[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: problem with openldap ssl client
Hello
On Tue, 2008-07-08 at 10:04 +0200, Buchan Milne wrote:
> On Tue, 2008-07-08 at 00:06 -0400, Sambuddho Chakravarty wrote:
> > Hello
> > I have an openldap server running slapd on 636 (LDAPS) . When I connect
> > from a ldap browser , I am able to successfully browse the database.
>
> Can you be more specific about the software you are using? Not all
> graphical LDAP clients have SSL validation features (and if they do, in
> some cases they aren't enabled by default).
>
> > However when I try to connect from a linux client machine (Ubuntu Server
> > 8.04) I am not able to connect to the ldaps. However regular ldap works
> > fine.
>
> So, assuming it is not a firewall problem, the most likely cause is
> certificate validation.
>
> > The /etc/ldap.conf looks like this
> >
> > ssl start_tls
> > ssl on
>
> You shouldn't use both of these, only use 'ssl on' if you are using
> 'host', in the 'uri' case it won't really make a difference.
>
> > tls_checkpeer tes
>
> "tes" ???
>
> > tls_cacertdir /etc/ldap/cacerts
> > tls_cacertfile /etc/ldap/cacert/cacert.pem
> > #server IP
> > uri ldaps://30.0.0.2/
>
> What is the subject CN on the certificate the server has?
The subject CN on the certificate is the IP address of the server
(30.0.0.2); same as that in the HOST field.
> > pam_password md5
> > base dc=example,dc=com
> >
> > The /etc/ldap/ldap.conf file is like this
> >
> > URI ldaps://30.0.0.2/
> > TLS_CACERTDIR /etc/ldap/cacerts
> > TLS_CACERT /etc/ldap/cacerts/cacert.pem
> > HOST 30.0.0.2
> > BASE dc=example,dc=com
> >
> > The same configuration (with approprirate changes - replacing ldaps with
> > ldap and so on) works fine for regular ldap. But the problem is the
> > ldaps.
>
> So, what do you get if you try something like this:
>
> $ openssl s_client -CAfile /etc/ldap/cacerts/cacert.pem -connect
> 30.0.0.2:636
>
> Does the CN attribute in the server certificate you get back match the
> hostname in the URI?
The CN attribute is the server IP address.
>
>
> > When ldaps client is enabled and I do a getent passed ,
> > the /var/log/auth.log looks like this
> >
> > Jul 7 23:57:46 host3 getent: nss_ldap: reconnecting to LDAP server...
> > Jul 7 23:57:46 host3 getent: nss_ldap: reconnecting to LDAP server
> > (sleeping 1 seconds)...
> > Jul 7 23:57:47 host3 getent: nss_ldap: could not search LDAP server -
> > Server is unavailable
> > Jul 7 23:58:18 host3 getent: nss_ldap: reconnecting to LDAP server...
> >
>
> For now, using the OpenLDAP client utilities (ldapsearch) to do the same
> connection may be an easier way to debug, but once it is working, you
> need to put the equivalent configuration in /etc/ldap.conf. So, with
> your current configuration, this would be the way to test with
> ldapsearch:
>
> $ ldapsearch -x -H ldaps://30.0.0.2 -s base -b dc=example,dc=com
> namingContexts
This results the following error : ldap_result: Can't contact LDAP
server (-1)
>
> However, and certificate-related aspects still need to be in the
> OpenLDAP library configuration file (/etc/ldap/ldap.conf, or ~/.ldaprc).
>
> > Please suggest where I could have gone wrong. Any suggestions would be
> > really appreciated.
>
> Hmm, if you were trying to get https working, you would be getting
> warnings from your browser, this really isn't rocket science, but
> nss_ldap can't show you warning dialogs, so you need to get the
> configuration right ...
>
>
Thanks
Sambuddho
> Regards,
> Buchan
>