Re: openldap and tls

[Tony Earnshaw <tonni@hetnet.nl>]

Dave skrev, on 14-02-2008 09:36:
> Hello,
>    I'm still having issues with tls, getting a openldap 2.4 client and 
> server to talk tls to each other. If anyone has a sanitized working 
> configuration i'd like to see it. I'm starting to wonder if i have to 
> apply any security settings? I'm getting the below with tls now.
>    Thanks.
> Dave.
>
> #/usr/local/libexec/slapd -d 5 -h ldap://0.0.0.0
> @(#) $OpenLDAP: slapd 2.4.7 (Jan 20 2008 00:56:58) $
> root@ldap1:/var/ports/basejail/usr/ports/net/openldap24-server/work/openldap-2.4.7/servers/slapdldap_pvt_gethostbyname_a: 
> host=ldap, r=0daemon_init: ldap://0.0.0.0daemon_init: listen on 
> ldap://0.0.0.0daemon_init: 1 listeners to 
> open...ldap_url_parse_ext(ldap://0.0.0.0)daemon: listener initialized 
> ldap://0.0.0.0daemon_init: 1 listeners openedldap_createslapd init: 
> initiated server.bdb_back_initialize: initialize BDB 
> backendbdb_back_initialize: Berkeley DB 4.6.21: (September 27, 
> 2007)bdb_db_init: Initializing BDB database>>> dnPrettyNormal: 
> <dc=davemehler,dc=com>=> ldap_bv2dn(dc=davemehler,dc=com,0)<= 
> ldap_bv2dn(dc=davemehler,dc=com)=0=> ldap_dn2bv(272)<= 
> ldap_dn2bv(dc=davemehler,dc=com)=0=> ldap_dn2bv(272)<= 
> ldap_dn2bv(dc=davemehler,dc=com)=0<<< dnPrettyNormal: 
> <dc=davemehler,dc=com>, <dc=davemehler,dc=com>>>> dnPrettyNormal: 
> <cn=Manager,dc=davemehler,dc=com>=> 
> ldap_bv2dn(cn=Manager,dc=davemehler,dc=com,0)<= 
> ldap_bv2dn(cn=Manager,dc=davemehler,dc=com)=0=> ldap_dn2bv(272)<= l!
> dap_dn2bv(cn=Manager,dc=davemehler,dc=com)=0=> ldap_dn2bv(272)<= 
> ldap_dn2bv(cn=manager,dc=davemehler,dc=com)=0<<< dnPrettyNormal: 
> <cn=Manager,dc=davemehler,dc=com>,<cn=manager,dc=davemehler,dc=com>>>> 
> dnNormalize: <cn=Subschema>=> ldap_bv2dn(cn=Subschema,0)<= 
> ldap_bv2dn(cn=Subschema)=0=> ldap_dn2bv(272)<= 
> ldap_dn2bv(cn=subschema)=0<<< dnNormalize: 
> <cn=subschema>matching_rule_use_init    1.2.840.113556.1.4.804 
> (integerBitOrMatch): matchingRuleUse: (1.2.840.113556.1.4.804 NAME 
> 'integerBitOrMatch' APPLIES (supportedLDAPVersion $ entryTtl $ uidNumber 
> $ gidNumber $mailPreferenceOption $ shadowLastChange $ shadowMin $ 
> shadowMax $shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ 
> ipServicePort $ipProtocolNumber $ oncRpcNumber ) )    
> 1.2.840.113556.1.4.803 (integerBitAndMatch): matchingRuleUse: 
> (1.2.840.113556.1.4.803 NAME 'integerBitAndMatch' APPLIES 
> (supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber 
> $mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax !
