Bug#419516: closed by Fabio Tranchitella [EMAIL PROTECTED] (Re: Bug#419516: Do not work with tls)

2007-08-05 Thread Fabio Tranchitella
Hi Ola,

* 2007-08-04 22:33, Ola Lundqvist wrote:
> Thanks for the explanation as well, but it still does not work.
> Either I need a way to disable certificate checking, or someone needs
> to explain to me exactly why the certificate check fails.

How does this relate to the original bug in phpldapadmin? As far as I can
see, this is a problem on your local slapd configuration.

Anyway, do you specify the certification authority's certificate (ca.pem,
the one from the demoCA if you used CA.pl) in /etc/ldap/ldap.conf?

Cheers,

-- 
Fabio Tranchitella http://www.kobold.it
Free Software Developer and Consultant http://www.tranchitella.it
_
1024D/7F961564, fpr 5465 6E69 E559 6466 BF3D 9F01 2BF8 EE2B 7F96 1564




Bug#419516: closed by Fabio Tranchitella [EMAIL PROTECTED] (Re: Bug#419516: Do not work with tls)

2007-08-05 Thread Ola Lundqvist
Hi Fabio

On Sun, Aug 05, 2007 at 10:45:07AM +0200, Fabio Tranchitella wrote:
> Hi Ola,
>
> * 2007-08-04 22:33, Ola Lundqvist wrote:
> > Thanks for the explanation as well, but it still does not work.
> > Either I need a way to disable certificate checking, or someone needs
> > to explain to me exactly why the certificate check fails.
>
> How does this relate to the original bug in phpldapadmin? As far as I can
> see, this is a problem on your local slapd configuration.

Well, I have been able to use ssl/tls in this setup in all other software
that uses ldap. That is horde3 (+ more of its web apps), pam, nss and exim.
I can also access it from outside with ldapbrowser (java app).

But if phpldapadmin requires a certificate check, then it is a local
configuration issue. Isn't it possible to disable that check?

If you can point me to documentation, a manual page or similar that
explains how to set it all up (and that works), then I'm perfectly satisfied.
It would be good if the package pointed to that documentation in that case. :)

> Anyway, do you specify the certification authority's certificate (ca.pem,
> the one from the demoCA if you used CA.pl) in /etc/ldap/ldap.conf?

I specify the following:
TLSCertificateFile      /etc/ssl/certs/ldap.opalsys.net-cert.pem
TLSCertificateKeyFile   /etc/ldap/ldap.opalsys.net-key-nopass.pem
TLSCACertificateFile    /etc/ssl/certs/cacert.pem
TLSVerifyClient         never
TLSCRLCheck             none

The certificate is signed by the cacert. The CA certificate is a
self signed CA cert.

Best regards,

// Ola
 
> Cheers,
>
> -- 
> Fabio Tranchitella http://www.kobold.it
> Free Software Developer and Consultant http://www.tranchitella.it
> _
> 1024D/7F961564, fpr 5465 6E69 E559 6466 BF3D 9F01 2BF8 EE2B 7F96 1564



-- 
 --- Ola Lundqvist systemkonsult --- M Sc in IT Engineering 
/  [EMAIL PROTECTED]   Annebergsslingan 37\
|  [EMAIL PROTECTED]   654 65 KARLSTAD|
|  http://opalsys.net/   Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#419516: closed by Fabio Tranchitella [EMAIL PROTECTED] (Re: Bug#419516: Do not work with tls)

2007-08-05 Thread Fabio Tranchitella
Hi again,

* 2007-08-05 11:37, Ola Lundqvist wrote:
> But if phpldapadmin requires a certificate check, then it is a local
> configuration issue. Isn't it possible to disable that check?

I would say that the PHP LDAP extension does the check, but you have it
working with horde (which is PHP based, IIRC) so I don't know how to
disable it.

> TLSCertificateFile      /etc/ssl/certs/ldap.opalsys.net-cert.pem
> TLSCertificateKeyFile   /etc/ldap/ldap.opalsys.net-key-nopass.pem
> TLSCACertificateFile    /etc/ssl/certs/cacert.pem
> TLSVerifyClient         never
> TLSCRLCheck             none

These are from slapd.conf; I was talking about ldap.conf (the client
configuration, from ldap-utils). You should have something like:

TLS_CHECKPEER no
TLS_CACERT /etc/ssl/certs/cacert.pem

In a previous e-mail, you got failures while checking the certificate using
utilities from ldap-utils; this is why I asked you about ldap.conf. Once
you have it working with a standard ldapsearch from the command line, we
are sure that your setup is ok.

Also, check that the common name specified in the certificate
(ldap.opalsys.net, I think) is the same hostname used in the phpldapadmin
configuration file: as far as I know, the hostname and the common name in
the certificate must match.

Cheers,

-- 
Fabio Tranchitella http://www.kobold.it
Free Software Developer and Consultant http://www.tranchitella.it
_
1024D/7F961564, fpr 5465 6E69 E559 6466 BF3D 9F01 2BF8 EE2B 7F96 1564




Bug#419516: closed by Fabio Tranchitella [EMAIL PROTECTED] (Re: Bug#419516: Do not work with tls)

2007-08-04 Thread Ola Lundqvist
reopen 419516
thanks

Hi

Thanks for the explanation as well, but it still does not work.
Either I need a way to disable certificate checking, or someone needs
to explain to me exactly why the certificate check fails.

[EMAIL PROTECTED]:/etc/ssl/CA# ldapsearch -W -x -LLL -D cn=admin,dc=opalsys,dc=net -H ldaps://ldap.opalsys.net -b dc=opalsys,dc=net -P3 -ZZ
ldap_start_tls: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
[EMAIL PROTECTED]:/etc/ssl/CA# ldapsearch -W -x -LLL -D cn=admin,dc=opalsys,dc=net -H ldap://ldap.opalsys.net -b dc=opalsys,dc=net -P3 -ZZ
ldap_start_tls: Connect error (-11)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

The ldap certificate looks like this when printed:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=SE, ST=-, L=Karlstad, O=Ola Lundqvist systemkonsult, CN=Certificate Authority/[EMAIL PROTECTED]
        Validity
            Not Before: Dec 29 18:45:05 2004 GMT
            Not After : Dec 28 18:45:05 2009 GMT
        Subject: C=SE, ST=-, L=Karlstad, O=opalsys.net, CN=ldap.opalsys.net/[EMAIL PROTECTED]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c5:9b:ae:06:23:03:00:3b:78:12:92:be:ae:36:
                    f8:4a:53:8c:16:b8:02:a0:b7:52:ee:87:b2:03:7b:
                    22:ca:fa:64:48:4a:a1:e1:55:89:fb:11:88:4b:0f:
                    ea:e3:a7:a7:06:ad:b3:12:15:99:05:69:d6:82:ac:
                    57:5f:44:17:07:4d:9b:3e:1f:0d:5c:94:fe:a3:58:
                    09:17:71:52:b7:95:ad:6a:36:3d:f2:d8:33:6d:60:
                    8b:4c:c7:c7:05:9b:a5:4d:06:64:c3:b5:10:38:7d:
                    ff:73:80:e5:59:d4:3f:7a:f1:82:0a:5e:4c:ac:6b:
                    f1:91:39:30:80:09:d7:a5:37
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                8E:7A:1F:F1:DC:C8:3D:AE:D3:0D:93:A0:17:F7:7C:FC:9F:2B:71:CD
            X509v3 Authority Key Identifier:
                keyid:82:91:2D:B2:F1:1E:7F:A4:FA:0F:33:AE:9A:6D:32:97:FC:26:34:F4
                DirName:/C=SE/ST=-/L=Karlstad/O=Ola Lundqvist systemkonsult/CN=Certificate Authority/[EMAIL PROTECTED]
                serial:96:CF:56:AF:18:23:8F:19

    Signature Algorithm: md5WithRSAEncryption
        64:5c:1a:45:43:c2:82:a9:80:b9:55:0c:f4:5f:5b:49:27:cc:
        fc:a8:25:7c:49:4a:bd:b3:47:22:fa:1c:7f:8c:e7:79:3a:e2:
        a4:f6:1f:cc:12:d5:e3:6e:db:e0:0e:6b:e5:aa:69:52:c6:bd:
        2a:07:c2:d0:e5:d3:cb:18:c3:3d:36:9b:64:fd:ca:70:9d:34:
        0c:df:7a:a6:50:11:5e:99:fc:f5:84:b1:6d:ef:6d:64:53:48:
        50:df:d5:40:ea:c8:e7:9b:ab:0c:e6:2d:0c:00:d4:88:d0:e1:
        20:5f:d5:c1:20:16:16:13:5d:d4:8b:3d:22:cd:aa:3b:b9:6b:
        94:95

Best regards,

// Ola

On Sat, Aug 04, 2007 at 06:45:07PM +, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> #419516: Do not work with tls,
> which was filed against the phpldapadmin package.
>
> It has been closed by Fabio Tranchitella [EMAIL PROTECTED].
>
> Their explanation is attached below.  If this explanation is
> unsatisfactory and you have not received a better one in a separate
> message then please contact Fabio Tranchitella [EMAIL PROTECTED] by replying
> to this email.
>
> Debian bug tracking system administrator
> (administrator, Debian Bugs database)
>
>
> From: Fabio Tranchitella [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: Bug#419516: Do not work with tls
> X-Organization: Fabio Tranchitella: Torino (Italy), Pécs (Hungary)
> X-URL: http://www.tranchitella.it
> X-Operating-System: Debian GNU/Linux 4.0
> X-GPG-Keyserver: http://keyring.debian.org
> X-GPG-Keynumber: 0x7F961564
> X-GPG-Fingerprint: 5465 6E69 E559 6466 BF3D  9F01 2BF8 EE2B 7F96 1564
> X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
>   (1.212-2003-09-23-exp) on rietz.debian.org
> X-Spam-Level:
> X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
>   autolearn=no version=2.60-bugs.debian.org_2005_01_02
>
> * 2007-06-27 01:03, Adrian Bridgett wrote:
> > Just looking for another bug and thought I'd comment.
> > I have TLS working fine with 0.9.8.3-8.
>
> Thanks for your e-mail and explanation, I'm closing the bug report as the
> bug does not exist.
>
> Have a nice day,
>
> -- 
> Fabio Tranchitella http://www.kobold.it
> Free Software Developer and Consultant http://www.tranchitella.it
> _
> 1024D/7F961564, fpr 5465 6E69 E559 6466 BF3D 9F01 2BF8 EE2B

Bug#419516: Do not work with tls

2007-06-26 Thread Adrian Bridgett
Just looking for another bug and thought I'd comment.
I have TLS working fine with 0.9.8.3-8.

First, let's clear up some confusion:
LDAPS is SSL over port 636.
TLS starts unencrypted on port 389 and then negotiates TLS (still on
port 389).

First of all, check ldap from the command line:

ldapsearch -W -x -LLL -D cn=admin,dc=example,dc=com -H ldap://ldap.example.com -b dc=example,dc=com -P3 -ZZ

Ensure the host string matches the certificate - using a host of
localhost will fail if the certificate says ldap.example.com.

$ldapservers->SetValue($i,'server','host','ldap.example.com');
// as I said above, 389 is for TLS, 636 for LDAPS
/* The port your LDAP server listens on (no quotes). 389 is standard. */
// $ldapservers->SetValue($i,'server','port','389');
$ldapservers->SetValue($i,'server','tls',true);

On an older version I used to have to comment out line 1604 in
/usr/share/phpldapadmin/functions.php which sets LDAP protocol v3 as
it broke sign-in (and we disable v2 anyhow).   I do not need to do
this in etch.

Hope this helps,

Adrian
-- 
Email: [EMAIL PROTECTED]  -*-  GPG key available on public key servers
Debian GNU/Linux - the maintainable distribution   -*-  www.debian.org
Avoid working with children, animals and Microsoft operating systems
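The two checks this thread keeps running into, chain validation against the CA file that Fabio asks about in ldap.conf and the hostname-versus-certificate match that Adrian describes above, reproduced end to end as an added shell example. This is not code from the bug thread, from OpenLDAP or from phpldapadmin; it assumes the openssl command-line tool is installed, and the CA name, ldap.example.com, the dc=example,dc=com base and all file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the bug thread): reproduce the two checks an
# OpenLDAP client performs on the server certificate, using a throwaway CA.
# Assumes the openssl command-line tool (1.1.1 or later) is installed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Build a self-signed CA and a server certificate for ldap.example.com
# signed by it. Every name here is constructed for the demonstration.
make_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example CA" -keyout ca.key -out cacert.pem 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=ldap.example.com" -keyout ldap-key.pem -out ldap.csr 2>/dev/null
    printf 'subjectAltName=DNS:ldap.example.com\n' > san.cnf
    openssl x509 -req -days 1 -in ldap.csr -CA cacert.pem -CAkey ca.key \
        -CAcreateserial -extfile san.cnf -out ldap-cert.pem 2>/dev/null
}

# Check 1: chain validation. Without the CA file the result is the same
# "certificate verify failed" that ldapsearch reported in the thread.
# Prints "ok" or "fail". $1 is the CA file, or "" for none.
verify_chain() {
    if [ -n "$1" ]; then
        openssl verify -CAfile "$1" ldap-cert.pem >/dev/null 2>&1 && echo ok || echo fail
    else
        openssl verify ldap-cert.pem >/dev/null 2>&1 && echo ok || echo fail
    fi
}

# Check 2: hostname match. The name the client connects to must match the
# certificate (SAN, or CN for old certificates without a SAN), so a host
# of "localhost" fails even though the chain is trusted.
verify_host() {
    openssl verify -CAfile cacert.pem -verify_hostname "$1" ldap-cert.pem \
        >/dev/null 2>&1 && echo ok || echo fail
}

# The client-side ldap.conf that makes ldapsearch trust this CA instead of
# disabling the check. TLS_REQCERT is the OpenLDAP ldap.conf directive;
# tls_checkpeer is the libnss-ldap/pam_ldap equivalent, not an ldap.conf one.
# Prints the number of TLS_ directives written.
write_ldap_conf() {
    cat > ldap.conf <<EOF
URI         ldap://ldap.example.com
BASE        dc=example,dc=com
TLS_CACERT  $WORK/cacert.pem
TLS_REQCERT demand
EOF
    grep -c '^TLS_' ldap.conf
}

make_certs
echo "chain, no CA file:     $(verify_chain "")"
echo "chain, with CA file:   $(verify_chain cacert.pem)"
echo "host ldap.example.com: $(verify_host ldap.example.com)"
echo "host localhost:        $(verify_host localhost)"
write_ldap_conf >/dev/null
```

Run as-is it prints fail, ok, ok, fail: the first line is Ola's situation (the client has no CA file and rejects the chain), the last is Adrian's (the chain is fine but the name does not match). The remedy in both cases is on the client side, TLS_CACERT pointing at the CA and a host string equal to the certificate's name, rather than switching verification off.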





Bug#419516: Do not work with tls

2007-04-16 Thread Ola Lundqvist
Package: phpldapadmin
Severity: important
Version: 0.9.8.3-8
Tags: security

Hi

I have recently upgraded from sarge to etch. I have a problem
getting the tls option to work.

These are the relevant parts of the configuration:

$ldapservers->SetValue($i,'server','host','ldaps://ldap.opalsys.net:636/');
$ldapservers->SetValue($i,'server','port','636');
$ldapservers->SetValue($i,'server','tls',true);

It works very well if I set host to ldap://ldap.opalsys.net and tls to false.

The error I get is:
Error
Could not start TLS. Please check your LDAP server configuration.

LDAP said: Can't contact LDAP server

I enabled the logging and it tells:
[0.000] login.php(17): ldapserver::connect(): Entered with (1,user,)
[0.000] login.php(17): ldapserver::_connect(): Entered with (user)
[0.000] login.php(16): ldapserver::connect(): Creating new connection [user] for Server ID [0]
[0.000] login.php(80): ldapserver::connect(): This IS a config login
[0.000] login.php(80): ldapserver::connect(): Config settings, DN [cn=browse,dc=opalsys,dc=net], PASS [2b465f26d3125d7f69dc9be516b2b6e1]
[0.000] login.php(80): ldapserver::connect(): Config settings, DN [cn=browse,dc=opalsys,dc=net], PASS [2b465f26d3125d7f69dc9be516b2b6e1]
[0.000] login.php(17): ldapserver::_connect(): Entered with (user)
[0.001] login.php(16): ldapserver::connect(): LDAP Resource [Resource id #18], Host [ldaps://ldap.opalsys.net/], Port [636]
[0.000] login.php(17): ldapserver::isTLSEnabled(): Entered with ()
[0.050] login.php(1): pla_error(): Entered with (Could not start TLS. Please check your LDAP server configuration.,Can't contact LDAP server,-1,1)


I have also tried numerous variants of port, uri settings etc. Nothing helps
other than disabling tls.

I have libnss-ldap setup with tls enabled and I can access it from many other
places, but not from phpldapadmin.

You can try for yourself as it is publicly available.

I marked it with security as missing encryption support can be seen as a
security issue.

Regards,

// Ola


ii  php4          4.4.4-8+etch1  server-side, HTML-embedded scripting language (meta-package)
ii  apache2       2.2.3-4        Next generation, scalable, extendable web server
ii  phpldapadmin  0.9.8.3-8      web based interface for administering LDAP servers


-- 
 --- Ola Lundqvist systemkonsult --- M Sc in IT Engineering 
/  [EMAIL PROTECTED]   Annebergsslingan 37\
|  [EMAIL PROTECTED]   654 65 KARLSTAD|
|  http://opalsys.net/   Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---

