Problem with SSL/TLS
- To: OpenLDAP <openldap-software@OpenLDAP.org>
- Subject: Problem with SSL/TLS
- From: Laurent Mesuré <lmesure@nerim.net>
- Date: Wed, 28 Jul 2004 23:43:53 +0200
- User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; fr-FR; rv:1.7) Gecko/20040616
Hi,
I have a problem setting up my LDAP with SSL/TLS.
I followed some different HOWTOs and checked the archive, but I didn't find
anything relevant to me :(
I've installed my LDAP with TLS. When I do the following query it works
fine:
ldapsearch -b 'my base dn' -D 'my manager bind dn' -x -W
But when I use this one, it doesn't work at all:
ldapsearch -b 'my base dn' -D 'my manager bind dn' -x -W -ZZ -H ldap://my.ldap.url
The URL used in the -H option is the URL in the common name of the server
certificate.
I created my CA with CA.sh -newca,
my server certificate with
openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
and I signed it with CA.sh -sign.
I put my CA cert, my server cert and my server key in /etc/openldap/certs.
I did chmod 400 on my server key
and chown ldap:ldap on my server key.
My server was started with:
slapd -4 -d 1 -f /etc/openldap/slapd.conf -g ldap -u ldap -h 'ldap:/// ldaps:///'
Here are the logs obtained:
---------------------------------------START LOG---------------------------------
slapd startup: initiated.
bdb_db_open: dbenv_open(/var/lib/ldap)
slapd starting
ldap_pvt_gethostbyname_a: host=wilfrid, r=0
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ber_scanf fmt (m) ber:
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
do_extended
ber_scanf fmt ({m) ber:
ber_get_next
ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 10
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS: can't accept.
connection_read(10): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=10 for close
connection_close: conn=0 sd=10
--------------------------------------END LOG--------------------------------
Here is my slapd.conf file:
--------------------------------------BEGIN FILE-----------------------------------------------------
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.6 2001/04/20 23:32:43 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# Modified by Christian Zoffoli <czoffoli@linux-mandrake.com>
# Version 0.2
#
include /usr/share/openldap/schema/core.schema
include /usr/share/openldap/schema/cosine.schema
include /usr/share/openldap/schema/corba.schema
include /usr/share/openldap/schema/inetorgperson.schema
include /usr/share/openldap/schema/java.schema
include /usr/share/openldap/schema/krb5-kdc.schema
include /usr/share/openldap/schema/kerberosobject.schema
include /usr/share/openldap/schema/nis.schema
include /usr/share/openldap/schema/openldap.schema
include /usr/share/openldap/schema/autofs.schema
include /usr/share/openldap/schema/samba.schema
include /usr/share/openldap/schema/kolab.schema
include /usr/share/openldap/schema/qmail.schema
include /etc/openldap/schema/local.schema
# Define global ACLs to disable default read access.
include /etc/openldap/slapd.access.conf
pidfile /var/run/ldap/slapd.pid
argsfile /var/run/ldap/slapd.args
modulepath /usr/lib/openldap
# To allow TLS-enabled connections, create /etc/ssl/openldap/ldap.pem
# and uncomment the following lines.
TLSRandFile /dev/random
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/openldap/certs/ldapcert.pem
TLSCertificateKeyFile /etc/openldap/certs/ldapkey.pem
TLSCACertificatePath /etc/openldap/certs/
TLSCACertificateFile /etc/openldap/certs/cacert.pem
TLSVerifyClient demand
# logging
loglevel 256
#######################################################################
# database definitions
#######################################################################
database bdb
suffix "my base dn"
rootdn "my rootdn"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw *****************
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain
index objectClass,uid,uidNumber,gidNumber eq
index cn,mail,surname,givenname eq,subinitial
--------------------------------------END FILE-----------------------------------------------------
Here is my /etc/ldap.conf file:
--------------------------------------BEGIN FILE-----------------------------------------------------
# @(#)$Id: ldap.conf,v 2.28 2001/08/28 12:17:29 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#
# Your LDAP server. Must be resolvable without using LDAP.
host my.server.fqdn
# The distinguished name of the search base.
base <my base dn>
# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3
# The search scope.
scope one
# Filter to AND with uid=%s
pam_filter objectclass=posixaccount
# The user ID attribute (defaults to uid)
pam_login_attribute uid
# Group member attribute
pam_member_attribute gid
pam_password crypt
# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_shadow ou=People,dc=example,dc=com?one
nss_base_group ou=Group,dc=example,dc=com?one
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls
# CA certificates for server certificate verification
# At least one of these is required if tls_checkpeer is "yes"
tls_cacertfile /etc/openldap/certs/cacert.pem
tls_cacertdir /etc/openldap/certs/
tls_reqcert demand
--------------------------------------END FILE-----------------------------------------------------
Here is my user .ldaprc file:
--------------------------------------BEGIN FILE-----------------------------------------------------
# @(#)$Id: ldap.conf,v 2.28 2001/08/28 12:17:29 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#
# Your LDAP server. Must be resolvable without using LDAP.
host my.server.fqdn
# The distinguished name of the search base.
base <my base dn>
# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3
# The search scope.
scope one
# Filter to AND with uid=%s
pam_filter objectclass=posixaccount
# The user ID attribute (defaults to uid)
pam_login_attribute uid
# Group member attribute
pam_member_attribute gid
pam_password crypt
# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_shadow ou=People,dc=example,dc=com?one
nss_base_group ou=Group,dc=example,dc=com?one
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls
# CA certificates for server certificate verification
# At least one of these is required if tls_checkpeer is "yes"
tls_cacertfile /etc/openldap/certs/cacert.pem
tls_cacertdir /etc/openldap/certs/
# Client certificate and key
# Use these, if your server requires client authentication.
tls_cert /home/lmesure/certs/ldap.client.pem
tls_key /home/lmesure/certs/keys/ldap.client.key.pem
tsl_reqcert demand
--------------------------------------END FILE-----------------------------------------------------
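Added example (editor's note; this is not code from the post above or from the OpenLDAP project): a POSIX shell script that rebuilds the certificate setup the post describes in a temporary directory and then runs the checks that decide whether a StartTLS handshake to slapd can get past the point where the log above shows "TLS: can't accept". The host name my.ldap.url, the client name lmesure and every path are assumptions. It produces a CA, a server certificate whose CN and subjectAltName carry the name used in -H ldap://HOST, and a client certificate (needed once slapd.conf says TLSVerifyClient demand); it puts the CA into a hash-named directory, which is what slapd.conf(5) requires for TLSCACertificatePath (the directory is looked up by subject hash, as c_rehash lays it out, so a directory that merely contains cacert.pem does not work); it checks that the key file actually belongs to the certificate; and it writes a client file using the keyword spellings from OpenLDAP's ldap.conf(5) (TLS_CACERT, TLS_CACERTDIR, TLS_REQCERT, TLS_CERT, TLS_KEY), since lines such as tls_cacertfile, pam_* and nss_base_* are nss_ldap/pam_ldap keywords, not libldap ones.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenLDAP.
# Assumptions: host name my.ldap.url, client name lmesure, all paths.

# make_pki DIR HOST: CA, server and client certificates under DIR.
make_pki() {
    dir=$1; host=$2
    mkdir -p "$dir/cadir"
    # Minimal openssl config so the example does not depend on the
    # system openssl.cnf; the CA gets basicConstraints CA:TRUE.
    cat > "$dir/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = Example Test CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
    # CA key and self-signed CA certificate (the CA key stays out of
    # the directory slapd reads).
    openssl req -x509 -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes \
        -days 365 -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # Server: key and CSR in separate files (the post wrote both to
    # newreq.pem); CN and SAN carry the name the client will connect to.
    openssl req -new -config "$dir/openssl.cnf" -subj "/CN=$host" \
        -newkey rsa:2048 -nodes -keyout "$dir/ldapkey.pem" \
        -out "$dir/ldap.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' \
        "$host" > "$dir/server.ext"
    openssl x509 -req -days 365 -in "$dir/ldap.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/server.ext" \
        -out "$dir/ldapcert.pem" 2>/dev/null
    # Client certificate: required when slapd has TLSVerifyClient demand.
    openssl req -new -config "$dir/openssl.cnf" -subj "/CN=lmesure" \
        -newkey rsa:2048 -nodes -keyout "$dir/client.key" \
        -out "$dir/client.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$dir/client.ext"
    openssl x509 -req -days 365 -in "$dir/client.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/client.ext" \
        -out "$dir/client.pem" 2>/dev/null
    # TLSCACertificatePath / TLS_CACERTDIR are searched by subject hash,
    # so the directory must hold <hash>.0 entries, as c_rehash creates.
    cp "$dir/ca.pem" "$dir/cadir/$(openssl x509 -noout -subject_hash -in "$dir/ca.pem").0"
    chmod 400 "$dir/ca.key" "$dir/ldapkey.pem" "$dir/client.key"
}

# cadir_lookup DIR CERT: 0 only if CERT verifies with DIR as a hashed CA
# directory. A directory that just contains cacert.pem fails this.
cadir_lookup() { openssl verify -CApath "$1" "$2" >/dev/null 2>&1; }

# check_pki DIR HOST: chain, key/cert match and name; non-zero on failure.
check_pki() {
    dir=$1; host=$2
    openssl verify -CAfile "$dir/ca.pem" "$dir/ldapcert.pem" >/dev/null 2>&1 \
        || { echo "server chain: FAIL"; return 1; }
    openssl verify -CAfile "$dir/ca.pem" "$dir/client.pem" >/dev/null 2>&1 \
        || { echo "client chain: FAIL"; return 1; }
    cadir_lookup "$dir/cadir" "$dir/ldapcert.pem" \
        || { echo "hashed CA dir: FAIL"; return 1; }
    # The public key inside the cert must equal the one derived from the key
    # file; a mismatch makes SSL_accept fail before any handshake progress.
    c=$(openssl x509 -noout -pubkey -in "$dir/ldapcert.pem" | openssl dgst -sha256)
    k=$(openssl pkey -pubout -in "$dir/ldapkey.pem" | openssl dgst -sha256)
    [ "$c" = "$k" ] || { echo "key/cert match: FAIL"; return 1; }
    # The CN must be the host name given to -H ldap://HOST.
    openssl x509 -noout -subject -in "$dir/ldapcert.pem" | grep -q "CN *= *$host" \
        || { echo "name: FAIL"; return 1; }
    echo "chain, key and name checks: OK"
}

# write_ldaprc DIR HOST: client settings in ldap.conf(5) keyword syntax.
# TLS_CERT/TLS_KEY are user-only options (honoured in ~/.ldaprc).
write_ldaprc() {
    dir=$1; host=$2
    cat > "$dir/ldaprc" <<EOF
BASE          dc=example,dc=com
URI           ldap://$host/
TLS_CACERT    $dir/ca.pem
TLS_CACERTDIR $dir/cadir
TLS_REQCERT   demand
TLS_CERT      $dir/client.pem
TLS_KEY       $dir/client.key
EOF
}

# Usage: save as ldap-pki-check.sh and run it; everything lands in a temp dir.
if [ "${0##*/}" = "ldap-pki-check.sh" ]; then
    d=$(mktemp -d)
    make_pki "$d" my.ldap.url && check_pki "$d" my.ldap.url
    write_ldaprc "$d" my.ldap.url && cat "$d/ldaprc"
fi
```

With the files produced this way, the slapd.conf equivalents are TLSCertificateFile ldapcert.pem, TLSCertificateKeyFile ldapkey.pem, TLSCACertificateFile ca.pem and TLSCACertificatePath pointing at the cadir directory; the client-side test is then ldapsearch -x -ZZ -H ldap://my.ldap.url with the ldaprc from the script in effect.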