Re: Support for multiple DN's
On Sunday, 11 April 2010 05:59:47 Meena Ram wrote:
> Hello Sarati;
> I wanted the following thing to work. Like I would like to do a ldapsearch for multiple domains. At present when I try to slapadd for an entry into the second domain it fails.

Since you didn't provide the commandline you used, or a sample of the data, or the exact error message, the only option we have is to guess. My guess is that you didn't specify the database number or suffix that slapadd should operate on.

> ldapadd also seems to fail for the second domain.

Again, you provide no information here, and there are way too many possibilities for failure to even try and guess.

> I have two separate directories for the two domains: /var/lib/ldap and /var/lib/ldap2. Really appreciate your help in this regard.
>
> ### First Domain #
> database bdb
> suffix dc=openldap,dc=Americas,dc=California,dc=com
> rootdn cn=Manager,dc=openldap,dc=Americas,dc=California,dc=com
> rootpw {SSHA}yBt63W8/N8AZLiSIh9VnwuUSVH8snQtW
> directory /var/lib/ldap
> # Indices to maintain for this database
> .
>
> ###
> # ldbm and/or bdb database definitions - For second Domain
> ###
> #database ldbm
> database bdb
> suffix dc=openldap2,dc=Americas,dc=California,dc=com
> rootdn cn=manager,dc=openldap2,dc=Americas,dc=California,dc=com
> rootpw {SSHA}yBt63W8/N8AZLiSIh9VnwuUSVH8snQtW
Re: Slapd-ldap proxy between replica and mirror
Hi,

Ok, I understand that the problem is authorization, but when I suppress the back-ldap proxy from my scenario it works. I am going to give more details.

First Scenario:

- A delta syncrepl server replicating from the first server of a mirror.

IPs: delta syncrepl (192.168.1.5), mirror server 1 (192.168.1.10), mirror server 2 (192.168.1.20)

replica slapd.conf

---
#
# Chaining configuration
#
overlay chain
chain-uri ldap://mirror1:389
chain-idassert-bind bindmethod=simple
    binddn="cn=replicator,dc=example,dc=com"
    credentials=secret
    mode=self
chain-return-error TRUE

##
# Replica
##
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Administrator,dc=example,dc=com"
rootpw secret
checkpoint 1024 5
cachesize 1
index objectClass,uidNumber,gidNumber eq
index member,mail eq,pres
index cn,displayname,uid,sn,givenname sub,eq,pres
overlay ppolicy
ppolicy_default "cn=Default Password Policy,dc=example,dc=com"
ppolicy_forward_updates
ppolicy_hash_cleartext
overlay memberof

##
# Syncrepl directives
##
syncrepl rid=001
    provider=ldap://mirror1:389
    type=refreshAndPersist
    retry="60 +"
    searchbase="dc=example,dc=com"
    filter="(objectclass=*)"
    scope=sub
    attrs="*"
    schemachecking=on
    binddn="cn=replicator,dc=example,dc=com"
    bindmethod=simple
    credentials=secret
    sizelimit=unlimited
    logbase="cn=accesslog"
    logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
    syncdata=accesslog

# Refer updates to the master
updateref ldap://mirror1:389
---

slapd.conf of mirror server #1

---
# Global section
serverID 1
moduleload memberof

access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to attrs=userPassword,userPKCS12
    by self write
    by dn.base="cn=replicator,dc=example,dc=com" read
    by * auth
access to attrs=shadowLastChange
    by self write
    by * read

# Give the replica DN unlimited read access. This ACL needs to be
# merged with other ACL statements, and/or moved within the scope
# of a database. The by * break portion causes evaluation of
# subsequent rules. See slapd.access(5) for details.
access to *
    by dn.base="cn=replicator,dc=example,dc=com" read
    by * break
access to * by * read

# Load the accesslog overlay
moduleload accesslog.la
# Load the syncprov overlay
moduleload syncprov.la

# Accesslog database definitions
database bdb
monitoring off
suffix cn=accesslog
rootdn cn=accesslog
index default eq
index entryCSN,objectClass,reqEnd,reqResult,reqStart
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
# Let the replica DN have limitless searches
limits dn.exact="cn=replicator,dc=example,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

###
# BDB database definitions
###
database bdb
monitoring off
suffix "dc=example,dc=com"
rootdn "cn=Administrator,dc=example,dc=com"
rootpw secret
checkpoint 1024 5
cachesize 1
index objectClass,uidNumber,gidNumber eq
index member,mail eq,pres
index cn,displayname,uid,sn,givenname sub,eq,pres
overlay ppolicy
ppolicy_default "cn=Default Password Policy,dc=example,dc=com"
ppolicy_hash_cleartext
overlay memberof
# Enable authz-policy
authz-policy to
index entryCSN eq
index entryUUID eq
# syncrepl Provider for primary db
overlay syncprov
syncprov-checkpoint 1000 60
# accesslog overlay definitions for primary db
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
# scan the accesslog DB every day, and purge entries older than 7 days
logpurge 07+00:00 01+00:00
# Let the replica DN have limitless searches
limits dn.exact="cn=replicator,dc=example,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
# MirrorMode - Syncrepl directive
syncrepl rid=001
    provider=ldap://mirror2:389
    bindmethod=simple
    binddn="cn=Administrator,dc=example,dc=com"
    credentials=secret
    searchbase="dc=example,dc=com"
    schemachecking=on
    type=refreshAndPersist
    retry="60 +"
mirrormode on
---

In the mirror servers we have set the attribute authzTo for the replicator dn:

ldapsearch -x -b 'cn=replicator,dc=example,dc=com' -H ldap://mirror1:389 -D
SSL / Certificates / ... Some confusion
Hi,

for a couple of days I have been trying to set up a provider and a consumer over SSL, following the documentation in a book [1] and using two servers (Red Hat 5.x, openssl-0.9.8e-12, openldap-2.3.43-3).

Doing so I was confronted with a lot of different warnings/messages, but finally I got the replication encrypted.

The final step in the tutorial is to use saslmech=external, but the messages I do get are different from the messages I should get. I noticed and googled some provider debug info and wanted to ask for some proof or clarification or workaround.

From the provider log:

TLS certificate verification: Error, unsupported certificate purpose
...
TLS trace: SSL3 alert write:warning:bad certificate
connection_read(13): unable to get TLS client DN, error=49 id=1

From a posting from 2006 and the answer from Howard Chu [2] I think I do have the same problem: my consumer server certificate should, from the provider's view, be a client certificate.

From the certificate:

X509v3 extensions:
    X509v3 Basic Constraints:
        CA:FALSE
    Netscape Cert Type:
        SSL Server

Am I wrong, right, lost, ...? Is there a workaround or any step while creating the certificates?

Thanks once more and best regards,

Götz

[1] http://www.galileocomputing.de/katalog/buecher/titel/gp/titelID-1801
[2] http://www.openldap.org/lists/openldap-software/200604/msg00202.html

--
Götz Reinicke
IT Coordinator
Tel. +49 7141 969 420
Fax +49 7141 969 55 420
E-Mail goetz.reini...@filmakademie.de
Filmakademie Baden-Württemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de
Registered at Amtsgericht Stuttgart HRB 205016
Chair of the supervisory board: Prof. Dr. Claudia Hübner
Managing director: Prof. Thomas Schadt
Re: deleting one domain
Dear Patrick,

please read the manpage of ldapmodify on how to delete a DN.

Thanks.

On Mon, Apr 12, 2010 at 11:43, Patrick Mburu patrick_li...@yahoo.com wrote:
> Hi guys
>
> I get this output from slapcat:
>
> dn: dc=mycompany,dc=com
> objectClass: dcObject
> objectClass: organization
> o: mycompany
> dc: mycompany
> structuralObjectClass: organization
> entryUUID: e235aa56-cd4a-102e-9e99-4f8ab88a5141
> creatorsName: cn=root,dc=mycompany,dc=com
> modifiersName: cn=root,dc=mycompany,dc=com
> createTimestamp: 20100326174351Z
> modifyTimestamp: 20100326174351Z
> entryCSN: 20100326174351Z#00#00#00
>
> dn: dc=mycompany,dc=local
> objectClass: dcObject
> objectClass: organization
> o: mycompany
> dc: mycompany
> structuralObjectClass: organization
> entryUUID: 4c85f2e4-cf9e-102e-9a60-f35afa4f4768
> creatorsName: cn=root,dc=mycompany,dc=local
> modifiersName: cn=root,dc=mycompany,dc=local
> createTimestamp: 20100329164559Z
> modifyTimestamp: 20100329164559Z
> entryCSN: 20100329164559Z#00#00#00
>
> I want to delete the mycompany.com domain and be left with mycompany.local. How do I go about it?
>
> Thanks in advance
>
> --
> To be or not to be -- Shakespeare | To do is to be -- Nietzsche | To be is to do -- Sartre | Do be do be do -- Sinatra
Re: SSL / Certificates / ... Some confusion
Götz Reinicke - IT-Koordinator goetz.reini...@filmakademie.de writes:

> Hi,
[...]
> I noticed and googled some provider debug info and wanted to ask for some proof or clarification or workaround.
>
> From the provider log:
>
> TLS certificate verification: Error, unsupported certificate purpose
> ...
> TLS trace: SSL3 alert write:warning:bad certificate
> connection_read(13): unable to get TLS client DN, error=49 id=1

What is the commonName attribute value of the client certificate?

-Dieter

--
Dieter Klünter | Systems Consulting
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
Re: TLS issues
Hey Neil,

thanks for the tip, I might try re-compiling it with the options you mentioned. The thing is, at the moment (and for the last couple of days) all has been working flawlessly, even on phpldapadmin (with which I always had those issues), so I cannot reproduce the error anymore (and therefore I wouldn't be able to tell if the recompilation trick worked or not...). But again, assuming the problem would be some certificate field, this wouldn't change over time, so it still wouldn't explain why it worked sometimes while other times not... I'm starting to believe it was just a random error, but again, I'm still afraid it will spontaneously show up some time in the future and give me a lot of headaches...

Anyway, as I mentioned, now it all seems to be working fine, but I still get this error when clients (successfully) connect:

slapd[13887]: connection_read(14): unable to get TLS client DN, error=49 id=14

It seems to be an issue related to the client certificate, but I am specifically saying on slapd.conf TLSVerifyClient never, so I am out of ideas as to how to fix this error...

Cheers,

On 08-04-2010 19:20, Neil Dunbar wrote:
> On 8 Apr 2010, at 03:57, Daniel Gomes wrote:
>> First of all, the specs: it's an OpenLDAP 2.4.19 compiled (manually, not via apt-get) on an Ubuntu 8.04 (Hardy)
>
> Hmm. Ubuntu and Debian OpenLDAP packages use GNUTLS by default, and I've certainly had problems with cert name recognition - especially with subjectAltNames in certificates before. Hit it with the LDAP URI set to the name in the subjectName, and it works. Hit it with the subjectAltName DNS names, and it tends to barf.
>
> I recompile the OpenLDAP debs from package source (better still - use the 2.4.21 package from Lucid), and change debian/configure.options from --with-ssl=gnutls to --with-ssl=openssl; also change the debian/control file dependencies from libgnutls-dev (>= {version}) to libssl-dev.
>
> Follow that with a dpkg-buildpackage -rfakeroot, and you should end up with OpenSSL-linked packages.
>
> Note: I'm not trying to get into yet another Debian/GNUTLS/OpenSSL licensing debate here, just saying what works for me.
>
> Cheers,
>
> Neil
>
> NEIL DUNBAR
> Systems Architect
> (602) 850-5783 work
> +44 7976 616583 mobile
> +1 (602) 535-6914 US mobile
> www.llnw.com

--
Daniel Gomes, 55350
Re: SSL / Certificates / ... Some confusion
Götz Reinicke - IT-Koordinator goetz.reini...@filmakademie.de writes:

> Dieter Kluenter wrote:
>> Götz Reinicke - IT-Koordinator goetz.reini...@filmakademie.de writes:
>>
>>> Hi,
>> [...]
>>> I noticed and googled some provider debug info and wanted to ask for some proof or clarification or workaround.
>>>
>>> From the provider log:
>>>
>>> TLS certificate verification: Error, unsupported certificate purpose
>>> ...
>>> TLS trace: SSL3 alert write:warning:bad certificate
>>> connection_read(13): unable to get TLS client DN, error=49 id=1
>>
>> What is the commonName attribute value of the client certificate?
>
> CN=ldap2.filmakademie.de

That's what I thought, but this is not a valid distinguished name, because it is not the client host name that has to be authenticated but an entry's DN.

-Dieter

--
Dieter Klünter | Systems Consulting
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
Re: SSL / Certificates / ... Some confusion
Hi,

> X509v3 extensions:
>     X509v3 Basic Constraints:
>         CA:FALSE
>     Netscape Cert Type:
>         SSL Server

You can use this certificate only for a server, not for client authentication.

Netscape Cert Type: should be

SSL Client, SSL Server

if you would use the certificate as client/server (I would prefer this), or

SSL Client

if you would use the certificate only as client.

Look for nsCertType in your OpenSSL configuration file; manpages: config and x509.

--
Klaus Lemkau

On 12.04.2010 11:58, Götz Reinicke - IT-Koordinator wrote:
> Hi,
>
> for a couple of days I have been trying to set up a provider and a consumer over SSL, following the documentation in a book [1] and using two servers (Red Hat 5.x, openssl-0.9.8e-12, openldap-2.3.43-3).
> [...]
> [1] http://www.galileocomputing.de/katalog/buecher/titel/gp/titelID-1801
> [2] http://www.openldap.org/lists/openldap-software/200604/msg00202.html

--
Technische Universitaet Berlin
tubIT Service Center
Sekr. EN 50, Room EN-030
Einsteinufer 17, 10587 Berlin
phone: +49 30 31424229
Re: SSL / Certificates / ... Some confusion
Hi Klaus,

thanks a lot. Just two minutes ago I finished my two-hour Google look-up, ending in the same direction :-)

A posting from Howard Chu pointed in the right direction:

http://www.openldap.org/lists/openldap-software/200704/msg00129.html

Then off to:

http://www.openssl.org/docs/apps/x509v3_config.html

The next minutes I'll dedicate to you, doing some kowtow. And some more if everything works ;-)

Cheers,

Götz

Klaus Lemkau wrote:
> Hi,
>
>> X509v3 extensions:
>>     X509v3 Basic Constraints:
>>         CA:FALSE
>>     Netscape Cert Type:
>>         SSL Server
>
> You can use this certificate only for a server, not for client authentication.
>
> Netscape Cert Type: should be
>
> SSL Client, SSL Server
>
> if you would use the certificate as client/server (I would prefer this), or
>
> SSL Client
>
> if you would use the certificate only as client.
>
> Look for nsCertType in your OpenSSL configuration file; manpages: config and x509.
>
> --
> Klaus Lemkau
>
> On 12.04.2010 11:58, Götz Reinicke - IT-Koordinator wrote:
>> [...]

--
Götz Reinicke
IT Coordinator
Tel. +49 7141 969 420
Fax +49 7141 969 55 420
E-Mail goetz.reini...@filmakademie.de
Filmakademie Baden-Württemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de
Registered at Amtsgericht Stuttgart HRB 205016
Chair of the supervisory board: Prof. Dr. Claudia Hübner
Managing director: Prof. Thomas Schadt
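Klaus's diagnosis above (the consumer's certificate carries `Netscape Cert Type: SSL Server` only, so the provider's OpenSSL rejects it for the sslclient purpose and slapd logs "unsupported certificate purpose") can be checked from an `openssl x509 -noout -text` dump before touching slapd. This is an added example, not code from the thread, OpenLDAP or OpenSSL: it applies OpenSSL's purpose rules for sslclient and sslserver to the extension block, using the thread's own extension values and a constructed corrected variant; `FIXED_EXT_SECTION` is a hypothetical x509v3_config section (assumed name) that would produce the corrected extensions.

```python
import re

# Extension block exactly as posted in the thread (openssl x509 -text layout).
POSTED_CERT_TEXT = """\
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
"""

# Constructed sample: the same block after re-issuing the certificate with
# both client and server purposes (what FIXED_EXT_SECTION would produce).
FIXED_CERT_TEXT = """\
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            Netscape Cert Type:
                SSL Client, SSL Server
"""

# Hypothetical openssl x509v3_config section (assumed name) for a certificate
# usable both as the consumer's client cert and as a server cert.
FIXED_EXT_SECTION = """\
[ ldap_client_server ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
nsCertType       = client, server
"""

# Extension headings as printed by openssl; the value sits on the next line
# (one line is enough for the three extensions inspected here).
_EXT_PATTERNS = {
    "ns_cert_type": r"Netscape Cert Type:[^\n]*\n\s*([^\n]+)",
    "ext_key_usage": r"X509v3 Extended Key Usage:[^\n]*\n\s*([^\n]+)",
    "key_usage": r"X509v3 Key Usage:[^\n]*\n\s*([^\n]+)",
}

# OpenSSL's X509_check_purpose logic for the two TLS purposes, simplified
# (the legacy SGC extended key usages accepted for sslserver are ignored).
# An absent extension never rejects; a present nsCertType or EKU must carry
# the listed value, and a present keyUsage must carry one of the listed bits.
_PURPOSE_RULES = {
    "sslclient": {
        "ns_cert_type": "SSL Client",
        "ext_key_usage": "TLS Web Client Authentication",
        "key_usage_any": {"Digital Signature"},
    },
    "sslserver": {
        "ns_cert_type": "SSL Server",
        "ext_key_usage": "TLS Web Server Authentication",
        "key_usage_any": {"Digital Signature", "Key Encipherment", "Key Agreement"},
    },
}


def parse_extensions(text):
    """Return {extension: set(values)} for the extensions the rules inspect."""
    found = {}
    for name, pattern in _EXT_PATTERNS.items():
        match = re.search(pattern, text)
        if match:
            found[name] = {value.strip() for value in match.group(1).split(",")}
    return found


def purpose_problems(extensions, purpose):
    """Explain why OpenSSL would report 'unsupported certificate purpose'.

    An empty list means the certificate passes the purpose check.
    """
    rules = _PURPOSE_RULES[purpose]
    problems = []
    for ext in ("ns_cert_type", "ext_key_usage"):
        values = extensions.get(ext)
        if values is not None and rules[ext] not in values:
            problems.append(f"{ext} present but lacks '{rules[ext]}'")
    key_usage = extensions.get("key_usage")
    if key_usage is not None and not (key_usage & rules["key_usage_any"]):
        problems.append(f"key_usage lacks a bit usable for {purpose}")
    return problems


def usable_for(text, purpose):
    """True when the openssl -text dump passes the given purpose check."""
    return not purpose_problems(parse_extensions(text), purpose)


if __name__ == "__main__":
    for label, text in (("posted", POSTED_CERT_TEXT), ("fixed", FIXED_CERT_TEXT)):
        for purpose in ("sslclient", "sslserver"):
            verdict = purpose_problems(parse_extensions(text), purpose) or "OK"
            print(f"{label:6} {purpose:9} -> {verdict}")
```

Run against a real dump with `openssl x509 -in consumer.pem -noout -text | python3 thisfile.py` once you replace the constants with stdin; the posted block fails sslclient on the nsCertType rule alone, which is exactly the provider's complaint.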
Problem with SSL/TLS
I have created a cert on the server and openldap starts without any issues, however when I attempt to connect via ldaps I keep getting the following error:

ldapsearch -x -H ldaps://localhost:636 -D cn=Manager,dc=testing,dc=com -W -b dc=testing,dc=com (objectClass=top)
Enter LDAP Password:
ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I can't quite pinpoint what the problem might be.

Lynn York II
MavenWire Hosting Admin
www.mavenwire.com
(866) 343-4870 x717

MavenWire - We DELIVER http://www.mavenwire.com
This e-mail and any attached files may contain confidential and/or privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive this e-mail for the recipient), you may not review, copy or distribute this message. Please contact the sender by reply e-mail and delete all copies of this message.
Re: Problem with SSL/TLS
/etc/ldap.conf is used by nss tools and the ilk. /etc/openldap/ldap.conf would be used by openldap tools - like ldapsearch.

I have the same setting there for tls_checkpeer - but in the latter ldap.conf (under openldap).

FWIW: there's apparently no real different format for the two files; while one would only be set up on ldap servers, mine are identical and things work with a mirror master, both set up behind a VIP (fail over, not load balanced) and a plethora of slaves in different subdomains.

- chris

PS: I'd forgotten to 'reply-to-all' earlier. :)

Chris Jacobs, Systems Administrator
Apollo Group | Apollo Marketing | Aptimus
2001 6th Ave Ste 3200 | Seattle, WA 98121
phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661
email: chris.jac...@apollogrp.edu

From: Lynn York
To: Chris Jacobs
Sent: Mon Apr 12 10:29:19 2010
Subject: RE: Problem with SSL/TLS

Here is my /etc/ldap.conf:

#host 127.0.0.1
base cn=users,dc=testing,dc=com
uri ldap://localhost:636
binddn cn=manager,dc=testing,dc=com
bindpw password
scope sub
timelimit 120
bind_policy soft
bind_timelimit 120
idle_timelimit 3600
ssl on
tls_cacert /etc/openldap/cacerts/servercrt.pem
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer no
nss_base_group cn=groups,dc=testing,dc=com?sub
pam_password md5

I have tried it with and without "tls_checkpeer"... I am sort of at a loss as to what it can be. I also tested it using openssl client, and here is the output:

CONNECTED(0003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=US/ST=Pennsylvania/O=MavenWire, LLC/OU=Support/CN=testing.com/emailaddress=test...@testing.com
verify return:1
depth=0 /C=US/ST=Pennsylvania/L=King of Prussia/O=MavenWire, LLC/OU=Support/CN=testing.com/emailaddress=test...@testing.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=US/ST=Pennsylvania/L=King of Prussia/O=MavenWire, LLC/OU=Support/CN=testing.com/emailaddress=test...@testing.com
   i:/C=US/ST=Pennsylvania/O=MavenWire, LLC/OU=Support/CN=testing.com/emailaddress=test...@testing.com
Re: Problem with SSL/TLS
Chris Jacobs wrote:
> /etc/ldap.conf is used by nss tools and the ilk. /etc/openldap/ldap.conf would be used by openldap tools - like ldapsearch.

Actually it's used by libldap, which means everything that uses libldap (including nss_ldap). But of course the converse is not true, /etc/ldap.conf only affects nss_ldap and pam_ldap, not anything else.

> I have the same setting there for tls_checkpeer - but in the latter ldap.conf (under openldap).

tls_checkpeer is not a valid OpenLDAP ldap.conf keyword.

> FWIW: there's apparently no real different format for the two files; while one would only be set up on ldap servers, mine are identical and things work with a

If they are identical and things work, it's by sheer luck. Read the ldap.conf(5) manpage. Relying on anything not documented there would be a mistake.

To the original poster: use the ldapsearch debug flag. OpenSSL s_client is not a reliable indicator of anything.

> mirror master, both set up behind a VIP (fail over, not load balanced) and a plethora of slaves in different subdomains.
>
> - chris
>
> PS: I'd forgotten to 'reply-to-all' earlier. :)
>
> Chris Jacobs, Systems Administrator
> Apollo Group | Apollo Marketing | Aptimus
> 2001 6th Ave Ste 3200 | Seattle, WA 98121
> phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661
> email: chris.jac...@apollogrp.edu
>
> From: Lynn York
> To: Chris Jacobs
> Sent: Mon Apr 12 10:29:19 2010
> Subject: RE: Problem with SSL/TLS
>
> Here is my /etc/ldap.conf:
> [...]
> I have tried it with and without "tls_checkpeer"... I am sort of at a loss as to what it can be. I also tested it using openssl client, and here is the output:
> [...]
>
> From: openldap-technical-bounces+chris.jacobs=apollogrp.edu@OpenLDAP.org
> To: openldap-technical@openldap.org
> Sent: Mon Apr 12 08:13:39 2010
> Subject: Problem with SSL/TLS
>
> I have created a cert on the server and openldap starts without any issues, however when I attempt to connect via ldaps I keep getting the following error:
>
> ldapsearch -x -H ldaps://localhost:636 -D cn=Manager,dc=testing,dc=com -W -b dc=testing,dc=com (objectClass=top)
> Enter LDAP Password:
> ldap_bind: Can't contact LDAP server (-1)
>         additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> I can't quite pinpoint what the problem might be.

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
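Howard's two points above (the nss_ldap file and libldap's ldap.conf(5) are different things, and tls_checkpeer is not a libldap keyword) are easy to check mechanically before the next ldapsearch. This is an added example, not code from the thread or from OpenLDAP: it reads the /etc/ldap.conf posted in this thread the way libldap would read /etc/openldap/ldap.conf, against the subset of ldap.conf(5) keywords listed in the code, names the nss_ldap/pam_ldap-only directives, and warns about two TLS-relevant settings: `ssl on` paired with an `ldap://` URI on port 636 (libldap needs `ldaps://` there), and a `TLS_REQCERT never`/`allow` setting, which is the libldap counterpart of `tls_checkpeer no` and hides a verify failure instead of fixing the CA chain.

```python
import re

# Keywords libldap reads from ldap.conf(5); a subset this example is sure of
# (the manpage is authoritative). Comparison is case-insensitive.
LIBLDAP_KEYWORDS = {
    "URI", "BASE", "BINDDN", "HOST", "PORT", "DEREF", "REFERRALS",
    "SIZELIMIT", "TIMELIMIT", "TIMEOUT", "NETWORK_TIMEOUT",
    "SASL_MECH", "SASL_REALM", "SASL_AUTHCID", "SASL_AUTHZID", "SASL_SECPROPS",
    "TLS_CACERT", "TLS_CACERTDIR", "TLS_CERT", "TLS_KEY", "TLS_CIPHER_SUITE",
    "TLS_RANDFILE", "TLS_REQCERT", "TLS_CRLCHECK",
}

# nss_ldap/pam_ldap-only keywords that appear in the posted file, with the
# closest libldap equivalent where one exists.
NSS_ONLY_HINTS = {
    "SSL": "no keyword; 'ssl on' becomes an ldaps:// URI, 'ssl start_tls' becomes -ZZ on the tools",
    "TLS_CHECKPEER": "TLS_REQCERT ('no' corresponds to 'never', which turns server verification off)",
    "BINDPW": "none; the tools take -w/-W",
    "SCOPE": "none; the tools take -s",
    "BIND_POLICY": "nss_ldap only",
    "BIND_TIMELIMIT": "nss_ldap only (NETWORK_TIMEOUT is the nearest libldap setting)",
    "IDLE_TIMELIMIT": "nss_ldap only",
    "NSS_BASE_GROUP": "nss_ldap only",
    "PAM_PASSWORD": "pam_ldap only",
}

# The /etc/ldap.conf posted in the thread, verbatim.
POSTED_LDAP_CONF = """\
#host 127.0.0.1
base cn=users,dc=testing,dc=com
uri ldap://localhost:636
binddn cn=manager,dc=testing,dc=com
bindpw password
scope sub
timelimit 120
bind_policy soft
bind_timelimit 120
idle_timelimit 3600
ssl on
tls_cacert /etc/openldap/cacerts/servercrt.pem
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer no
nss_base_group cn=groups,dc=testing,dc=com?sub
pam_password md5
"""


def parse_conf(text):
    """Yield (KEYWORD, value) for every non-blank, non-comment line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        yield parts[0].upper(), (parts[1] if len(parts) > 1 else "")


def lint_for_libldap(text):
    """Read the file the way libldap reads /etc/openldap/ldap.conf.

    Returns {'accepted': [keywords libldap knows],
             'ignored': [(keyword, hint) for everything else],
             'warnings': [settings that break or weaken TLS]}.
    """
    report = {"accepted": [], "ignored": [], "warnings": []}
    seen = {}
    for keyword, value in parse_conf(text):
        seen.setdefault(keyword, value)
        if keyword in LIBLDAP_KEYWORDS:
            report["accepted"].append(keyword)
        else:
            hint = NSS_ONLY_HINTS.get(keyword, "not in ldap.conf(5); libldap ignores it")
            report["ignored"].append((keyword, hint))

    # 'ssl on' makes nss_ldap wrap an ldap:// URI in TLS; libldap has no such
    # switch and would speak plain LDAP to the ldaps port, which surfaces as
    # "Can't contact LDAP server".
    uri = seen.get("URI", "")
    if seen.get("SSL", "").lower() == "on" and re.match(r"ldap://[^/]*:636(/|$)", uri):
        report["warnings"].append(f"URI {uri}: use ldaps:// for an ldaps port")

    # TLS_REQCERT never/allow reproduces 'tls_checkpeer no'; it silences the
    # verify error rather than pointing TLS_CACERT at the right CA.
    if seen.get("TLS_REQCERT", "").lower() in ("never", "allow"):
        report["warnings"].append("TLS_REQCERT disables or weakens server verification")
    return report


if __name__ == "__main__":
    result = lint_for_libldap(POSTED_LDAP_CONF)
    print("accepted:", ", ".join(result["accepted"]))
    for keyword, hint in result["ignored"]:
        print(f"ignored: {keyword:15} -> {hint}")
    for warning in result["warnings"]:
        print("warning:", warning)
```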
RE: Problem with SSL/TLS
I ran into various issues with OpenLDAP + SSL/TLS. Finally, I ended up tunneling via stunnel. Something you might want to consider?

Siddhartha

From: openldap-technical-bounces+sjain=silverspringnet@openldap.org [mailto:openldap-technical-bounces+sjain=silverspringnet@openldap.org] On Behalf Of Lynn York
Sent: Monday, April 12, 2010 8:14 AM
To: openldap-technical@openldap.org
Subject: Problem with SSL/TLS

I have created a cert on the server and openldap starts without any issues, however when I attempt to connect via ldaps I keep getting the following error:

ldapsearch -x -H ldaps://localhost:636 -D cn=Manager,dc=testing,dc=com -W -b dc=testing,dc=com (objectClass=top)
Enter LDAP Password:
ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I can't quite pinpoint what the problem might be.

Lynn York II
MavenWire Hosting Admin
www.mavenwire.com
(866) 343-4870 x717
RE: Problem with SSL/TLS
As that might be a viable option, at this point it is not. I have too many servers that will be getting the user information from LDAP, I would much rather just copy a couple certs instead of installing stunnel.. unless, I am missing something here?

From: Siddhartha Jain [mailto:sj...@silverspringnet.com]
Sent: Monday, April 12, 2010 3:53 PM
To: Lynn York; openldap-technical@openldap.org
Subject: RE: Problem with SSL/TLS

I ran into various issues with OpenLDAP + SSL/TLS. Finally, I ended up tunneling via stunnel. Something you might want to consider?

Siddhartha

From: openldap-technical-bounces+sjain=silverspringnet@openldap.org On Behalf Of Lynn York
Sent: Monday, April 12, 2010 8:14 AM
To: openldap-technical@openldap.org
Subject: Problem with SSL/TLS

I have created a cert. on the server and openldap starts without any issues, however when I attempt to connect via ldaps I keep getting the following error:

ldapsearch -x -H ldaps://localhost:636 -D cn=Manager,dc=testing,dc=com -W -b dc=testing,dc=com (objectClass=top)
Enter LDAP Password:
ldap_bind: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I can't quite pinpoint what the problem might be.

Lynn York II
MavenWire Hosting Admin
www.mavenwire.com
(866) 343-4870 x717
RE: Problem with SSL/TLS
--On Monday, April 12, 2010 2:20 PM -0400 Lynn York lynn.y...@mavenwire.com wrote:

TLS certificate verification: depth: 0, err: 18, subject: /C=US/ST=Pennsylvania/L=King of Prussia/O=MavenWire, LLC/OU=Support/CN=testing.com/emailaddress=mw-hosting-sysad...@testing.com, issuer: /C=US/ST=Pennsylvania/L=King of Prussia/O=MavenWire, LLC/OU=Support/CN=testing.com/emailaddress=mw-hosting-sysad...@testing.com
TLS certificate verification: Error, self signed certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B

The above error seems very clear to me. The CA for the offered cert is unknown. Either your CA path for OpenLDAP is wrong in your OpenLDAP ldap.conf file (which is set via the TLS_CACERT or TLS_CACERTDIR variables), or you've pointed at the wrong one, etc. As has been noted numerous times to you so far /etc/ldap.conf is not the place you set these variables. You fail to show your /etc/ldap/ldap.conf (assuming that's the location of it) settings.

--Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration
RE: Problem with SSL/TLS
Here is my /etc/openldap/ldap.conf:

uri ldaps://localhost
base cn=users,dc=testing,dc=com
tls_cacert /etc/openldap/cacerts/ca.key
tls_cacertdir /etc/openldap/cacerts
tls_reqcert allow

After adding the TLS options in there, I get the following:

ldapsearch -d1 -x -H ldaps://localhost:636/
ldap_create
ldap_url_parse_ext(ldaps://localhost:636/)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS: could not load verify locations (file:`/etc/openldap/cacerts/ca.key',dir:`/etc/openldap/cacerts').
ldap_perror
ldap_bind: Can't contact LDAP server (-1)

However, the certs and keys do exist..

ls -al /etc/openldap/cacerts/
total 44
drwxr-xr-x 3 ldap ldap 4096 Apr 12 13:48 .
drwxr-xr-x 4 ldap ldap 4096 Apr 12 18:09 ..
drwxr-xr-x 2 ldap ldap 4096 Apr 12 13:45 backup
-rw-r--r-- 1 ldap ldap 1805 Apr 12 13:46 ca.cert
-rw-r--r-- 1 ldap ldap 1679 Apr 12 13:46 ca.key
-rw-r--r-- 1 ldap ldap   17 Apr 12 13:48 ca.srl
-rw-r--r-- 1 ldap ldap 1411 Apr 12 13:48 hltraindb01.crt
-rw-r--r-- 1 ldap ldap 1106 Apr 12 13:46 hltraindb01.csr
-rw-r--r-- 1 ldap ldap 1679 Apr 12 13:45 hltraindb01.key

-----Original Message-----
From: Quanah Gibson-Mount [mailto:qua...@zimbra.com]
Sent: Monday, April 12, 2010 6:00 PM
To: Lynn York
Cc: openldap-technical@openldap.org
Subject: RE: Problem with SSL/TLS

--On Monday, April 12, 2010 2:20 PM -0400 Lynn York lynn.y...@mavenwire.com wrote:

TLS certificate verification: depth: 0, err: 18, subject: /C=US/ST=Pennsylvania/L=King of Prussia/O=MavenWire, LLC/OU=Support/CN=testing.com/emailaddress=mw-hosting-sysad...@testing.com, issuer: /C=US/ST=Pennsylvania/L=King of Prussia/O=MavenWire, LLC/OU=Support/CN=testing.com/emailaddress=mw-hosting-sysad...@testing.com
TLS certificate verification: Error, self signed certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B

The above error seems very clear to me. The CA for the offered cert is unknown. Either your CA path for OpenLDAP is wrong in your OpenLDAP ldap.conf file (which is set via the TLS_CACERT or TLS_CACERTDIR variables), or you've pointed at the wrong one, etc. As has been noted numerous times to you so far /etc/ldap.conf is not the place you set these variables. You fail to show your /etc/ldap/ldap.conf (assuming that's the location of it) settings.

--Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration
RE: Problem with SSL/TLS
--On Monday, April 12, 2010 6:13 PM -0400 Lynn York lynn.y...@mavenwire.com wrote:

Here is my /etc/openldap/ldap.conf:

uri ldaps://localhost
base cn=users,dc=testing,dc=com
tls_cacert /etc/openldap/cacerts/ca.key
tls_cacertdir /etc/openldap/cacerts
tls_reqcert allow

You specify *one* of the two options (Either TLS_CACERT or TLS_CACERTDIR). Not both. If you are specifying the file, then it needs to be the cert, not the key.

TLS: could not load verify locations (file:`/etc/openldap/cacerts/ca.key',dir:`/etc/openldap/cacerts').

However, the certs and keys do exist..

ls -al /etc/openldap/cacerts/
total 44
drwxr-xr-x 3 ldap ldap 4096 Apr 12 13:48 .
drwxr-xr-x 4 ldap ldap 4096 Apr 12 18:09 ..
drwxr-xr-x 2 ldap ldap 4096 Apr 12 13:45 backup
-rw-r--r-- 1 ldap ldap 1805 Apr 12 13:46 ca.cert
-rw-r--r-- 1 ldap ldap 1679 Apr 12 13:46 ca.key

What about the permissions on /etc/openldap and /etc/openldap/cacerts? I.e., if you su - ldap, can you actually read /etc/openldap/cacerts/ca.cert?

--Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration
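An added pre-flight check, not OpenLDAP's own code, for the ldap.conf mistakes raised in this reply and in the earlier "unknown CA" one: it parses a client ldap.conf, rejects the both-options and key-instead-of-cert errors, tests readability as the invoking user, and flags TLS_REQCERT allow/never. The sample directory and config files it builds are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example (not OpenLDAP code): validate TLS_CACERT / TLS_CACERTDIR in an
# ldap.conf. Prints one line per finding and returns 1 on any FAIL. Run it as
# the user that will run ldapsearch/slapd so the -r tests reflect that user.
check_ldap_tls_conf() {
    conf="$1"; rc=0
    # ldap.conf keywords are case-insensitive; take the first value of each
    cacert=$(awk 'tolower($1)=="tls_cacert" {print $2; exit}' "$conf")
    cacertdir=$(awk 'tolower($1)=="tls_cacertdir" {print $2; exit}' "$conf")
    reqcert=$(awk 'tolower($1)=="tls_reqcert" {print tolower($2); exit}' "$conf")
    if [ -n "$cacert" ] && [ -n "$cacertdir" ]; then
        echo "FAIL: set only one of TLS_CACERT / TLS_CACERTDIR"; rc=1
    elif [ -z "$cacert" ] && [ -z "$cacertdir" ]; then
        echo "FAIL: no CA trust store: set TLS_CACERT or TLS_CACERTDIR"; rc=1
    fi
    if [ -n "$cacert" ]; then
        if [ ! -r "$cacert" ]; then
            echo "FAIL: $cacert not readable by $(id -un)"; rc=1
        elif grep -q 'PRIVATE KEY' "$cacert"; then
            echo "FAIL: $cacert is a private key, not the CA certificate"; rc=1
        elif ! grep -q 'BEGIN CERTIFICATE' "$cacert"; then
            echo "FAIL: $cacert is not a PEM certificate"; rc=1
        fi
    fi
    if [ -n "$cacertdir" ] && [ ! -r "$cacertdir" ]; then
        echo "FAIL: $cacertdir not readable by $(id -un)"; rc=1
    fi
    # 'allow'/'never' make the client accept an unverifiable server cert: that
    # hides the "unknown CA" error instead of fixing the trust store.
    case "$reqcert" in
        allow|never) echo "WARN: TLS_REQCERT $reqcert skips server cert verification" ;;
    esac
    return $rc
}
# Constructed sample tree with placeholder PEM bodies (no real key material),
# reproducing the posted config: both options set and TLS_CACERT = the key.
make_sample_dir() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' placeholder '-----END CERTIFICATE-----' > "$d/ca.cert"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' placeholder '-----END RSA PRIVATE KEY-----' > "$d/ca.key"
    printf 'uri ldaps://localhost\ntls_cacert %s/ca.key\ntls_cacertdir %s\ntls_reqcert allow\n' "$d" "$d" > "$d/bad.conf"
    printf 'URI ldaps://localhost\nTLS_CACERT %s/ca.cert\nTLS_REQCERT demand\n' "$d" > "$d/good.conf"
    echo "$d"
}
if [ "${1:-}" = "demo" ]; then   # sh check_ldap_tls.sh demo
    d=$(make_sample_dir); check_ldap_tls_conf "$d/bad.conf"
    check_ldap_tls_conf "$d/good.conf" && echo "good.conf: OK"; rm -rf "$d"
fi
```

Against a real /etc/openldap/ldap.conf, run it as the ldap user (su - ldap) so the readability findings answer the permissions question above.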