Error in mm_init -- LDAP pool initialization error 52
Hi,
I am trying to configure user group lookups to our ldap server with SSL. The ldap server is set up with verisign certs and is working correctly. When I configure our front end mta server to use ldap over ssl and restart, I get the following error.
Error in mm_init -- LDAP pool initialization error 52
I make the following changes:
# ./configutil -o local.service.pab.ldaport -v 10636
OK SET
# ./configutil -o local.ugldapport -v 10636
OK SET
# ./configutil -o local.ugldapusessl -v 1
OK SET
# ./stop-msg
Connecting to watcher ...
shutting down all servers...
Stopping job_controller server 989 ... done
Stopping dispatcher server 986 ... done
Stopping sched server 984 ... done
Stopping ens server 983 ... done
stopping watcher process 982 ... done
# ./start-msg
12:58:24.68: Error in mm_init -- LDAP pool initialization error 52
Connecting to watcher ...
Launching watcher ...
Starting ens server ... 1041
Starting sched server ... 1042
Starting dispatcher server .... 1044
Starting job_controller server .... 1047
mta2:root bash /opt/SUNWmsgsr/sbin #
However... it still seems to work......
Any ideas on what this problem may be?
By DarrenLCC at 2007-11-26 11:29:35

# 1
I suspect that your PAB access is attempting to connect to ldap on the ssl port, but is not in ssl mode. . . I suspect that you will find that pab isn't working for you, now......
# 2
This makes sense, is it possible to configure pab to use ssl? If so how? Any suggestions would be great.
Also note the following entry in the imta log
[15/Nov/2006:09:23:32 -0700] mta2 64a.1[1610]: LDAP Error: sslinit failed, ldaps unavailable
Which is strange because user group lookups seem to be working in ssl mode. I have monitored the ldap server and ssl is starting correctly. Also I can watch the access log and see that it is in fact accessing it in ldaps mode. I have also tested ldaps connections with an ssl global address book access.
# 3
configutil local.service.pab.ldapusessl
# 4
I have re-checked everything and done some more digging. From the ldap logs, it seems that in fact user group lookups are not working over ssl, just normal. I am able to do an ldapsearch command line search using the cert db of the messaging server and get a proper connection. But, every time I start the msg server I get the following error and cannot get it to create an ldaps connection.
# ./start-msg
13:13:22.35: Error in mm_init -- LDAP pool initialization error 52
Connecting to watcher ...
Launching watcher ...
Starting ens server ... 2212
Starting sched server ... 2213
Starting dispatcher server .... 2215
Starting job_controller server .... 2219
mta2:root bash /opt/SUNWmsgsr/sbin #
-
get this in the imta log
[15/Nov/2006:13:13:22 -0700] mta2 8a1.1[2209]: LDAP Error: sslinit failed, ldaps unavailable
--
Is there a way to debug this and find out where the problem is?
# 5
Darron? The SSL library needs to have a server certificate installed before Messaging can use SSL for anything. You have one installed in your Messaging Server?
# 6
Yes.. I read that somewhere. I do have a server cert installed although it's a verisign trial cert.
# ./certutil -L -d /opt/SUNWmsgsr/config
verisign--test-rootCT,C,C
verisign-rootCT,C,C
server-cert CTu,Cu,Cu
mta2:root bash /opt/SUNWmsgsr/sbin #
-
# ./configutil | grep nss
encryption.fortezza.nssslactivation = off
encryption.nsssl2 = off
encryption.nsssl3 = on
encryption.nsssl3ciphers = rsa_rc4_40_md5
encryption.nsssl3sessiontimeout = 0
encryption.nssslclientauth = 0
encryption.nssslsessiontimeout = 0
encryption.rsa.nssslactivation = on
encryption.rsa.nssslpersonalityssl = server-cert
encryption.rsa.nsssltoken = internal
nsserversecurity = on
-
mta2:root bash /opt/SUNWmsgsr/sbin # ./configutil | grep ssl
encryption.fortezza.nssslactivation = off
encryption.nsssl2 = off
encryption.nsssl3 = on
encryption.nsssl3ciphers = rsa_rc4_40_md5
,rsa_rc2_40_md5
,rsa_des_sha
,rsa_rc4_128_md5
,rsa_3des_sha
encryption.nsssl3sessiontimeout = 0
encryption.nssslclientauth = 0
encryption.nssslsessiontimeout = 0
encryption.rsa.nssslactivation = on
encryption.rsa.nssslpersonalityssl = server-cert
encryption.rsa.nsssltoken = internal
local.ldapusessl = 0
local.service.pab.ldapusessl = 1
local.ugldapusessl = 1
service.http.enablesslport = no
service.http.sslcachesize = 0
service.http.sslport = 443
service.http.sslusessl = no
service.imap.enablesslport = no
service.imap.sslcachesize = 0
service.imap.sslport = 993
service.imap.sslusessl = no
service.pop.enablesslport = no
service.pop.sslport = 992
service.pop.sslusessl = no
mta2:root bash /opt/SUNWmsgsr/sbin #
# 7
Hm. A couple things:
encryption.nssslclientauth = 0
looks like client authentication is off. That's what you're asking it to do.
encryption.nsssl3ciphers = rsa_rc4_40_md5
you're limiting it here, to a 40-bit cipher. If your ldap system is set for more, then you may not connect.
The above string should be:
"rsa_3des_sha,rsa_rc4_128_md5,rsa_des_sha,tls_rsa_export1024_with_rc4_56_sha,tls_rsa_export1024_with_des_cbc_sha,rsa_rc2_40_md5,rsa_rc4_40_md5"
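The thread turns on three things that a `configutil` dump can show: whether each LDAP pool that has its SSL switch on also has its port option set (the first post sets `local.service.pab.ldaport`, and `configutil` answers `OK SET` for any option name), whether `encryption.nsssl3ciphers` is restricted to the export-grade suites, and whether a server certificate nickname is configured. The checker below is an added example, not code from the thread or from Messaging Server: it parses `key = value` lines as `./configutil` prints them, re-joins a value that wraps onto continuation lines starting with a comma (the way the cipher list does in the dump above), and reports those three conditions. The pairing of each `*ldapusessl` switch with a `*ldapport` option is assumed from the option names used in the thread, and the sample dump is constructed from the values posted here.

```python
"""Sanity checker for a Sun Messaging Server `configutil` dump (added example)."""
import difflib
import re

# Constructed sample, assembled from values posted in the thread, including
# the PAB port option name exactly as it was typed in the first post.
SAMPLE_DUMP = """\
encryption.nsssl3ciphers = rsa_rc4_40_md5
,rsa_rc2_40_md5
,rsa_des_sha
encryption.nssslclientauth = 0
encryption.rsa.nssslpersonalityssl = server-cert
local.ldapusessl = 0
local.service.pab.ldaport = 10636
local.service.pab.ldapusessl = 1
local.ugldapport = 10636
local.ugldapusessl = 1
"""

LINE_RE = re.compile(r"^([A-Za-z0-9_.]+)\s*=\s*(.*)$")

# SSL switch -> port option it must agree with (assumed pairing, from the
# option names used in the thread).
POOL_PORT_FOR_SSL_SWITCH = {
    "local.ugldapusessl": "local.ugldapport",
    "local.service.pab.ldapusessl": "local.service.pab.ldapport",
}

# Export-grade suites named in the thread: 40- or 56-bit symmetric keys.
WEAK_CIPHERS = {
    "rsa_rc4_40_md5", "rsa_rc2_40_md5", "rsa_des_sha",
    "tls_rsa_export1024_with_rc4_56_sha", "tls_rsa_export1024_with_des_cbc_sha",
}


def parse_configutil(text):
    """Return {option: value}; a line starting with ',' continues the previous value."""
    config, last_key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(",") and last_key is not None:
            config[last_key] += line  # wrapped cipher list continues here
            continue
        match = LINE_RE.match(line)
        if match:
            last_key = match.group(1)
            config[last_key] = match.group(2).strip()
    return config


def check_ldap_ssl(config):
    """Return a list of (code, detail) findings; an empty list means nothing obvious."""
    findings = []

    # 1. Every pool with SSL switched on needs its port option present.
    for ssl_key, port_key in POOL_PORT_FOR_SSL_SWITCH.items():
        if config.get(ssl_key) != "1" or port_key in config:
            continue
        detail = f"{ssl_key}=1 but {port_key} is not set"
        # configutil accepts any option name, so look for a near-miss spelling.
        near = difflib.get_close_matches(port_key, list(config), n=1, cutoff=0.9)
        if near:
            detail += f" (a similarly named option is set: {near[0]})"
        findings.append(("missing-port", detail))

    # 2. A cipher list made only of export suites cannot meet a stronger LDAP server.
    ciphers = [c for c in config.get("encryption.nsssl3ciphers", "").split(",") if c]
    if ciphers and all(c in WEAK_CIPHERS for c in ciphers):
        findings.append(("weak-ciphers",
                         "nsssl3ciphers lists only 40/56-bit suites: " + ",".join(ciphers)))

    # 3. SSL needs a server certificate nickname, as post #5 points out.
    if not config.get("encryption.rsa.nssslpersonalityssl"):
        findings.append(("no-cert-nickname",
                         "encryption.rsa.nssslpersonalityssl is empty; SSL needs a server cert"))

    return findings


if __name__ == "__main__":
    for code, detail in check_ldap_ssl(parse_configutil(SAMPLE_DUMP)):
        print(f"[{code}] {detail}")
```

Feed it the real dump with `./configutil | python3 checker.py` style piping after replacing `SAMPLE_DUMP` with `sys.stdin.read()`; on the constructed sample it reports the missing `local.service.pab.ldapport` (pointing at the similarly named option that is set) and the export-only cipher list, and nothing about the certificate, which matches what the thread has established so far.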
# 8
I had tried those settings but just to be sure, I set them again. Still nothing.
# ./configutil -o encryption.nsssl3ciphers
rsa_3des_sha,rsa_rc4_128_md5,rsa_des_sha,tls_rsa_export1024_with_rc4_56_sha,tls_rsa_export1024_with_des_cbc_sha,rsa_rc2_40_md5,rsa_rc4_40_md5
encryption.nssslclientauth = 1
# 9
My suggestion is that it's time to open a support case.