
ldaps does not authenticate

I'm trying to use OpenLDAP to authenticate over ldaps. I've created my own certificate and added the following lines to my slapd.conf:

TLSCACertificateFile /usr/local/etc/openldap/cacert.pem
TLSCertificateFile /usr/local/etc/openldap/servercrt.pem
TLSCertificateKeyFile /usr/local/etc/openldap/serverkey.pem

I also added this line to my ldap.conf on the client machine:

TLS_CACERT /usr/local/etc/openldap/cacert.pem

When I run the command slapd -d9 -h "ldaps:///" and try to authenticate on a Linux machine that has my generated certificate, I get the following error on the client:
##################################
[root@mymachine ~]# su testuser
su: incorrect password
[root@mymachine ~]#
####################################

The debug output during the transaction is:
############################################################
====> cache_return_entry_r( 1 ): returned (0)
=> id2entry_r( 18 )
====> cache_find_entry_id( 18 ) "uid=testuser,ou=Users,dc=TestDomain,dc=com" (found) (1 tries)
<= id2entry_r( 18 ) 0xf89f16f0 (cache)
=> send_search_entry: dn="uid=testuser,ou=Users,dc=TestDomain,dc=com"
ber_flush: 394 bytes to sd 8
<= send_search_entry
====> cache_return_entry_r( 18 ): returned (0)
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
send_ldap_result: conn=5 op=4 p=3
send_ldap_response: msgid=5 tag=101 err=0
ber_flush: 14 bytes to sd 8
daemon: activity on 1 descriptors
daemon: new connection on 15
daemon: added 15r
daemon: activity on:
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 15r
daemon: read activity on 15
connection_get(15): got connid=6
connection_read(15): checking for input on id=6
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(15): unable to get TLS client DN error=49 id=6
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 8r
daemon: read activity on 8
connection_get(8): got connid=5
connection_read(8): checking for input on id=5
ber_get_next
ber_get_next: tag 0x30 len 198 contents:
ber_get_next
ber_get_next on fd 8 failed errno=11 (Resource temporarily unavailable)
do_search
ber_scanf fmt ({miiiib) ber:
dnPrettyNormal: <dc=testdomain,dc=com>
=> ldap_bv2dn(dc=testdomain,dc=com,0)
<= ldap_bv2dn(dc=testdomain,dc=com,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(dc=testdomain,dc=com,272)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(dc=testdomain,dc=com,272)=0
<<< dnPrettyNormal: <dc=testdomain,dc=com>, <dc=testdomain,dc=com>
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({M}}) ber:
==> limits_get: conn=5 op=5 dn="[anonymous]"
=> ldbm_back_search
dn2entry_r: dn: "dc=testdomain,dc=com"
=> dn2id( "dc=testdomain,dc=com" )
====> cache_find_entry_ndn2id("dc=testdomain,dc=com"): 1 (1 tries)
<= dn2id 1 (in cache)
=> id2entry_r( 1 )
====> cache_find_entry_id( 1 ) "dc=TestDomain,dc=com" (found) (1 tries)
<= id2entry_r( 1 ) 0xf8a237b8 (cache)
search_candidates: base="dc=testdomain,dc=com" s=2 d=0
=> filter_candidates
=> list_candidates 0xa0
=> filter_candidates
=> dn2idl( "@dc=testdomain,dc=com" )
<= filter_candidates 20
=> filter_candidates
=> list_candidates 0xa1
=> filter_candidates
=> equality_candidates
=> ldbm_cache_open( "objectClass.dbb", 73, 600 )
<= ldbm_cache_open (cache 3)
=> key_read
<= index_read 0 candidates
<= equality_candidates NULL
<= equality_candidates 0
<= filter_candidates 0
=> filter_candidates
=> list_candidates 0xa0
=> filter_candidates
=> equality_candidates
=> ldbm_cache_open( "objectClass.dbb", 73, 600 )
<= ldbm_cache_open (cache 3)
=> key_read
<= index_read 4 candidates
<= equality_candidates 4
<= filter_candidates 4
=> filter_candidates
=> equality_candidates
=> ldbm_cache_open( "uid.dbb", 73, 600 )
<= ldbm_cache_open (cache 4)
=> key_read
<= index_read 1 candidates
<= equality_candidates 1
<= filter_candidates 1
<= list_candidates 1
<= filter_candidates 1
<= list_candidates 1
<= filter_candidates 1
<= list_candidates 1
<= filter_candidates 1
====> cache_return_entry_r( 1 ): returned (0)
=> id2entry_r( 18 )
====> cache_find_entry_id( 18 ) "uid=testuser,ou=Users,dc=TestDomain,dc=com" (found) (1 tries)
<= id2entry_r( 18 ) 0xf89f16f0 (cache)
=> send_search_entry: dn="uid=testuser,ou=Users,dc=TestDomain,dc=com"
ber_flush: 394 bytes to sd 8
<= send_search_entry
====> cache_return_entry_r( 18 ): returned (0)
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
send_ldap_result: conn=5 op=5 p=3
send_ldap_response: msgid=6 tag=101 err=0
ber_flush: 14 bytes to sd 8
daemon: activity on 2 descriptors
daemon: activity on: 8r 15r
daemon: read activity on 8
connection_get(8): got connid=5
connection_read(8): checking for input on id=5
ber_get_next
ber_get_next on fd 8 failed errno=0 (Success)
connection_read(8): input error=-2 id=5, closing.
connection_closing: readying conn=5 sd=8 for close
connection_close: conn=5 sd=8
daemon: removing 8
TLS trace: SSL3 alert write:warning:close notify
daemon: read activity on 15
connection_get(15): got connid=6
connection_read(15): checking for input on id=6
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 15 failed errno=0 (Success)
connection_read(15): input error=-2 id=6, closing.
connection_closing: readying conn=6 sd=15 for close
connection_close: conn=6 sd=15
daemon: removing 15
TLS trace: SSL3 alert write:warning:close notify
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
##################################################################

The packet transaction during this time as output by Ethereal:
####################################################################
No.     Time        Source                Destination           Protocol Info
  1079 5.825733    172.16.5.84           172.16.5.109          TCP      1110 > ldaps [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=27335451 TSER=0 WS=2
  1080 5.826043    172.16.5.109          172.16.5.84           TCP      ldaps > 1110 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=4658052 TSER=27335451 WS=2
  1081 5.826154    172.16.5.84           172.16.5.109          TCP      1110 > ldaps [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=27335452 TSER=4658052
  1095 5.851707    172.16.5.84           172.16.5.109          SSLv2    Client Hello
  1096 5.851995    172.16.5.109          172.16.5.84           TCP      ldaps > 1110 [ACK] Seq=1 Ack=143 Win=5792 Len=0 TSV=4658126 TSER=27335477
  1139 5.912199    172.16.5.109          172.16.5.84           TLS      Server Hello, Certificate, Server Hello Done
  1140 5.912418    172.16.5.84           172.16.5.109          TCP      1110 > ldaps [ACK] Seq=143 Ack=964 Win=7768 Len=0 TSV=27335538 TSER=4658249
  1143 5.917665    172.16.5.84           172.16.5.109          TLS      Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
  1144 5.917866    172.16.5.109          172.16.5.84           TCP      ldaps > 1110 [ACK] Seq=964 Ack=341 Win=6864 Len=0 TSV=4658254 TSER=27335543
  1205 6.000107    172.16.5.109          172.16.5.84           TLS      Change Cipher Spec, Encrypted Handshake Message
  1206 6.000466    172.16.5.84           172.16.5.109          TLS      Application Data, Application Data
  1207 6.000871    172.16.5.109          172.16.5.84           TCP      ldaps > 1110 [ACK] Seq=1023 Ack=431 Win=6864 Len=0 TSV=4658334 TSER=27335626
  1242 6.083182    172.16.5.109          172.16.5.84           TLS      Application Data, Application Data
  1243 6.083653    172.16.5.84           172.16.5.109          TLS      Application Data, Application Data
  1244 6.083941    172.16.5.109          172.16.5.84           TCP      ldaps > 1110 [ACK] Seq=1113 Ack=697 Win=7936 Len=0 TSV=4658425 TSER=27335709
  1447 6.426646    172.16.5.109          172.16.5.84           TLS      Application Data, Application Data
  1470 6.453408    172.16.5.109          172.16.5.84           TLS      Application Data, Application Data
  1484 6.465891    172.16.5.84           172.16.5.109          TCP      1110 > ldaps [ACK] Seq=697 Ack=1661 Win=9692 Len=0 TSV=27336092 TSER=4658842
  1854 8.705639    172.16.5.84           172.16.5.109          TLS      Application Data, Application Data
  1855 8.705922    172.16.5.109          172.16.5.84           TCP      ldaps > 1110 [ACK] Seq=1661 Ack=963 Win=9008 Len=0 TSV=4661351 TSER=27338332
  2024 8.986494    172.16.5.109          172.16.5.84           TLS      Application Data, Application Data
  2025 8.986656    172.16.5.84           172.16.5.109          TCP      1110 > ldaps [ACK] Seq=963 Ack=2119 Win=11620 Len=0 TSV=27338613 TSER=4661688
  2067 9.042867    172.16.5.109          172.16.5.84           TLS      Application Data, Application Data
  2068 9.042957    172.16.5.84           172.16.5.109          TCP      1110 > ldaps [ACK] Seq=963 Ack=2209 Win=11620 Len=0 TSV=27338669 TSER=4661756
  2069 9.043806    172.16.5.84           172.16.5.109          TLS      Application Data, Application Data
  2070 9.044165    172.16.5.109          172.16.5.84           TCP      ldaps > 1110 [ACK] Seq=2209 Ack=1245 Win=9008 Len=0 TSV=4661761 TSER=27338670
  2256 9.324858    172.16.5.109          172.16.5.84           TLS      Application Data, Application Data
  2272 9.356081    172.16.5.109          172.16.5.84           TLS      Application Data, Application Data
  2273 9.356172    172.16.5.84           172.16.5.109          TCP      1110 > ldaps [ACK] Seq=1245 Ack=2501 Win=13544 Len=0 TSV=27338983 TSER=4662090
  2274 9.357729    172.16.5.84           172.16.5.109          TCP      1111 > ldaps [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=27338984 TSER=0 WS=2
  2275 9.358104    172.16.5.109          172.16.5.84           TCP      ldaps > 1111 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=4662124 TSER=27338984 WS=2
  2276 9.358218    172.16.5.84           172.16.5.109          TCP      1111 > ldaps [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=27338985 TSER=4662124
  2312 9.419008    172.16.5.84           172.16.5.109          SSLv2    Client Hello
  2313 9.419283    172.16.5.109          172.16.5.84           TCP      ldaps > 1111 [ACK] Seq=1 Ack=143 Win=5792 Len=0 TSV=4662253 TSER=27339045
  2329 9.440490    172.16.5.109          172.16.5.84           TLS      Server Hello, Certificate, Server Hello Done
  2330 9.440697    172.16.5.84           172.16.5.109          TCP      1111 > ldaps [ACK] Seq=143 Ack=964 Win=7768 Len=0 TSV=27339067 TSER=4662276
  2331 9.442980    172.16.5.84           172.16.5.109          TLS      Alert (Level: Fatal, Description: Bad Certificate)
  2354 9.476487    172.16.5.109          172.16.5.84           TCP      ldaps > 1111 [FIN, ACK] Seq=964 Ack=150 Win=5792 Len=0 TSV=4662307 TSER=27339069
  2371 9.516067    172.16.5.84           172.16.5.109          TCP      1111 > ldaps [ACK] Seq=150 Ack=965 Win=7768 Len=0 TSV=27339143 TSER=4662307
  3107 14.123358   172.16.5.84           172.16.5.109          TLS      Application Data, Application Data
  3108 14.123807   172.16.5.109          172.16.5.84           TCP      ldaps > 1110 [ACK] Seq=2501 Ack=1511 Win=9008 Len=0 TSV=4667507 TSER=27343751
  3126 14.152014   172.16.5.109          172.16.5.84           TLS      Application Data, Application Data
  3131 14.158697   172.16.5.109          172.16.5.84           TLS      Application Data, Application Data
  3132 14.159480   172.16.5.84           172.16.5.109          TLS      Application Data, Application Data
  3133 14.159751   172.16.5.109          172.16.5.84           TCP      ldaps > 1110 [ACK] Seq=3049 Ack=1793 Win=9008 Len=0 TSV=4667569 TSER=27343787
  3187 14.276238   172.16.5.109          172.16.5.84           TLS      Application Data, Application Data
  3190 14.282391   172.16.5.109          172.16.5.84           TLS      Application Data, Application Data
  3213 14.315758   172.16.5.84           172.16.5.109          TCP      1110 > ldaps [ACK] Seq=1793 Ack=3341 Win=17396 Len=0 TSV=27343944 TSER=4667669
  3914 18.604881   172.16.5.84           172.16.5.109          TCP      1111 > ldaps [FIN, ACK] Seq=150 Ack=965 Win=7768 Len=0 TSV=27348234 TSER=4662307
  3915 18.604908   172.16.5.84           172.16.5.109          TCP      1111 > ldaps [RST, ACK] Seq=151 Ack=965 Win=7768 Len=0 TSV=27348234 TSER=4662307
  3918 18.606095   172.16.5.84           172.16.5.109          TCP      1110 > ldaps [FIN, ACK] Seq=1793 Ack=3341 Win=17396 Len=0 TSV=27348235 TSER=4667669
  3919 18.611358   172.16.5.109          172.16.5.84           TCP      ldaps > 1111 [ACK] Seq=965 Ack=151 Win=5792 Len=0 TSV=4672667 TSER=27348234
  3920 18.611469   172.16.5.84           172.16.5.109          TCP      1111 > ldaps [RST] Seq=151 Ack=518357715 Win=0 Len=0
  3934 18.627992   172.16.5.109          172.16.5.84           TLS      Encrypted Alert
  3935 18.628094   172.16.5.84           172.16.5.109          TCP      1110 > ldaps [RST] Seq=1794 Ack=515703626 Win=0 Len=0
############################################################################################
I'm running Fedora Core 3 with $OpenLDAP: slapd 2.2.13.
I've never used LDAP before, and I'm trying to build a secure communication channel between my LDAP server and the other services that are going to use it, such as Samba.
Even when I use TLS/SSL instead of ldaps I get the same errors; I created the certificate using the appropriate DN and copied it to the client machines.
Can someone please tell me what I am doing wrong? I'll supply any additional info if you feel the information is insufficient.
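A triage helper I would add for a post like this (it is not part of the original message): it pairs slapd's per-connection trace with the Ethereal summary so the two streams can be told apart, showing that conn 5 on sd 8 completed its handshake and served the searches, while the second handshake (port 1111, conn 6) was cut short by the client's own Fatal Bad Certificate alert, i.e. the client side rejected the server certificate before any bind was sent. The embedded excerpts are constructed subsets of the two dumps above, and crediting each client message to the newest handshake still in progress is an assumption that fits this capture.

```python
import re

# Excerpt of the slapd -d9 trace from the post above (constructed subset, order preserved).
SLAPD_LOG = """\
connection_get(15): got connid=6
connection_read(15): unable to get TLS client DN error=49 id=6
connection_get(8): got connid=5
connection_read(8): checking for input on id=5
do_search
send_ldap_response: msgid=6 tag=101 err=0
"""
# Excerpt of the Ethereal summary from the post above (constructed subset, same columns).
CAPTURE = """\
  1095 5.851707 172.16.5.84 172.16.5.109 SSLv2 Client Hello
  1139 5.912199 172.16.5.109 172.16.5.84 TLS Server Hello, Certificate, Server Hello Done
  1143 5.917665 172.16.5.84 172.16.5.109 TLS Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
  2312 9.419008 172.16.5.84 172.16.5.109 SSLv2 Client Hello
  2329 9.440490 172.16.5.109 172.16.5.84 TLS Server Hello, Certificate, Server Hello Done
  2331 9.442980 172.16.5.84 172.16.5.109 TLS Alert (Level: Fatal, Description: Bad Certificate)
  3107 14.123358 172.16.5.84 172.16.5.109 TLS Application Data, Application Data
"""

def slapd_connections(log):
    """Per connid: socket, the TLS error slapd logged (if any) and how many LDAP ops it decoded."""
    conns, by_fd, current = {}, {}, None
    for line in log.splitlines():
        if m := re.match(r"connection_get\((\d+)\): got connid=(\d+)", line):
            by_fd[int(m[1])] = int(m[2])
            conns.setdefault(int(m[2]), {"sd": int(m[1]), "tls_error": None, "ops": 0})
        elif m := re.match(r"connection_read\((\d+)\): checking for input", line):
            current = by_fd.get(int(m[1]))      # following do_* lines belong to this conn
        elif m := re.match(r"connection_read\((\d+)\): (unable to get TLS client DN error=\d+)", line):
            conns[by_fd[int(m[1])]]["tls_error"] = m[2]
        elif line.startswith("do_") and current is not None:  # do_search, do_bind, ...
            conns[current]["ops"] += 1
    return conns

def handshake_outcomes(summary, client_ip):
    """One entry per Client Hello from client_ip: 'established' once it sends its Key Exchange,
    otherwise the alert text if it aborts first. A client message is credited to the newest
    attempt still in handshake (assumption; it fits the two interleaved streams above)."""
    attempts = []
    for line in summary.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 6 or parts[2] != client_ip:
            continue
        if parts[5].startswith("Client Hello"):
            attempts.append({"frame": int(parts[0]), "outcome": "pending"})
            continue
        pending = [a for a in attempts if a["outcome"] == "pending"]
        if pending and "Client Key Exchange" in parts[5]:
            pending[-1]["outcome"] = "established"
        elif pending and parts[5].startswith("Alert"):
            pending[-1]["outcome"] = parts[5]
    return attempts
```

Running both over the full dumps gives the same picture as the excerpts: the connection that slapd flags with a TLS client DN error and zero operations is the one whose handshake the capture shows ending in the client's Bad Certificate alert.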