
Re: slurpd over ssl not tls



On Tuesday 25 October 2005 15:41, Ran Li wrote:
> Hello list,
>
> I have searched and read the archive but still do not have a clue about my
> problem. Please see if you could provide a clue for troubleshooting. I'm
> trying to configure replication between hosts lda01 and lda03 (OL
> 2.3.7, BDB 4.3.28, openssl-0.9.8). When using 389, replication was fine,
> and I can do the following to prove ldaps is working (slapd starts with -h
> "ldap:/// ldaps:///"):
>
> lda01 # ldapsearch -x -D "cn=replica,ou=profile,o=mydomain.com" -w replica -H ldaps://lda03.mydomain.com
> (over 636) or
> lda01 # ldapsearch -x -D "cn=replica,ou=profile,o=mydomain.com" -w replica -h lda03.mydomain.com -Z
> (over 389, but not sure whether it is encrypted or not; -d7 can see tls_read:....)
>
> lda03 # ldapsearch -x -D "cn=replica,ou=profile,o=mydomain.com" -w replica -H ldaps://lda01.mydomain.com
> (over 636) or
> lda03 # ldapsearch -x -D "cn=replica,ou=profile,o=mydomain.com" -w replica -h lda01.mydomain.com -Z
> (over 389, but not sure whether it is encrypted or not; -d7 can see tls_read:....)
>
> I can use ldapadmin tools to connect to the servers over port 636 too.
>
> openssl verify on both servers says
>
> # openssl s_client -connect lda03.mydomain.com:636 -showcerts -state
> -CAfile /usr/local/openssl/misc/var/ca/cacert.pem
> ......
>     Verify return code: 0 (ok)
>
> # openssl s_client -connect lda03.mydomain.com:636
> ......
>     Verify return code: 19 (self signed certificate in certificate
> chain)
>
> But when I start slurpd, the log complains:
>
> [lda01 ~]# /usr/local/openldap/libexec/slurpd -f
> /usr/local/openldap/etc/openldap/slapd.conf -r /var/log/slapd.replog -d
> 1
> @(#) $OpenLDAP: slurpd 2.3.7 (Sep  7 2005 13:42:42) $
>         root@lda01.mydomain.com:/opt/src/openldap-2.3.7/servers/slurpd
>
> ldap_url_parse_ext(ldaps://lda03.mydomain.com)
> Warning: saved state for 10.1.4.133:389, not a known replica
> Warning: unknown replica 10.1.4.133:389 found in replication log Replica
> lda03.mydomain.com:636, skip repl record for ou=test123,ou=p
> rofile,o=mydomain.com (not mine) Replica lda03.mydomain.com:636, skip
> repl record for ou=test123,ou=profile,o=mydomain.com (not mine)
> ldap_create
> ldap_url_parse_ext(ldaps://lda03.mydomain.com)
> ldap_simple_bind_s
> ldap_sasl_bind_s
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP lda03.mydomain.com:636
> ldap_new_socket: 8
> ldap_prepare_socket: 8
> ldap_connect_to_host: Trying 10.1.4.133:636
> ldap_connect_timeout: fd: 8 tm: -1 async: 0
> ldap_ndelay_on: 8
> Warning: unknown replica lda03.mydomain.com:0 found in replication log
> ldap_is_sock_ready: 8
> ldap_ndelay_off: 8
> TLS trace: SSL_connect:before/connect initialization
> TLS trace: SSL_connect:SSLv2/v3 write client hello A
> TLS trace: SSL_connect:SSLv3 read server hello A
> TLS certificate verification: depth: 1, err: 19, subject:
> /C=ca/ST=ontario/L=toronto/O=my corp/OU=mydomain.com/CN=mydomain.com/emailAddress=ran.li@sprint-canada.com, issuer:
> /C=ca/ST=ontario/L=toronto/O=mydomain/OU=mydomain.com/CN=mydomain.com/emailAddress=ran.li@sprint-canada.com
> TLS certificate verification: Error, self signed certificate in
> certificate chain
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_err2string
> Error: ldap_simple_bind_s for lda03.mydomain.com:636 failed: Can't
> contact LDAP server
> ldap_unbind
>
> All configurations use the same cacert.pem, but
> servercert.pem/serverkey.pem are different.
>
> on master(lda01)
> slapd.conf
> ...
> TLSCipherSuite  HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
> TLSCACertificateFile    /usr/local/openssl/misc/var/ca/cacert.pem
> TLSCertificateFile      /usr/local/openssl/misc/var/ca/servercert.pem
> TLSCertificateKeyFile   /usr/local/openssl/misc/var/ca/serverkey.pem
> ...
> replogfile      /var/log/slapd.replog
> replica         uri=ldaps://lda03.mydomain.com
>                 suffix="o=mydomain.com"
>                 binddn="cn=replica,ou=profile,o=mydomain.com"
>                 bindmethod=simple
>                 credentials=replica
> ...
>
> ldap.conf

These would be the pam_ldap/nss_ldap ldap.conf (by the fact that the 
directives are in lower case):

> ...
> tls_reqcert allow
> tls_cacert /usr/local/openssl/misc/var/ca/cacert.pem
> tls_cacertdir /usr/local/openssl/misc/var/ca
>
> on slave(lda03)
> slapd.conf
> ...
> TLSCipherSuite  HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
> TLSCACertificateFile    /usr/local/openssl/misc/var/ca/cacert.pem
> TLSCertificateFile      /usr/local/openssl/misc/var/ca/servercert.pem
> TLSCertificateKeyFile   /usr/local/openssl/misc/var/ca/serverkey.pem
> ...
> updatedn        "cn=replica,ou=profile,o=mydomain.com"
> updateref       ldaps://lda01.mydomain.com
>
> slurpd over ssl is not working; however, the configuration below works,
> though I'm not sure if I can say slurpd over tls is working:
>
> on master(lda01)
> slapd.conf
> ...
> TLSCipherSuite  HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
> TLSCACertificateFile    /usr/local/openssl/misc/var/ca/cacert.pem
> TLSCertificateFile      /usr/local/openssl/misc/var/ca/servercert.pem
> TLSCertificateKeyFile   /usr/local/openssl/misc/var/ca/serverkey.pem
> ...
> replogfile      /var/log/slapd.replog
> replica         host=lda03.mydomain.com:389
>                 suffix="o=mydomain.com"
>                 binddn="cn=replica,ou=profile,o=mydomain.com"
>                 credentials=replica
>                 bindmethod=simple
>                 tls=yes
> ldap.conf

pam_ldap/nss_ldap

> ...
> tls_reqcert allow
> tls_cacert /usr/local/openssl/misc/var/ca/cacert.pem
> tls_cacertdir /usr/local/openssl/misc/var/ca
>
> on slave(lda03)
> slapd.conf
> ...
> TLSCipherSuite  HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
> TLSCACertificateFile    /usr/local/openssl/misc/var/ca/cacert.pem
> TLSCertificateFile      /usr/local/openssl/misc/var/ca/servercert.pem
> TLSCertificateKeyFile   /usr/local/openssl/misc/var/ca/serverkey.pem
> ...
> updatedn        "cn=replica,ou=profile,o=mydomain.com"
> updateref       ldaps://lda01.mydomain.com
>
> Please comment, thanks in advance.


Specify the CA cert to the ldap library, with something like this (in 
OpenLDAP's ldap.conf):
TLS_CACERT /usr/local/openssl/misc/var/ca/cacert.pem

-- 
Buchan Milne
ISP Systems Specialist
B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)
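The reply's point is that slurpd uses libldap, so the CA file has to be set in OpenLDAP's own ldap.conf (TLS_CACERT), not in the pam_ldap/nss_ldap file with the lower-case tls_* directives. The script below is an added example, not code from the thread or from OpenLDAP: it parses a slapd.conf replica stanza (slapd.conf continues a directive on lines that begin with whitespace) and a libldap ldap.conf, and reports whether the slurpd-to-slave connection is TLS-protected, whether libldap has a CA to verify the slave's chain against (the missing-CA case produces exactly the "self signed certificate in certificate chain" failure quoted above), and whether TLS_REQCERT has been relaxed to never or allow, which would let an unverified certificate through. The sample inputs are constructed from the configuration quoted in the thread; the checker function names are my own.

```python
"""Added example (not part of the thread): offline checker for a slurpd
replica's TLS settings.  It only inspects configuration text; it does not
open a connection or check that the CA file exists on disk."""
import shlex
from typing import Dict, List


def parse_slapd_conf(text: str) -> List[List[str]]:
    """Return slapd.conf directives as token lists.  A line that starts
    with whitespace continues the previous directive (slapd.conf syntax)."""
    logical: List[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    return [shlex.split(line) for line in logical]


def replica_stanzas(directives: List[List[str]]) -> List[Dict[str, str]]:
    """Collect every 'replica' directive as a dict of its key=value options."""
    stanzas = []
    for toks in directives:
        if toks and toks[0].lower() == "replica":
            opts = {}
            for tok in toks[1:]:
                key, _, value = tok.partition("=")
                opts[key.lower()] = value
            stanzas.append(opts)
    return stanzas


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """libldap ldap.conf: one 'KEY value' per line; keys are case-insensitive."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return conf


def check_replication(slapd_conf: str, ldap_conf: str) -> List[str]:
    """Return a list of findings; an empty list means nothing to fix."""
    findings: List[str] = []
    stanzas = replica_stanzas(parse_slapd_conf(slapd_conf))
    if not stanzas:
        return ["no replica stanza found in slapd.conf"]
    conf = parse_ldap_conf(ldap_conf)
    for r in stanzas:
        target = r.get("uri") or r.get("host", "?")
        # ldaps:// gives TLS from the start; tls=yes/critical uses StartTLS.
        uses_tls = (r.get("uri", "").lower().startswith("ldaps://")
                    or r.get("tls", "").lower() in ("yes", "critical"))
        if not uses_tls:
            findings.append(f"{target}: replication traffic, including the "
                            f"bind credentials, is not protected by TLS")
            continue
        if "TLS_CACERT" not in conf and "TLS_CACERTDIR" not in conf:
            findings.append(f"{target}: libldap has no TLS_CACERT/TLS_CACERTDIR, "
                            f"so the slave's chain cannot be verified "
                            f"(expect 'self signed certificate in certificate chain')")
        reqcert = conf.get("TLS_REQCERT", "demand").lower()   # libldap default
        if reqcert in ("never", "allow"):
            findings.append(f"{target}: TLS_REQCERT {reqcert} lets the session "
                            f"proceed with an unverified certificate")
    return findings


# Constructed from the master's slapd.conf quoted in the thread.
MASTER_SLAPD_CONF = """\
TLSCACertificateFile    /usr/local/openssl/misc/var/ca/cacert.pem
replogfile      /var/log/slapd.replog
replica         uri=ldaps://lda03.mydomain.com
                suffix="o=mydomain.com"
                binddn="cn=replica,ou=profile,o=mydomain.com"
                bindmethod=simple
                credentials=replica
"""

# Before the fix: the tls_cacert line lives in the pam_ldap file, so from
# libldap's point of view nothing is configured.
LIBLDAP_CONF_BEFORE = ""

# After the fix from the reply, in OpenLDAP's ldap.conf.
LIBLDAP_CONF_AFTER = "TLS_CACERT /usr/local/openssl/misc/var/ca/cacert.pem\n"

if __name__ == "__main__":
    for label, conf in (("before", LIBLDAP_CONF_BEFORE), ("after", LIBLDAP_CONF_AFTER)):
        print(label, check_replication(MASTER_SLAPD_CONF, conf) or ["ok"])
```

Running it prints one finding for the "before" case (no CA for libldap) and "ok" after TLS_CACERT is added. The same checker applied to the second, host=...:389 tls=yes variant reports the same missing-CA finding, because StartTLS verifies the server certificate exactly as ldaps does; it only passes once TLS_CACERT is present.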
