Bug#419516: closed by Fabio Tranchitella [EMAIL PROTECTED] (Re: Bug#419516: Do not work with tls)
Hi Ola,

* 2007-08-04 22:33, Ola Lundqvist wrote:
> Thanks for the explanation as well, but it still does not work. Either I
> need a way to disable certificate checking, or someone needs to explain
> to me exactly why the certificate check fails.

How does this relate to the original bug in phpldapadmin? As far as I can
see, this is a problem on your local slapd configuration.

Anyway, do you specify the certification authority's certificate (ca.pem,
the one from the demoCA if you used CA.pl) in /etc/ldap/ldap.conf?

Cheers,

-- 
Fabio Tranchitella                          http://www.kobold.it
Free Software Developer and Consultant      http://www.tranchitella.it
1024D/7F961564, fpr 5465 6E69 E559 6466 BF3D 9F01 2BF8 EE2B 7F96 1564
Bug#419516: closed by Fabio Tranchitella [EMAIL PROTECTED] (Re: Bug#419516: Do not work with tls)
Hi Fabio

On Sun, Aug 05, 2007 at 10:45:07AM +0200, Fabio Tranchitella wrote:
> Hi Ola,
> 
> * 2007-08-04 22:33, Ola Lundqvist wrote:
> > Thanks for the explanation as well, but it still does not work. Either I
> > need a way to disable certificate checking, or someone needs to explain
> > to me exactly why the certificate check fails.
> 
> How does this relate to the original bug in phpldapadmin? As far as I can
> see, this is a problem on your local slapd configuration.

Well, I have been able to use ssl/tls in this setup in all other software
that uses ldap. That is horde3 (+ more of its web apps), pam, nss and exim.
I can also access it from outside with ldapbrowser (java app).

But if phpldapadmin requires a certificate check, then it is a local
configuration issue. Isn't it possible to disable that check?

If you can point me to documentation, a manual page or similar that
explains how to set it all up (that works), then I'm perfectly satisfied.
It would be good if the package pointed to that documentation in that
case. :)

> Anyway, do you specify the certification authority's certificate (ca.pem,
> the one from the demoCA if you used CA.pl) in /etc/ldap/ldap.conf?

I specify the following:

TLSCertificateFile /etc/ssl/certs/ldap.opalsys.net-cert.pem
TLSCertificateKeyFile /etc/ldap/ldap.opalsys.net-key-nopass.pem
TLSCACertificateFile /etc/ssl/certs/cacert.pem
TLSVerifyClient never
TLSCRLCheck none

The certificate is signed by the cacert. The CA certificate is a self
signed CA cert.

Best regards,

// Ola

> Cheers,
> -- 
> Fabio Tranchitella

-- 
 --- Ola Lundqvist systemkonsult --- M Sc in IT Engineering ---
/  [EMAIL PROTECTED]                   Annebergsslingan 37        \
|  [EMAIL PROTECTED]                   654 65 KARLSTAD            |
|  http://opalsys.net/                 Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#419516: closed by Fabio Tranchitella [EMAIL PROTECTED] (Re: Bug#419516: Do not work with tls)
Hi again,

* 2007-08-05 11:37, Ola Lundqvist wrote:
> But if phpldapadmin requires a certificate check, then it is a local
> configuration issue. Isn't it possible to disable that check?

I would say that the PHP LDAP extension does the check, but you have it
working with horde (which is PHP based, IIRC) so I don't know how to
disable it.

> TLSCertificateFile /etc/ssl/certs/ldap.opalsys.net-cert.pem
> TLSCertificateKeyFile /etc/ldap/ldap.opalsys.net-key-nopass.pem
> TLSCACertificateFile /etc/ssl/certs/cacert.pem
> TLSVerifyClient never
> TLSCRLCheck none

These are from slapd.conf, I was talking about ldap.conf (the client
configuration, from ldap-utils). You should have something like:

TLS_CHECKPEER no
TLS_CACERT /etc/ssl/certs/cacert.pem

In a previous e-mail, you got failures while checking the certificate
using utilities from ldap-utils, this is why I asked you about ldap.conf:
once you can have it working with a standard ldapsearch from command
line, we are sure that your setup is ok.

Also, check that the common name specified in the certificate
(ldap.opalsys.net, I think) is the same hostname used in the phpldapadmin
configuration file: as far as I know, the hostname and the common name in
the certificate must match.

Cheers,

-- 
Fabio Tranchitella
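The client-side file Fabio is pointing at, written out as an added example (not text from the thread or from any of the packages involved). Two things the message leaves implicit: in OpenLDAP's own ldap.conf the verification knob is TLS_REQCERT (TLS_CHECKPEER is the spelling used by the separate nss_ldap/pam_ldap configuration), and libldap reads this file for every program linked against it, so on Debian it is the same file that governs ldapsearch, nss, and PHP's ldap extension inside Apache. The path to the CA file is the one Ola already uses in slapd.conf; the rest is an assumption about a typical installation.

```conf
# /etc/ldap/ldap.conf  (client side; read by ldap-utils and by anything that
# links against libldap, which on Debian includes PHP's ldap extension)

# Trust anchor: the self-signed CA that issued the ldap.opalsys.net certificate.
# This must be the CA certificate, not the server certificate itself.
TLS_CACERT      /etc/ssl/certs/cacert.pem

# Verify the server certificate against TLS_CACERT and abort the session if
# the chain or the name does not check out. This is the setting to keep.
TLS_REQCERT     demand

# What "disable the check" amounts to: the handshake still encrypts, but any
# host that answers on 389/636 can impersonate the directory, and the bind
# password goes to whoever that is. Left here only to show the weak form.
#TLS_REQCERT    never
```

With TLS_REQCERT demand in place, the quick test is the command Adrian gives further down, `ldapsearch ... -H ldap://ldap.opalsys.net -ZZ`; adding `-d 1` makes libldap print the TLS trace, which shows whether the failure is the chain (CA not trusted) or the name (CN does not match the host in -H). One caveat for anyone reading this today: the certificate Ola pasted is signed with md5WithRSAEncryption and carries a 1024-bit key, and current OpenSSL builds reject such certificates at their default security level regardless of TLS_REQCERT, so on a modern client the trust anchor alone would not be enough.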
Bug#419516: closed by Fabio Tranchitella [EMAIL PROTECTED] (Re: Bug#419516: Do not work with tls)
reopen 419516
thanks

Hi

Thanks for the explanation as well, but it still does not work. Either I
need a way to disable certificate checking, or someone needs to explain
to me exactly why the certificate check fails.

[EMAIL PROTECTED]:/etc/ssl/CA# ldapsearch -W -x -LLL -D cn=admin,dc=opalsys,dc=net -H ldaps://ldap.opalsys.net -b dc=opalsys,dc=net -P3 -ZZ
ldap_start_tls: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
[EMAIL PROTECTED]:/etc/ssl/CA# ldapsearch -W -x -LLL -D cn=admin,dc=opalsys,dc=net -H ldap://ldap.opalsys.net -b dc=opalsys,dc=net -P3 -ZZ
ldap_start_tls: Connect error (-11)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

The ldap certificate looks like this when printed:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=SE, ST=-, L=Karlstad, O=Ola Lundqvist systemkonsult, CN=Certificate Authority/[EMAIL PROTECTED]
        Validity
            Not Before: Dec 29 18:45:05 2004 GMT
            Not After : Dec 28 18:45:05 2009 GMT
        Subject: C=SE, ST=-, L=Karlstad, O=opalsys.net, CN=ldap.opalsys.net/[EMAIL PROTECTED]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c5:9b:ae:06:23:03:00:3b:78:12:92:be:ae:36:
                    f8:4a:53:8c:16:b8:02:a0:b7:52:ee:87:b2:03:7b:
                    22:ca:fa:64:48:4a:a1:e1:55:89:fb:11:88:4b:0f:
                    ea:e3:a7:a7:06:ad:b3:12:15:99:05:69:d6:82:ac:
                    57:5f:44:17:07:4d:9b:3e:1f:0d:5c:94:fe:a3:58:
                    09:17:71:52:b7:95:ad:6a:36:3d:f2:d8:33:6d:60:
                    8b:4c:c7:c7:05:9b:a5:4d:06:64:c3:b5:10:38:7d:
                    ff:73:80:e5:59:d4:3f:7a:f1:82:0a:5e:4c:ac:6b:
                    f1:91:39:30:80:09:d7:a5:37
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                8E:7A:1F:F1:DC:C8:3D:AE:D3:0D:93:A0:17:F7:7C:FC:9F:2B:71:CD
            X509v3 Authority Key Identifier:
                keyid:82:91:2D:B2:F1:1E:7F:A4:FA:0F:33:AE:9A:6D:32:97:FC:26:34:F4
                DirName:/C=SE/ST=-/L=Karlstad/O=Ola Lundqvist systemkonsult/CN=Certificate Authority/[EMAIL PROTECTED]
                serial:96:CF:56:AF:18:23:8F:19
    Signature Algorithm: md5WithRSAEncryption
        64:5c:1a:45:43:c2:82:a9:80:b9:55:0c:f4:5f:5b:49:27:cc:
        fc:a8:25:7c:49:4a:bd:b3:47:22:fa:1c:7f:8c:e7:79:3a:e2:
        a4:f6:1f:cc:12:d5:e3:6e:db:e0:0e:6b:e5:aa:69:52:c6:bd:
        2a:07:c2:d0:e5:d3:cb:18:c3:3d:36:9b:64:fd:ca:70:9d:34:
        0c:df:7a:a6:50:11:5e:99:fc:f5:84:b1:6d:ef:6d:64:53:48:
        50:df:d5:40:ea:c8:e7:9b:ab:0c:e6:2d:0c:00:d4:88:d0:e1:
        20:5f:d5:c1:20:16:16:13:5d:d4:8b:3d:22:cd:aa:3b:b9:6b:
        94:95

Best regards,

// Ola

On Sat, Aug 04, 2007 at 06:45:07PM +, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> #419516: Do not work with tls,
> which was filed against the phpldapadmin package.
> 
> It has been closed by Fabio Tranchitella [EMAIL PROTECTED].
> 
> Their explanation is attached below. If this explanation is
> unsatisfactory and you have not received a better one in a separate
> message then please contact Fabio Tranchitella [EMAIL PROTECTED] by
> replying to this email.
> 
> Debian bug tracking system administrator
> (administrator, Debian Bugs database)
> 
> From: Fabio Tranchitella [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: Bug#419516: Do not work with tls
> 
> * 2007-06-27 01:03, Adrian Bridgett wrote:
> > Just looking for another bug and thought I'd comment.
> > I have TLS working fine with 0.9.8.3-8.
> 
> Thanks for your e-mail and explanation, I'm closing the bug report as
> the bug does not exist.
> 
> Have a nice day,
> 
> -- 
> Fabio Tranchitella
Bug#419516: Do not work with tls
Just looking for another bug and thought I'd comment.

I have TLS working fine with 0.9.8.3-8.

First, let's clear up some confusion: LDAPS is SSL over port 636. TLS
starts unencrypted on port 389 and then negotiates TLS (still on port 389).

First of all, check ldap from the command line:

ldapsearch -W -x -LLL -D cn=admin,dc=example,dc=com -H ldap://ldap.example.com -b dc=example,dc=com -P3 -ZZ

Ensure the host string matches the certificate - using a host of
localhost will fail if the certificate says ldap.example.com.

$ldapservers->SetValue($i,'server','host','ldap.example.com');

// as I said above, 389 is for TLS, 636 for LDAPS
/* The port your LDAP server listens on (no quotes). 389 is standard. */
// $ldapservers->SetValue($i,'server','port','389');

$ldapservers->SetValue($i,'server','tls',true);

On an older version I used to have to comment out line 1604 in
/usr/share/phpldapadmin/functions.php which sets LDAP protocol v3 as it
broke sign-in (and we disable v2 anyhow). I do not need to do this in etch.

Hope this helps,

Adrian

-- 
Email: [EMAIL PROTECTED]  -*-  GPG key available on public key servers
Debian GNU/Linux - the maintainable distribution  -*-  www.debian.org
Avoid working with children, animals and Microsoft operating systems
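Adrian's message above and Fabio's hostname note earlier in the thread together describe the two checks that decide whether a phpldapadmin server block can work: the transport must be one of plain 389, STARTTLS on 389, or LDAPS on 636 (never STARTTLS on top of LDAPS, which is what `'host' => 'ldaps://...:636/'` plus `'tls' => true` in the original report asks for, and also what `ldapsearch -H ldaps://... -ZZ` asks for), and the host name must match the certificate's CN. The following is an added example, my own code and not phpldapadmin's or OpenLDAP's: it lints the three settings, emits the equivalent ldapsearch command line, and does the CN match. The certificate subject it is fed is a constructed sample shaped like the one Ola pasted; the claim in the comments that slapd answers a StartTLS request on an already-TLS connection with an operations error is slapd's documented behaviour, not something the thread shows. Note that in Ola's case the first failure is the certificate verify itself (his ldapsearch output fails the same way with either URI), so this lint catches the problem he would have hit next, after the CA was trusted.

```python
"""Lint phpldapadmin's ('host', 'port', 'tls') settings for the LDAPS-versus-
STARTTLS mix-up and check the certificate CN against the configured host.
Standard library only; host names and the certificate subject are constructed
sample input modelled on the bug report."""
import re
from urllib.parse import urlsplit

DEFAULT_PORT = {"ldap": 389, "ldaps": 636}


def parse_host(host):
    """phpldapadmin's 'host' may be a bare name or a full LDAP URI.
    Return (scheme or None, hostname, port-from-URI or None)."""
    if "://" in host:
        u = urlsplit(host)
        return u.scheme.lower(), u.hostname, u.port
    return None, host, None


def classify(host, port, tls):
    """Map the settings to ('plain'|'starttls'|'ldaps', hostname, port).
    Raise ValueError for combinations that cannot work:
      - ldaps:// with tls => true: the socket is already TLS and slapd answers
        the StartTLS extended operation on it with an operations error
        ("TLS already started"); same mistake as 'ldapsearch -H ldaps:// -ZZ'
      - tls => true on port 636: StartTLS is sent in clear to a port whose
        first bytes must be a TLS ClientHello."""
    scheme, hostname, uri_port = parse_host(host)
    if scheme not in (None, "ldap", "ldaps"):
        raise ValueError("unsupported scheme %r" % scheme)
    explicit_port = int(port) if port not in (None, "") else None
    effective_port = uri_port or explicit_port or DEFAULT_PORT[scheme or "ldap"]
    if scheme == "ldaps":
        if tls:
            raise ValueError("tls => true with an ldaps:// host is StartTLS on "
                             "top of LDAPS; set tls => false for ldaps://")
        return "ldaps", hostname, effective_port
    if tls and effective_port == 636:
        raise ValueError("tls => true on port 636: use ldaps:// with "
                         "tls => false, or port 389 for StartTLS")
    return ("starttls" if tls else "plain"), hostname, effective_port


def lint(host, port, tls):
    """None when the block is consistent, otherwise the reason it is not."""
    try:
        classify(host, port, tls)
    except ValueError as e:
        return str(e)
    return None


def ldapsearch_args(host, port, tls, binddn, base):
    """ldap-utils command line equivalent to the PHP settings, to reproduce
    the connection outside the web server as Adrian suggests."""
    mode, hostname, p = classify(host, port, tls)
    uri = "%s://%s:%d" % ("ldaps" if mode == "ldaps" else "ldap", hostname, p)
    args = ["ldapsearch", "-x", "-W", "-LLL", "-D", binddn, "-H", uri, "-b", base]
    if mode == "starttls":
        args.append("-ZZ")  # require StartTLS; fail instead of falling back
    return args


def cert_cn(subject):
    """CN from an OpenSSL one-line subject such as
    'C=SE, ST=-, L=Karlstad, O=opalsys.net, CN=ldap.opalsys.net/emailAddress=...'."""
    m = re.search(r"(?:^|[,/])\s*CN=([^,/]+)", subject)
    return m.group(1).strip() if m else None


def hostname_matches(hostname, cert_name):
    """Case-insensitive label match, allowing one leftmost wildcard label.
    'localhost' against a certificate for ldap.example.com fails here, the
    same mismatch libldap rejects."""
    h = hostname.lower().rstrip(".").split(".")
    c = cert_name.lower().rstrip(".").split(".")
    if c[0] == "*":
        return len(c) >= 3 and len(h) == len(c) and h[1:] == c[1:]
    return h == c


def check_server(host, port, tls, cert_subject):
    """Transport problems first, then the name match; None means all good."""
    problem = lint(host, port, tls)
    if problem:
        return problem
    _, hostname, _ = classify(host, port, tls)
    cn = cert_cn(cert_subject)
    if cn is None or not hostname_matches(hostname, cn):
        return "hostname %r does not match certificate CN %r" % (hostname, cn)
    return None


if __name__ == "__main__":
    # Constructed subject in the shape of the certificate from the report.
    subject = "C=SE, ST=-, L=Karlstad, O=opalsys.net, CN=ldap.opalsys.net/emailAddress=redacted"
    for cfg in [("ldaps://ldap.opalsys.net:636/", "636", True),   # the bug report
                ("ldaps://ldap.opalsys.net:636/", "636", False),
                ("ldap.opalsys.net", None, True),
                ("localhost", None, True)]:
        print(cfg, "->", check_server(*cfg, subject) or "ok")
```

Run stand-alone it prints the verdict for the four configurations; the first is the one from the original report and is rejected before any certificate is looked at, the second and third are the two working shapes (LDAPS with tls off, STARTTLS on 389), and the fourth fails only on the CN match.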
Bug#419516: Do not work with tls
Package: phpldapadmin
Severity: important
Version: 0.9.8.3-8
Tags: security

Hi

I have recently upgraded from sarge to etch. I have a problem getting the
tls option to work. These are the relevant parts of the configuration:

$ldapservers->SetValue($i,'server','host','ldaps://ldap.opalsys.net:636/');
$ldapservers->SetValue($i,'server','port','636');
$ldapservers->SetValue($i,'server','tls',true);

It works very well if I set host to ldap://ldap.opalsys.net and tls to
false.

The error I get is:

Error
Could not start TLS. Please check your LDAP server configuration.
LDAP said: Can't contact LDAP server

I enabled the logging and it tells

[0.000] login.php(17): ldapserver::connect(): Entered with (1,user,)
[0.000] login.php(17): ldapserver::_connect(): Entered with (user)
[0.000] login.php(16): ldapserver::connect(): Creating new connection [user] for Server ID [0]
[0.000] login.php(80): ldapserver::connect(): This IS a config login
[0.000] login.php(80): ldapserver::connect(): Config settings, DN [cn=browse,dc=opalsys,dc=net], PASS [2b465f26d3125d7f69dc9be516b2b6e1]
[0.000] login.php(80): ldapserver::connect(): Config settings, DN [cn=browse,dc=opalsys,dc=net], PASS [2b465f26d3125d7f69dc9be516b2b6e1]
[0.000] login.php(17): ldapserver::_connect(): Entered with (user)
[0.001] login.php(16): ldapserver::connect(): LDAP Resource [Resource id #18], Host [ldaps://ldap.opalsys.net/], Port [636]
[0.000] login.php(17): ldapserver::isTLSEnabled(): Entered with ()
[0.050] login.php(1): pla_error(): Entered with (Could not start TLS. Please check your LDAP server configuration.,Can't contact LDAP server,-1,1)

I have also tried numerous variants of port, uri settings etc. Nothing
helps more than to disable tls.

I have libnss-ldap setup with tls enabled and I can access it from many
other places, but not from phpldapadmin. You can try for yourself as it
is publicly available.

I marked it with security as missing encryption support can be seen as a
security issue.

Regards,

// Ola

ii  php4          4.4.4-8+etch1  server-side, HTML-embedded scripting language (meta-package)
ii  apache2       2.2.3-4        Next generation, scalable, extendable web server
ii  phpldapadmin  0.9.8.3-8      web based interface for administering LDAP servers