
RE: TLS / SSL






TLS_CERT and TLS_KEY don't belong in ldap.conf.  They are user-specific
directives that go into a file called
a) ldaprc
or
b) .ldaprc
which is located in either the user's home dir or the current working dir.
Home dir is usually the best place.

This shouldn't be your problem with TLSVerifyClient not set, but it will be
a problem in the future if not corrected.

Also, "ssl yes" in the conf files won't turn on SSL.  All you have to do is
access ldaps://your.server and port 636 is the default ldaps:// port.

Do you have more than one slapd.conf or ldap.conf that can be the problem?
If you are changing conf files, restarting the server, and not seeing
different debug output, then I'd locate all of the LDAP conf files and
verify the correct ones are being altered.  A PAM ldap.conf (usually
/etc/ldap.conf) can cause many OpenLDAP problems when it's mistaken for the
OpenLDAP ldap.conf file.

Sorry that I don't have more info for you.

Cheers,
Kent Soper

"You don't stop playing because you grow old ...
       you grow old because you stop playing."

Linux Technology Center, Linux Security
phone:  1-512-838-9216
e-mail:  dksoper@us.ibm.com
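An added illustration of the two points above (the pam_ldap-style "ssl"/"port" lines that OpenLDAP does not act on, and TLS_CERT/TLS_KEY being user-only directives that belong in ldaprc), written as example code that is not from this thread or from OpenLDAP: a small Python checker run over the slapd.conf and ldap.conf fragments Ron posted, plus the ldaps:// default-port rule. It assumes the ldap.conf(5) line syntax (one keyword and value per line, keywords case-insensitive, lines starting with '#' are comments).

```python
# Added example, not code from the thread: config-hygiene checks for the
# directives discussed above. Parsing follows the ldap.conf(5) line syntax.
from urllib.parse import urlsplit

# pam_ldap/nss_ldap directive for *their* /etc/ldap.conf; OpenLDAP's libldap
# and slapd do not act on it, which is why "ssl yes" never turns SSL on.
PAM_LDAP_ONLY = {"ssl"}
# Not slapd.conf directives at all: slapd gets its ldaps:// listener from -h.
NOT_SLAPD = {"ssl", "port"}
# Client directives valid only in a user's ~/.ldaprc or ./ldaprc, not ldap.conf.
USER_ONLY = {"tls_cert", "tls_key"}

def parse(text):
    """Yield (keyword, value) pairs; keywords lower-cased, '#' lines skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1] if len(parts) > 1 else "")

def check_slapd_conf(text):
    """Keywords present in slapd.conf for which slapd has no directive."""
    return sorted(kw for kw, _ in parse(text) if kw in NOT_SLAPD)

def check_ldap_conf(text):
    """(keyword, problem) pairs for a system-wide OpenLDAP ldap.conf."""
    findings = []
    for kw, _ in parse(text):
        if kw in PAM_LDAP_ONLY:
            findings.append((kw, "pam_ldap/nss_ldap directive, ignored by OpenLDAP"))
        elif kw in USER_ONLY:
            findings.append((kw, "user-only directive, belongs in ~/.ldaprc"))
    return findings

def ldaps_port(uri):
    """Port an ldaps:// URI connects to: the explicit one, else the 636 default."""
    u = urlsplit(uri)
    if u.scheme != "ldaps":
        raise ValueError("not an ldaps:// URI: " + uri)
    return u.port or 636

# Sample input: the slapd.conf / ldap.conf fragments Ron posted in this thread.
RON_SLAPD_CONF = ("ssl yes\nport 636\nTLSCipherSuite HIGH:MEDIUM:+SSLv3\n"
                  "TLSCertificateFile /opt/LocalCA/server_crt.pem\n#TLSVerifyClient never\n")
RON_LDAP_CONF = ("ssl yes\nport 636\nssl start_tls\nTLS_CACERT /opt/LocalCA/cacert.pem\n"
                 "TLS_CERT /opt/LocalCA/server_crt.pem\nTLS_KEY /opt/LocalCA/server_key.pem\n")

if __name__ == "__main__":
    print(check_slapd_conf(RON_SLAPD_CONF), check_ldap_conf(RON_LDAP_CONF),
          ldaps_port("ldaps://10.0.0.94"))
```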




                                                                                                                             
                      "Ron Wahler"                                                                                           
<ron@rovingplanet.com>
To:       Kent Soper/Austin/IBM@IBMUS
cc:
Subject:  RE: TLS / SSL
07/01/2003 12:29 PM






Thanks Kent, thanks for the help.
I modified the files to be this but still don't connect.

slapd.conf


ssl yes
port 636
TLSCipherSuite          HIGH:MEDIUM:+SSLv3
TLSCertificateFile      /opt/LocalCA/server_crt.pem
TLSCertificateKeyFile   /opt/LocalCA/server_key.pem
TLSCACertificateFile    /opt/LocalCA/cacert.pem
#TLSVerifyClient         never



ldap.conf

ssl yes
port 636
ssl             start_tls
TLS_CACERT  /opt/LocalCA/cacert.pem
TLS_CERT    /opt/LocalCA/server_crt.pem
TLS_KEY    /opt/LocalCA/server_key.pem
#TLS_REQCERT demand

I also tried commenting out TLS_CACERT, TLS_CERT and TLS_KEY with the
same result...


Ron.


SERVER:


TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(13): unable to get TLS client DN error=49 id=0
connection_get(13): got connid=0
connection_read(13): checking for input on id=0
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 13 failed errno=0 (Success)
connection_read(13): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=13 for close
connection_close: conn=0 sd=13
TLS trace: SSL3 alert write:warning:close notify





> -----Original Message-----
> From: Kent Soper [mailto:dksoper@us.ibm.com]
> Sent: Tuesday, July 01, 2003 11:12 AM
> To: Ron Wahler
> Cc: openldap-software@OpenLDAP.org
> Subject: RE: TLS / SSL
>
>
>
>
>
> Hi Ron,
>
> Have you tried using only server-side authentication first (no client
> cert)?  If you can get that working, then adding client certs to an
> ldaprc would be the next step.
>
> In slapd.conf, try using only these directives:
> TLSCipherSuite  <settings>
> TLSCertificateFile  <server cert>
> TLSCACertificateFile <ca cert>
> (no TLSVerifyClient directive)
>
> In ldap.conf:
> Nothing or "TLS_REQCERT  demand" which is the default.
> You don't need a client CA cert for TLS/SSL, but you can have it
> listed too.
>
> After success you can add client auth entries to slapd.conf and ldaprc
> (see man pages for *.conf or the document Pierre pointed you to).
>
> I don't know much about your setup, so please pardon me if this is a
> Netscape or other issue that I'm not aware of.
>
> Cheers,
> Kent Soper
>
> "You don't stop playing because you grow old ...
>        you grow old because you stop playing."
>
> Linux Technology Center, Linux Security
> phone:  1-512-838-9216
> e-mail:  dksoper@us.ibm.com
>
>
>
>
>
> "Ron Wahler" <ron@rovingplanet.com>
> Sent by:  owner-openldap-software@OpenLDAP.org
> To:       <freeradius-users@lists.cistron.nl>,
>           "Lawrence, Mike (White Plains)" <Mike.Lawrence@starwoodhotels.com>,
>           <openldap-software@OpenLDAP.org>
> cc:
> Subject:  RE: TLS / SSL
> 07/01/2003 11:46 AM
>
> I also get this when I allow SSLv3 on the ldap side
>
> ldap_pvt_gethostbyname_a: host=fido, r=0
> put_filter: "(objectclass=*)"
> put_filter: simple
> put_simple_filter: "objectclass=*"
> ber_scanf fmt (m) ber:
> connection_get(13): got connid=0
> connection_read(13): checking for input on id=0
> TLS trace: SSL_accept:before/accept initialization
> TLS trace: SSL_accept:SSLv3 read client hello A
> TLS trace: SSL_accept:SSLv3 write server hello A
> TLS trace: SSL_accept:SSLv3 write certificate A
> TLS trace: SSL_accept:SSLv3 write server done A
> TLS trace: SSL_accept:SSLv3 flush data
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> connection_get(13): got connid=0
> connection_read(13): checking for input on id=0
> TLS trace: SSL_accept:SSLv3 read client key exchange A
> TLS trace: SSL_accept:SSLv3 read finished A
> TLS trace: SSL_accept:SSLv3 write change cipher spec A
> TLS trace: SSL_accept:SSLv3 write finished A
> TLS trace: SSL_accept:SSLv3 flush data
> connection_read(13): unable to get TLS client DN error=49 id=0
> connection_get(13): got connid=0
> connection_read(13): checking for input on id=0
> ber_get_next
> TLS trace: SSL3 alert read:warning:close notify
> ber_get_next on fd 13 failed errno=0 (Success)
> connection_read(13): input error=-2 id=0, closing.
> connection_closing: readying conn=0 sd=13 for close
> connection_close: conn=0 sd=13
> TLS trace: SSL3 alert write:warning:close notify
>
>
>
>
> > -----Original Message-----
> > From: Ron Wahler
> > Sent: Tuesday, July 01, 2003 10:30 AM
> > To: Lawrence, Mike (White Plains); freeradius-users@lists.cistron.nl;
> > openldap-software@OpenLDAP.org
> > Subject: RE: TLS / SSL
> >
> >
> >
> > Getting this but the client can't connect at port 636
> >
> > CLIENT
> > m_ldap: setting TLS mode to 1
> > rlm_ldap: bind as cn=Manager,dc=fido,dc=com/secret to 10.0.0.94:636
> > rlm_ldap: cn=Manager,dc=fido,dc=com bind to 10.0.0.94:636 failed:
> > Can't contact LDAP server
> > rlm_ldap: (re)connection attempt failed
> >
> >
> >
> > SERVER:
> >
> > ldap_pvt_gethostbyname_a: host=fido, r=0
> > put_filter: "(objectclass=*)"
> > put_filter: simple
> > put_simple_filter: "objectclass=*"
> > ber_scanf fmt (m) ber:
> > connection_get(13): got connid=0
> > connection_read(13): checking for input on id=0
> > TLS trace: SSL_accept:before/accept initialization
> > TLS trace: SSL_accept:SSLv3 read client hello A
> > TLS trace: SSL_accept:SSLv3 write server hello A
> > TLS trace: SSL_accept:SSLv3 write certificate A
> > TLS trace: SSL_accept:SSLv3 write server done A
> > TLS trace: SSL_accept:SSLv3 flush data
> > TLS trace: SSL_accept:error in SSLv3 read client certificate A
> > TLS trace: SSL_accept:error in SSLv3 read client certificate A
> > connection_get(13): got connid=0
> > connection_read(13): checking for input on id=0
> > TLS trace: SSL_accept:SSLv3 read client key exchange A
> > TLS trace: SSL_accept:SSLv3 read finished A
> > TLS trace: SSL_accept:SSLv3 write change cipher spec A
> > TLS trace: SSL_accept:SSLv3 write finished A
> > TLS trace: SSL_accept:SSLv3 flush data
> > connection_read(13): unable to get TLS client DN error=49 id=0
> > connection_get(13): got connid=0
> > connection_read(13): checking for input on id=0
> > ber_get_next
> > TLS trace: SSL3 alert read:warning:close notify
> > ber_get_next on fd 13 failed errno=0 (Success)
> > connection_read(13): input error=-2 id=0, closing.
> > connection_closing: readying conn=0 sd=13 for close
> > connection_close: conn=0 sd=13
> > TLS trace: SSL3 alert write:warning:close notify
> >
> >
> >
> >
> >
> > > -----Original Message-----
> > > From: Lawrence, Mike (White Plains)
> > > [mailto:Mike.Lawrence@starwoodhotels.com]
> > > Sent: Tuesday, July 01, 2003 9:01 AM
> > > To: Ron Wahler
> > > Subject: RE: TLS / SSL
> > >
> > >
> > > Hi Ron - I see that error as well and what it means is that
> > > the server was unable to get a client certificate.  It doesn't
> > > need one to do ssl/tls, but it will still give the error if
> > > it doesn't have one, so it's basically a noise error and not
> > > a big deal unless you do have a client cert and are trying to
> > > use it.
> > >
> > > -----Original Message-----
> > > From: Ron Wahler [mailto:ron@rovingplanet.com]
> > > Sent: Monday, June 30, 2003 4:01 PM
> > > To: openldap-software@OpenLDAP.org
> > > Subject: TLS / SSL
> > >
> > >
> > >
> > > I am getting the following error when trying to connect
> > > from FreeRadius to OpenLDAP on SSL port 636.  Is there
> > > something here I can look at in the configuration files?
> > >
> > > Ron.
> > >
> > >
> > >
> > > connection_get(13): got connid=0
> > > connection_read(13): checking for input on id=0
> > > TLS trace: SSL_accept:SSLv3 read client key exchange A
> > > TLS trace: SSL_accept:SSLv3 read finished A
> > > TLS trace: SSL_accept:SSLv3 write change cipher spec A
> > > TLS trace: SSL_accept:SSLv3 write finished A
> > > TLS trace: SSL_accept:SSLv3 flush data
> > > connection_read(13): unable to get TLS client DN error=49 id=0
> > > connection_get(13): got connid=0
> > > connection_read(13): checking for input on id=0
> > > ber_get_next
> > > TLS trace: SSL3 alert read:warning:close notify
> > > ber_get_next on fd 13 failed errno=0 (Success)
> > > connection_read(13): input error=-2 id=0, closing.
> > > connection_closing: readying conn=0 sd=13 for close
> > > connection_close: conn=0 sd=13
> > > TLS trace: SSL3 alert write:warning:close notify
> > >
> > >