openldap and tls or ssl
Hello,
I'm trying (for a week now....) to add SSL and TLS to my openldap
server, which works well in unencrypted mode (used it from gq (LDAP client
for Gnome) and from pam-ldap).
While waiting for an official cert/key from my CA (still waiting...), I used
openssl and the CA.pl script to create a CA cert and a cert/key for my
server.
1 - Create a CA cert:
CA.pl -newCA (used the dns of the openldap server as common name)
2 - Create a priv key for my server
CA.pl -newreq (used also the dns of the openldap server as common name)
3 - Create the cert
CA.pl -sign
Then I decrypted the key file in order to use it with openldap (I saw
somewhere that it had to be unencrypted).
Then I configured slapd.conf to use these PEM files
(cacert.pem, unencrypted key and certificate):
...
########################
# certificates and keys
TLSCertificateKeyFile /opt/openldap/pem/uncryptprivatekey.pem
TLSCertificateFile /usr/sss/demoCA/certs/certificat.pem
TLSCACertificateFile /usr/ssl/demoCA/cacert.pem
...
Then I tested it with ldapsearch:
clear:
./ldapsearch -x -LLL "cn=*BLIN*" cn
tls:
./ldapsearch -x -LLL "cn=*BLIN*" -ZZZ cn
ssl:
./ldapsearch -H"ldaps://servername" -x -b"dc=..." -LLL "cn=*BLIN*" cn
I get the results, but the openldap server tells me:
connection_read(10): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
I suppose these last 2 lines are because my client (i.e. the ldapsearch
commands) hasn't got certs/keys... If I'm right, is there a way to tell
ldapsearch to use a certificate?
My problem is with pam_ldap and gq. They work in non-SSL mode, but when
I try to use TLS (or SSL with pamldap), it fails.
I've generated another cert/key pair for pamldap.
The pamldap conf file:
--------------------------------------------------
...
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls
#ssl on
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
tls_checkpeer yes
# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
tls_cacertfile /usr/ssl/demoCA/cacert.pem
tls_cacertdir /usr/ssl/demoCA/certs
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
tls_cert /usr/ssl/certs/privcertest.pem
tls_key /usr/ssl/privkeytest.pem
-----------------------------------------------------
and when I try to connect, pamldap asks me for the PEM pass phrase(!!!) and
then fails. The slapd server tells me:
------------
connection_get(15): got connid=4
connection_read(15): checking for input on id=4
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
ber_get_next on fd 15 failed errno=11 (Resource temporarily unavailable)
do_extended
ber_scanf fmt ({a) ber:
send_ldap_extended 0: (0)
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 15
<< here, it waits for the PEM pass phrase....
connection_get(15): got connid=4
connection_read(15): checking for input on id=4
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
connection_get(15): got connid=4
connection_read(15): checking for input on id=4
TLS: can't accept.
connection_read(15): TLS accept error error=-1 id=4, closing
connection_closing: readying conn=4 sd=15 for close
connection_close: conn=4 sd=15
------------
Does anyone have an idea where the problem is?
Thanks in advance.
Laurent BLIN
Montpellier - France
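An added check script for the two failure modes described in the post (not from the post itself or from the OpenLDAP or pam_ldap projects): a private key that is still encrypted, which makes OpenSSL prompt for the PEM pass phrase when slapd or pam_ldap loads it, and a file path in slapd.conf or the pam_ldap conf that does not exist. It reads the TLSCertificateKeyFile/TLSCertificateFile/TLSCACertificateFile and tls_key/tls_cert/tls_cacertfile directives shown above; the deeper openssl chain and key-match check is an assumed extra step that only runs when the openssl binary is present.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenLDAP): sanity-check the
# PEM files named by slapd.conf TLS* directives or pam_ldap tls_* directives
# before starting the daemon, so problems show up here instead of as a
# pass-phrase prompt or a "TLS: can't accept" in the slapd log.

# 0 if FILE is an encrypted PEM private key (legacy "Proc-Type: 4,ENCRYPTED"
# header or a PKCS#8 "ENCRYPTED PRIVATE KEY" block), 1 if unencrypted,
# 2 if unreadable. OpenSSL prompts for the pass phrase when loading an
# encrypted key, and a daemon has no terminal to answer on.
pem_key_encrypted() {
    [ -r "$1" ] || return 2
    grep -q 'Proc-Type: 4,ENCRYPTED' "$1" && return 0
    grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1" && return 0
    return 1
}

# Print one "OK"/"FAIL" line per file directive found in CONF ($1).
check_tls_files() {
    grep -Ei '^[[:space:]]*(TLSCertificateKeyFile|TLSCertificateFile|TLSCACertificateFile|tls_key|tls_cert|tls_cacertfile)[[:space:]]+' "$1" |
    while read -r directive path; do
        status="OK  "
        if [ ! -r "$path" ]; then
            status="FAIL (missing or unreadable)"
        else
            case "$directive" in
            *[Kk]ey*)   # only private-key directives are checked for encryption
                if pem_key_encrypted "$path"; then
                    status="FAIL (encrypted key, will prompt for PEM pass phrase)"
                fi ;;
            esac
        fi
        echo "$status $directive $path"
    done
}

# 0 when every directive in CONF ($1) passed, 1 otherwise.
tls_files_ok() {
    ! check_tls_files "$1" | grep -q '^FAIL'
}

# Assumed extra step, skipped without openssl: the certificate must chain to
# the CA file and its public key must match the private key.
# Usage: verify_chain KEYFILE CERTFILE CAFILE
verify_chain() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipped"; return 0; }
    openssl verify -CAfile "$3" "$2" >/dev/null || return 1
    [ "$(openssl x509 -noout -pubkey -in "$2")" = "$(openssl pkey -pubout -in "$1")" ]
}
```

Run it as `tls_files_ok /path/to/slapd.conf && verify_chain KEY CERT CAFILE` before starting slapd; the same call works on the pam_ldap conf since the tls_* directives are matched too.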