LDAP clients fail to connect with SSL enabled

2010-11-21 Thread bluethundr

I am attempting to set up SSL/TLS support on my openLDAP 2.4 server on FreeBSD.

LBSD2# pkg_info | grep openldap
openldap-sasl-client-2.4.23 Open source LDAP client implementation
with SASL2 support
openldap-sasl-server-2.4.23 Open source LDAP server implementation

I put my cert file, key file and CA certfile in a directory called
/usr/local/etc/openldap/cacerts

Here's how it looks:

[r...@lbsd2:/usr/local/etc/openldap/cacerts]#ls -l
total 48
dr--r-  2 root  ldap   512 Nov 21 17:12 bak
-r--r-  1 root  ldap  1960 Nov 21 07:05 bsd2.summitnjhome.com.crt
-r--r-  1 root  ldap  4604 Nov 21 17:16 gd_bundle.crt
-r--r-  1 root  ldap  4689 Nov 21 18:59 sf_bundle.crt
-r--r-  1 root  ldap  1537 Nov 21 17:16 sf_issuing.crt
-r--r-  1 root  ldap  1090 Nov 21 12:29 slapd.csr
-r--r-  1 root  ldap  1743 Nov 21 12:26 slapd.key
-r--r-  1 root  ldap  1675 Nov 21 17:25 slapd.pem


My cert file is a GoDaddy turbo-ssl certfile named
bsd2.summitnjhome.com.crt. slapd.key is the key file and slapd.pem is
the same thing only with the password removed.

I'm a little unsure of which CA file to use but I think that
sf_issuing.crt _should_ work as this is the CA file that I used to
set up a similar SSL enabled LDAP server for a client recently.
Although I have tried all three CA files in this directory:
(gd_bundle.crt, sf_bundle.crt, and sf_issuing.crt).

I put the various cert/key files into my slapd.conf file like this:

LBSD2# cat slapd.conf | grep -i tls
## TLS options for slapd
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile  /usr/local/etc/openldap/cacerts/bsd2.summitnjhome.com.crt
TLSCertificateKeyFile /usr/local/etc/openldap/cacerts/slapd.pem
TLSCACertificateFile  /usr/local/etc/openldap/cacerts/sf_issuing.crt


Slapd restarts cleanly!

LBSD2# /usr/local/etc/rc.d/slapd restart
Stopping slapd.
Waiting for PIDS: 81924.
Starting slapd.


Then I attempt to set up a virtual instance of CentOS 5.5 on the client
side and that's where things fall apart... I attempt to ssh to
localhost as an LDAP account:

[r...@virtcent08:/etc/openldap/cacerts]#ssh bluethu...@localhost

[...tectonic plates drift, careers begin and end, babies learn to
walk, talk and grow to adulthood..]

Connection closed by 127.0.0.1

[r...@virtcent08:/etc/openldap/cacerts]#getent passwd | grep ldapAccount
[same interminable wait as above]


This is what my /etc/ldap.conf file looks like on the client:

[r...@virtcent08:/etc/openldap/cacerts]#cat /etc/ldap.conf
# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
#host 127.0.0.1
# The distinguished name of the search base.
base dc=summitnjhome,dc=com
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=manager,dc=example,dc=com
# The port.
# Optional: default is 389.
#port 389
# Search timelimit
#timelimit 30
timelimit 120
# Bind/connect timelimit
#bind_timelimit 30
bind_timelimit 120
# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600
idle_timelimit 3600
# Netscape SDK LDAPS
#ssl on
# Netscape SDK SSL options
#sslpath /etc/ssl/certs
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
# OpenLDAP 2.0 and earlier is no, for 2.1 and later is yes.
#tls_checkpeer yes
# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is yes
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
uri ldap://ldap.summitnjhome.com/
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
pam_password crypt

This is how my nsswitch on the client side is set up:

passwd: files ldap
shadow: files ldap
group:  files ldap

And here is the cert dir on my CentOS client:

[r...@virtcent08:/etc/openldap/cacerts]#ls -l
total 72
lrwxrwxrwx 1 root root   13 Nov 21 09:44 97552d04.0 -> gd_bundle.crt
lrwxrwxrwx 1 root root   14 Nov 21 09:44 b737b221.0 -> sf_issuing.crt
dr--r--r-- 2 root root 4096 Nov 21  2010 bak
-r--r--r-- 1 root root 1960 Nov 21 07:05 bsd2.summitnjhome.com.crt
lrwxrwxrwx 1 root root   25 Nov 21 09:44 c75be861.0 -> bsd2.summitnjhome.com.crt
-r--r--r-- 1 root root 4604 Nov 21  2010 

Re: LDAP clients fail to connect with SSL enabled

2010-11-21 Thread Dan White

On 21/11/10 17:24 -0500, bluethundr wrote:

> I am attempting to set up SSL/TLS support on my openLDAP 2.4 server on FreeBSD.
>
> LBSD2# pkg_info | grep openldap
> openldap-sasl-client-2.4.23 Open source LDAP client implementation
> with SASL2 support
> openldap-sasl-server-2.4.23 Open source LDAP server implementation
>
> LBSD2# cat slapd.conf | grep -i tls
> ## TLS options for slapd
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCertificateFile  /usr/local/etc/openldap/cacerts/bsd2.summitnjhome.com.crt
> TLSCertificateKeyFile /usr/local/etc/openldap/cacerts/slapd.pem
> TLSCACertificateFile  /usr/local/etc/openldap/cacerts/sf_issuing.crt
>
> Connection closed by 127.0.0.1
>
> [r...@virtcent08:/etc/openldap/cacerts]#getent passwd | grep ldapAccount
> [same interminable wait as above]
>
> This is what my /etc/ldap.conf file looks like on the client:
>
> [r...@virtcent08:/etc/openldap/cacerts]#cat /etc/ldap.conf
> base dc=summitnjhome,dc=com
> timelimit 120
> bind_timelimit 120
> idle_timelimit 3600
> uri ldap://ldap.summitnjhome.com/
> ssl start_tls
> tls_cacertdir /etc/openldap/cacerts
> pam_password crypt

commented out lines removed

Does an ldapsearch -d -1 -ZZ successfully connect?

If so, then that should rule out a problem with your slapd configuration
and ldap client library configuration (the options within your ldap.conf
used by the OpenLDAP client library). In that case, you might focus on your
ldap nss configuration.

--
Dan White


Re: LDAP clients fail to connect with SSL enabled

2010-11-21 Thread bluethundr

> Does an ldapsearch -d -1 -ZZ successfully connect?
>
> If so, then that should rule out a problem with your slapd configuration
> and ldap client library configuration (the options within your ldap.conf
> used by the OpenLDAP client library). In that case, you might focus on your
> ldap nss configuration.

Hi Dan,

 Thanks for your input! I just noticed this interesting tidbit in the
output of that command.

TLS: hostname (ldap.summitnjhome.com) does not match common name in
certificate (bsd2.summitnjhome.com).
ldap_perror
ldap_start_tls: Connect error (-11)
additional info: TLS: hostname does not match CN in peer certificate


Which is interesting because I caught that earlier, and generated a
new CSR and downloaded the cert once more. When I regenerated the CSR
I made sure to copy-paste the output into the common name field of the
generation process.

I'm enclosing the full output of that command as an attachment but I
think my next step is to call godaddy... heh :)

On Sun, Nov 21, 2010 at 6:16 PM, Dan White dwh...@olp.net wrote:

-- 
Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys 5A4873A9

Share and enjoy!!
[r...@virtcent08:~]#ldapsearch -h ldap.summitnjhome.com -d -1 -ZZ dc=summitnjhome,dc=com
ldap_create
ldap_url_parse_ext(ldap://ldap.summitnjhome.com)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.summitnjhome.com:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.1.44:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x9043260 ptr=0x9043260 end=0x904327f len=31
  :  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0w...1.3.6.1  
  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37  .4.1.1466.20037   
ber_scanf fmt ({) ber:
ber_dump: buf=0x9043260 ptr=0x9043265 end=0x904327f len=26
  :  77 18 80 16 31 2e 33 2e  36 2e 31 2e 34 2e 31 2e   w...1.3.6.1.4.1.  
  0010:  31 34 36 36 2e 32 30 30  33 37 1466.20037
ber_flush: 31 bytes to sd 3
  :  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0w...1.3.6.1  
  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37  .4.1.1466.20037   
ldap_write: want=31, written=31
  :  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0w...1.3.6.1  
  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37  .4.1.1466.20037   
ldap_result ld 0x903a530 msgid 1
wait4msg ld 0x903a530 msgid 1 (infinite timeout)
wait4msg continue ld 0x903a530 msgid 1 all 1
** ld 0x903a530 Connections:
* host: ldap.summitnjhome.com  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Sun Nov 21 18:39:49 2010

** ld 0x903a530 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** ld 0x903a530 Response Queue:
   Empty
ldap_chkResponseList ld 0x903a530 msgid 1 all 1
ldap_chkResponseList returns ld 0x903a530 NULL
ldap_int_select
read1msg: ld 0x903a530 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=8
  :  30 0c 02 01 01 78 07 0a0x..  
ldap_read: want=6, got=6
  :  01 00 04 00 04 00  ..
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x9044680 ptr=0x9044680 end=0x904468c len=12
  :  02 01 01 78 07 0a 01 00  04 00 04 00   ...x  
read1msg: ld 0x903a530 msgid 1 
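As an added example (not code from the thread), here is the hostname check the OpenLDAP client library applies to the server certificate after StartTLS, modelled in Python on constructed certificate data in the shape returned by ssl.getpeercert(): the thread's certificate carries only CN=bsd2.summitnjhome.com while clients dial ldap.summitnjhome.com, which is exactly the mismatch reported above. The example goes a little beyond the thread by also handling subjectAltName entries (which a modern CA would put the service name in) and a wildcard label.

```python
"""Hostname check an LDAP client performs on the server certificate.

Added example, not code from the thread. Certificate data below is
constructed in the shape of ssl.SSLSocket.getpeercert(); the matching
rules follow RFC 6125 (exact DNS labels, one whole left-most wildcard).
"""

def _dns_match(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against the host the client dialled."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Only a whole left-most label may be a wildcard; it never spans a dot
    # and it may not sit directly under a public suffix such as "*.com".
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]

def cert_matches_host(cert: dict, hostname: str) -> tuple:
    """Return (ok, reason). SAN entries take precedence; CN is the legacy fallback."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        if any(_dns_match(san, hostname) for san in sans):
            return True, "matched subjectAltName"
        return False, f"hostname ({hostname}) not in subjectAltName {sans}"
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if any(_dns_match(cn, hostname) for cn in cns):
        return True, "matched commonName (no SAN present)"
    return False, (f"hostname ({hostname}) does not match common name "
                   f"in certificate ({', '.join(cns)})")

# Constructed certificates mirroring the thread: the issued cert names the
# box (bsd2) while clients dial the service name (ldap).
CERT_CN_ONLY = {"subject": ((("commonName", "bsd2.summitnjhome.com"),),)}
CERT_WITH_SAN = {
    "subject": ((("commonName", "bsd2.summitnjhome.com"),),),
    "subjectAltName": (("DNS", "bsd2.summitnjhome.com"),
                       ("DNS", "ldap.summitnjhome.com")),
}

if __name__ == "__main__":
    for cert in (CERT_CN_ONLY, CERT_WITH_SAN):
        print(cert_matches_host(cert, "ldap.summitnjhome.com"))
```

The first certificate reproduces the thread's failure; the second shows that reissuing with the service name as a SAN (or as the CN) resolves it without touching the client's trust settings.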

Re: self signed certificate

2010-11-21 Thread Howard Chu

Dieter Klünter wrote:

> Fri, Nov 19, 2010 at 02:58:30PM -0200, Márcio Luciano Donada wrote:
>
>> Hi list,
>> When using TLS, I have information that I'm using a self-signed
>> certificate, as shown below:
>>
>> # ldapsearch -x -d5 -b 'ou=Usuarios,dc=xx,dc=com,dc=br' -H
>> ldaps://121.1.1.97/ '(objectclass=*)'
>> ldap_url_parse_ext(ldaps://121.1.1.97/)
>> ldap_create
>> ldap_url_parse_ext(ldaps://121.1.1.97:636/??base)
>> ldap_sasl_bind
>> ldap_send_initial_request
>> ldap_new_connection 1 1 0
>> ldap_int_open_connection
>> ldap_connect_to_host: TCP 121.1.1.97:636
>> ldap_new_socket: 3
>> ldap_prepare_socket: 3
>> ldap_connect_to_host: Trying 121.1.1.97:636
>> ldap_pvt_connect: fd: 3 tm: -1 async: 0
>> TLS trace: SSL_connect:before/connect initialization
>> TLS trace: SSL_connect:SSLv2/v3 write client hello A
>> TLS trace: SSL_connect:SSLv3 read server hello A
>> TLS certificate verification: depth: 0, err: 18, subject:
>> /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=ldap.xx.com.br, issuer:
>> -State/O=Internet Widgits Pty Ltd/CN=ldap.xx.com.br
>> TLS certificate verification: Error, self signed certificate
>> TLS trace: SSL3 alert write:fatal:unknown CA
>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>> TLS: can't connect: error:14090086:SSL
>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self
>> signed certificate).
>> ldap_err2string
>> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
> OpenLDAP is quite picky about correct certificate chains.

No, the software will accept whatever you tell it to use, if you configure it
appropriately.

> You really should create a full certificate chain, that is, a ca, a server
> certificate and a server key.

But yes, the Project always recommends that you do the right thing.

--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
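As an added illustration of Howard's point (not configuration from the thread), the client-side settings in /etc/openldap/ldap.conf that make a self-signed server certificate verify cleanly, next to the shortcut that only hides the error; the certificate file name is an assumption derived from the CN in the trace above.

```conf
# /etc/openldap/ldap.conf on the client (example, not from the thread).
# Correct fix: trust the self-signed server certificate itself as the CA
# and keep verification mandatory, so the client still authenticates the
# server (the CN or SAN must also match the name in the ldaps:// URI).
TLS_CACERT  /etc/openldap/cacerts/ldap.xx.com.br.crt   # assumed path/name
TLS_REQCERT demand

# Shortcut that also silences "certificate verify failed", but by no longer
# checking who the client is talking to: any certificate, or none, is accepted.
# TLS_REQCERT never
```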