
Re: TLS server side auth problem



Hi Pete
I had problems as well when using ldapsearch and similar. That's why I created http://ldap.ayni.com, which you may use as well, with no more problems. Note however that http://ldap.ayni.com does TLS on port 636.


I run 4 openldap servers, two of which are slurpd-synchronized. slurpd (on violina) connects to the secondary (on propic) using TLS. I used to sync a third server (mileni) before, but then decided it should be more of a development server.... but the sync worked well, except that the ldap database was not synced with the primary ldap host at the beginning, which gave me many errors (32). So I decided to cut short with that sync.

My slapd.conf (extracts only):

# TLS
TLSCertificateFile /usr/local/openldap/cert/ldap.cert.pem
TLSCertificateKeyFile /usr/local/openldap/cert/ldap.cert.key
TLSCACertificateFile /etc/ssl/certs/ca-cert.pem
TLSVerifyClient never

......

database        ldbm
suffix          "dc=ayni,dc=com"
rootdn          "cn=Manager,dc=ayni,dc=com"

rootpw          jawiiesodenn

directory       /var/ldap

index cn,sn,uid pres,eq,sub
index objectClass eq

password-hash   {SHA}

sasl-realm      ldap
sasl-host       violina.ayni.com
sasl-secprops   none

sasl-regexp uid=(.*),cn=.*,cn=.*,cn=auth
       cn=$1,ou=pam-ldap,dc=ayni,dc=com

# slurpd replication parameters

replogfile /var/ldap/replog

#replica host="mileni.ayni.com" tls=yes
# bindmethod=sasl authcid=suomi credentials="jajetzund" SASLmech="DIGEST-MD5"


replica host="propic.ayni.com" tls=yes
binddn="cn=manager,dc=ayni,dc=com"
bindmethod=simple credentials=heiterebeck


good luck suomi


peter pan wrote:

I still haven't made any progress on this.  No one
replied to my post below, is this because:

- no one knows
- my post is not appropriate in some way
- I'm a berk for not spotting something obvious :)

I can't move forward with our LDAP rollout until this
is resolved - does any one have any suggestions?

Pete.

--- peter pan <lanwanhr@yahoo.com> wrote:


I'm planning to use our replicated LDAP directory for
user authentication purposes soon.  Because of this I
want to ensure all slurpd's communication with the
slave LDAP servers is encrypted.

I'm having a problem with getting TLS communications
working.  I have followed the instructions using

http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html

but cannot get ldapsearch -ZZ to work without a client
certificate (which I don't want to use).

If I put the serverkey and servercert in the .ldaprc
file (I know this is for the client certs but as a
test..) then ldapsearch -ZZ -x -h <FQDN> works.  If I
take them out of .ldaprc it fails:

[root@test root]# ldapsearch -ZZ -x -H ldap://test.mydomain.com
ldap_start_tls: Connect error
       additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

slapd shows:

TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client hello B
TLS trace: SSL_accept:error in SSLv3 read client hello B
TLS: can't accept.
TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:772
connection_read(16): TLS accept error error=-1 id=8, closing




The openssl s_client test also fails:

[root@test root]# openssl s_client -connect 192.168.0.1:ldap -showcerts -state -CAfile /etc/openldap/cacert.pem

CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
9521:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:

Maybe because I'm connecting to the normal ldap port
(not sure if openssl is valid for the ldap port, maybe
only TLS with start_tls?)

If I repeat the openssl s_client test on ldaps:

[root@test root]# openssl s_client -connect 192.168.0.1:ldaps -showcerts -state -CAfile /etc/openldap/cacert.pem

CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL3 alert read:fatal:handshake failure
SSL_connect:error in SSLv2/v3 read server hello A
9758:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:455:

Slightly different. Using the FQDN instead of the IP
makes no difference.

If I put the certs in .ldaprc the openssl test works
with IP:ldaps but not IP:ldap (I assume this is
normal).

I'm using openldap 2.0.27 on RedHat 7.2 (using the
2.0.27-2.7.3 rpm).

Don't understand why specifying a client cert (the
same as the server's as this is all the same box)
works.  There's no TLSVerifyClient in my slapd.conf
or anything.

Any help appreciated.

Pete


__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site
design software
http://sitebuilder.yahoo.com




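Added example, not from either poster or from OpenLDAP. It shows the part of the exchange that explains why Pete's s_client test behaves differently on the two ports: on the plain ldap port a client must first send an LDAP StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037, RFC 4511) and get a success ExtendedResponse back before any TLS bytes go on the wire, which is what ldapsearch -ZZ does; on ldaps the TLS handshake starts immediately, so openssl s_client works there without help. The script below builds the request, parses the response, and only then wraps the same socket in TLS with the CA file playing the role of TLS_CACERT in ldap.conf/.ldaprc. The sample responses are constructed, not captured from anyone's server; the host, port and CA path are parameters the caller supplies; and the response is assumed to arrive in one recv() call, which holds for this small message.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS extended operation, RFC 4511 / RFC 2830


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(body)) + body


def starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { requestName [0] OID } }.
    message_id is kept below 128 so the INTEGER fits in one byte without a sign pad."""
    ext = tlv(0x77, tlv(0x80, STARTTLS_OID))   # 0x77 = [APPLICATION 23] constructed, 0x80 = [0] primitive
    return tlv(0x30, tlv(0x02, bytes([message_id])) + ext)


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the element starting at pos; handles long-form lengths."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(msg: bytes) -> dict:
    """Parse LDAPMessage { messageID, ExtendedResponse } into its LDAPResult fields."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(body)
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x78:                                # 0x78 = [APPLICATION 24] ExtendedResponse
        raise ValueError("unexpected protocolOp tag 0x%02x" % tag)
    _, code, pos = read_tlv(op)                     # resultCode ENUMERATED
    _, matched_dn, pos = read_tlv(op, pos)          # matchedDN
    _, diag, pos = read_tlv(op, pos)                # diagnosticMessage
    name = None
    while pos < len(op):                            # optional trailing fields
        tag, val, pos = read_tlv(op, pos)
        if tag == 0x8A:                             # responseName [10]; OpenLDAP echoes the StartTLS OID
            name = val.decode()
    return {"message_id": int.from_bytes(mid, "big"), "result_code": int.from_bytes(code, "big"),
            "matched_dn": matched_dn.decode(), "diagnostic": diag.decode(), "response_name": name}


def start_tls(host: str, port: int = 389, cafile=None, timeout: float = 5.0) -> ssl.SSLSocket:
    """Negotiate StartTLS on a plain LDAP connection, then run the TLS handshake over the same socket.
    A failure inside wrap_socket() is the handshake-level failure ldapsearch -ZZ reports as 'Connect error'."""
    sock = socket.create_connection((host, port), timeout=timeout)
    sock.sendall(starttls_request())
    parsed = parse_extended_response(sock.recv(4096))   # assumption: whole response in one read
    if parsed["result_code"] != 0:
        sock.close()
        raise RuntimeError("StartTLS refused: code=%d %s" % (parsed["result_code"], parsed["diagnostic"]))
    ctx = ssl.create_default_context(cafile=cafile)   # chain + hostname check, like TLS_CACERT in ldap.conf
    return ctx.wrap_socket(sock, server_hostname=host)


# Constructed sample responses (not captured from the servers in the thread).
SAMPLE_OK = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x78,
              tlv(0x0A, b"\x00") + tlv(0x04, b"") + tlv(0x04, b"") + tlv(0x8A, STARTTLS_OID)))
SAMPLE_REFUSED = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x78,
              tlv(0x0A, b"\x34") + tlv(0x04, b"") + tlv(0x04, b"TLS not available") + tlv(0x8A, STARTTLS_OID)))  # 52 = unavailable

if __name__ == "__main__":
    print(starttls_request().hex())
    print(parse_extended_response(SAMPLE_OK))
    print(parse_extended_response(SAMPLE_REFUSED))
```

Sending the same ClientHello that s_client sends straight to port 389 is answered by slapd as a malformed LDAP PDU, not by a TLS server hello, which is the SSL23_WRITE failure in the first s_client run; only port 636 can be tested with s_client as-is. When StartTLS is accepted at the LDAP layer but wrap_socket() raises ssl.SSLError, the failure is in the handshake itself, and a server-side "no shared cipher" at that point commonly means slapd has no usable certificate and key loaded, leaving only anonymous suites that ordinary clients do not offer; checking that TLSCertificateFile and TLSCertificateKeyFile are readable by slapd and belong together is the first thing to verify.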