> $shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServic
>
> ePort $ipProtocolNumber $ oncRpcNumber ) )    1.3.6.1.4.1.1466.109.114.2 
> (caseIgnoreIA5Match): matchingRuleUse: (1.3.6.1.4.1.1466.109.114.2 NAME 
> 'caseIgnoreIA5Match' APPLIES ( altServer $ c$ mail $ dc $ 
> associatedDomain $ email $ aRecord $ mDRecord $ mXRecord $nSRecord $ 
> sOARecord $ cNAMERecord $ janetMailbox $ gecos $ homeDirectory 
> $loginShell $ memberUid $ memberNisNetgroup $ ipHostNumber $ 
> ipNetworkNumber$ ipNetmaskNumber $ macAddress $ bootFile $ nisMapEntry $ 
> mailbox $ quota $maildrop $ mailsource $ virtualdomain $ 
> virtualdomainuser $ defaultdelivery$ disableimap $ disablepop3 $ 
> disablewebmail $ sharedgroup $ disableshared $mailhost ) )    
> 1.3.6.1.4.1.1466.109.114.1 (caseExactIA5Match): matchingRuleUse: 
> (1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match' APPLIES ( altServer 
> $ c$ mail $ dc $ associatedDomain $ email $ aRecord $ mDRecord $ 
> mXRecord $nSRecord $ sOARecord $ cNAMERecord $ janetMailbox $ gecos $ 
> homeDirectory $loginShell $ memberUid $ memberNisNetgroup $ ipH!
> ostNumber $ ipNetworkNumber$ ipNetmaskNumber $ macAddress $ bootFile $ 
> nisMapEntry $ mailbox $ quota $maildrop $ mailsource $ virtualdomain $ 
> virtualdomainuser $ defaultdelivery$ disableimap $ disablepop3 $ 
> disablewebmail $ sharedgroup $ disableshared $mailhost ) )    2.5.13.35 
> (certificateMatch):     2.5.13.34 
> (certificateExactMatch):matchingRuleUse: ( 2.5.13.34 NAME 
> 'certificateExactMatch' APPLIES (userCertificate $ cACertificate ) )    
> 2.5.13.30 (objectIdentifierFirstComponentMatch): matchingRuleUse: 
> (2.5.13.30 NAME 'objectIdentifierFirstComponentMatch' APPLIES 
> (supportedControl $ supportedExtension $ supportedFeatures $ 
> ldapSyntaxes $supportedApplicationContext ) )    2.5.13.29 
> (integerFirstComponentMatch): matchingRuleUse: ( 2.5.13.29NAME 
> 'integerFirstComponentMatch' APPLIES ( supportedLDAPVersion $ entryTtl$ 
> uidNumber $ gidNumber $ mailPreferenceOption $ shadowLastChange 
> $shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire 
> $shadowFlag $ ipServicePort!
>  $ ipProtocolNumber $ oncRpcNumber ) )    2.5.13.27 (generalizedTimeMa
>
> tch): matchingRuleUse: ( 2.5.13.27 NAME'generalizedTimeMatch' APPLIES ( 
> createTimestamp $ modifyTimestamp ) )    2.5.13.24 
> (protocolInformationMatch): matchingRuleUse: ( 2.5.13.24 
> NAME'protocolInformationMatch' APPLIES protocolInformation )    
> 2.5.13.23 (uniqueMemberMatch): matchingRuleUse: ( 2.5.13.23 
> NAME'uniqueMemberMatch' APPLIES uniqueMember )    2.5.13.22 
> (presentationAddressMatch): matchingRuleUse: ( 2.5.13.22 
> NAME'presentationAddressMatch' APPLIES presentationAddress )    
> 2.5.13.20 (telephoneNumberMatch): matchingRuleUse: ( 2.5.13.20 
> NAME'telephoneNumberMatch' APPLIES ( telephoneNumber $ homePhone $ 
> mobile $pager ) )    2.5.13.17 (octetStringMatch): matchingRuleUse: ( 
> 2.5.13.17 NAME'octetStringMatch' APPLIES ( userPassword $ clearPassword 
> ) )    2.5.13.16 (bitStringMatch): matchingRuleUse: ( 2.5.13.16 
> NAME'bitStringMatch' APPLIES x500UniqueIdentifier )    2.5.13.14 
> (integerMatch): matchingRuleUse: ( 2.5.13.14 NAME'integerMatch' APPLIES 
> ( supportedLDAPVersion $ entryT!
