Ldap Configuration With Tls
LDAP document - all of my configuration for OpenLDAP with TLS. Details: 1 server (CentOS 5.7) - hostname = server3.example.com (172.29.10.105/255.255.255.240) 1 client (CentOS 5.7) - hostname = client.example.com (172.29.10.100/255.255.255.240) [root@server3 ~] # yum install bind-* openldap* openssl* caching* http* vsftpd* ftp* [root@server3 ~] # cd /etc/pki/tls/misc/ [root@server3 ~] # ./CA -newca entered country name - IN state - MH city - PUNE organisation (company) - FOCUS organisational unit - (blank) common name (hostname) - server3.example.com email - (blank) rest all - (blank) [root@server3 ~] # openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem entered country name - IN state - MH city - PUNE organisation (company) - FOCUS organisational unit - (blank) common name (hostname) - server3.example.com email - (blank) rest all - (blank) [root@server3 ~] # ./CA -sign [root@server3 ~] # cp /etc/pki/CA/cacert.pem /etc/openldap/cacerts/ [root@server3 ~] # cp newcert.pem /etc/openldap/cacerts/servercrt.pem [root@server3 ~] # cp newreq.pem /etc/openldap/cacerts/serverkey.pem [root@server3 ~] # cd /etc/openldap/cacerts/ [root@server3 ~] # chown root:ldap server* [root@server3 ~] # chmod 644 servercrt.pem [root@server3 ~] # chmod 600 serverkey.pem [root@server3 ~] # chmod 644 cacert.pem [root@server3 ~] # cp cacert.pem /var/ftp/pub/ ... and published it over HTTP from the directory /var/ftp/pub so that the client can download it. [root@server3 ~] # cd .. [root@server3 ~] # cp DB_CONFIG.example /var/lib/ldap/DB_CONFIG [root@server3 ~] # chmod 600 /var/lib/ldap/DB_CONFIG [root@server3 ~] # chown ldap:ldap /var/lib/ldap/DB_CONFIG
[root@server3 ~] # vim /etc/sysconfig/ldap -----------------------------------------------------------# Parameters to ulimit called right before starting slapd # - use this to change system limits for slapd ULIMIT_SETTINGS= # How long to wait between sending slapd TERM and KILL # signals when stopping slapd by init script # - format is the same as used when calling sleep STOP_DELAY=3s # By default only listening on ldap:/// is turned on. # If you want to change listening options for slapd, # set following three variables to yes or no SLAPD_LDAP=yes SLAPD_LDAPS=yes SLAPD_LDAPI=no ---------------------------------------------------------:wq!
[root@server3 ~] # slappasswd {SSHA}FPeSsKHE5zBmzdIHZTjzG7QQM558Wqpu [root@server3 ~] # cd /etc/openldap/ [root@server3 ~] # vim slapd.conf # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/dnszone.schema # Allow LDAPv2 client connections. This is NOT the default. allow bind_v2 # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules: # modulepath /usr/lib/openldap # Modules available in openldap-servers-overlays RPM package # Module syncprov.la is now statically linked with slapd and there # is no need to load it here # moduleload accesslog.la # moduleload auditlog.la # moduleload denyop.la # moduleload dyngroup.la # moduleload dynlist.la # moduleload lastmod.la # moduleload pcache.la # moduleload ppolicy.la # moduleload refint.la # moduleload retcode.la # moduleload rwm.la # moduleload smbk5pwd.la # moduleload translucent.la # moduleload unique.la # moduleload valsort.la # modules available in openldap-servers-sql RPM package: # moduleload back_sql.la # The next three lines allow use of TLS for encrypting connections using a # dummy test certificate which you can generate by changing to # /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on # slapd.pem so that the ldap user or group can read it. Your client software # may balk at self-signed certificates, however. TLSCACertificateFile /etc/openldap/cacerts/cacert.pem TLSCertificateFile /etc/openldap/cacerts/servercrt.pem TLSCertificateKeyFile /etc/openldap/cacerts/serverkey.pem # Sample security restrictions # Require integrity protection (prevent hijacking) # Require 112-bit (3DES or better) encryption for updates # Require 63-bit encryption for simple bind # security ssf=1 update_ssf=112 simple_bind=64 # Sample access control policy: # Root DSE: allow anyone to read it # Subschema (sub)entry DSE: allow anyone to read it # Other DSEs: # Allow self write access # Allow authenticated users read access # Allow anonymous users to authenticate # Directives needed to implement policy: # access to dn.base="" by * read # access to dn.base="cn=Subschema" by * read # access to *
# by self write # by users read # by anonymous auth # # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING!
####################################################################### # ldbm and/or bdb database definitions ####################################################################### database bdb suffix "dc=example,dc=com" rootdn "cn=Manager,dc=example,dc=com" # Cleartext passwords, especially for the rootdn, should # be avoided. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. # rootpw secret # rootpw {crypt}ijFYNcSNctBYg rootpw {SSHA}FPeSsKHE5zBmzdIHZTjzG7QQM558Wqpu # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /var/lib/ldap # Indices to maintain for this database index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub # Replicas of this database #replogfile /var/lib/ldap/openldap-master-replog #replica host=ldap-1.example.com:389 starttls=critical # bindmethod=sasl saslmech=GSSAPI # authcId=host/[email protected]
[root@server3 ~]# vim /etc/openldap/ldap.conf # # LDAP Defaults # # See ldap.conf(5) for details # This file should be world readable but not world writable. BASE dc=example, dc=com URI ldap://server3.example.com ldap://server3.example.com:666 #SIZELIMIT 12 #TIMELIMIT 15 #DEREF never
[root@server3 ~]# /etc/init.d/ldap start ... ldap starts fine, no issues.
But a handshake error comes up with the following commands. [root@server3 ~]# openssl s_client -connect server3.example.com:636 -CAfile /etc/openldap/cacerts/cacert.pem ----> gives this error: CONNECTED(00000003) 3305:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:583: [root@server3 ~]# ldapsearch -x -b 'dc=example,dc=com' -D 'cn=Manager,dc=example,dc=com' 'objectclass*' -H ldap://server3.example.com -W -ZZ ------> gives this error: ldap_start_tls: Connect error (-11) additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (Note: serverkey.pem was set above to mode 600 and owned by root, so if slapd runs as the ldap user - as the chown ldap:ldap on DB_CONFIG suggests - the daemon cannot read its private key; that is one thing to check when the server aborts the handshake.)