Dieter Kluenter wrote:
No, rather openssl. You are actually establishing SSL connections without a certificate being requested; that's not the nicest way, but with AD there's probably no other way to do it.
% openssl s_client -connect dein.host:636 -showcerts
=================================================================
openssl s_client -connect 143.xxx.xxx.2:636 -showcerts
CONNECTED(00000003)
depth=0 /CN=bell.sub.mydomain.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /CN=bell.sub.mydomain.de
verify error:num=27:certificate not trusted
verify return:1
depth=0 /CN=bell.sub.mydomain.de
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=bell.sub.mydomain.de
   i:/Email=Frank.Ausserlechner@sub.mydomain.de/C=DE/ST=RLP/L=domain/O=FH/OU=sub/CN=watt1012
---
Server certificate
subject=/CN=bell.sub.mydomain.de
issuer=/Email=Frank.Ausserlechner@sub.mydomain.de/C=DE/ST=RLP/L=domain/O=FH/OU=sub/CN=watt1012
---
Acceptable client certificate CA names
---
SSL handshake has read 8900 bytes and written 318 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: F11E0000C972A21E46A2948832A022D42499CB7203CDFE84F914B619711D2D04
    Session-ID-ctx:
    Master-Key: 4E145EAFDEAA028782426E188F235D4A31374E1786D7DA0C431E61430C8A8D424057E20487D9E01E5D40E2E93D082631
    Key-Arg   : None
    Start Time: 1080763661
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
=====================================================================
should show you whether the certificate can be read.
Otherwise try ldapsearch -d3 -H ldaps://dein.host etc.; the connection details are printed there.
Yep, same game: it works with one host entered in ldap.conf, just not with two. After googling I also found this, which you probably know already. ;-) http://www.openldap.org/lists/openldap-software/200403/msg00330.html It doesn't help me either, only shows that someone else has the same problem; maybe I'll just write to him, perhaps he got the problem solved. Many thanks in advance. Regards, Patrick
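As an added example (not from either poster), the openssl s_client check above wrapped in a small script that pulls out the "Verify return code" and explains what it means for the LDAPS client; the host name and the optional CA file path are assumed arguments.

```shell
#!/bin/sh
# Added example: verify an LDAPS (port 636) listener's certificate chain with
# openssl s_client and turn the numeric verify code into an actionable message.
# Assumptions: "host" is the directory server, "cafile" (optional) is a PEM
# bundle holding the issuing CA; both are hypothetical arguments.

# Extract the numeric "Verify return code" from s_client output read on stdin.
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Map the verify codes seen in the thread to what the admin should do next.
explain_code() {
    case "$1" in
        0)  echo "chain verified against the given CA file" ;;
        20) echo "unable to get local issuer certificate: issuing CA missing from the CA file" ;;
        21) echo "unable to verify the first certificate: add the issuing CA (here the AD CA) to the CA file the client trusts" ;;
        27) echo "certificate not trusted: the CA is present but not marked trusted" ;;
        *)  echo "verify error $1 (see the verify(1) man page)" ;;
    esac
}

# Connect to host:636, optionally with -CAfile, and report the verify result.
# Returns 0 only when the chain verifies (no CA file means it almost never will).
check_ldaps() {
    host="$1"; cafile="${2:-}"
    if [ -n "$cafile" ]; then
        out=$(openssl s_client -connect "$host:636" -showcerts -CAfile "$cafile" </dev/null 2>/dev/null)
    else
        out=$(openssl s_client -connect "$host:636" -showcerts </dev/null 2>/dev/null)
    fi
    code=$(printf '%s\n' "$out" | verify_code)
    echo "$host: code ${code:-?}: $(explain_code "${code:-?}")"
    [ "$code" = "0" ]
}
```

Run it as `check_ldaps dein.host /path/to/ad-ca.pem`; a code of 21 without a CA file, as in the output above, is expected and only becomes a real problem if it persists once the AD CA certificate is supplied.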