[Date Prev][Date Next] [Chronological] [Thread] [Top]

Problem with SSL/TLS



Hi,

I have a problem setting up my LDAP with SSL/TLS.
I followed some different HOWTO, and checked archive but i didn't find anything relevant to me :(


i've installed my LDAP with TLS. When i do the following query it worked fine:

ldapsearch -b 'my base dn' -D 'my manager bind dn' -x -W

But i use this one, it don't work at all:

ldapsearch -b 'my base dn' -D 'my manager bind dn' -x -W -ZZ -H ldap://my.ldap.url

The url used in -H option is the URL in common name of the server certificate

I've create my CA with CA.sh -newca

My server certificate with

openssl req -newkey rsq:1024 -nodes -keyout newreq.pem -out newreq.pem

and i sign it with CA.sh -sign

I put my cacert my server cert and my server key in /etc/openldap/certs

i made chmod 400 on my server key

and i made a chown ldap:ldap on my server key

My server was startd with:

slapd -4 -d 1 -f /etc/openldap/slapd.conf -g ldap -u ldap -h 'ldap:/// ldaps:///'

Here is the logs obtained:

---------------------------------------START LOG---------------------------------
slapd startup: initiated.
bdb_db_open: dbenv_open(/var/lib/ldap)
slapd starting
ldap_pvt_gethostbyname_a: host=wilfrid, r=0
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ber_scanf fmt (m) ber:
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
do_extended
ber_scanf fmt ({m) ber:
ber_get_next
ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 10
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS: can't accept.
connection_read(10): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=10 for close
connection_close: conn=0 sd=10
--------------------------------------END LOG--------------------------------


Here is my slapd.conf file:

--------------------------------------BEGIN FILE-----------------------------------------------------
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.6 2001/04/20 23:32:43 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# Modified by Christian Zoffoli <czoffoli@linux-mandrake.com
# Version 0.2
#


include /usr/share/openldap/schema/core.schema
include /usr/share/openldap/schema/cosine.schema
include /usr/share/openldap/schema/corba.schema
include /usr/share/openldap/schema/inetorgperson.schema
include /usr/share/openldap/schema/java.schema
include /usr/share/openldap/schema/krb5-kdc.schema
include /usr/share/openldap/schema/kerberosobject.schema
include /usr/share/openldap/schema/nis.schema
include /usr/share/openldap/schema/openldap.schema
include /usr/share/openldap/schema/autofs.schema
include /usr/share/openldap/schema/samba.schema
include /usr/share/openldap/schema/kolab.schema
include /usr/share/openldap/schema/qmail.schema

include /etc/openldap/schema/local.schema

# Define global ACLs to disable default read access.
include         /etc/openldap/slapd.access.conf

pidfile         /var/run/ldap/slapd.pid
argsfile        /var/run/ldap/slapd.args

modulepath      /usr/lib/openldap

# To allow TLS-enabled connections, create /etc/ssl/openldap/ldap.pem
# and uncomment the following lines.
TLSRandFile            /dev/random
TLSCipherSuite         HIGH:MEDIUM:+SSLv2
TLSCertificateFile      /etc/openldap/certs/ldapcert.pem
TLSCertificateKeyFile   /etc/openldap/certs/ldapkey.pem
TLSCACertificatePath   /etc/openldap/certs/
TLSCACertificateFile    /etc/openldap/certs/cacert.pem

TLSVerifyClient demand

# logging
loglevel 256

#######################################################################
# database definitions
#######################################################################

database        bdb
suffix          "my base dn"
rootdn          "my rootdn"

# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          *****************

# The database directory MUST exist prior to running slapd AND
# should only be accessable by the slapd/tools. Mode 700 recommended.
directory       /var/lib/ldap

# Indices to maintain
index   objectClass,uid,uidNumber,gidNumber     eq
index   cn,mail,surname,givenname               eq,subinitial

--------------------------------------END FILE-----------------------------------------------------

Here is my /etc/ldap.conf file:

--------------------------------------BEGIN FILE-----------------------------------------------------
# @(#)$Id: ldap.conf,v 2.28 2001/08/28 12:17:29 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#


# Your LDAP server. Must be resolvable without using LDAP.
host my.server.fqdn

# The distinguished name of the search base.
base <my base dn

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# The search scope.
scope one

# Filter to AND with uid=%s
pam_filter objectclass=posixaccount

# The user ID attribute (defaults to uid)
pam_login_attribute uid

# Group member attribute
pam_member_attribute gid

pam_password crypt

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX          base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd       ou=People,
# to append the default base DN but this
# may incur a small performance impact.
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_shadow ou=People,dc=example,dc=com?one
nss_base_group          ou=Group,dc=example,dc=com?one

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
tls_cacertfile  /etc/openldap/certs/cacert.pem
tls_cacertdir   /etc/openldap/certs/
tls_reqcert     demand

--------------------------------------END FILE-----------------------------------------------------

Here is my user .ldaprc file:

--------------------------------------BEGIN FILE-----------------------------------------------------
# @(#)$Id: ldap.conf,v 2.28 2001/08/28 12:17:29 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#


# Your LDAP server. Must be resolvable without using LDAP.
host my.server.fqdn

# The distinguished name of the search base.
base <my base dn

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# The search scope.
scope one

# Filter to AND with uid=%s
pam_filter objectclass=posixaccount

# The user ID attribute (defaults to uid)
pam_login_attribute uid

# Group member attribute
pam_member_attribute gid

pam_password crypt

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX          base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd       ou=People,
# to append the default base DN but this
# may incur a small performance impact.
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_shadow ou=People,dc=example,dc=com?one
nss_base_group          ou=Group,dc=example,dc=com?one

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
tls_cacertfile  /etc/openldap/certs/cacert.pem
tls_cacertdir   /etc/openldap/certs/

# Client sertificate and key
# Use these, if your server requires client authentication.
tls_cert /home/lmesure/certs/ldap.client.pem
tls_key /home/lmesure/certs/keys/ldap.client.key.pem
tsl_reqcert demand
--------------------------------------END FILE-----------------------------------------------------