Bug 431514 - Gq client unable to connect to Openldap server (Openldap or Red Hat Directory Server) using 636 port
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: gq
Version: 8
Hardware: x86_64 Linux
Priority: low
Severity: low
Assigned To: Terje Røsten
QA Contact: Fedora Extras Quality Assurance
Keywords: EasyFix
Reported: 2008-02-05 02:05 EST by Niranjan Mallapadi Raghavender
Modified: 2008-02-11 04:49 EST

Last Closed: 2008-02-11 04:49:41 EST
Description Niranjan Mallapadi Raghavender 2008-02-05 02:05:20 EST
Description of problem:
On Fedora 8, GQ (the Gq LDAP client) is unable to connect to an LDAP server (OpenLDAP or Red Hat
Directory Server) on port 636, but it is able to connect to OpenLDAP or Red Hat
Directory Server on port 389.

On GQ, File-Preferences->Servers->New->
Name:MYLDAPSERVER
LDAP Host/URI: 10.65.6.194
LDAP Port: 636
Base DN: dc=example,dc=com

Bind DN is empty, as I am doing an anonymous search. On the LDAP server I have
enabled anonymous binds.

I have the following boxes checked:
Ask password on First connect 
Hide Internal attributes
Cache Connection

Click on Ok

In the search browser, I enter "uid=user1", as user1 is the user created in the LDAP
server.

I get the error "oops! Server 'MYLDAPSERVER' not found".

On the OpenLDAP server side, I get the following error:
<snip>
Feb  5 12:01:49 dhcp6-194 slapd[2006]: conn=15 fd=17 ACCEPT from
IP=10.65.1.58:46439 (IP=0.0.0.0:636) 
Feb  5 12:01:49 dhcp6-194 slapd[2006]: conn=15 fd=17 closed (TLS negotiation
failure) 
</snip>

Version-Release number of selected component (if applicable):
gq-1.2.2-7.fc8

How reproducible:

Steps to Reproduce:
1. Create a new server entry under File->Preferences->Servers and specify port 636
2. Search for an entry in the LDAP server
3. You get the error "oops! Server 'MYLDAPSERVER' not found"

Actual results:

"oops! Server 'MYLDAPSERVER' not found"

Expected results:

It should actually give me the results for the user.

Additional info:

Below is my slapd.conf 
<snip>
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema

allow bind_v2


pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args


TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"

rootpw  {SSHA}eWI+VtfkjFwC+qtDnoCorH7DTjioMuBp
password-hash   {SSHA}
directory       /var/lib/ldap-example
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
access to attrs=userPassword
     by self write
     by anonymous auth

access to *
     by * read
</snip>

My OpenLDAP version is openldap-2.3.27-8.el5_1.1
Comment 1 Terje Røsten 2008-02-05 02:57:38 EST
Could you please test the fresh gq from bz #228632?
Comment 2 Niranjan Mallapadi Raghavender 2008-02-05 02:58:25 EST
Hi. In my previous post, I mentioned that when you connect through gq to the
openldap server on port 636 you receive the error "oops! Server 'MYLDAPSERVER' not
found".

Sorry, I guess the above means that the entry "MYLDAPSERVER" is not available.

The actual message is "Couldn't bind LDAP connection to 'MYLDAPSERVER': can't
contact LDAP server".
Comment 3 Niranjan Mallapadi Raghavender 2008-02-05 03:26:39 EST
Hi,

OK, with gq-1.3.3-2.fc8 I don't get the message "MYLDAPSERVER" is not available,
but it doesn't solve my primary issue, i.e. connecting to the LDAP server on port 636.

In the new version, I have created a new server entry in
File-Preferences->server->New
Name:MYLDAPSERVER
LDAP Host/URI: 10.65.6.194
LDAP Port: 636
Base DN: dc=example,dc=com

under Connections: 
Bind DN: cn=Manager,dc=example,dc=com

The below options are checked:
Ask for password for first connection
cache connections

In the main window, I do a search Under "attribute begins with" uid=user1

It prompts me for the password of "cn=Manager,dc=example,dc=com", and then
it continuously asks for the password, even though I click on "Remember password".

And in the OpenLDAP server logs, I get:
<snip>
Feb  5 13:33:13 dhcp6-194 slapd[2006]: conn=36 fd=17 ACCEPT from
IP=10.65.1.58:40416 (IP=0.0.0.0:636) 
Feb  5 13:33:13 dhcp6-194 slapd[2006]: conn=36 fd=17 closed (TLS negotiation
failure) 
Feb  5 13:34:52 dhcp6-194 slapd[2006]: conn=37 fd=17 ACCEPT from
IP=10.65.1.58:40417 (IP=0.0.0.0:636) 
Feb  5 13:34:52 dhcp6-194 slapd[2006]: conn=37 fd=17 closed (TLS negotiation
failure) 
</snip>



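The pattern in the server log above, an ACCEPT on the 0.0.0.0:636 listener followed immediately by "closed (TLS negotiation failure)", is what a client that sends plaintext LDAP (or a STARTTLS request) to an ldaps port looks like from the server side; a server that cannot serve TLS at all would fail the handshake for every client, not just one. The Python script below is an added example, not code from this bug report, GQ or OpenLDAP. It pairs slapd ACCEPT and closed records by conn id and counts, per client IP, the connections to the TLS listener that died in the handshake. The sample log lines are constructed here in the same format as the ones quoted above (joined onto single lines, since the bug text wraps them), with a successful TLS connection and a plain port 389 connection added for contrast; the "TLS established" and BIND lines follow slapd's log format but are constructed, not taken from the bug.

```python
"""Spot clients whose connections to an ldaps listener die in the TLS handshake.

Added example (not from the bug report, GQ or OpenLDAP). Pairs slapd ACCEPT and
closed lines by conn id and reports TLS negotiation failures per client IP.
"""
import re
from collections import defaultdict

# Constructed sample log, modelled on the slapd lines quoted in the bug.
# conn=36/37: plaintext or STARTTLS client hitting the ldaps port (fails).
# conn=38: a client that really speaks TLS on 636 (constructed line format).
# conn=39: a plain connection on the ldap port 389 (constructed).
SAMPLE_LOG = """\
Feb  5 13:33:13 dhcp6-194 slapd[2006]: conn=36 fd=17 ACCEPT from IP=10.65.1.58:40416 (IP=0.0.0.0:636)
Feb  5 13:33:13 dhcp6-194 slapd[2006]: conn=36 fd=17 closed (TLS negotiation failure)
Feb  5 13:34:52 dhcp6-194 slapd[2006]: conn=37 fd=17 ACCEPT from IP=10.65.1.58:40417 (IP=0.0.0.0:636)
Feb  5 13:34:52 dhcp6-194 slapd[2006]: conn=37 fd=17 closed (TLS negotiation failure)
Feb  5 14:01:07 dhcp6-194 slapd[2006]: conn=38 fd=18 ACCEPT from IP=10.65.1.58:40420 (IP=0.0.0.0:636)
Feb  5 14:01:07 dhcp6-194 slapd[2006]: conn=38 fd=18 TLS established tls_ssf=256 ssf=256
Feb  5 14:01:07 dhcp6-194 slapd[2006]: conn=38 op=0 BIND dn="" method=128
Feb  5 14:01:08 dhcp6-194 slapd[2006]: conn=38 fd=18 closed
Feb  5 14:02:30 dhcp6-194 slapd[2006]: conn=39 fd=19 ACCEPT from IP=10.65.1.58:40421 (IP=0.0.0.0:389)
Feb  5 14:02:30 dhcp6-194 slapd[2006]: conn=39 fd=19 closed
"""

# ACCEPT line: records client address and which listener (and port) took the connection.
ACCEPT_RE = re.compile(
    r"slapd\[\d+\]: conn=(?P<conn>\d+) fd=\d+ ACCEPT from "
    r"IP=(?P<client>[\d.]+:\d+) \(IP=(?P<listener>[\d.]+:(?P<lport>\d+))\)"
)
# closed line: the parenthesised reason is optional (absent on a normal close).
CLOSED_RE = re.compile(
    r"slapd\[\d+\]: conn=(?P<conn>\d+) fd=\d+ closed(?: \((?P<reason>[^)]*)\))?"
)
# Handshake success marker, logged before any operation on a TLS connection.
TLS_OK_RE = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) fd=\d+ TLS established")


def parse_connections(log_text):
    """Return {conn_id: {client, listener_port, tls_established, close_reason}}."""
    conns = {}
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            conns[m["conn"]] = {
                "client": m["client"],
                "listener_port": int(m["lport"]),
                "tls_established": False,
                "close_reason": None,
            }
            continue
        m = TLS_OK_RE.search(line)
        if m and m["conn"] in conns:
            conns[m["conn"]]["tls_established"] = True
            continue
        m = CLOSED_RE.search(line)
        if m and m["conn"] in conns:
            conns[m["conn"]]["close_reason"] = m["reason"] or "normal"
    return conns


def tls_handshake_failures(conns, tls_port=636):
    """Count handshake failures on the TLS listener, keyed by client IP (port stripped)."""
    failures = defaultdict(int)
    for info in conns.values():
        if (info["listener_port"] == tls_port
                and info["close_reason"] == "TLS negotiation failure"):
            ip = info["client"].rsplit(":", 1)[0]
            failures[ip] += 1
    return dict(failures)


def report(log_text, tls_port=636):
    """Parse a slapd log and return {client_ip: failed_handshake_count} for tls_port."""
    return tls_handshake_failures(parse_connections(log_text), tls_port)


if __name__ == "__main__":
    for ip, n in report(SAMPLE_LOG).items():
        print(f"{ip}: {n} connection(s) to port 636 closed during TLS negotiation "
              "(client is probably sending plaintext LDAP or STARTTLS to the ldaps port)")
```

Run it against a real slapd syslog (loglevel with connection logging enabled) by passing the file contents to report(); a single client IP accumulating failures while other clients establish TLS on the same listener points at that client's configuration, which is exactly the situation in this bug.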
Comment 4 Niranjan Mallapadi Raghavender 2008-02-05 03:28:32 EST
OK, but STARTTLS works, i.e. TLS encryption on port 389 works, but on port 636 it fails.
Comment 5 Niranjan Mallapadi Raghavender 2008-02-05 03:47:52 EST
OK, to check if my LDAP server indeed returns results on port 636, below is the test:
#nmap 10.65.6.194
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-02-05 14:01 IST
Interesting ports on foobar.com (10.65.6.194):
Not shown: 1674 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
111/tcp open  rpcbind
389/tcp open  ldap
515/tcp open  printer
636/tcp open  ldapssl
896/tcp open  unknown

ldapsearch -x -b "dc=example,dc=com" uid=user1 -H ldaps://10.65.6.194

# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: uid=user1
# requesting: ALL
#

# user1, People, example.com
dn: uid=user1,ou=People,dc=example,dc=com
shadowLastChange: 13838
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
givenName: user1
sn: user1
loginShell: /bin/bash
uidNumber: 10001
gidNumber: 10001
uid: user1
gecos: user1
cn: ldap user 1
homeDirectory: /home/user1

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
Comment 6 Terje Røsten 2008-02-05 14:14:41 EST
> ldapsearch -x -b "dc=example,dc=com" uid=user1 -H ldaps://10.65.6.194

What happens if you add -ZZ to that line?

OK, maybe I have a workaround:

Try this with gq-1.3.3-2.fc8:

In Servers dialog click Edit and

Set LDAP HOST/URI to: ldaps://10.65.6.194

Port to 636 (may not be possible, which is ok).

And disable TLS in the Details tab (TLS really means starttls in this context).




 
Comment 7 Niranjan Mallapadi Raghavender 2008-02-09 01:50:54 EST
Hi,

> ldapsearch -x -b "dc=example,dc=com" uid=user1 -H ldaps://10.65.6.194

What happens if you add -ZZ to that line?
[root@dhcp6-194 ~]# ldapsearch -x -ZZ -b "dc=example,dc=com" uid=user1 -H
ldaps://10.65.6.194
ldap_start_tls: Operations error (1)
        additional info: TLS already started

I guess when you use -ZZ it is a TLS operation, and TLS operations are
performed on port 389 and not on 636. But earlier TLS was working, after
installing GQ from #228632.

The steps you asked me to perform:
Try this with gq-1.3.3-2.fc8:
In Servers dialog click Edit and
Set LDAP HOST/URI to: ldaps://10.65.6.194
Port to 636 (may not be possible, which is ok).
And disable TLS in the Details tab (TLS really means starttls in this context).

Yes, with the above gq-1.3.3-2.fc8, Gq performs the query on port 636 successfully.

It works with gq-1.3.3-2.fc8. 

Thanks a lot
