
Questions about SSL/TLS - yes, I read openldap.org



# /usr/local/libexec/slapd -V
@(#) $OpenLDAP: slapd 2.2.5 (Feb 23 2004 21:44:25) $

root@XXX.com:/usr/ports/net/openldap22-server/work/openldap-2.2.5/servers/slapd

Hi, I am trying to follow along with the SSL/TLS setup in Carter's _LDAP System
Administrator_. A few things..

Carter does not set up a CA cert. He only defines:

TLSCipherSuite HIGH
TLSCertificateFile /usr/local/etc/openldap/ssl/slapd-cert.pem
TLSCertificateKeyFile /usr/local/etc/openldap/ssl/slapd-key.pem

(The paths are altered to fit my FreeBSD system, but the idea is the same.)

I created slapd-*.pem using CA.pl.

It seems to work fine for ldapsearch:

# ldapsearch -x -h XXX.com -ZZ
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
...

In ldap.conf I just pointed to /usr/local/etc/openldap/ssl/slapd-cert.pem:

TLS_CACERT      /usr/local/etc/openldap/ssl/slapd-cert.pem

Is this wrong? It seems to work. openldap.org seems to rely on TLS_CACERT
pointing to slapd-ca.pem. (openldap.org points to three files, including
cert, key, and ca.)

I am trying to reconcile the differences between the documentation in the
book and the site.

I am starting slapd with -h "ldap:/// ldaps:///". The FAQ on the site
indicates that this method is deprecated
(http://www.openldap.org/faq/data/cache/605.html). Instead, it mentions the
use of Start TLS. I wonder if that is the other problem I'm having. I am
trying to test remote connections over SSL with Softerra's free LDAP Browser
2.5. I can connect fine over LDAP, but if I enable "Try to use secure
connection (only LDAP v.3)" then I get the error "Can't contact LDAP server"
from the browser, and this error from slapd:

connection_get(12): got connid=2
connection_read(12): checking for input on id=2
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(12): got connid=2
connection_read(12): checking for input on id=2
TLS trace: SSL3 alert read:fatal:unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_pkt.c:1052
connection_read(12): TLS accept error error=-1 id=2, closing
connection_closing: readying conn=2 sd=12 for close
connection_close: conn=2 sd=12

I am thinking that Softerra's LDAP Browser is trying to use Start TLS
instead of trying to connect with LDAPS over port 636. Correct?

And why does ldapsearch need the CA cert, but Softerra's LDAP Browser not
need one in the config?

Background:
Long-term, we will be using openldap for user authentication. Because of
this we will probably want both the client and server to confirm identity
using TLS. For now I just want to test and play and get this working in
various configurations.
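Added example, not part of the mail above and not OpenLDAP's own code: a small sh script using the openssl CLI that shows, from the verification side, why a TLS_CACERT that points at the server's own self-signed slapd-cert.pem verifies (a self-signed cert is its own trust anchor), and what happens when the peer checks that cert against a trust store that does not contain it, which is the condition under which a TLS client sends the "unknown CA" alert that the slapd trace records. All file and host names (ldap.example.com, other-ca.example.com, the temp directory) are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original mail). Uses the openssl CLI to show
# why TLS_CACERT=slapd-cert.pem verifies for a self-signed server cert, and
# what a peer sees when its trust store lacks that cert ("unknown CA").
# File names below are constructed for this demo.

set -u
WORK="${TMPDIR:-/tmp}/ldap-tls-demo.$$"
mkdir -p "$WORK"

# make_selfsigned NAME CN: write $WORK/NAME-key.pem and $WORK/NAME-cert.pem
# (the equivalent of what CA.pl produced for slapd-key.pem / slapd-cert.pem)
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" \
        -keyout "$WORK/$1-key.pem" -out "$WORK/$1-cert.pem" >/dev/null 2>&1
}

# verify_with CAFILE CERT: prints "ok" when CERT chains to something in
# CAFILE, "unknown-ca" when no trust anchor for it can be found
verify_with() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo unknown-ca
    fi
}

# demo: returns 0 when both expected outcomes are observed
demo() {
    make_selfsigned slapd ldap.example.com || return 1
    make_selfsigned other other-ca.example.com || return 1
    # A self-signed cert is its own issuer, so a client whose TLS_CACERT is
    # the server cert itself can build a (one-element) trusted chain.
    r1=$(verify_with "$WORK/slapd-cert.pem" "$WORK/slapd-cert.pem")
    # A client trusting only some unrelated CA cannot build a chain to the
    # server cert; a TLS client in that state aborts with alert "unknown CA".
    r2=$(verify_with "$WORK/other-cert.pem" "$WORK/slapd-cert.pem")
    echo "server cert checked against itself:      $r1"
    echo "server cert checked against other CA:    $r2"
    [ "$r1" = ok ] && [ "$r2" = unknown-ca ]
}

if command -v openssl >/dev/null 2>&1; then
    demo
else
    echo "openssl CLI not found; nothing to demonstrate" >&2
fi
```

The same check applies to the three-file layout the openldap.org docs describe: with a separate slapd-ca.pem, `openssl verify -CAfile slapd-ca.pem slapd-cert.pem` is what a client configured with TLS_CACERT pointing at the CA file is effectively doing during the handshake, and any client that has not been given that CA file (or the self-signed server cert) will fail the same way.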