TLS secure connection to an LDAP server
Hello all,
Here are my configuration files (I deleted comments).
If you have any remarks, please let me know.
====================================================
/etc/openldap/slapd.conf
------------------------
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/openldap.schema
#include /etc/openldap/schema/redhat/rfc822-MailMember.schema
include /etc/openldap/schema/redhat/autofs.schema
allow bind_v2
pidfile /var/run/slapd.pid
#argsfile //var/run/slapd.args
TLSCertPath /path/to/certs
TLSCACertificateFile /path/to/certs/ca.pem
TLSCertificateFile /path/to/certs/ldap.example.com.pem
TLSCertificateKeyFile /path/to/keys/ldap.example.com.key
#I set these ACLs just for testing, I'll change them later!
access to *
by * write
by * read
#######################################
# ldbm and/or bdb database definitions
#######################################
database ldbm
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw {SSHA}rootdn_hashed_password
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index sambaSID,sambaDomainName,sambaPrimaryGroupSID eq
===================================================
The ldap client conf file (/etc/openldap/ldap.conf):
---------------------------------------------------
HOST ldap.example.com
BASE dc=example,dc=com
TLS_CACERT /path/to/certs/ca.pem
TLS_CACERTDIR /path/to/certs
====================================================
The /etc/ldap.conf file:
-----------------------
host ldap.example.com
base dc=example,dc=com
binddn cn=nssldap,ou=DSA,dc=example,dc=com
bindpw clear_text_nssldap_pwd
rootbinddn cn=Manager,dc=example,dc=com
#port 389
nss_base_passwd dc=example,dc=com?sub
nss_base_shadow dc=example,dc=com?sub
nss_base_group ou=groups,dc=example,dc=com?one
ssl start_tls
#ssl on
tls_checkpeer yes
tls_cacertfile /path/to/certs/ca.pem
tls_cacertdir /path/to/certs
# SSL cipher suite
#tls_ciphers ALL
pam_password md5
==================================================
I actually tried to follow the steps given in the
"smbldap-tools howto" document. I also referred to
"OpenLDAP SSL/TLS how-to, D. Kent Soper" and many
other docs.
s_client to s_server works. Also ldapsearch to
s_server works.
But s_client to my slapd server does not work.
Now, if I try to connect the s_client to the slapd
server through the 636 port, the server returns the
following:
TLS trace: SSL_accept:error in SSLv3 read client hello B
TLS: can't accept.
TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:882
I tried to run s_client with many values of the
-cipher option (also with the -ssl3 or -tls1 options) but
the situation didn't improve.
=======================================
ldapsearch against slapd server returns:
ldap_start_tls: Can't contact LDAP server (81)
additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
ldap_sasl_interactive_bind_s: Can't contact LDAP server (81)
additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
I really would like to have any help.
Thanks.
--- fatima riadi <ftmriadi@yahoo.fr> wrote:
> Date: Thu, 24 Mar 2005 12:50:48 +0100 (CET)
> From: fatima riadi <ftmriadi@yahoo.fr>
> Subject: Fwd: Re: TLS secure connection to an LDAP server
> To: openldap-software@OpenLDAP.org, "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>, gary_tay@platts.com, openssl-users@openssl.org
>
> Ldapsearch (ldapsearch -d3 -x -H ldaps://ldap_srv.domain.com:636) to s_server
> (openssl s_server -debug -accept 636 -state -cert /path/to/ldap_srv_cert.pem -key /path/to/ldap_srv_key.key -CAfile /path/to/ca.pem) works fine.
> But, when I run my ldap server (slapd -d5 -h "ldap:/// ldaps:///") and I try testing the s_client connection to it, I get these error messages:
>
> From the s_client output:
> ------------------------
> SSL_connect:SSLv2/v3 write client hello A
> ...
> ...
> SSL3 alert read:fatal:handshake failure
> SSL_connect:error in SSLv2/v3 read server hello A
> 2151:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:470:
>
> From the slapd debug output:
> ---------------------------
> TLS trace: SSL_accept:before/accept initialization
> TLS trace: SSL3 alert write:fatal:handshake failure
> TLS trace: SSL_accept:error in SSLv3 read client hello B
> TLS trace: SSL_accept:error in SSLv3 read client hello B
> TLS: can't accept.
> TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:882
> connection_read(8): TLS accept error error=-1 id=0, closing
> connection_closing: readying conn=0 sd=8 for close
> connection_close: conn=0 sd=8
>
> Ldapsearch to slapd:
> -------------------
> When I run "ldapsearch -d3 -x -H ldaps://ldap_srv.domain.com:636" I get:
>
> TLS trace: SSL_connect:SSLv2/v3 write client hello A
> tls_read: want=7, got=7
> .....
> TLS trace: SSL3 alert read:fatal:handshake failure
> TLS trace: SSL_connect:error in SSLv2/v3 read server hello A
> TLS: can't connect.
> ldap_perror
> ldap_bind: Can't contact LDAP server (81)
> additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
> ====================================================
>
> I didn't set any TLSCipherSuite into the slapd.conf
> file. I also didn't set any value to the tls_ciphers
> into the /etc/ldap.conf file.
>
> I would appreciate any suggestion.
> Thanks to you all.
>
> --- fatima riadi <ftmriadi@yahoo.fr> wrote:
> > Hi all,
> >
> > --- "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> wrote:
> > > Have you gotten s_client to work with s_server? If not,
> > > there is no reason to expect OpenLDAP Software to work.
> >
> > I've gotten s_client to work with s_server.
> >
> > Here is a sample of my s_server debug output:
> >
> > Using default temp DH parameters
> > ACCEPT
> > SSL_accept:before/accept initialization
> > ....
> > SSL_accept:SSLv3 read client hello A
> > ....
> > SSL_accept:SSLv3 write server hello A
> > ....
> > SSL_accept:SSLv3 write key exchange A
> > ....
> > SSL_accept:SSLv3 write server done A
> > SSL_accept:SSLv3 flush data
> > ....
> > SSL_accept:SSLv3 write finished A
> > SSL_accept:SSLv3 flush data
> > ....
> >
> > ====================================================
> > And this is a part of my s_client output:
> >
> > SSL_connect:SSLv3 read server certificate A
> > SSL_connect:SSLv3 read server key exchange A
> > SSL_connect:SSLv3 read server done A
> > SSL_connect:SSLv3 write client key exchange A
> > SSL_connect:SSLv3 write change cipher spec A
> > SSL_connect:SSLv3 write finished A
> > SSL_connect:SSLv3 flush data
> > SSL_connect:SSLv3 read finished A
> > ---
> > Certificate chain
> > ...
> > ...
> > ...
> > -----END CERTIFICATE-----
> > ---
> > Server certificate
> > ---
> > No client certificate CA names sent
> > ---
> > SSL handshake has read 2043 bytes and written 276 bytes
> > ---
> > New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> > Server public key is 1024 bit
> > SSL-Session:
> > Protocol : TLSv1
> > Cipher : DHE-RSA-AES256-SHA
> > Session-ID: xxxxxxxxxxxxxxxxxx
> > Session-ID-ctx:
> > Master-Key: xxxxxxxxxxxxxxx
> > Key-Arg : None
> > Krb5 Principal: None
> > Start Time: 1111619531
> > Timeout : 300 (sec)
> > Verify return code: 0 (ok)
> > ---
> >
> > ====================================================
> > However, s_client's connection to my ldap server still fails.
> >
> > What may I do to solve this problem please?
> >
> > Thanks
> >
> > __________________________________________________________________
> > Discover the new Yahoo! Mail: 250 MB of storage space for your mail!
> > Create your Yahoo! Mail at http://fr.mail.yahoo.com/
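The thread above reports "no shared cipher" on the slapd side and a handshake-failure alert on the client side while plain s_client/s_server with the same files works. A frequent cause of a server rejecting the ClientHello that way is that it ended up with no usable certificate/key pair for the cipher suites offered (wrong or unreadable TLSCertificateKeyFile, a certificate that does not match the key, or a CA file clients cannot chain to). The script below is an added example, not code from the thread or from OpenLDAP; the file name check_slapd_tls.sh and the function names are hypothetical, it assumes the openssl command-line tool is installed, and make_test_pki builds a throwaway CA and server certificate in a temporary directory (constructed test data, not the poster's real files) so the checks can be exercised offline.

```shell
#!/bin/sh
# check_slapd_tls.sh (hypothetical name, added example): file-level checks for the
# TLSCACertificateFile / TLSCertificateFile / TLSCertificateKeyFile trio that
# slapd.conf points at. Requires the openssl command-line tool.

# Return 0 when the private key in $2 belongs to the certificate in $1.
# Compares the public key extracted from each side, so it works for RSA and EC keys.
tls_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when certificate $2 verifies against the CA bundle in $1
# (the same check a client with tls_checkpeer yes / TLS_CACERT performs).
tls_cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Return 0 when every path given is readable by the current user.
# Run this as the account slapd drops privileges to, not as root.
tls_files_readable() {
    for f in "$@"; do
        [ -r "$f" ] || return 1
    done
    return 0
}

# Run the three checks and print one verdict line each; exit status 0 only if all pass.
check_slapd_tls_files() {
    ca=$1; cert=$2; key=$3; rc=0
    if tls_files_readable "$ca" "$cert" "$key"; then
        echo "ok:   CA, certificate and key are readable"
    else
        echo "FAIL: a file is missing or unreadable (check owner/mode for the slapd user)"; rc=1
    fi
    if tls_key_matches_cert "$cert" "$key"; then
        echo "ok:   TLSCertificateKeyFile matches TLSCertificateFile"
    else
        echo "FAIL: key does not belong to the certificate; slapd has no usable key/cert pair"; rc=1
    fi
    if tls_cert_chains_to_ca "$ca" "$cert"; then
        echo "ok:   certificate verifies against TLSCACertificateFile"
    else
        echo "FAIL: certificate does not chain to the CA file clients are told to trust"; rc=1
    fi
    return $rc
}

# Build a throwaway CA and server certificate under $1 so the checks can be
# exercised offline. Constructed test data, not the poster's real files.
make_test_pki() {
    dir=$1
    mkdir -p "$dir" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=test-ca \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -subj /CN=ldap.example.com \
        -keyout "$dir/ldap.key" -out "$dir/ldap.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$dir/ldap.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/ldap.pem" >/dev/null 2>&1 || return 1
    # An unrelated key, to show what a wrong TLSCertificateKeyFile looks like.
    openssl genrsa -out "$dir/other.key" 2048 >/dev/null 2>&1
}

# Usage: sh check_slapd_tls.sh /path/to/certs/ca.pem /path/to/certs/ldap.example.com.pem /path/to/keys/ldap.example.com.key
if [ "$#" -eq 3 ]; then
    check_slapd_tls_files "$@"
fi
```

Run it with the three paths from slapd.conf, as the user slapd runs as, before reaching for -cipher experiments: if any line reads FAIL, the handshake cannot succeed regardless of TLSCipherSuite. The same key/cert and chain checks apply to the client side against TLS_CACERT in ldap.conf.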