> tl $ uidNumber $gidNumber $ mailPreferenceOption $ shadowLastChange $ 
> shadowMin $ shadowMax$ shadowWarning $ shadowInactive $ shadowExpire $ 
> shadowFlag $ ipServicePort$ ipProtocolNumber $ oncRpcNumber ) )    
> 2.5.13.13 (booleanMatch): matchingRuleUse: ( 2.5.13.13 
> NAME'booleanMatch' APPLIES hasSubordinates )    2.5.13.11 
> (caseIgnoreListMatch): matchingRuleUse: ( 2.5.13.11 
> NAME'caseIgnoreListMatch' APPLIES ( postalAddress $ registeredAddress 
> $homePostalAddress ) )    2.5.13.8 (numericStringMatch): 
> matchingRuleUse: ( 2.5.13.8 NAME'numericStringMatch' APPLIES ( 
> x121Address $ internationaliSDNNumber ) )    2.5.13.7 
> (caseExactSubstringsMatch): matchingRuleUse: ( 2.5.13.7 
> NAME'caseExactSubstringsMatch' APPLIES ( serialNumber $ 
> destinationIndicator $dnQualifier ) )    2.5.13.6 
> (caseExactOrderingMatch): matchingRuleUse: ( 2.5.13.6 
> NAME'caseExactOrderingMatch' APPLIES ( serialNumber $ 
> destinationIndicator $dnQualifier ) )    2.5.13.5 (caseExactMatch): 
> matchingRuleUse: ( 2.5.13.5 NAME'!
> caseExactMatch' APPLIES ( supportedSASLMechanisms $ vendorName $vendor
>
> Version $ ref $ name $ cn $ uid $ labeledURI $ description 
> $knowledgeInformation $ sn $ serialNumber $ c $ l $ st $ street $ o $ ou 
> $title $ businessCategory $ postalCode $ postOfficeBox 
> $physicalDeliveryOfficeName $ destinationIndicator $ givenName $ 
> initials $generationQualifier $ dnQualifier $ houseIdentifier $ dmdName 
> $ pseudonym $textEncodedORAddress $ info $ drink $ roomNumber $ 
> userClass $ host $documentIdentifier $ documentTitle $ documentVersion $ 
> documentLocation $personalTitle $ co $ uniqueIdentifier $ 
> organizationalStatus $ buildingName$ documentPublisher $ 
> ipServiceProtocol $ nisMapName $ carLicense $departmentNumber $ 
> displayName $ employeeNumber $ employeeType $preferredLanguage ) )    
> 2.5.13.4 (caseIgnoreSubstringsMatch): matchingRuleUse: ( 2.5.13.4 
> NAME'caseIgnoreSubstringsMatch' APPLIES ( serialNumber $ 
> destinationIndicator $dnQualifier ) )    2.5.13.3 
> (caseIgnoreOrderingMatch): matchingRuleUse: ( 2.5.13.3 
> NAME'caseIgnoreOrderingMatch' APPLIES ( serialNumbe!
> r $ destinationIndicator $dnQualifier ) )    2.5.13.2 (caseIgnoreMatch): 
> matchingRuleUse: ( 2.5.13.2 NAME'caseIgnoreMatch' APPLIES ( 
> supportedSASLMechanisms $ vendorName $vendorVersion $ ref $ name $ cn $ 
> uid $ labeledURI $ description $knowledgeInformation $ sn $ serialNumber 
> $ c $ l $ st $ street $ o $ ou $title $ businessCategory $ postalCode $ 
> postOfficeBox $physicalDeliveryOfficeName $ destinationIndicator $ 
> givenName $ initials $generationQualifier $ dnQualifier $ 
> houseIdentifier $ dmdName $ pseudonym $textEncodedORAddress $ info $ 
> drink $ roomNumber $ userClass $ host $documentIdentifier $ 
> documentTitle $ documentVersion $ documentLocation $personalTitle $ co $ 
> uniqueIdentifier $ organizationalStatus $ buildingName$ 
> documentPublisher $ ipServiceProtocol $ nisMapName $ carLicense 
> $departmentNumber $ displayName $ employeeNumber $ employeeType 
> $preferredLanguage ) )    1.2.36.79672281.1.13.3 (rdnMatch):     
> 2.5.13.1(distinguishedNameMatch): matchingRuleUse: ( 2.5.13.1 !
