openLDAP ssl/tls Centos 6.3

Katerina Bubenickova katerina.bubenickova at plbohnice.cz
Wed Mar 12 13:37:28 CET 2014


On Tue, 2014-03-11 at 16:59 +0100, Jerry wrote:
> Hi,
> Try raising the log verbosity for the client and the server; it is more to read,
> but the result is sometimes worth it.

For the query, the amount of logging is set by the -d parameter; that is in the listings in
the previous mails:
ldapsearch -x -d 1 -ZZ -H ldaps://test-LDAP.bohnice.cz

I thought it was on the server side, but maybe not. Now I managed to raise
the loglevel on the server to 1.

After the command

# ldapsearch -x -d 1 -ZZ -H ldaps://test-LDAP.bohnice.cz


> Mar 12 13:19:49 test-LDAP slapd[7481]: slap_listener_activate(8):
> Mar 12 13:19:49 test-LDAP slapd[7481]: >>> slap_listener(ldaps:///)
> Mar 12 13:19:49 test-LDAP slapd[7481]: connection_get(14): got connid=1002
> Mar 12 13:19:49 test-LDAP slapd[7481]: connection_read(14): checking for input on id=1002
> Mar 12 13:19:49 test-LDAP slapd[7481]: connection_read(14): TLS accept failure error=-1 id=1002, closing
> Mar 12 13:19:49 test-LDAP slapd[7481]: connection_close: conn=1002 sd=14

and at loglevel -1


> Mar 12 13:23:28 test-LDAP slapd[7481]: daemon: read active on 14
> Mar 12 13:23:28 test-LDAP slapd[7481]: daemon: epoll: listen=8 active_threads=0 tvp=zero
> Mar 12 13:23:28 test-LDAP slapd[7481]: daemon: epoll: listen=9 active_threads=0 tvp=zero
> Mar 12 13:23:28 test-LDAP slapd[7481]: connection_get(14)
> Mar 12 13:23:28 test-LDAP slapd[7481]: connection_get(14): got connid=1003
> Mar 12 13:23:28 test-LDAP slapd[7481]: connection_read(14): checking for input on id=1003
> Mar 12 13:23:28 test-LDAP slapd[7481]: op tag 0x42, time 1394627008
> Mar 12 13:23:28 test-LDAP slapd[7481]: ber_get_next on fd 14 failed errno=0 (Success)
> Mar 12 13:23:28 test-LDAP slapd[7481]: connection_read(14): input error=-2 id=1003, closing.
> Mar 12 13:23:28 test-LDAP slapd[7481]: connection_closing: readying conn=1003 sd=14 for close
> Mar 12 13:23:28 test-LDAP slapd[7481]: connection_close: deferring conn=1003 sd=14
> Mar 12 13:23:28 test-LDAP slapd[7481]: conn=1003 op=2 do_unbind
> Mar 12 13:23:28 test-LDAP slapd[7481]: conn=1003 op=2 UNBIND
> Mar 12 13:23:28 test-LDAP slapd[7481]: connection_resched: attempting closing conn=1003 sd=14
> Mar 12 13:23:28 test-LDAP slapd[7481]: connection_close: conn=1003 sd=14
> Mar 12 13:23:28 test-LDAP slapd[7481]: daemon: removing 14
> Mar 12 13:23:28 test-LDAP slapd[7481]: conn=1003 fd=14 closed
> Mar 12 13:23:28 test-LDAP slapd[7481]: connection_get(14)
> Mar 12 13:23:28 test-LDAP slapd[7481]: connection_get(14): connection not used
> Mar 12 13:23:28 test-LDAP slapd[7481]: connection_read(14): no connection!
> Mar 12 13:23:28 test-LDAP slapd[7481]: connection_read(14) error
> Mar 12 13:23:28 test-LDAP slapd[7481]: connection_get(14)
> Mar 12 13:23:28 test-LDAP slapd[7481]: connection_get(14): connection not used
> Mar 12 13:23:28 test-LDAP slapd[7481]: connection_read(14): no connection!
> Mar 12 13:23:28 test-LDAP slapd[7481]: connection_read(14) error
> Mar 12 13:23:28 test-LDAP slapd[7481]: connection_get(14)
> Mar 12 13:23:28 test-LDAP slapd[7481]: connection_get(14): connection not used
> Mar 12 13:23:28 test-LDAP slapd[7481]: connection_read(14): no connection!
> Mar 12 13:23:28 test-LDAP slapd[7481]: connection_read(14) error
> Mar 12 13:23:28 test-LDAP slapd[7481]: daemon: activity on 1 descriptor
> Mar 12 13:23:28 test-LDAP slapd[7481]: daemon: activity on:
> Mar 12 13:23:28 test-LDAP slapd[7481]:
> Mar 12 13:23:28 test-LDAP slapd[7481]: daemon: epoll: listen=8 active_threads=0 tvp=zero
> Mar 12 13:23:28 test-LDAP slapd[7481]: daemon: epoll: listen=9 active_threads=0 tvp=zero
> Mar 12 13:23:33 test-LDAP slapd[7481]: daemon: activity on 1 descriptor
> Mar 12 13:23:33 test-LDAP slapd[7481]: daemon: activity on:
> Mar 12 13:23:33 test-LDAP slapd[7481]:
> Mar 12 13:23:33 test-LDAP slapd[7481]: slap_listener_activate(8):
> Mar 12 13:23:33 test-LDAP slapd[7481]: daemon: epoll: listen=8 busy
> Mar 12 13:23:33 test-LDAP slapd[7481]: daemon: epoll: listen=9 active_threads=0 tvp=zero
> Mar 12 13:23:33 test-LDAP slapd[7481]: daemon: listen=8, new connection on 14
> Mar 12 13:23:33 test-LDAP slapd[7481]: daemon: added 14r (active) listener=(nil)
> Mar 12 13:23:33 test-LDAP slapd[7481]: conn=1004 fd=14 ACCEPT from IP=172.19.11.229:36130 (IP=0.0.0.0:636)
> Mar 12 13:23:33 test-LDAP slapd[7481]: daemon: activity on 1 descriptor
> Mar 12 13:23:33 test-LDAP slapd[7481]: daemon: activity on:
> Mar 12 13:23:33 test-LDAP slapd[7481]:
> Mar 12 13:23:33 test-LDAP slapd[7481]: daemon: epoll: listen=8 active_threads=0 tvp=zero
> Mar 12 13:23:33 test-LDAP slapd[7481]: daemon: epoll: listen=9 active_threads=0 tvp=zero
> Mar 12 13:23:33 test-LDAP slapd[7481]: daemon: activity on 1 descriptor
> Mar 12 13:23:33 test-LDAP slapd[7481]: daemon: activity on:
> Mar 12 13:23:33 test-LDAP slapd[7481]:  14r
 
I can't read anything interesting out of it.


> - Does the SSL configuration work without TLS? I.e. only the ldaps URI,
> with the TLS part cut out of the configuration.

I don't understand what you mean by that. What exactly should I remove? Somehow I can't
tell the two apart.



> - What is the CN of the SSL/TLS certificate?
How do I find the CN? Everything I can find out about the certificate I wrote in
the previous mail. Maybe the CN is the nickname, in which case it is fine.
I assume it is correct, because I did it as precisely as I could following the guide
https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html

Many thanks for the help
Kateřina
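The triage script below is an added example and is not code from this thread or from OpenLDAP. It does three things a practitioner wants when chasing a "TLS accept failure" like the one above: it classifies how a given ldapsearch URI will negotiate TLS (ldaps:// runs TLS from the first byte, while -Z/-ZZ sends the StartTLS extended operation on a plain ldap:// session, so combining the two is a mismatch), it groups slapd log lines by connection id so a TLS handshake failure on the :636 listener is separated from a plaintext session that merely sent UNBIND, and it checks whether a certificate CN (or dNSName) covers the hostname in the URI, which is what the client compares against. The sample log lines are constructed from the ones posted above; the wildcard rule in cert_name_matches is a deliberate simplification (left-most label only).

```python
"""Triage helpers for an OpenLDAP TLS failure (added example, not from the thread)."""
import re
from urllib.parse import urlsplit

# slapd log lines relevant to TLS triage; the syslog prefix is ignored by re.search.
ACCEPT_RE = re.compile(
    r"conn=(?P<conn>\d+) fd=\d+ ACCEPT from IP=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"\(IP=(?P<lip>[\d.]+):(?P<lport>\d+)\)")
GOT_RE = re.compile(r"connection_get\(\d+\): got connid=(?P<conn>\d+)")
TLS_FAIL_RE = re.compile(r"TLS accept failure error=(?P<err>-?\d+) id=(?P<conn>\d+)")
INPUT_ERR_RE = re.compile(r"input error=(?P<err>-?\d+) id=(?P<conn>\d+)")
UNBIND_RE = re.compile(r"conn=(?P<conn>\d+) op=\d+ UNBIND")
CLOSE_RE = re.compile(r"connection_close: conn=(?P<conn>\d+) sd=\d+")

# Constructed sample, assembled from the lines posted in the thread above.
SAMPLE_LOG = """\
Mar 12 13:19:49 test-LDAP slapd[7481]: connection_get(14): got connid=1002
Mar 12 13:19:49 test-LDAP slapd[7481]: connection_read(14): TLS accept failure error=-1 id=1002, closing
Mar 12 13:19:49 test-LDAP slapd[7481]: connection_close: conn=1002 sd=14
Mar 12 13:23:28 test-LDAP slapd[7481]: connection_get(14): got connid=1003
Mar 12 13:23:28 test-LDAP slapd[7481]: connection_read(14): input error=-2 id=1003, closing.
Mar 12 13:23:28 test-LDAP slapd[7481]: conn=1003 op=2 UNBIND
Mar 12 13:23:28 test-LDAP slapd[7481]: connection_close: conn=1003 sd=14
Mar 12 13:23:33 test-LDAP slapd[7481]: conn=1004 fd=14 ACCEPT from IP=172.19.11.229:36130 (IP=0.0.0.0:636)
"""


def classify_client(uri, starttls=False):
    """Describe how ldapsearch will negotiate TLS for `uri`; `starttls` stands for -Z/-ZZ."""
    parts = urlsplit(uri)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    if parts.scheme == "ldaps":
        mode = "tls-on-connect"          # TLS handshake before any LDAP PDU
    elif starttls:
        mode = "starttls"                # plain connect, then StartTLS extended op
    else:
        mode = "plaintext"
    warning = ""
    if parts.scheme == "ldaps" and starttls:
        warning = ("-Z/-ZZ requests StartTLS on top of an ldaps:// session; "
                   "use 'ldap://host -ZZ' or 'ldaps://host' without -Z")
    return {"scheme": parts.scheme, "host": parts.hostname, "port": port,
            "mode": mode, "warning": warning}


def summarize_slapd_log(lines):
    """Group slapd log lines by connection id and record the TLS-relevant events."""
    conns = {}

    def entry(conn):
        return conns.setdefault(conn, {
            "src": None, "listener_port": None, "tls_failure": None,
            "input_error": None, "unbind": False, "closed": False})

    for line in lines:
        m = ACCEPT_RE.search(line)
        if m:
            e = entry(m["conn"])
            e["src"], e["listener_port"] = m["src"], int(m["lport"])
            continue
        m = GOT_RE.search(line)
        if m:
            entry(m["conn"])
            continue
        m = TLS_FAIL_RE.search(line)
        if m:
            entry(m["conn"])["tls_failure"] = int(m["err"])
            continue
        m = INPUT_ERR_RE.search(line)
        if m:
            entry(m["conn"])["input_error"] = int(m["err"])
            continue
        m = UNBIND_RE.search(line)
        if m:
            entry(m["conn"])["unbind"] = True
            continue
        m = CLOSE_RE.search(line)
        if m:
            entry(m["conn"])["closed"] = True
    return conns


def cert_name_matches(cert_name, host):
    """Does a certificate CN or dNSName cover `host`? Case-insensitive; a wildcard
    is honoured only as the whole left-most label (simplified rule, see lead-in)."""
    cert_name, host = cert_name.lower(), host.lower()
    if cert_name == host:
        return True
    if cert_name.startswith("*."):
        suffix = cert_name[1:]                        # e.g. ".bohnice.cz"
        return host.endswith(suffix) and "." not in host[:-len(suffix)]
    return False


if __name__ == "__main__":
    print(classify_client("ldaps://test-LDAP.bohnice.cz", starttls=True))
    for conn, info in sorted(summarize_slapd_log(SAMPLE_LOG.splitlines()).items()):
        print(conn, info)
    print(cert_name_matches("test-LDAP.bohnice.cz", "test-ldap.bohnice.cz"))
```

Reading the summary: a connection that shows tls_failure and no UNBIND never completed the handshake (certificate, CA, or protocol mismatch on either side), whereas a connection that records an UNBIND and an input error was speaking LDAP already, so TLS was either not attempted on it or had already succeeded. The listener_port tells you which of the two listeners (389 or 636) the client actually hit.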


