<DIV><STRONG>When I use ldapsearch -H </STRONG><A rel=nofollow><STRONG><FONT color=#003399>ldaps://localhost/</FONT></STRONG></A><STRONG> I can get the correct record.</STRONG></DIV> <DIV><STRONG></STRONG> </DIV> <DIV><STRONG>Debug info:</STRONG></DIV> <DIV>connection_get(11): got connid=12<BR>connection_read(11): checking for input on id=12<BR>TLS trace: SSL_accept:before/accept initialization<BR>TLS trace: SSL_accept:SSLv3 read client hello A<BR>TLS trace: SSL_accept:SSLv3 write server hello A<BR>TLS trace: SSL_accept:SSLv3 write certificate A<BR>TLS trace: SSL_accept:SSLv3 write server done A<BR>TLS trace: SSL_accept:SSLv3 flush data<BR>TLS trace: SSL_accept:error in SSLv3 read client certificate A<BR>TLS trace: SSL_accept:error in SSLv3 read client certificate A<BR>connection_get(11): got connid=12<BR>connection_read(11): checking for input on id=12<BR>TLS trace: SSL_accept:SSLv3 read client key exchange A<BR>TLS trace: SSL_accept:SSLv3 read finished A<BR>TLS
trace: SSL_accept:SSLv3 write change cipher spec A<BR>TLS trace: SSL_accept:SSLv3 write finished A<BR>TLS trace: SSL_accept:SSLv3 flush data<BR><STRONG>connection_read(11): unable to get TLS client DN, error=49 id=12<BR>connection_get(11): got connid=12<BR>connection_read(11): checking for input on id=12<BR>ber_get_next</STRONG><BR><STRONG>ber_get_next: tag 0x30 len 45 contents:<BR>ber_get_next</STRONG><BR>do_bind<BR>ber_scanf fmt ({imt) ber:<BR>ber_scanf fmt (m}) ber:<BR>>>> dnPrettyNormal: <cn=admin,dc=aehve,dc=com><BR><<< dnPrettyNormal: <cn=admin,dc=aehve,dc=com>, <cn=admin,dc=aehve,dc=com>do_bind: version=3 dn="cn=admin,dc=aehve,dc=com" method=128<BR>do_bind: v3 bind: "cn=admin,dc=aehve,dc=com" to "cn=admin,dc=aehve,dc=com"send_ldap_result: conn=12 op=0 p=3<BR>send_ldap_response: msgid=1 tag=97 err=0<BR>ber_flush: 14 bytes to sd 11<BR>connection_get(11): got connid=12<BR>connection_read(11): checking for input on
id=12<BR>ber_get_next<BR>ber_get_next: tag 0x30 len 73 contents:<BR>ber_get_next<BR>do_search<BR>ber_scanf fmt ({miiiib) ber:<BR>>>> dnPrettyNormal: <cn=hlin,ou=People,dc=aehve,dc=com><BR><<< dnPrettyNormal: <cn=hlin,ou=People,dc=aehve,dc=com>, <cn=hlin,ou=people,dc=aehve,dc=com><BR>ber_scanf fmt (m) ber:<BR>ber_scanf fmt ({M}}) ber:<BR>=> bdb_search<BR>bdb_dn2entry("cn=hlin,ou=people,dc=aehve,dc=com")<BR>search_candidates: base="cn=hlin,ou=people,dc=aehve,dc=com" (0x0000000b) scope=2<BR>=> bdb_dn2idl("cn=hlin,ou=people,dc=aehve,dc=com")<BR><= bdb_dn2idl: id=1 first=11 last=11<BR>=> bdb_presence_candidates (objectClass)<BR>bdb_search_candidates: id=1 first=11 last=11<BR>=> send_search_entry: conn 12 dn="cn=hlin,ou=People,dc=aehve,dc=com"<BR>ber_flush: 188 bytes to sd 11<BR><= send_search_entry: conn 12 exit.<BR>send_ldap_result: conn=12 op=1 p=3<BR>send_ldap_response: msgid=2 tag=101 err=0<BR>ber_flush: 14 bytes to sd
11<BR>connection_get(11): got connid=12<BR>connection_read(11): checking for input on id=12<BR>ber_get_next<BR>ber_get_next: tag 0x30 len 5 contents:<BR>ber_get_next<BR>do_unbind<BR>connection_closing: readying conn=12 sd=11 for close<BR>connection_resched: attempting closing conn=12 sd=11<BR>connection_close: conn=12 sd=11<BR>TLS trace: SSL3 alert write:warning:close notify</DIV> <DIV> </DIV> <DIV> </DIV> <DIV><STRONG>When I use FreeRADIUS on the same host:</STRONG></DIV> <DIV>do_extended<BR>ber_scanf fmt ({m) ber:<BR>send_ldap_extended: err=0 oid= len=0<BR>send_ldap_response: msgid=1 tag=120 err=0<BR>ber_flush: 14 bytes to sd 11<BR>connection_get(11): got connid=11<BR>connection_read(11): checking for input on id=11<BR>TLS trace: SSL_accept:before/accept initialization<BR>TLS trace: SSL_accept:SSLv3 read client hello A<BR>TLS trace: SSL_accept:SSLv3 write server hello A<BR>TLS trace: SSL_accept:SSLv3 write certificate A<BR>TLS trace: SSL_accept:SSLv3 write
server done A<BR>TLS trace: SSL_accept:SSLv3 flush data<BR>TLS trace: SSL_accept:error in SSLv3 read client certificate A<BR>TLS trace: SSL_accept:error in SSLv3 read client certificate A<BR>connection_get(11): got connid=11<BR>connection_read(11): checking for input on id=11<BR>TLS trace: SSL_accept:SSLv3 read client key exchange A<BR>TLS trace: SSL_accept:SSLv3 read finished A<BR>TLS trace: SSL_accept:SSLv3 write change cipher spec A<BR>TLS trace: SSL_accept:SSLv3 write finished A<BR>TLS trace: SSL_accept:SSLv3 flush data<BR><STRONG>connection_read(11): unable to get TLS client DN, error=49 id=11<BR>connection_get(11): got connid=11<BR>connection_read(11): checking for input on id=11<BR>ber_get_next<BR>ber_get_next: tag 0x30 len 5 contents:<BR>ber_get_next</STRONG><BR>TLS trace: SSL3 alert read:warning:close notify<BR>ber_get_next on fd 11 failed errno=0 (Success)<BR>connection_closing: readying conn=11 sd=11 for close<BR>connection_close: deferring conn=11
sd=11<BR>do_unbind<BR>connection_resched: attempting closing conn=11 sd=11<BR>connection_close: conn=11 sd=11<BR>TLS trace: SSL3 alert write:warning:close notify</DIV> <DIV> </DIV> <DIV><BR><BR><B><I>Hangjun He <elmerhe@yahoo.com.cn></I></B> wrote:</DIV> <BLOCKQUOTE class=replbq style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #1010ff 2px solid"> <DIV> freeradius version 1.1.6</DIV> <DIV> openldap version 2.3.23</DIV> <DIV> openssl version 0.9.7g<BR><BR><B><I>Hangjun He <elmerhe@yahoo.com.cn></I></B> wrote:</DIV> <BLOCKQUOTE class=replbq style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #1010ff 2px solid"> <DIV>Hi,</DIV> <DIV> FreeRADIUS with OpenLDAP is OK when using cleartext communication.</DIV> <DIV>Now I want to use TLS.</DIV> <DIV> </DIV> <DIV> openssl s_client -connect 127.0.0.1:636 -showcerts -state -CAfile
/usr/local/etc/openldap/ssl/cacert.pem shows that the cacert/cert/key are correct.</DIV> <DIV> </DIV> <DIV> </DIV> <DIV> <STRONG>But when I use FreeRADIUS with TLS, errors pop up:</STRONG></DIV> <DIV> </DIV> <DIV><STRONG>freeradius error:</STRONG></DIV> <DIV>rlm_ldap: - authorize<BR>rlm_ldap: performing user authorization for hwang<BR>radius_xlat: '(uid=hwang)'<BR>radius_xlat: 'ou=People,dc=aerohive,dc=com'<BR>rlm_ldap: ldap_get_conn: Checking Id: 0<BR>rlm_ldap: ldap_get_conn: Got Id: 0<BR>rlm_ldap: attempting LDAP reconnection<BR>rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0<BR>rlm_ldap: setting TLS CACert File to /usr/local/etc/openldap/ssl/cacert.pem<BR>rlm_ldap: setting TLS Require Cert to demand<BR>rlm_ldap: starting TLS<BR>rlm_ldap: ldap_start_tls_s()<BR>rlm_ldap: could not start TLS Connect error<BR>rlm_ldap: (re)connection attempt failed<BR>rlm_ldap: search failed<BR>rlm_ldap:
ldap_release_conn: Release Id: 0</DIV> <DIV> </DIV> <DIV> </DIV> <DIV><STRONG>openldap error:</STRONG></DIV> <DIV>TLS trace: SSL_accept:SSLv3 read client hello A<BR>TLS trace: SSL_accept:SSLv3 write server hello A<BR>TLS trace: SSL_accept:SSLv3 write certificate A<BR>TLS trace: SSL_accept:SSLv3 write server done A<BR>tls_write: want=902, written=902 ......<BR>TLS trace: SSL_accept:SSLv3 flush data<BR>tls_read: want=5, got=5<BR> 0000: 15 03 01 00 02 .....<BR>tls_read: want=2, got=2<BR> 0000: 02
2a .*<BR><STRONG>TLS trace: SSL3 alert read:fatal:bad certificate<BR>TLS trace: SSL_accept:failed in SSLv3 read client certificate A<BR>TLS: can't accept.<BR>TLS: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate s3_pkt.c:1052</STRONG><BR>connection_read(11): TLS accept failure error=-1 id=5, closing<BR>connection_closing: readying conn=5 sd=11 for close<BR>connection_close: conn=5 sd=11<BR>daemon: removing 11</DIV> <DIV> </DIV> <DIV> </DIV> <DIV> <STRONG>When I use FreeRADIUS on the same host as OpenLDAP, there are other errors:</STRONG></DIV> <DIV>connection_get(10)<BR>connection_get(10): got connid=11<BR>connection_read(10): checking for input on
id=11<BR>TLS trace: SSL_accept:before/accept initialization<BR>TLS trace: SSL_accept:SSLv3 read client hello A<BR>TLS trace: SSL_accept:SSLv3 write server hello A<BR>TLS trace: SSL_accept:SSLv3 write certificate A<BR>TLS trace: SSL_accept:SSLv3 write certificate request A<BR>TLS trace: SSL_accept:SSLv3 flush data<BR>TLS trace: SSL_accept:error in SSLv3 read client certificate A<BR>TLS trace: SSL_accept:error in SSLv3 read client certificate A<BR>connection_get(10)<BR>connection_get(10): got connid=11<BR>connection_read(10): checking for input on id=11<BR>TLS trace: SSL_accept:SSLv3 read client certificate A<BR>TLS trace: SSL_accept:SSLv3 read client key exchange A<BR>TLS trace: SSL_accept:SSLv3 read finished A<BR>TLS trace: SSL_accept:SSLv3 write change cipher spec A<BR>TLS trace: SSL_accept:SSLv3 write finished A<BR>TLS trace: SSL_accept:SSLv3 flush data<BR><STRONG>connection_read(10): unable to get TLS client DN, error=49
id=11</STRONG><BR>connection_get(10)<BR>connection_get(10): got connid=11<BR>connection_read(10): checking for input on id=11<BR>ber_get_next<BR>ber_get_next: tag 0x30 len 5 contents:<BR>ber_get_next<BR>TLS trace: SSL3 alert read:warning:close notify</DIV> <DIV> </DIV> <DIV> </DIV> <DIV><STRONG>Partial configuration in slapd.conf:</STRONG></DIV> <DIV>TLSCipherSuite HIGH:MEDIUM:+SSLv2<BR>TLSCACertificateFile /usr/local/etc/openldap/ssl/cacert.pem<BR>TLSCertificateFile /usr/local/etc/openldap/ssl/servercrt.pem<BR>TLSCertificateKeyFile /usr/local/etc/openldap/ssl/serverkey.pem<BR><STRONG>TLSVerifyClient try</STRONG></DIV> <DIV> </DIV> <DIV>Can anyone tell me why this is? Is there anything wrong with my configuration file?</DIV> <DIV> </DIV> <DIV> Thanks!</DIV> <DIV>John</DIV> <DIV> </DIV>
</BLOCKQUOTE><BR> <DIV>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html</DIV></BLOCKQUOTE><BR>
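<DIV>The slapd traces quoted in this thread are easier to read once the handful of lines that actually decide the outcome are picked out. The following is an added example, not code from the thread, from FreeRADIUS or from OpenLDAP, that classifies an OpenLDAP 2.3 slapd debug trace the way the three excerpts above would be read: "write certificate request" only appears when TLSVerifyClient is set, "unable to get TLS client DN, error=49" after a completed handshake means the client simply presented no certificate, and "SSL3 alert read:fatal:bad certificate" means slapd received the alert, i.e. the client rejected the server's certificate and aborted. The sample traces are shortened copies of the excerpts in this thread; the classify() function and the outcome labels are names chosen for this example.</DIV>

```python
# Added example (not from the thread, FreeRADIUS or OpenLDAP): classify an
# OpenLDAP 2.3 slapd "-d" trace by the few lines that decide the TLS outcome.
import re

# Rules are matched per line. "error in SSLv3 read client certificate A" is
# deliberately NOT a rule: slapd prints it whenever SSL_accept returns to wait
# for more data; only "failed in ..." next to a fatal alert marks a failure.
_RULES = [
    ("cert_requested", re.compile(r"SSL_accept:SSLv3 write certificate request A")),
    ("handshake_done", re.compile(r"SSL_accept:SSLv3 write finished A")),
    ("no_client_dn",   re.compile(r"unable to get TLS client DN, error=49")),
    ("bad_cert_alert", re.compile(r"SSL3 alert read:fatal:bad certificate")),
    ("accept_failed",  re.compile(r"TLS accept failure|TLS: can't accept")),
    ("bind",           re.compile(r'do_bind: v3 bind: "([^"]*)"')),
    ("search",         re.compile(r'search_candidates: base="([^"]*)"')),
    ("unbind",         re.compile(r"^do_unbind$")),
]
_FLAGS = ("cert_requested", "handshake_done", "no_client_dn",
          "bad_cert_alert", "accept_failed")


def classify(trace: str) -> dict:
    """Return {"outcome", "client_cert_requested", "ops"} for one connection trace."""
    seen = {name: False for name in _FLAGS}
    ops = []
    for raw in trace.splitlines():
        line = raw.strip()
        for name, rx in _RULES:
            m = rx.search(line)
            if not m:
                continue
            if name in seen:
                seen[name] = True
            elif name == "unbind":
                ops.append(("unbind", None))
            else:
                ops.append((name, m.group(1)))
    if seen["bad_cert_alert"] or seen["accept_failed"]:
        # "alert read" means slapd *received* the alert: the client verified the
        # server certificate during the handshake, rejected it, and aborted.
        outcome = "client_rejected_server_cert"
    elif seen["handshake_done"] and seen["no_client_dn"]:
        # Handshake finished but no client certificate to take a DN from. With
        # TLSVerifyClient try/allow this is informational: the session is
        # encrypted, just not certificate-authenticated.
        outcome = "tls_ok_no_client_cert"
    elif seen["handshake_done"]:
        outcome = "tls_ok_client_cert"
    else:
        outcome = "incomplete"
    return {"outcome": outcome,
            "client_cert_requested": seen["cert_requested"],
            "ops": ops}


# Constructed samples: shortened copies of the three excerpts in this thread.
TRACE_LDAPSEARCH = """\
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 write finished A
connection_read(11): unable to get TLS client DN, error=49 id=12
do_bind: v3 bind: "cn=admin,dc=aehve,dc=com" to "cn=admin,dc=aehve,dc=com"
search_candidates: base="cn=hlin,ou=people,dc=aehve,dc=com" (0x0000000b) scope=2
do_unbind
"""

TRACE_RADIUS_REMOTE = """\
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL3 alert read:fatal:bad certificate
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
connection_read(11): TLS accept failure error=-1 id=5, closing
"""

TRACE_RADIUS_LOCAL = """\
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 write finished A
connection_read(10): unable to get TLS client DN, error=49 id=11
do_unbind
TLS trace: SSL3 alert read:warning:close notify
"""

if __name__ == "__main__":
    for name, trace in [("ldapsearch", TRACE_LDAPSEARCH),
                        ("radius remote", TRACE_RADIUS_REMOTE),
                        ("radius same host", TRACE_RADIUS_LOCAL)]:
        print(name, classify(trace))
```

<DIV>Read the two rlm_ldap traces through this lens and they have different shapes. In the remote case slapd received a fatal bad-certificate alert while still waiting for the client's certificate, so the client's own verification of the server certificate failed during the handshake (trust chain, validity period or signature); with tls_require_cert = demand that is fatal, and the CA file rlm_ldap was pointed at is the first thing to compare with the one s_client was given. In the same-host case the handshake completes and the client unbinds at once without ever binding, which is what a client-side check that runs only after SSL_connect returns (libldap compares the certificate's name with the host it dialled, 127.0.0.1 in the rlm_ldap log) looks like from the server side; the client's debug output, not slapd's, decides between the two. The error=49 line appears in the ldapsearch trace that works, which is why it is classified as informational here.</DIV>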