
LDAPS: What am I doing wrong?



I grabbed the source for the openldap2 packages from Debian for stable
(woody) and rebuilt the packages with the '--with-tls' option and then
overwrote the packages that I had installed.  So now I have ldap-utils,
libldap2, and slapd with TLS support.

I set up ldap and, while it works fine, what I want to use is ldaps.
From the things I found on the net, it looked easy enough, but so far it
doesn't work for me.

I created a self-signed certificate (making sure to use my FQDN):
openssl req -new -x509 -nodes -out slapd.pem -keyout slapd.pem -days 365

I added the following lines to my /etc/ldap/slapd.conf:

TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile      /etc/ldap/ssl-cert/slapd.pem
TLSCertificateKeyFile   /etc/ldap/ssl-cert/slapd.pem
TLSCACertificateFile    /etc/ldap/ssl-cert/slapd.pem

I modified the startup script to start up ldaps on the internet
interface:

start-stop-daemon --start --quiet --pidfile "$pf" --exec /usr/sbin/slapd -- -h "ldaps://66.96.209.177 ldap://127.0.0.1";

I restarted slapd and did an nmap on localhost and then an nmap on my
external interface.  Both services were running.

I checked to see if the certificate was valid:

openssl s_client -connect kudzu.sboss.net:636 -showcerts

CONNECTED(00000003)
depth=0 /C=US/ST=PA/L=Scranton/O=SDN/OU=IT Dept./CN=kudzu.sboss.net/Email=admin@sboss.net
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=PA/L=Scranton/O=SDN/OU=IT Dept./CN=kudzu.sboss.net/Email=admin@sboss.net
verify return:1
---
Certificate chain
 0 s:/C=US/ST=PA/L=Scranton/O=SDN/OU=IT Dept./CN=kudzu.sboss.net/Email=admin@sboss.net
   i:/C=US/ST=PA/L=Scranton/O=SDN/OU=IT Dept./CN=kudzu.sboss.net/Email=admin@sboss.net
---
Server certificate
subject=/C=US/ST=PA/L=Scranton/O=SDN/OU=IT Dept./CN=kudzu.sboss.net/Email=admin@sboss.net
issuer=/C=US/ST=PA/L=Scranton/O=SDN/OU=IT Dept./CN=kudzu.sboss.net/Email=admin@sboss.net
---
No client certificate CA names sent
---
SSL handshake has read 1039 bytes and written 314 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA
    Session-ID: 4E32D31FF2D3D6F49876D55E1A0B63C54CC2D1610431DA28CA2ADA3A936E4F66
    Session-ID-ctx:
    Master-Key: 2CAD6C5D9C6CD026A4721CA915C724B098243FCAB72B5D3A4298A43BCE56C3D4FA6B63C46E7A4FB0F3DB3D951EE1FDEC
    Key-Arg   : None
    Start Time: 1031842314
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)

So far, so good.  I made sure an entry for slapd was in my hosts.allow:

slapd: ALL

I fired up gq, told it to do SSL, pointed it toward my host and it said
it couldn't do SSL.  So I decided to test it out by stopping slapd and
then restarting it in the foreground with a debugging flag set.  I
searched with MS Outlook 2K utilizing SSL and this is what it
returned:

/usr/sbin/slapd -d 5 -h ldaps://kudzu.sboss.net

@(#) $OpenLDAP: slapd 2.0.23-Release (Wed Sep 11 21:16:21 EDT 2002) $
	root@debian-devel:/root/openldap2-2.0.23/debian/build/servers/slapd
daemon_init: ldaps://kudzu.sboss.net
daemon_init: listen on ldaps://kudzu.sboss.net
daemon_init: 1 listeners to open...
ldap_url_parse_ext(ldaps://kudzu.sboss.net)
daemon: initialized ldaps://kudzu.sboss.net
daemon_init: 1 listeners opened
slapd init: initiated server.
slap_sasl_init: initialized!
==>backsql_initialize()
<==backsql_initialize()
slapd startup: initiated.
slapd starting
ldap_pvt_gethostbyname_a: host=kudzu.sboss.net, r=0
connection_get(9)
connection_get(9): got connid=0
connection_read(9): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A


I've been through the faq-o-matic over at openldap.org and haven't found
anything close to describing my situation, so I know I must be doing
something blatantly stupid, but I've yet to see what that is.  Anyone
else get SSL with LDAP going (under Debian woody) for simple,
addressbook queries that work with Outlook/OE?

-- 
Brian
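Added example, not from the post or from OpenLDAP: it reproduces on the loopback interface what a verifying client does with a certificate made the way the post's openssl command makes it (key and certificate in one self-signed PEM), first with nothing trusted and then with that same PEM loaded as the CA, and reports the verify code (18, the number s_client printed above) that a client sees before it drops the handshake. It assumes Python 3.8+ and an openssl CLI that accepts -addext; the host name "localhost", the loopback port and the temporary PEM path are constructed for the demo.

```python
import os, socket, ssl, subprocess, tempfile, threading

HOST = "localhost"  # constructed demo: everything runs on the loopback interface

def make_self_signed(pem_path):
    """Same shape of command as the post: one PEM holding both the key and the self-signed cert."""
    subprocess.run(["openssl", "req", "-new", "-x509", "-nodes", "-days", "1", "-subj", f"/CN={HOST}",
                    "-addext", f"subjectAltName=DNS:{HOST}",  # modern clients match the SAN, not the CN
                    "-out", pem_path, "-keyout", pem_path], check=True, capture_output=True)

def serve(pem_path, connections):
    """Minimal TLS listener standing in for slapd's ldaps:// port; handles N handshakes, then exits."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(pem_path)  # key and cert from one file, like the TLSCertificate*File lines
    lsock = socket.create_server(("127.0.0.1", 0))
    def run():
        for _ in range(connections):
            conn, _addr = lsock.accept()
            try:
                with ctx.wrap_socket(conn, server_side=True) as tls:
                    tls.recv(1)  # hold the session until the client closes it
            except OSError:
                pass  # client gave up mid-handshake; the server side only sees a failed read
        lsock.close()

    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return lsock.getsockname()[1], thread

def probe(port, cafile=None):
    """Connect as a verifying client would and report its verdict on the server certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED plus hostname check by default
    if cafile:
        ctx.load_verify_locations(cafile)  # trust the self-signed cert explicitly
    with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=HOST) as tls:
                return ("ok", tls.cipher()[0])
        except ssl.SSLCertVerificationError as err:
            return ("rejected", err.verify_code)  # 18 == self signed, the same code s_client printed

def demo():
    """Probe a throwaway self-signed listener without and with the cert trusted; return both verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        pem = os.path.join(tmp, "slapd.pem")
        make_self_signed(pem)
        port, thread = serve(pem, connections=2)
        results = {"untrusted": probe(port), "trusted": probe(port, cafile=pem)}
        thread.join(timeout=10)
    return results
```

The untrusted probe is what a client that does not yet have the certificate in its trust store experiences; the trusted probe is the same listener after the PEM has been imported on the client side.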