[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: 2.1.22 not accepting self-signed SSL cert

Your client hosts need the appropriate settings in ldap.conf to accept the cert on the OpenLDAP server which would point to the CA cert for your self-signed certs.

<http://www.openldap.org/software/man.cgi?query=ldap.conf&apropos=0&sektion
=0&manpath=OpenLDAP+2.1-Release&format=html>

See the TLS_CACERT directive.

--Quanah

--On Wednesday, October 29, 2003 11:56 PM -0600 adamtheo@theoretic.com wrote:

Hello, all. I have installed OpenLDAP 2.1.22, pam_ldap 161, and nss_ldap
211 on a Gentoo GNU/Linux system. I have enabled debugging on all of those
packages. I have configured the directory and pam/nss modules, and
imported my base and groups ldif file, and rebooted the system just to
make sure everything is seen correctly. WARNING: Lots of configuration
file excerpts included from long experience with help forums, hope
everyone doesn't mind. Thanks in advance for this.

But, when I run 'getent group' to test my LDAP directory, I see only the
groups from '/etc/group' immediately followed by the below debug output
where the groups from the LDAP directory should be:

--------------------
nss_ldap: ==> _nss_ldap_ent_context_init
nss_ldap: ==> _nss_ldap_enter
nss_ldap: <== _nss_ldap_enter
nss_ldap: ==> _nss_ldap_leave
nss_ldap: <== _nss_ldap_leave
nss_ldap: <== _nss_ldap_ent_context_init
nss_ldap: ==> _nss_ldap_getent
nss_ldap: ==> _nss_ldap_ent_context_init
nss_ldap: ==> _nss_ldap_enter
nss_ldap: <== _nss_ldap_enter
nss_ldap: ==> _nss_ldap_leave
nss_ldap: <== _nss_ldap_leave
nss_ldap: <== _nss_ldap_ent_context_init
nss_ldap: ==> _nss_ldap_enter
nss_ldap: <== _nss_ldap_enter
nss_ldap: ==> _nss_ldap_search
nss_ldap: ==> do_open
nss_ldap: ==> do_close_no_unbind
nss_ldap: <== do_close_no_unbind (connection was not open)
nss_ldap: ==> ldap_initialize
nss_ldap: <== ldap_initialize
nss_ldap: ==> do_ssl_options
nss_ldap: <== do_ssl_options
nss_ldap: ==> do_bind
nss_ldap: <== do_bind
nss_ldap: ==> do_close
nss_ldap: <== do_close
nss_ldap: <== do_open
nss_ldap: <== _nss_ldap_search
nss_ldap: ==> _nss_ldap_leave
nss_ldap: <== _nss_ldap_leave
nss_ldap: <== _nss_ldap_getent
nss_ldap: ==> _nss_ldap_enter
nss_ldap: <== _nss_ldap_enter
nss_ldap: ==> _nss_ldap_ent_context_release
nss_ldap: <== _nss_ldap_ent_context_release
nss_ldap: ==> _nss_ldap_leave
nss_ldap: <== _nss_ldap_leave
--------------------

When I log in by root over SSH (I have not set up any posixAccount logins
in LDAP yet, just been testing with groups)(also, root is not in the LDAP
directory, it's still a '/etc/passwd' account, as I intend to keep it), I
get the following debug in the terminal (I am able to log in, it just
gives this debug before giving the prompt):

---------------------
nss_ldap: ==> _nss_ldap_enter
nss_ldap: <== _nss_ldap_enter
nss_ldap: ==> do_open
nss_ldap: ==> do_close_no_unbind
nss_ldap: <== do_close_no_unbind (connection was not open)
nss_ldap: ==> ldap_initialize
nss_ldap: <== ldap_initialize
nss_ldap: ==> do_ssl_options
nss_ldap: <== do_ssl_options
nss_ldap: ==> do_bind
nss_ldap: <== do_bind
nss_ldap: ==> do_close
nss_ldap: <== do_close
nss_ldap: <== do_open
nss_ldap: ==> _nss_ldap_leave
nss_ldap: <== _nss_ldap_leave
--------------------

When I try to do an 'ldapsearch -d -1 -b dc=theoretic,dc=com' command from
the SSH root login, I get the following debug (this is just the last
screen, there isa lott more before this, but I think this contains the
relevant part):

