I think I have made some progress by using start_tls rather than ldap over ssl (ldaps). I am trying to verify that traffic is actually encrypted, though. I am playing with tcpdumps now.

On the client, I removed "URI ldaps://ldapserver" and changed "ssl yes" to "ssl start_tls". I now see SSL/TLS messages in the debug output of slapd and I can log in via nss_ldap. But I am still not certain that traffic is actually encrypted. How can I find out?

BTW, now the debug output for slapd looks like:

ldap_pvt_gethostbyname_a: host=mcnode1.EraGen.com, r=0
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
do_extended
ber_scanf fmt ({a) ber:
ber_get_next
ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
send_ldap_extended 0: (0)
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 10
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
ber_get_next
ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
do_bind
ber_scanf fmt ({iat) ber:
ber_scanf fmt (o}) ber:
do_bind: version=3 dn="" method=128
send_ldap_result: conn=0 op=1 p=3
send_ldap_response: msgid=2 tag=97 err=0
ber_flush: 14 bytes to sd 10
do_bind: v3 anonymous bind
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 203 contents:
ber_get_next
ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
do_search
[search messages]

I worry about the "Resource temporarily unavailable" messages, but I have seen them in other people's posts as well. Any comments? Does this look correct? How can I tell that it is actually encrypting the sensitive passwd data?

Thanks in advance,
Chris

On Tue, Jul 31, 2001 at 04:48:09PM -0400, Chris Black wrote:
> I am trying to get OpenLDAP over SSL working so I can use it
> securely for logins. I am running on SuSE 7.1 w/ OpenLDAP 2.0.7.
> I have set up slapd.conf with the following SSL options:
> # SSL/TLS config
> TLSCertificateFile /etc/openldap/server.pem
> TLSCertificateKeyFile /etc/openldap/server.pem
> TLSCACertificateFile /etc/openldap/server.pem
> TLSVerifyClient false
>
> The server.pem file was generated by:
> openssl req -new -x509 -nodes -out server.pem -keyout server.pem -days 365
>
> I made sure that the common name was set to the FQDN of the ldap
> server.
>
> On a client machine, I have ldap.conf set up as:
> HOST ldapserver
> BASE dc=sub,dc=domain,dc=com
> URI ldaps://ldapserver
> ssl yes
>
> On the ldap server I start in debug mode with:
> /usr/lib/openldap/slapd -d 1 -h "ldaps:///"
> and get:
> @(#) $OpenLDAP: slapd 2.0.7-Release (Mon Jun 18 20:50:20 GMT 2001) $
> root@Hahn:/usr/src/packages/BUILD/openldap-2.0.7/servers/slapd
> daemon_init: listen on ldaps:///
> daemon_init: 1 listeners to open...
> ldap_url_parse(ldaps:///)
> daemon: socket() failed errno=97 (Address family not supported by protocol)
> daemon: initialized ldaps:///
> daemon_init: 1 listeners opened
> slapd init: initiated server.
> slap_sasl_init: initialized!
> slapd startup: initiated.
> slapd starting
>
> I am a bit concerned about the daemon socket() error but don't know
> why it is happening.
>
> After starting the ldap server in this way I try to run an
> ldapsearch against it from a client:
> ldapsearch -H ldaps://ldapserver -x -b "" -s base
>
> And get a segmentation fault on the client.
> The output from the slapd server debug is:
> ldap_pvt_gethostbyname_a: host=mcnode1.EraGen.com, r=0
> connection_get(9): got connid=0
> connection_read(9): checking for input on id=0
> TLS trace: SSL_accept:before/accept initialization
> TLS trace: SSL_accept:SSLv3 read client hello A
> TLS trace: SSL_accept:SSLv3 write server hello A
> TLS trace: SSL_accept:SSLv3 write certificate A
> TLS trace: SSL_accept:SSLv3 write server done A
> TLS trace: SSL_accept:SSLv3 flush data
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> connection_get(9): got connid=0
> connection_read(9): checking for input on id=0
> TLS trace: SSL_accept:SSLv3 read client key exchange A
> TLS trace: SSL_accept:SSLv3 read finished A
> TLS trace: SSL_accept:SSLv3 write change cipher spec A
> TLS trace: SSL_accept:SSLv3 write finished A
> TLS trace: SSL_accept:SSLv3 flush data
> connection_get(9): got connid=0
> connection_read(9): checking for input on id=0
> ber_get_next
> ber_get_next on fd 9 failed errno=0 (Success)
> connection_read(9): input error=-2 id=0, closing.
> connection_closing: readying conn=0 sd=9 for close
> connection_close: conn=0 sd=9
> TLS trace: SSL3 alert write:warning:close notify
>
> The two lines I think might be interesting are the "error in SSLv3
> read client certificate A" and the line:
> ber_get_next on fd 9 failed errno=0 (Success)
>
> ldap logins work if I don't use SSL so the problem must be with the
> SSL functionality.
>
> I have been looking through the mailing list archives and have seen
> people post with similar problems, but nobody seems to have
> posted a fix as far as I have seen.
>
> Has anyone actually gotten OpenLDAP over SSL/TLS working? If so,
> could you please let me know what your config files look like? What
> you did differently than me?
> Also, if someone could tell me what some of the error messages
> from the debug output mean, I might be able to try a few things
> and try to track it down. If I do find a fix and get this working,
> I will post my solution.
>
> Thanks.
>
> Chris
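The question the post ends on, whether the start_tls session really carries the bind credentials under TLS, can be answered from the client-to-server byte stream rather than from slapd's trace lines. The following is an added example, not code from the original post or from OpenLDAP: it walks a raw TCP payload and reports whether a StartTLS extended request (OID 1.3.6.1.4.1.1466.20037) was acknowledged with resultCode 0 and followed by TLS records, and whether any simple-bind password is readable in the clear. The BER layout it assumes is the LDAPv3 one (LDAPMessage SEQUENCE, ExtendedRequest tag 0x77, ExtendedResponse tag 0x78, BindRequest tag 0x60); the two sample streams, the DN, the password and the TLS record payloads are constructed for the example rather than taken from a capture. As a cross-check against the debug output above, the constructed StartTLS request encodes as a SEQUENCE with 29 bytes of content and the response as 14 bytes on the wire, the same "tag 0x30 len 29" and "ber_flush: 14 bytes" slapd printed.

```python
# Added example (not from the original post or OpenLDAP): classify an LDAP
# client->server byte stream to check that StartTLS was negotiated before any
# bind and that no simple-bind password travels in the clear.
# All sample bytes below are constructed for this example.

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"          # StartTLS extended operation
TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}


def ber_len(n):
    """Encode a BER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """Build one BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(content)) + content


def ldap_message(msg_id, protocol_op):
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE {...} }"""
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + protocol_op)


def parse_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the BER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def describe_ldap_message(body):
    """Summarise one LDAPMessage body as (kind, name, detail)."""
    _, s, e = parse_tlv(body, 0)                 # messageID
    op_tag, s, e = parse_tlv(body, e)            # protocolOp
    op = body[s:e]
    if op_tag == 0x77:                           # [APPLICATION 23] ExtendedRequest
        _, ns, ne = parse_tlv(op, 0)             # requestName [0] LDAPOID
        oid = op[ns:ne].decode("ascii")
        name = "starttls_request" if oid == STARTTLS_OID else "extended_request"
        return ("ldap", name, oid)
    if op_tag == 0x78:                           # [APPLICATION 24] ExtendedResponse (tag=120 in slapd's log)
        _, rs, re_ = parse_tlv(op, 0)            # resultCode ENUMERATED
        return ("ldap", "extended_response", op[rs:re_][0])
    if op_tag == 0x60:                           # [APPLICATION 0] BindRequest
        _, _, ve = parse_tlv(op, 0)              # version
        _, _, ne = parse_tlv(op, ve)             # name (DN)
        auth_tag, as_, ae = parse_tlv(op, ne)    # authentication CHOICE
        if auth_tag == 0x80:                     # simple: the password itself
            return ("ldap", "simple_bind_cleartext", op[as_:ae].decode("utf-8", "replace"))
        return ("ldap", "sasl_bind", None)
    return ("ldap", "op_0x%02x" % op_tag, None)


def classify_stream(data):
    """Label each unit of a client->server stream as an LDAP message or a TLS record."""
    events, pos = [], 0
    while pos < len(data):
        b = data[pos]
        if b in TLS_CONTENT_TYPES and pos + 5 <= len(data) and data[pos + 1] == 0x03:
            rec_len = int.from_bytes(data[pos + 3:pos + 5], "big")   # TLS record header
            events.append(("tls", TLS_CONTENT_TYPES[b], rec_len))
            pos += 5 + rec_len
        elif b == 0x30:                          # LDAPMessage SEQUENCE
            _, s, e = parse_tlv(data, pos)
            events.append(describe_ldap_message(data[s:e]))
            pos = e
        else:
            events.append(("unknown", "byte_0x%02x" % b, pos))
            break
    return events


def starttls_negotiated(data):
    """True if a StartTLS request got resultCode 0 and TLS records followed it."""
    requested = acknowledged = False
    for kind, name, detail in classify_stream(data):
        if kind == "ldap" and name == "starttls_request":
            requested = True
        elif kind == "ldap" and name == "extended_response" and requested and detail == 0:
            acknowledged = True
        elif kind == "tls" and acknowledged:
            return True
    return False


def cleartext_passwords(data):
    """Every simple-bind password readable on the wire (an empty list is the goal)."""
    return [d for k, n, d in classify_stream(data) if n == "simple_bind_cleartext"]


# Constructed sample 1: StartTLS request, OK response, then opaque TLS records.
# The bind travels inside the application_data record and cannot be read.
STARTTLS_SESSION = (
    ldap_message(1, tlv(0x77, tlv(0x80, STARTTLS_OID.encode("ascii"))))
    + ldap_message(1, tlv(0x78, tlv(0x0A, b"\x00") + tlv(0x04, b"") + tlv(0x04, b"")))
    + b"\x16\x03\x01\x00\x06" + b"\x01\x00\x00\x02\x03\x01"    # handshake record, payload constructed
    + b"\x17\x03\x01\x00\x04" + b"\xde\xad\xbe\xef"             # application_data, payload constructed
)

# Constructed sample 2: a client that binds without ever sending StartTLS.
PLAINTEXT_SESSION = ldap_message(
    1, tlv(0x60, tlv(0x02, b"\x03")
               + tlv(0x04, b"cn=chris,dc=example,dc=com")      # constructed DN
               + tlv(0x80, b"s3cret")))                         # constructed password

if __name__ == "__main__":
    for label, stream in (("start_tls", STARTTLS_SESSION), ("plaintext", PLAINTEXT_SESSION)):
        print(label, starttls_negotiated(stream), cleartext_passwords(stream), classify_stream(stream))
```

On a live system the same classifier can be fed the reassembled TCP payload of a port 389 capture. A session whose first message is the StartTLS request, whose response carries resultCode 0 and whose remaining bytes are all 0x16/0x17 TLS records yields no simple_bind_cleartext event, which is the condition the post is trying to confirm; a client that carried on in plaintext after a failed extended operation would instead produce a simple_bind_cleartext event with the password in it, so the check distinguishes the two outcomes without relying on slapd's trace output.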