
TLS secure connection to an LDAP server



Hello all,

Here are my configuration files (I deleted comments).
If you have any remarks, please let me know.

====================================================
/etc/openldap/slapd.conf
------------------------
  include         /etc/openldap/schema/core.schema
  include         /etc/openldap/schema/cosine.schema
  include         /etc/openldap/schema/inetorgperson.schema
  include         /etc/openldap/schema/nis.schema
  include         /etc/openldap/schema/samba.schema
  include         /etc/openldap/schema/misc.schema
  include         /etc/openldap/schema/openldap.schema
  #include        /etc/openldap/schema/redhat/rfc822-MailMember.schema
  include         /etc/openldap/schema/redhat/autofs.schema

  allow bind_v2

  pidfile /var/run/slapd.pid
  #argsfile       //var/run/slapd.args

  TLSCertPath /path/to/certs
  TLSCACertificateFile /path/to/certs/ca.pem
  TLSCertificateFile    /path/to/certs/ldap.example.com.pem
  TLSCertificateKeyFile /path/to/keys/ldap.example.com.key

  #I set these ACLs just for testing, I'll change them later!
  access to *
          by * write
          by * read

  #######################################
  # ldbm and/or bdb database definitions
  #######################################

  database        ldbm
  suffix          "dc=example,dc=com"
  rootdn          "cn=Manager,dc=example,dc=com"
  rootpw          {SSHA}rootdn_hashed_password

  # The database directory MUST exist prior to running slapd AND
  # should only be accessible by the slapd and slap tools.
  # Mode 700 recommended.
  directory       /var/lib/ldap

  # Indices to maintain for this database
  index objectClass                       eq,pres
  index ou,cn,mail,surname,givenname      eq,pres,sub
  index uidNumber,gidNumber,loginShell    eq,pres
  index uid,memberUid                     eq,pres,sub
  index nisMapName,nisMapEntry            eq,pres,sub
  index sambaSID,sambaDomainName,sambaPrimaryGroupSID eq

===================================================
The ldap client conf file (/etc/openldap/ldap.conf):
---------------------------------------------------
  HOST ldap.example.com
  BASE dc=example,dc=com
  TLS_CACERT /path/to/certs/ca.pem
  TLS_CACERTDIR /path/to/certs

====================================================
The /etc/ldap.conf file:
------------------------
  host ldap.example.com
  base dc=example,dc=com

  binddn cn=nssldap,ou=DSA,dc=example,dc=com
  bindpw clear_text_nssldap_pwd

  rootbinddn cn=Manager,dc=example,dc=com

  #port 389

  nss_base_passwd         dc=example,dc=com?sub
  nss_base_shadow         dc=example,dc=com?sub
  nss_base_group          ou=groups,dc=example,dc=com?one

  ssl start_tls

  #ssl on

  tls_checkpeer yes

  tls_cacertfile /path/to/certs/ca.pem
  tls_cacertdir /path/to/certs

  # SSL cipher suite
  #tls_ciphers ALL
  pam_password md5
==================================================

I actually tried to follow the steps given in the
"smbldap-tools howto" document. I also referred to
"OpenLDAP SSL/TLS how-to, D. Kent Soper" and many
other docs.

s_client to s_server works. Also ldapsearch to
s_server works.
But s_client to my slapd server does not work.

Now, if I try to connect the s_client to the slapd
server through the 636 port, the server returns the
following:
  TLS trace: SSL_accept:error in SSLv3 read client hello B
  TLS: can't accept.
  TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:882

I tried to run s_client with many values of the
-cipher option (also with the -ssl3 or -tls1 options) but
the situation didn't improve.
=======================================

ldapsearch against slapd server returns:
  ldap_start_tls: Can't contact LDAP server (81)
          additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
  ldap_sasl_interactive_bind_s: Can't contact LDAP server (81)
          additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

I would really like some help.

Thanks.

 --- fatima riadi <ftmriadi@yahoo.fr> wrote:
> Date: Thu, 24 Mar 2005 12:50:48 +0100 (CET)
> From: fatima riadi <ftmriadi@yahoo.fr>
> Subject: Fwd: Re: TLS secure connection to an LDAP server
> To: openldap-software@OpenLDAP.org, "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>,
>     gary_tay@platts.com, openssl-users@openssl.org
> 
> Ldapsearch (ldapsearch -d3 -x -H ldaps://ldap_srv.domain.com:636) to s_server
> (openssl s_server -debug -accept 636 -state -cert /path/to/ldap_srv_cert.pem
> -key /path/to/ldap_srv_key.key -CAfile /path/to/ca.pem) works fine.
> But, when I run my ldap server (slapd -d5 -h "ldap:/// ldaps:///") and I try
> testing the s_client connection to it, I get these error messages:
> 
> From the s_client output:
> ------------------------
>   SSL_connect:SSLv2/v3 write client hello A
>   ...
>   ...
>   SSL3 alert read:fatal:handshake failure
>   SSL_connect:error in SSLv2/v3 read server hello A
>   2151:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:470:
> 
> From the slapd debug output:
> ---------------------------
>   TLS trace: SSL_accept:before/accept initialization
>   TLS trace: SSL3 alert write:fatal:handshake failure
>   TLS trace: SSL_accept:error in SSLv3 read client hello B
>   TLS trace: SSL_accept:error in SSLv3 read client hello B
>   TLS: can't accept.
>   TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:882
>   connection_read(8): TLS accept error error=-1 id=0, closing
>   connection_closing: readying conn=0 sd=8 for close
>   connection_close: conn=0 sd=8
> 
> Ldapsearch to slapd:
> -------------------
> When I run "ldapsearch -d3 -x -H ldaps://ldap_srv.domain.com:636" I get:
> 
>   TLS trace: SSL_connect:SSLv2/v3 write client hello A
>   tls_read: want=7, got=7
>     .....
>   TLS trace: SSL3 alert read:fatal:handshake failure
>   TLS trace: SSL_connect:error in SSLv2/v3 read server hello A
>   TLS: can't connect.
>   ldap_perror
>   ldap_bind: Can't contact LDAP server (81)
>           additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
> ====================================================
> 
> I didn't set any TLSCipherSuite in the slapd.conf
> file. I also didn't set any value for tls_ciphers
> in the /etc/ldap.conf file.
> 
> I would appreciate any suggestion.
> Thanks to you all.
> 
> --- fatima riadi <ftmriadi@yahoo.fr> wrote:
> > Hi all,
> > 
> > --- "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> wrote:
> > > Have you gotten s_client to work with s_server? If not,
> > > there is no reason to expect OpenLDAP Software to work.
> > 
> > I've gotten s_client to work with s_server.
> > 
> > Here is a sample of my s_server debug output:
> > 
> >   Using default temp DH parameters
> >   ACCEPT
> >   SSL_accept:before/accept initialization
> >   ....
> >   SSL_accept:SSLv3 read client hello A
> >   ....
> >   SSL_accept:SSLv3 write server hello A
> >   ....
> >   SSL_accept:SSLv3 write key exchange A
> >   ....
> >   SSL_accept:SSLv3 write server done A
> >   SSL_accept:SSLv3 flush data
> >   ....
> >   SSL_accept:SSLv3 write finished A
> >   SSL_accept:SSLv3 flush data
> >   ....
> > 
> > ======================================================
> > And this is a part of my s_client output:
> > 
> >   SSL_connect:SSLv3 read server certificate A
> >   SSL_connect:SSLv3 read server key exchange A
> >   SSL_connect:SSLv3 read server done A
> >   SSL_connect:SSLv3 write client key exchange A
> >   SSL_connect:SSLv3 write change cipher spec A
> >   SSL_connect:SSLv3 write finished A
> >   SSL_connect:SSLv3 flush data
> >   SSL_connect:SSLv3 read finished A
> >   ---
> >   Certificate chain
> >   ...
> >   ...
> >   ...
> >   -----END CERTIFICATE-----
> >   ---
> >   Server certificate
> >   ---
> >   No client certificate CA names sent
> >   ---
> >   SSL handshake has read 2043 bytes and written 276 bytes
> >   ---
> >   New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> >   Server public key is 1024 bit
> >   SSL-Session:
> >       Protocol  : TLSv1
> >       Cipher    : DHE-RSA-AES256-SHA
> >       Session-ID: xxxxxxxxxxxxxxxxxx  
> >       Session-ID-ctx:
> >       Master-Key: xxxxxxxxxxxxxxx
> >       Key-Arg   : None
> >       Krb5 Principal: None
> >       Start Time: 1111619531
> >       Timeout   : 300 (sec)
> >       Verify return code: 0 (ok)
> >   ---
> > ====================================================
> > However, s_client's connection to my ldap server still fails.
> > 
> > What may I do to solve this problem please?
> > 
> > Thanks
> > 
> 


	

	
		
__________________________________________________________________
Discover the new Yahoo! Mail: 250 MB of storage space for your mails!
Create your Yahoo! Mail at http://fr.mail.yahoo.com/
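As an added diagnostic example (not part of the message above and not OpenLDAP's own tooling), the following POSIX shell script checks the material that slapd.conf points at with TLSCACertificateFile, TLSCertificateFile and TLSCertificateKeyFile: that the private key belongs to the certificate, that the certificate chains to the CA the clients are told to trust (TLS_CACERT in ldap.conf, tls_checkpeer yes in /etc/ldap.conf), and that its subject CN is the host name the clients connect to. With no TLSCipherSuite configured, an OpenSSL server that cannot use its certificate/key pair ends up with no negotiable cipher suites, and "no shared cipher" is the error it reports, so these are the first things to rule out before tuning ciphers. The script needs only the openssl command-line tool; it builds a throwaway CA and server certificate in a temporary directory as constructed test data (plus a deliberately unrelated key, to show what a mismatch looks like). All file names and the helper function names are my own, not the poster's.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check slapd's TLS files
# before debugging the handshake. Requires the openssl command-line tool.
set -u

# key_matches_cert CERT KEY -> 0 if KEY is the RSA key the certificate was
# issued for, 1 otherwise (also 1 if either file cannot be read, which is
# what happens when slapd's user lacks permission on the key file).
key_matches_cert() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# cert_chains_to_ca CA CERT -> 0 if CERT verifies against CA, which is what a
# client configured with TLS_CACERT / tls_checkpeer yes demands.
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_has_cn CERT HOST -> 0 if HOST is the subject CN of CERT. A peer-checking
# client compares the host it connected to against the certificate.
cert_has_cn() {
    openssl x509 -noout -subject -in "$1" 2>/dev/null | grep -q "CN *= *$2"
}

# make_test_pki DIR HOST: build a throwaway CA and a server certificate for
# HOST in DIR (constructed test data only), plus an unrelated key "wrong.key".
make_test_pki() {
    dir=$1; host=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" -subj "/CN=Test CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" -subj "/CN=$host" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/$host.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/$host.pem" >/dev/null 2>&1
    openssl genrsa -out "$dir/wrong.key" 2048 >/dev/null 2>&1
}

# check_slapd_tls CA CERT KEY HOST: print one line per check and return the
# number of checks that failed (0 means the three files are consistent).
check_slapd_tls() {
    failed=0
    if key_matches_cert "$2" "$3"; then
        echo "ok:   TLSCertificateKeyFile matches TLSCertificateFile"
    else
        echo "FAIL: TLSCertificateKeyFile does not match TLSCertificateFile (or is unreadable)"
        failed=$((failed + 1))
    fi
    if cert_chains_to_ca "$1" "$2"; then
        echo "ok:   certificate verifies against TLSCACertificateFile"
    else
        echo "FAIL: certificate does not chain to TLSCACertificateFile"
        failed=$((failed + 1))
    fi
    if cert_has_cn "$2" "$4"; then
        echo "ok:   certificate CN is $4"
    else
        echo "FAIL: certificate CN is not $4"
        failed=$((failed + 1))
    fi
    return $failed
}

# Usage against the constructed test data (substitute the real slapd.conf
# paths and host name to check a live server; run it as the user slapd runs as,
# so that an unreadable key file shows up as a mismatch):
#   d=$(mktemp -d); make_test_pki "$d" ldap.example.com
#   check_slapd_tls "$d/ca.pem" "$d/ldap.example.com.pem" "$d/ldap.example.com.key" ldap.example.com
#   check_slapd_tls "$d/ca.pem" "$d/ldap.example.com.pem" "$d/wrong.key" ldap.example.com
```

The second usage call is the failure mode: the certificate is fine but the key is not its key, so the first check reports a mismatch while the chain and CN checks still pass. Running the script as the slapd user also catches a key file that root can read but slapd cannot, which looks identical to the server.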