--------------------
  0000:  0b 00 03 53 00 03 50 00  03 4d 30 82 03 49 30 82
...S..P..M0..I0.   0010:  02 b2 a0 03 02 01 02 02  01 00 30 0d 06 09 2a
86   ..........0...*.   0020:  48 86 f7 0d 01 01 04 05  00 30 7c 31 0b 30
09 06   H........0|1.0..   0030:  03 55 04 06 13 02 55 53  31 10 30 0e 06
03 55 04   .U....US1.0...U.   0040:  08 13 07 46 6c 6f 72 69  64 61 31 1c
30 1a 06 03   ...Florida1.0...   0050:  55 04 0a 13 13 54 68 65  6f 72 65
74 69 63 20 53   U....Theoretic S   0060:  6f 6c 75 74 69 6f 6e 73  31 1a
30 18 06 03 55 04   olutions1.0...U.   0070:  03 13 11 6e 65 77 2e 74  68
65 6f 72 65 74 69 63   ...new.theoretic   0080:  2e 63 6f 6d 31 21 30 1f
06 09 2a 86 48 86 f7 0d   .com1!0...*.H...   0090:  01 09 01 16 12 72 6f
6f  74 40 74 68 65 6f 72 65   .....root@theore   00a0:  74 69 63 2e 63 6f
6d 30  1e 17 0d 30 33 30 39 30   tic.com0...03090   00b0:  35 30 32 32 38
32 32 5a  17 0d 31 33 30 39 30 32   5022822Z..130902   00c0:  30 32 32 38
32 32 5a 30  7c 31 0b 30 09 06 03 55   022822Z0|1.0...U   00d0:  04 06 13
02 55 53 31 10  30 0e 06 03 55 04 08 13   ....US1.0...U...   00e0:  07 46
6c 6f 72 69 64 61  31 1c 30 1a 06 03 55 04   .Florida1.0...U.   00f0:  0a
13 13 54 68 65 6f 72  65 74 69 63 20 53 6f 6c   ...Theoretic Sol   0100:
75 74 69 6f 6e 73 31 1a  30 18 06 03 55 04 03 13   utions1.0...U...
0110:  11 6e 65 77 2e 74 68 65  6f 72 65 74 69 63 2e 63   .new.theoretic.c
  0120:  6f 6d 31 21 30 1f 06 09  2a 86 48 86 f7 0d 01 09
om1!0...*.H.....   0130:  01 16 12 72 6f 6f 74 40  74 68 65 6f 72 65 74
69   ...root@theoreti   0140:  63 2e 63 6f 6d 30 81 9f  30 0d 06 09 2a 86
48 86   c.com0..0...*.H.   0150:  f7 0d 01 01 01 05 00 03  81 8d 00 30 81
89 02 81   ...........0....   0160:  81 00 d5 48 0d cc 40 98  30 d2 f4 d6
03 a0 72 71   ...H..@.0.....rq   0170:  1c 52 38 85 b1 4f f5 00  3c a6 16
c5 5a 86 0c b8   .R8..O..<...Z...   0180:  87 cc 4d 90 6c 53 8c bc  06 a2
05 bc 30 d1 0c 90   ..M.lS......0...   0190:  89 7d 8e c6 6d 7e 48 f5  03
35 81 8f 6a cd d5 32   .}..m~H..5..j..2   01a0:  46 95 69 4f 59 4c 20 0b
e1 cf 4f d9 dc 11 37 38   F.iOYL ...O...78   01b0:  97 ce 42 9b 26 3b 66
da  3f 7b c6 ef 01 e6 01 76   ..B.&;f.?{.....v   01c0:  25 bc 3b c4 06 2a
98 44  f5 b3 11 dd e3 f1 33 e5   %.;..*.D......3.   01d0:  10 e5 76 3e ce
03 1c 14  88 17 a8 00 f1 ea 17 45   ..v>...........E   01e0:  ef 5f 02 03
01 00 01 a3  81 da 30 81 d7 30 1d 06   ._........0..0..   01f0:  03 55 1d
0e 04 16 04 14  46 4f 74 83 4f 6a cc 86   .U......FOt.Oj..   0200:  34 e9
88 e0 41 60 0b 30  f4 55 22 fc 30 81 a7 06   4...A`.0.U".0...   0210:  03
55 1d 23 04 81 9f 30  81 9c 80 14 46 4f 74 83   .U.#...0....FOt.   0220:
4f 6a cc 86 34 e9 88 e0  41 60 0b 30 f4 55 22 fc   Oj..4...A`.0.U".
0230:  a1 81 80 a4 7e 30 7c 31  0b 30 09 06 03 55 04 06   ....~0|1.0...U..
  0240:  13 02 55 53 31 10 30 0e  06 03 55 04 08 13 07 46
..US1.0...U....F   0250:  6c 6f 72 69 64 61 31 1c  30 1a 06 03 55 04 0a
13   lorida1.0...U...   0260:  13 54 68 65 6f 72 65 74  69 63 20 53 6f 6c
75 74   .Theoretic Solut   0270:  69 6f 6e 73 31 1a 30 18  06 03 55 04 03
13 11 6e   ions1.0...U....n   0280:  65 77 2e 74 68 65 6f 72  65 74 69 63
2e 63 6f 6d   ew.theoretic.com   0290:  31 21 30 1f 06 09 2a 86  48 86 f7
0d 01 09 01 16   1!0...*.H.......   02a0:  12 72 6f 6f 74 40 74 68  65 6f
72 65 74 69 63 2e   .root@theoretic.   02b0:  63 6f 6d 82 01 00 30 0c  06
03 55 1d 13 04 05 30   com...0...U....0   02c0:  03 01 01 ff 30 0d 06 09
2a 86 48 86 f7 0d 01 01   ....0...*.H.....   02d0:  04 05 00 03 81 81 00
39  75 00 9e 79 83 01 fd ac   .......9u..y....   02e0:  7a 48 fb f2 39 c0
e8 7b  b1 5e 37 05 98 2a 2f fb   zH..9..{.^7..*/.   02f0:  2f 09 6c 03 d0
2a 88 bd  50 04 01 3f 39 21 fe 7f   /.l..*..P..?9!..   0300:  6f 59 a5 fb
fa 05 59 b0  68 0a a7 ff 5b bf 5e 26   oY....Y.h...[.^&   0310:  2a ce 36
14 8a 38 24 b9  17 57 ed 2d 20 db 08 1e   *.6..8$..W.- ...   0320:  f3 b7
20 f0 9b 98 22 b7  1f cc a4 4c 70 42 6c 89   .. ..."....LpBl.   0330:  9c
62 24 19 07 15 55 18  5a 91 e4 2d ea 4f 81 97   .b$...U.Z..-.O..   0340:
62 cd 6e 12 bf 28 09 ba  78 a0 ec 47 e0 ea b3 9c   b.n..(..x..G....
0350:  4c d4 eb 32 b3 3a 9c                               L..2.:. TLS
certificate verification: depth: 0, err: 18, subject:
/C=US/ST=Florida/O=Theoretic
Solutions/CN=new.theoretic.com/Email=root@theoretic.com, issuer:
/C=US/ST=Florida/O=Theoretic
Solutions/CN=new.theoretic.com/Email=root@theoretic.com
TLS certificate verification: Error, self signed certificate
tls_write: want=7, written=7
  0000:  15 03 01 00 02 02 30                               ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_sasl_interactive_bind_s: Can't contact LDAP server (81)
        additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
--------------------

