[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Last attempt at TLS/SSL



well, heres my 2c... I'm only just getting going with ldap and tls so...

looking in your ldap.conf file, shouldnt you have the directive "ssl
start_tls" in there?

As to the two ldap.conf files for openldap and padl... this caught me
before and I'm still not 100% which is which!

G

On Thu, 2003-06-26 at 20:18, Lawrence, Mike (White Plains) wrote:
> Hi Kent - doesn't look like a permissions issue to me
> as the CA cert (and all the directories above it, in my
> case /var/tmp/certs) are all world readable.  
> 
> Here is some extra info, all the lines I have turned on
> in my slapd.conf file and also ldap.conf:
> 
> slapd.conf:
> 
> include         /usr/local/etc/openldap/schema/core.schema
> include         /usr/local/etc/openldap/schema/cosine.schema
> include         /usr/local/etc/openldap/schema/nis.schema
> include         /usr/local/etc/openldap/schema/solaris.schema
>  
> pidfile         /usr/local/var/slapd.pid
> argsfile        /usr/local/var/slapd.args
>  
> loglevel        9
>  
> TLSCipherSuite          HIGH:MEDIUM:+SSLv2
> TLSCertificateFile      /var/tmp/certs/ldapcert.pem
> TLSCertificateKeyFile   /var/tmp/certs/ldapkey.pem
> TLSCACertificateFile    /var/tmp/certs/demoCA/cacert.pem
> TLSVerifyClient         never
>  
> password-hash           {CRYPT}
>  
> access to attr=userPassword
>         by self write
>         by anonymous auth
>         by dn.base="cn=Authenticator,dc=webtech,dc=com" read
> access to * by * read
>  
> database        ldbm
> suffix          "dc=webtech,dc=com"
> rootdn          "cn=Manager,dc=webtech,dc=com"
> rootpw          {crypt}JOEdsf45uddHpilE
> directory       /usr/local/var/openldap-data
> mode            0600
>  
> index   objectClass     eq
> index   uid             pres,eq
> index   cn              pres,eq
> 
> 
> 
> ldap.conf:
> 
> host wp-app-3.webtech.com
> base dc=webtech,dc=com
> uri ldaps://wp-app-3.webtech.com
> binddn cn=Authenticator,dc=webtech,dc=com
> bindpw admin123
> port 636
> scope sub
> pam_password crypt
> nss_base_passwd         ou=People,dc=webtech,dc=com?one
> nss_base_shadow         ou=People,dc=webtech,dc=com?one
> ssl yes
> TLS_CACERT /var/tmp/certs/demoCA/cacert.pem
> 
> 
> I see the same problem if I change over to port 389 and
> don't run ldaps, but instead use "ssl start_tls".  Although
> when I use that, I can't even get openssl to verify the 
> cert.  I'm agnostic as to using ldaps or ldap and TLS, 
> which ever would actually work would be fine.
> 
> And I actually have a copy of your how to printed out sitting
> on my desk right now that I have been using it as a reference
> and am wondering why openldap hates me so much because this
> seems like it should be fairly easy to make work.
> 
> -----Original Message-----
> From: Kent Soper [mailto:dksoper@us.ibm.com]
> Sent: Thursday, June 26, 2003 3:00 PM
> To: Lawrence, Mike (White Plains)
> Cc: openldap-software@OpenLDAP.org; owner-openldap-software@OpenLDAP.org
> Subject: Re: Last attempt at TLS/SSL
> 
> 
> 
> 
> 
> 
> Hi Mike,
> 
> "So there's one piece of software, openssl, saying "your cert is cool".
> Now
> if I try to run ldapsearch
> and pass it -H "ldaps://wp-app-3.webtech.com", it will fail with this
> error:
> 
> ldap_bind: Can't contact LDAP server (81)
>         additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"
> 
> I had this same error after I upgraded my versions of OpenLDAP and
> Cyrus-SASL recently and did not create new certs that were used in the
> previous setup.
> Without creating new certs I got around this by copying the server CA cert
> to the client box because I was missing the old client CA cert.  On the
> client, TLS_REQCERT was "demand" in ldap.conf and a missing CA cert caused
> the cert verification to fail.  Even though you state you set the client
> and server certs to the same cert, you might have a permission problem on
> the client side.  A CA cert should be globally readable anyway.
> 
> Check permissions on all certs and keys.
> Check all config files (slapd.conf, ldap.conf, and ldaprc/.lpaprc if you
> have one) for the set values and for directives that are set (but unlisted)
> by default.
> 
> If all else fails, give
> "http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html"; a quick read,
> especially the configuration section.
> 
> "I've tried turning on tls_checkpeer"
> 
> I think this is an old and unused directive.  It's not in the OpenLDAP
> 2.1.21 man pages anymore.
> 
> Cheers,
> Kent
> 
> "You don't stop playing because you grow old ...
>        you grow old because you stop playing."
> 
> Linux Technology Center, Linux Security
> tie line:     678-9216
> external:  1-512-838-9216
> e-mail:  dksoper@us.ibm.com
> 
> This electronic message transmission contains information from the Company that may be proprietary, confidential and/or privileged.
> The information is intended only for the use of the individual(s) or entity named above.  If you are not the intended recipient, be
> aware that any disclosure, copying or distribution or use of the contents of this information is prohibited.  If you have received
> this electronic transmission in error, please notify the sender immediately by replying to the address listed in the "From:" field.
-- 
Greg Matthews
iTSS Wallingford	01491 692445