I think I have made some progress by using start_tls rather than
ldap over ssl (ldaps). I am trying to verify that traffic is
actually encrypted though. I am playing with tcpdumps now.
On the client, I removed URI ldaps://ldapserver and changed "ssl yes"
to "ssl start_tls". I now see SSL/TLS messages in the debug output
of slapd and I can login vis nss_ldap. But I am still not certain
that traffic is actually encrypted. How can I find out?
BTW, now the debug output for slapd looks like:
ldap_pvt_gethostbyname_a: host=mcnode1.EraGen.com, r=0
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
do_extended
ber_scanf fmt ({a) ber:
ber_get_next
ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
send_ldap_extended 0: (0)
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 10
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
ber_get_next
ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
do_bind
ber_scanf fmt ({iat) ber:
ber_scanf fmt (o}) ber:
do_bind: version=3 dn="" method=128
send_ldap_result: conn=0 op=1 p=3
send_ldap_response: msgid=2 tag=97 err=0
ber_flush: 14 bytes to sd 10
do_bind: v3 anonymous bind
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 203 contents:
ber_get_next
ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
do_search
[search messages]
I worry about the "Resource temporarily unavailable" messages, but
I have seen them in other peoples' posts as well.
Any comments? Does this look correct? How can I tell that it is
actually encrypting the sensitive passwd data?
Thanks in advance,
Chris
On Tue, Jul 31, 2001 at 04:48:09PM -0400, Chris Black wrote:
> I am trying to get OpenLDAP over SSL working so I can use it
> securely for logins. I am running on SuSE 7.1 w/ OpenLDAP 2.0.7.
> I have setup slapd.conf with the following SSL options:
> # SSL/TLS config
> TLSCertificateFile /etc/openldap/server.pem
> TLSCertificateKeyFile /etc/openldap/server.pem
> TLSCACertificateFile /etc/openldap/server.pem
> TLSVerifyClient false
>
>
> The server.pem file was generated by:
> openssl req -new -x509 -nodes -out server.pem -keyout server.pem -days 365
>
> I made sure that the common name was set to the FQDN of the ldap
> server.
>
> On a client machine, I have ldap.conf setup as:
> HOST ldapserver
> BASE dc=sub,dc=domain,dc=com
> URI ldaps://ldapserver
> ssl yes
>
>
> On the ldap server I start in debug mode with:
> /usr/lib/openldap/slapd -d 1 -h "ldaps:///"
> and get:
> @(#) $OpenLDAP: slapd 2.0.7-Release (Mon Jun 18 20:50:20 GMT 2001) $
> root@Hahn:/usr/src/packages/BUILD/openldap-2.0.7/servers/slapd
> daemon_init: listen on ldaps:///
> daemon_init: 1 listeners to open...
> ldap_url_parse(ldaps:///)
> daemon: socket() failed errno=97 (Address family not supported by protocol)
> daemon: initialized ldaps:///
> daemon_init: 1 listeners opened
> slapd init: initiated server.
> slap_sasl_init: initialized!
> slapd startup: initiated.
> slapd starting
>
>
> I am a bit concerned about the daemon socket() error but don't know
> why it is happening.
>
> After starting the ldap server in this way I try to run an
> ldapsearch against it from a client:
> ldapsearch -H ldaps://ldapserver -x -b "" -s base
>
> And get a segmentation fault on the client.
> The output from from the slapd server debug is:
> ldap_pvt_gethostbyname_a: host=mcnode1.EraGen.com, r=0
> connection_get(9): got connid=0
> connection_read(9): checking for input on id=0
> TLS trace: SSL_accept:before/accept initialization
> TLS trace: SSL_accept:SSLv3 read client hello A
> TLS trace: SSL_accept:SSLv3 write server hello A
> TLS trace: SSL_accept:SSLv3 write certificate A
> TLS trace: SSL_accept:SSLv3 write server done A
> TLS trace: SSL_accept:SSLv3 flush data
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> connection_get(9): got connid=0
> connection_read(9): checking for input on id=0
> TLS trace: SSL_accept:SSLv3 read client key exchange A
> TLS trace: SSL_accept:SSLv3 read finished A
> TLS trace: SSL_accept:SSLv3 write change cipher spec A
> TLS trace: SSL_accept:SSLv3 write finished A
> TLS trace: SSL_accept:SSLv3 flush data
> connection_get(9): got connid=0
> connection_read(9): checking for input on id=0
> ber_get_next
> ber_get_next on fd 9 failed errno=0 (Success)
> connection_read(9): input error=-2 id=0, closing.
> connection_closing: readying conn=0 sd=9 for close
> connection_close: conn=0 sd=9
> TLS trace: SSL3 alert write:warning:close notify
>
>
> The two lines I think might be interesting is the "error in SSLv3
> read client certificate A" and the line:
> ber_get_next on fd 9 failed errno=0 (Success)
>
> ldap logins work if I don't use SSL so the problem must be with the
> SSL functionality.
>
> I have been looking through the mailing list archives and have seen
> people post with similar problems, but nobody seems to have
> posted a fix as far as I have seen.
>
> Has anyone actually gotten OpenLDAP over SSL/TLS working? If so,
> could you please let me know what your config files look like? What
> you did differently than me?
> Also, if someone could tell me what some of the error messages
> from the debug output mean, I might be able to try a few things
> and try to track it down. If I do find a fix and get this working,
> I will post my solution.
>
> Thanks.
>
> Chris
>
>
Attachment:
pgpbYGOWRzhYq.pgp
Description: PGP signature