It seems to my untrained eye that the OpenLDAP client is rejecting the SSL
certificate because it is self-signed. I have read up on this, and changed
some parameters, but it still seems to be acting this way. Here are my
configuration files:

/etc/openldap/slapd.conf:
--------------------
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
TLSCertificateFile      /site/theoretic/ssl/key.pem
TLSCertificateKeyFile   /site/theoretic/ssl/key.pem
TLSCACertificateFile    /site/theoretic/ssl/key.pem
TLSCipherSuite HIGH:+MEDIUM:!LOW
TLSVerifyClient never
database        ldbm
suffix          "dc=theoretic,dc=com"
rootdn          **********
rootpw          **********
directory       /site/theoretic/ldap
index           objectClass,uid,uidNumber,gidNumber   eq
index           cn,surname,givenname                  eq,subinitial
# The access-control for this directory.
# Set control on the userPassword attribute.
access to dn=".*,ou=Persons,dc=theoretic,dc=com"
  attrs=userPassword
  by self write
  by * auth
  by dn="cn=root,dc=theoretic,dc=com" write
# Simple control granting read access to the world
access to *
     by * read
--------------------

/etc/openldap/ldap.conf:
--------------------
BASE    dc=theoretic,dc=com
URI     ldaps://new.theoretic.com:636/
--------------------

/etc/ldap.conf:
--------------------
# host new.theoretic.com
base dc=theoretic,dc=com
uri ldaps:/// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock
ldap_version 3
port 636
scope one
timelimit 30
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute gid
pam_password clear
nss_base_passwd         ou=Persons,dc=theoretic,dc=com?one
nss_base_shadow         ou=Persons,dc=theoretic,dc=com?one
nss_base_group          ou=Groups,dc=theoretic,dc=com?one
ssl start_tls
ssl on
TLS_REQCERT never
--------------------

/etc/nsswitch.conf:
--------------------
passwd:         files ldap
shadow:         files ldap
group:          files ldap
--------------------

/etc/pam.d/system-auth:
--------------------
auth       sufficient   /lib/security/pam_ldap.so use_first_pass
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok nodelay
auth       required     /lib/security/pam_deny.so

account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix.so

password   sufficient   /lib/security/pam_ldap.so use_authtok
password   required     /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_unix.so nullok md5 shadow
use_authtok
password   required     /lib/security/pam_deny.so

session    optional     /lib/security/pam_ldap.so
session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel/
umask=0
session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so
--------------------

/etc/conf.d/slapd:
--------------------
OPTS="-h 'ldaps:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
--------------------

I'm hoping this level of detail can help someone help me, I'becomingng
very perplexed and frustrated by trying to solve this on my own.







--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html