Could you please test the fresh gq from bz #228632?
Hi,
In my previous post, I wrote that when you connect through gq to the openldap server on port 636 you receive the error "oops! Server 'MYLDAPSERVER' not found". Sorry, I guess the above means that the entry "MYLDAPSERVER" is not available. The actual message is "Couldn't bind LDAP connection to 'MYLDAPSERVER': can't contact LDAP server".
Hi,
OK, with gq-1.3.3-2.fc8 I don't get the message "MYLDAPSERVER" is not available, but it doesn't solve my primary issue, i.e. connecting to the ldap server on port 636.

In the new version, I have created a new server entry in File-Preferences->server->New
Name: MYLDAPSERVER
LDAP Host/URI: 10.65.6.194
LDAP Port: 636
Base DN: dc=example,dc=com
under Connections:
Bind DN: cn=Manager,dc=example,dc=com
The below options are checked:
Ask for password for first connection
cache connections

In the main window, I do a search under "attribute begins with" uid=user1. It prompts me for the password of "cn=Manager,dc=example,dc=com", and then it continuously asks for the password, even though I click on "Remember password".

And in the OpenLDAP server logs, I get
<snip>
Feb 5 13:33:13 dhcp6-194 slapd[2006]: conn=36 fd=17 ACCEPT from IP=10.65.1.58:40416 (IP=0.0.0.0:636)
Feb 5 13:33:13 dhcp6-194 slapd[2006]: conn=36 fd=17 closed (TLS negotiation failure)
Feb 5 13:34:52 dhcp6-194 slapd[2006]: conn=37 fd=17 ACCEPT from IP=10.65.1.58:40417 (IP=0.0.0.0:636)
Feb 5 13:34:52 dhcp6-194 slapd[2006]: conn=37 fd=17 closed (TLS negotiation failure)
</snip>
OK, but STARTTLS works, i.e. TLS encryption on port 389 works, but on port 636 it fails.
OK, to check if my ldap server indeed returns results on port 636, below is the test:

# nmap 10.65.6.194

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-02-05 14:01 IST
Interesting ports on foobar.com (10.65.6.194):
Not shown: 1674 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
111/tcp open  rpcbind
389/tcp open  ldap
515/tcp open  printer
636/tcp open  ldapssl
896/tcp open  unknown

ldapsearch -x -b "dc=example,dc=com" uid=user1 -H ldaps://10.65.6.194

# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: uid=user1
# requesting: ALL
#

# user1, People, example.com
dn: uid=user1,ou=People,dc=example,dc=com
shadowLastChange: 13838
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
givenName: user1
sn: user1
loginShell: /bin/bash
uidNumber: 10001
gidNumber: 10001
uid: user1
gecos: user1
cn: ldap user 1
homeDirectory: /home/user1

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
> ldapsearch -x -b "dc=example,dc=com" uid=user1 -H ldaps://10.65.6.194

What happens if you add -ZZ to that line?

OK, maybe I have a workaround. Try this with gq-1.3.3-2.fc8:
In the Servers dialog click Edit and set LDAP HOST/URI to: ldaps://10.65.6.194
Port to 636 (may not be possible, which is ok).
And disable TLS in the Details tab (TLS really means starttls in this context).
Hi,

> > ldapsearch -x -b "dc=example,dc=com" uid=user1 -H ldaps://10.65.6.194
> What happens if you add -ZZ to that line?

[root@dhcp6-194 ~]# ldapsearch -x -ZZ -b "dc=example,dc=com" uid=user1 -H ldaps://10.65.6.194
ldap_start_tls: Operations error (1)
        additional info: TLS already started

I guess when you use -ZZ then it is a TLS operation, and TLS operations are performed on port 389 and not on 636. But earlier TLS was working, after installing GQ from #228632.

The steps you asked me to perform:
> Try this with gq-1.3.3-2.fc8:
> In the Servers dialog click Edit and set LDAP HOST/URI to: ldaps://10.65.6.194
> Port to 636 (may not be possible, which is ok).
> And disable TLS in the Details tab (TLS really means starttls in this context).

Yes, with the above gq-1.3.3-2.fc8, Gq performs the query on port 636 successfully. It works with gq-1.3.3-2.fc8. Thanks a lot.
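An added example, not code from this bug report or from the gq project, that encodes the distinction the thread arrives at: ldaps:// on port 636 does the TLS handshake before any LDAP traffic, while gq's "TLS" checkbox and ldapsearch -ZZ mean StartTLS on a plain listener, so combining them produces "TLS already started" or the server-side "TLS negotiation failure". It assumes, as in this report, that the port 636 listener is an ldaps listener; the slapd log lines it triages are constructed in the shape of the ones quoted above.

```python
import re
from urllib.parse import urlparse

# Constructed slapd log lines shaped like those quoted in this report (one ldaps failure, one good StartTLS).
SAMPLE_LOG = """\
Feb  5 13:33:13 dhcp6-194 slapd[2006]: conn=36 fd=17 ACCEPT from IP=10.65.1.58:40416 (IP=0.0.0.0:636)
Feb  5 13:33:13 dhcp6-194 slapd[2006]: conn=36 fd=17 closed (TLS negotiation failure)
Feb  5 13:40:00 dhcp6-194 slapd[2006]: conn=40 fd=18 ACCEPT from IP=10.65.1.58:40500 (IP=0.0.0.0:389)
Feb  5 13:40:00 dhcp6-194 slapd[2006]: conn=40 fd=18 STARTTLS
Feb  5 13:40:01 dhcp6-194 slapd[2006]: conn=40 fd=18 closed
"""

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+ \(IP=[\d.]+:(\d+)\)")
CLOSE_RE = re.compile(r"conn=(\d+) fd=\d+ closed \((.*)\)")

def tls_failures(log_text):
    """Join each ACCEPT with its close line by conn id; return
    (client_ip, listener_port, reason) for connections that died during TLS."""
    accepts, failures = {}, []
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            accepts[m.group(1)] = (m.group(2), int(m.group(3)))
            continue
        m = CLOSE_RE.search(line)
        if m and "TLS" in m.group(2) and m.group(1) in accepts:
            client, port = accepts[m.group(1)]
            failures.append((client, port, m.group(2)))
    return failures

def tls_mode(uri, port=None, starttls=False):
    """'ldaps' (TLS handshake before any LDAP PDU, port 636), 'starttls' (plain port,
    then the StartTLS extended op) or 'plain'; assumes 636 is an ldaps listener."""
    u = urlparse(uri if "://" in uri else "ldap://" + uri)
    port = port or u.port or (636 if u.scheme == "ldaps" else 389)
    if u.scheme == "ldaps" and starttls:
        raise ValueError("TLS already started: -ZZ / the TLS checkbox add StartTLS on top of ldaps://")
    if u.scheme == "ldap" and port == 636:
        raise ValueError("port 636 expects a TLS handshake first; use ldaps:// rather than StartTLS")
    if u.scheme == "ldaps":
        return "ldaps"
    return "starttls" if starttls else "plain"

def rejects(uri, port=None, starttls=False):
    try:
        tls_mode(uri, port, starttls)
    except ValueError:
        return True
    return False
```

rejects() is a small lint helper: it returns True for the two client settings this thread shows failing (StartTLS layered on ldaps://, and a plain ldap:// connection aimed at the 636 listener).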