ldapsearch -x -ZZ works fine on clients when the server-side slapd.conf has 'TLSVerifyClient' set to 'try'. But after I changed that to 'demand', all clients' "ldapsearch -x -ZZ" commands fail immediately. I ran 'slapd -d3' on the server side too. It looks like maybe 'ldapsearch -x -ZZ' didn't send out client certificates, even though it should with the '-ZZ' option -- from the ldap.conf manual?

My client side /etc/openldap/ldap.conf is like below:

BASE dc=example,dc=com
URI ldap://ldapmaster.example.com

## working
TLS_CACERT /etc/openldap/myca.crt
TLS_CERT /etc/openldap/ldapclient01.crt
TLS_KEY /etc/openldap/ldapclient01.key

My server side setup is:

## now using my own CA
## and it works!
TLSCACertificateFile /etc/openldap/myca.crt
TLSCertificateFile /etc/openldap/ldapmaster.crt
TLSCertificateKeyFile /etc/openldap/ldapmaster.key

#TLSVerifyClient allow
TLSVerifyClient demand ## testing client TLS keys and my own CA setup, 'demand' failed for ldapsearch

#TLSCipherSuite HIGH:MEDIUM:LOW:+SSLv2
TLSCipherSuite HIGH:MEDIUM:+SSLv2

The logs on the server are attached below as well. Thanks.

...
connection_get(14): got connid=1000
connection_read(14): checking for input on id=1000
TLS: loaded CA certificate file /etc/openldap/myca.crt.
TLS: certificate [E=admin at example.com,CN=ldapmaster.example.com,OU=techOps,O=Pegaclouds Inc.,L=San Mateo,ST=CA,C=US] is valid
tls_read: want=3, got=3
  0000:  16 03 01                                           ...
tls_read: want=2, got=2
  0000:  00 41                                              .A
tls_read: want=65, got=65
  0000:  01 00 00 3d 03 01 4f 95 c1 e0 a9 10 22 30 25 4b   ...=..O....."0%K
  0010:  f8 da a5 27 64 9e 25 60 35 d0 5c 28 30 74 a8 40   ...'d.%`5.\(0t.@
...
tls_read: want=5 error=Resource temporarily unavailable
connection_get(14): got connid=1000
connection_read(14): checking for input on id=1000
tls_read: want=5, got=5
  0000:  16 03 01 01 0d                                     .....
tls_read: want=269, got=269
  0000:  0b 00 00 03 00 00 00 10 00 01 02 01 00 ac 64 b8   ..............d.
  0010:  bd bf 20 46 b8 14 e7 38 9a a1 40 2c 36 3a 78 fa   .. F...8..@,6:x.
  0020:  8a 12 61 3d e3 5e bf 02 f2 f9 a1 70 4e 7f 4e 11   ..a=.^.....pN.N.
  0030:  cd e6 ba 6d ee 1e 91 95 c7 9f c7 b3 e0 21 ea bb   ...m.........!..
  0040:  11 78 cc 58 c1 b1 37 f4 d5 18 ff 59 ad df 48 52   .x.X..7....Y..HR
  0050:  a7 cd 26 0a fe d8 09 bb 7e 70 16 d2 b7 35 de 9f   ..&.....~p...5..
  0060:  b3 0a ee 1e aa 42 e4 20 ed 8d 2f 31 f2 5d e9 d7   .....B. ../1.]..
  0070:  82 4c 78 30 48 5d 54 5c cf c2 cc c9 33 31 50 c5   .Lx0H]T\....31P.
  0080:  56 62 f8 ea dd 34 32 ff a1 81 e3 2f f7 a4 0e 58   Vb...42..../...X
  0090:  ff 84 39 0a fe 74 20 18 a6 ac 18 00 dc 8c 0e fd   ..9..t .........
  00a0:  5d 2e a3 87 4e 0b e8 51 66 85 8a 60 2e b7 01 a2   ]...N..Qf..`....
  00b0:  4a 5c d9 74 9b 32 04 16 57 2e f2 60 2d 45 3d 30   J\.t.2..W..`-E=0
  00c0:  e3 39 c9 a3 af 7b 86 4b f0 f0 7e 34 f8 bf cf 4c   .9...{.K..~4...L
  00d0:  73 57 df e5 11 0a 41 de 7f 78 ed f4 cf 9b e8 10   sW....A..x......
  00e0:  ce 1a b1 73 ff 76 ec ff 23 46 85 24 02 b9 aa 4b   ...s.v..#F.$...K
  00f0:  fe c9 2a c6 06 ff 54 94 25 5d cc 3d de 5b 1d 9f   ..*...T.%].=.[..
  0100:  03 a1 36 da 3b 69 95 67 21 b5 61 d7 e9            ..6.;i.g!.a..
tls_write: want=7, written=7
  0000:  15 03 01 00 02 02 2a                               ......*
TLS: error: accept - force handshake failure: errno 11 - moznss error -12285
TLS: can't accept: TLS error -12285:Unable to find the certificate or key necessary for authentication..
connection_read(14): TLS accept failure error=-1 id=1000, closing
connection_close: conn=1000 sd=14
...

--Robinson

________________________________
From: Robinson Tiemuqinke <hahaha_30k at yahoo.com>
To: CentOS mailing list <centos at centos.org>
Sent: Wednesday, November 23, 2011 11:20 AM
Subject: Re: [CentOS] Any ideas?? -- Re: EC2 compatible kernel for centos 6?

I've tried with the cr kernel; now it moves much faster but still fails -- fails at the partition failure. This setup is an S3-backed image.
root (hd0)
 Filesystem type is ext2fs, using whole disk
kernel /boot/vmlinuz-2.6.32-131.17.1.el6.x86_64 ro root=/dev/sda1 rd_NO_LUKS rd _NO_LVM rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTY PE=pc KEYTABLE=us crashkernel=auto crashkernel=auto
initrd /boot/initramfs-2.6.32-131.17.1.el6.x86_64.img

close blk: backend at /local/domain/0/backend/vbd/8/2049
close blk: backend at /local/domain/0/backend/vbd/8/2064
close blk: backend at /local/domain/0/backend/vbd/8/2080
close blk: backend at /local/domain/0/backend/vbd/8/2096
close blk: backend at /local/domain/0/backend/vbd/8/2112
Initializing cgroup subsys cpuset
Initializing cgroup subsys cpu
Linux version 2.6.32-131.17.1.el6.x86_64 (mockbuild at c6b5.bsys.dev.centos.org) (gcc version 4.4.5 20110214 (Red Hat 4.4.5-6) (GCC) ) #1 SMP Thu Oct 6 19:24:09 BST 2011
Command line: ro root=/dev/sda1 rd_NO_LUKS rd_NO_LVM rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us crashkernel=auto crashkernel=auto
KERNEL supported cpus:
  Intel GenuineIntel
  AMD AuthenticAMD
  Centaur CentaurHauls
ACPI in unprivileged domain disabled
BIOS-provided physical RAM map:
 Xen: 0000000000000000 - 00000000000a0000 (usable)
 Xen: 00000000000a0000 - 0000000000100000 (reserved)
 Xen: 0000000000100000 - 00000001c0000000 (usable)
DMI not present or invalid.
last_pfn = 0x1c0000 max_arch_pfn = 0x400000000
last_pfn = 0x100000 max_arch_pfn = 0x400000000
init_memory_mapping: 0000000000000000-0000000100000000
init_memory_mapping: 0000000100000000-00000001c0000000
RAMDISK: 02028000 - 0460c000
No NUMA configuration found
Faking a node at 0000000000000000-00000001c0000000
Bootmem setup node 0 0000000000000000-00000001c0000000
  NODE_DATA [0000000000008000 - 000000000003bfff]
  bootmap [000000000003c000 - 0000000000073fff] pages 38
(8 early reservations) ==> bootmem [0000000000 - 01c0000000]
  #0 [0000000000 - 0000001000]   BIOS data page ==> [0000000000 - 0000001000]
  #1 [000540f000 - 000543e000]   XEN PAGETABLES ==> [000540f000 - 000543e000]
  #2 [0000006000 - 0000008000]       TRAMPOLINE ==> [0000006000 - 0000008000]
  #3 [0001000000 - 0002007524]    TEXT DATA BSS ==> [0001000000 - 0002007524]
  #4 [0002028000 - 000460c000]          RAMDISK ==> [0002028000 - 000460c000]
  #5 [000460c000 - 000540f000]   XEN START INFO ==> [000460c000 - 000540f000]
  #6 [0000100000 - 00008d3000]          PGTABLE ==> [0000100000 - 00008d3000]
  #7 [000543e000 - 0005a41000]          PGTABLE ==> [000543e000 - 0005a41000]
Reserving 129MB of memory at 96MB for crashkernel (System RAM: 7168MB)
Zone PFN ranges:
  DMA      0x00000001 -> 0x00001000
  DMA32    0x00001000 -> 0x00100000
  Normal   0x00100000 -> 0x001c0000
Movable zone start PFN for each node
early_node_map[2] active PFN ranges
    0: 0x00000001 -> 0x000000a0
    0: 0x00000100 -> 0x001c0000
SFI: Simple Firmware Interface v0.7 http://simplefirmware.org
SMP: Allowing 8 CPUs, 0 hotplug CPUs
No local APIC present
APIC: disable apic facility
PM: Registered nosave memory: 00000000000a0000 - 0000000000100000
PCI: Warning: Cannot find a gap in the 32bit address range
PCI: Unassigned devices with 32bit resource registers may break!
Allocating PCI resources starting at 1c0100000 (gap: 1c0100000:400000)
Booting paravirtualized kernel on Xen
Xen version: 3.4.3-2.6.18 (preserve-AD)
NR_CPUS:4096 nr_cpumask_bits:8 nr_cpu_ids:8 nr_node_ids:1
PERCPU: Embedded 30 pages/cpu @ffff88002804f000 s92504 r8192 d22184 u122880
pcpu-alloc: s92504 r8192 d22184 u122880 alloc=30*4096
pcpu-alloc: [0] 0 [0] 1 [0] 2 [0] 3 [0] 4 [0] 5 [0] 6 [0] 7
Xen: using vcpu_info placement
Built 1 zonelists in Node order, mobility grouping on.  Total pages: 1807817
Policy zone: Normal
Kernel command line: ro root=/dev/sda1 rd_NO_LUKS rd_NO_LVM rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us crashkernel=auto crashkernel=129M at 0M
PID hash table entries: 4096 (order: 3, 32768 bytes)
Checking aperture...
No AGP bridge found
AMD-Vi disabled by default: pass amd_iommu=on to enable
PCI-DMA: Using software bounce buffering for IO (SWIOTLB)
Placing 64MB software IO TLB between ffff880020000000 - ffff880024000000
software IO TLB at phys 0x20000000 - 0x24000000
Memory: 6955572k/7340032k available (5013k kernel code, 388k absent, 384072k reserved, 7291k data, 1232k init)
Hierarchical RCU implementation.
NR_IRQS:33024 nr_irqs:336
Console: colour dummy device 80x25
console [tty0] enabled
console [hvc0] enabled
...
TCP cubic registered
Initializing XFRM netlink socket
NET: Registered protocol family 17
registered taskstats version 1
XENBUS: Device with no driver: device/vbd/2049
XENBUS: Device with no driver: device/vbd/2064
XENBUS: Device with no driver: device/vbd/2080
XENBUS: Device with no driver: device/vbd/2096
XENBUS: Device with no driver: device/vbd/2112
XENBUS: Device with no driver: device/vif/0
XENBUS: Device with no driver: device/console/0
drivers/rtc/hctosys.c: unable to open rtc device (rtc0)
Initalizing network drop monitor service
Freeing unused kernel memory: 1232k freed
Write protecting the kernel read-only data: 10240k
Freeing unused kernel memory: 1112k freed
Freeing unused kernel memory: 1796k freed
dracut: dracut-004-33.2.el6_0
dracut: rd_NO_LUKS: removing cryptoluks activation
dracut: rd_NO_LVM: removing LVM activation
device-mapper: uevent: version 1.0.3
device-mapper: ioctl: 4.20.6-ioctl (2011-02-02) initialised: dm-devel at redhat.com
udev: starting version 147
dracut: Starting plymouth daemon
dracut: rd_NO_DM: removing DM RAID activation
dracut: rd_NO_MD: removing MD RAID activation
xlblk_init: register_blkdev major: 202
blkfront: xvde1: barriers disabled
blkfront: xvdf: barriers disabled
 xvdf: unknown partition table
blkfront: xvdg: barriers disabled
 xvdg: unknown partition table
blkfront: xvdh: barriers disabled
 xvdh: unknown partition table
blkfront: xvdi: barriers disabled
 xvdi: unknown partition table
Boot has failed, sleeping forever.

________________________________
From: Robinson Tiemuqinke <hahaha_30k at yahoo.com>
To: Johnny Hughes <johnny at centos.org>
Cc: CentOS mailing list <centos at centos.org>
Sent: Wednesday, November 23, 2011 10:48 AM
Subject: Re: [CentOS] Any ideas?? -- Re: EC2 compatible kernel for centos 6?

Hi Johnny,

Thanks a lot. I'll upgrade the kernel to the cr repository and give it a try now.
--Guolin

________________________________
From: Johnny Hughes <johnny at centos.org>
To: centos at centos.org
Sent: Wednesday, November 23, 2011 9:55 AM
Subject: Re: [CentOS] Any ideas?? -- Re: EC2 compatible kernel for centos 6?

On 11/23/2011 11:40 AM, Robinson Tiemuqinke wrote:
> I tried several ways but still no help. The following is the output (stock Centos 6 2.6.32-71.29.1.el6.x86_64 kernel); grub works fine and located the kernel and initial ramdisk, but kernel booting failed at the very beginning...
>
> Any suggestions are more than appreciated.
>
>
> --------------------------------------------------
>
> 2011-11-23T17:19:21+0000
> Xen Minimal OS!
> start_info: 0x1890000(VA)
> nr_pages: 0x1e0000
> shared_inf: 0xb2cea000(MA)
> pt_base: 0x1893000(VA)
> nr_pt_frames: 0x11
> mfn_list: 0x990000(VA)
> mod_start: 0x0(VA)
> mod_len: 0
> flags: 0x0
> cmd_line: root=/dev/sda1 ro 4
> stack: 0x94f860-0x96f860
> MM: Init
> _text: 0x0(VA)
> _etext: 0x6000d(VA)
> _erodata: 0x78000(VA)
> _edata: 0x80b00(VA)
> stack start: 0x94f860(VA)
> _end: 0x98fe68(VA)
> start_pfn: 18a7
> max_pfn: 1e0000
> Mapping memory range 0x1c00000 - 0x1e0000000
> setting 0x0-0x78000 readonly
> skipped 0x1000
> MM: Initialise page allocator for 27a0000(27a0000)-1e0000000(1e0000000)
> MM: done
> Demand map pfns at 1e0001000-21e0001000.
> Heap resides at 21e0002000-41e0002000.
> Initialising timer interface
> Initialising console ... done.
> gnttab_table mapped at 0x1e0001000.
> Initialising scheduler
> Thread "Idle": pointer: 0x21e0002010, stack: 0x36f0000
> Initialising xenbus
> Thread "xenstore": pointer: 0x21e00027c0, stack: 0x3700000
> Dummy main: start_info=0x96f960
> Thread "main": pointer: 0x21e0002f70, stack: 0x3710000
> "main" "root=/dev/sda1" "ro" "4"
> vbd 2049 is hd0
> ******************* BLKFRONT for device/vbd/2049 **********
>
>
> backend at /local/domain/0/backend/vbd/162/2049
> Failed to read /local/domain/0/backend/vbd/162/2049/feature-barrier.
> Failed to read /local/domain/0/backend/vbd/162/2049/feature-flush-cache.
> 20971520 sectors of 512 bytes
> **************************
> vbd 2064 is hd1
> ******************* BLKFRONT for device/vbd/2064 **********
>
>
> backend at /local/domain/0/backend/vbd/162/2064
> Failed to read /local/domain/0/backend/vbd/162/2064/feature-barrier.
> Failed to read /local/domain/0/backend/vbd/162/2064/feature-flush-cache.
> 880732160 sectors of 512 bytes
> **************************
> vbd 2080 is hd2
> ******************* BLKFRONT for device/vbd/2080 **********
>
>
> backend at /local/domain/0/backend/vbd/162/2080
> Failed to read /local/domain/0/backend/vbd/162/2080/feature-barrier.
> Failed to read /local/domain/0/backend/vbd/162/2080/feature-flush-cache.
> 880732160 sectors of 512 bytes
> **************************
>
> GNU GRUB version 0.97 (7864320K lower / 0K upper memory)
>
> Use the ^ and v keys to select which entry is highlighted.
> Press enter to boot the selected OS, 'e' to edit the
> commands before booting, or 'c' for a command-line.
>
> CentOS (2.6.32-71.29.1.el6.x86_64)
>
> The highlighted entry will be booted automatically in 5 seconds.
> The highlighted entry will be booted automatically in 4 seconds.
> The highlighted entry will be booted automatically in 3 seconds.
> The highlighted entry will be booted automatically in 2 seconds.
> The highlighted entry will be booted automatically in 1 seconds.
>
> Booting 'CentOS (2.6.32-71.29.1.el6.x86_64)'
>
> root (hd0)
> Filesystem type is ext2fs, using whole disk
>
> kernel /boot/vmlinuz-2.6.32-71.29.1.el6.x86_64 ro root=/dev/sda1 rhgb quiet
> initrd /boot/initramfs-2.6.32-71.29.1.el6.x86_64.img
>
> close blk: backend at /local/domain/0/backend/vbd/162/2049
> close blk: backend at /local/domain/0/backend/vbd/162/2064
> close blk: backend at /local/domain/0/backend/vbd/162/2080
> PCI: Warning: Cannot find a gap in the 32bit address range
> PCI: Unassigned devices with 32bit resource registers may break!
> PCI: Fatal: No config space access function found
>
> Boot has failed, sleeping forever.
>
>
> ________________________________
> From: Robinson Tiemuqinke <hahaha_30k at yahoo.com>
> To: CentOS mailing list <centos at centos.org>
> Sent: Tuesday, November 22, 2011 3:35 PM
> Subject: [CentOS] EC2 compatible kernel for centos 6?
>
> Hi all,
>
> I'm just scrambling to collect clues to build an Amazon AWS AMI based on Centos 6. The AWS PV-GRUB kernel loads my kernel but it fails immediately. I'm using the stock Centos 6 kernel 2.6.32-71.29.1.el6, and the kernel seems to have xen? support? My questions are:
>
> 1. Are the centos 6 stock kernels, like kernel-2.6.32-71.29.1.el6.x86_64, EC2 compatible?
>
> 2. If the answer to question #1 above is NO, then are the centos plus kernels, like kernel-2.6.32-71.29.1.el6.centos.plus.x86_64, EC2 compatible?
>
> 3. If the answers to both of the above are 'NO', then are there any instructions to build an EC2 kernel based on the kernel source RPMs?
>
>
> Any help is greatly appreciated.
>
> --Tie

I do not use amazon services, but does this help:

https://forums.aws.amazon.com/thread.jspa?threadID=78007

_______________________________________________
CentOS mailing list
CentOS at centos.org
http://lists.centos.org/mailman/listinfo/centos
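Returning to the ldapsearch -ZZ / TLSVerifyClient demand question at the top of this thread: the 269-byte handshake record in that slapd log begins 0b 00 00 03 00 00 00, a TLS Certificate message carrying an empty certificate list, so the client finished the handshake without presenting any certificate, and -12285 is slapd's complaint about exactly that. The shell below is an added example, not code from the thread or from OpenLDAP: it checks the two things that must hold before the client can present /etc/openldap/ldapclient01.crt (it chains to myca.crt, and ldapclient01.key is its private key) and probes the StartTLS handshake to see whether the server requests a certificate at all. make_demo_pki, its constructed "Demo CA" and the function names are assumptions made for this example, as is an openssl binary on the PATH.

```shell
#!/bin/sh
# Added example, not code from the thread. File names follow the thread's
# ldap.conf; make_demo_pki, its "Demo CA" and the function names are
# assumptions made for this example.

# check_client_identity CA CERT KEY -> 0 if CERT chains to CA and KEY is the
# private half of CERT, else 1. If either fails the client has nothing usable
# to present, and an NSS-built slapd logs -12285 (no client certificate).
check_client_identity() {
    ca=$1; cert=$2; key=$3
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# probe_starttls HOST CA CERT KEY: perform the StartTLS handshake that
# ldapsearch -ZZ performs and print the Certificate-related handshake
# messages in both directions (<<< server, >>> client), so you can see
# whether the server sent a CertificateRequest and what this client answered.
# Needs OpenSSL 1.1.1+ for -starttls ldap.
probe_starttls() {
    host=$1; ca=$2; cert=$3; key=$4
    msgs=$(openssl s_client -connect "$host:389" -starttls ldap -msg \
             -CAfile "$ca" -cert "$cert" -key "$key" </dev/null 2>&1)
    printf '%s\n' "$msgs" | grep -E '^(<<<|>>>).*Certificate' || true
    case $msgs in
        *CertificateRequest*) return 0 ;;
        *) echo "server did not request a client certificate"; return 1 ;;
    esac
}

# make_demo_pki DIR: constructed throwaway CA, one client identity signed by
# it, and one unrelated key, so the checks can be exercised offline.
make_demo_pki() {
    dir=$1
    printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' \
        '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$dir/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -config "$dir/req.cnf" -extensions v3_ca \
        -keyout "$dir/myca.key" -out "$dir/myca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ldapclient01" \
        -config "$dir/req.cnf" -keyout "$dir/ldapclient01.key" \
        -out "$dir/ldapclient01.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/ldapclient01.csr" -CA "$dir/myca.crt" \
        -CAkey "$dir/myca.key" -CAcreateserial -out "$dir/ldapclient01.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -out "$dir/other.key" 2>/dev/null
}
```

Against the thread's own files this is `check_client_identity /etc/openldap/myca.crt /etc/openldap/ldapclient01.crt /etc/openldap/ldapclient01.key` followed by `probe_starttls ldapmaster.example.com` with the same three paths. On the NSS-built libldap that matches the moznss error code in the log, also confirm that TLS_CERT and TLS_KEY are being read as PEM files rather than as a certificate nickname in an NSS database; the probe shows in either case whether a certificate was actually sent.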