> NAME'distinguishedNameMatch' APPLIES ( creatorsName $ modifiersName $s
>
> ubschemaSubentry $ entryDN $ namingContexts $ aliasedObjectName 
> $dynamicSubtrees $ distinguishedName $ seeAlso $ member $ owner 
> $roleOccupant $ manager $ documentAuthor $ secretary $ associatedName 
> $dITRedirect ) )    2.5.13.0 (objectIdentifierMatch): matchingRuleUse: ( 
> 2.5.13.0 NAME'objectIdentifierMatch' APPLIES ( supportedControl $ 
> supportedExtension $supportedFeatures $ supportedApplicationContext ) 
> )slapd startup: initiated.backend_startup_one: starting 
> "cn=config"config_back_db_openconfig_build_entry: 
> "cn=config"config_build_entry: "cn=module{0}"config_build_entry: 
> "cn=schema"config_build_entry: "cn={0}core"config_build_entry: 
> "cn={1}cosine"config_build_entry: "cn={2}nis"config_build_entry: 
> "cn={3}inetorgperson"config_build_entry: 
> "cn={4}authldap"config_build_entry: 
> "olcDatabase={-1}frontend"config_build_entry: 
> "olcDatabase={0}config"config_build_entry: 
> "olcDatabase={1}bdb"backend_startup_one: starting 
> "dc=davemehler,dc=com"bdb_db_open: "dc=davemehler,dc=com"bdb_db_ope!
> n: warning - no DB_CONFIG file found in directory/var/db/openldap-data: 
> (2).Expect poor performance for suffix 
> "dc=davemehler,dc=com".bdb_db_open: database 
> "dc=davemehler,dc=com":dbenv_open(/var/db/openldap-data).slapd 
> startingslap_listener_activate(6):>>> 
> slap_listener(ldap://0.0.0.0)connection_get(10)connection_get(10): got 
> connid=0connection_read(10): checking for input on 
> id=0ber_get_nextber_get_next: tag 0x30 len 29 
> contents:ber_get_nextconn=0 op=0 do_extendedber_scanf fmt ({m) 
> ber:do_extended: oid=1.3.6.1.4.1.1466.20037send_ldap_extended: err=0 
> oid= len=0send_ldap_response: msgid=1 tag=120 err=0ber_flush2: 14 bytes 
> to sd 10connection_get(10)connection_get(10): got 
> connid=0connection_read(10): checking for input on id=0TLS trace: 
> SSL_accept:before/accept initializationTLS trace: SSL_accept:SSLv3 read 
> client hello ATLS trace: SSL_accept:SSLv3 write server hello ATLS trace: 
> SSL_accept:SSLv3 write certificate ATLS trace: SSL_accept:SSLv3 write 
> certificate request ATLS tra!
> ce: SSL_accept:SSLv3 flush dataTLS trace: SSL_accept:error in SSLv3 re
>
> ad client certificate ATLS trace: SSL_accept:error in SSLv3 read client 
> certificate Aconnection_get(10)connection_get(10): got 
> connid=0connection_read(10): checking for input on id=0TLS trace: SSL3 
> alert write:fatal:handshake failureTLS trace: SSL_accept:error in SSLv3 
> read client certificate BTLS: can't accept.TLS: error:140890C7:SSL 
> routines:SSL3_GET_CLIENT_CERTIFICATE:peer did notreturn a certificate 
> s3_srvr.c:2514connection_read(10): TLS accept failure error=-1 id=0, 
> closingconnection_closing: readying conn=0 sd=10 for 
> closeconnection_close: conn=0 sd=10^Cdaemon: shutdown requested and 
> initiated.slapd shutdown: waiting for 0 threads to terminateslapd 
> shutdown: initiated====> bdb_cache_release_allslapd destroy: freeing 
> system resources.slapd stopped.

Firstly I can't see how you can have a server running at ldap://0.0.0.0. 
Secondly it looks as if you don't have any customized configuration 
files at all. Does it "work" without starttls? If so, I can't see how.

--Tonni

--
Tony Earnshaw
Email: tonni at hetnet dot nl