[Date Prev][Date Next] [Chronological] [Thread] [Top]

Using Arbitrary X509 certificates for LDAPS authentication

To: openldap-technical@openldap.org
Subject: Using Arbitrary X509 certificates for LDAPS authentication
From: Stephen Cartwright <034710@gmail.com>
Date: Wed, 2 Sep 2009 17:38:19 -0600
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:date:message-id:subject :from:to:content-type; bh=5R+LcAuD1PMQnItzw3iwEACOtzUeUF7ZTkw+uP84yEE=; b=wtaGMZtXYmfzeW9YXyu29t1qSnJnit8X4jiJfY4xB/0hwOuFzQlXW8OGe3mLT3v5zL wn7+E1hIJBACSXPJtw6+KJVH0cARh3DVtwLV2UwG173PJvS/HD9SWIRV+SFffi8Nlmeh 1AmTEbTyX7LYmvIJRtR/4jD/vcwSP3NWEoVQo=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; b=MrNk7PNzmoErFzxauxUUTBQWWQ2TyB7yz6D4Uy5o3XHxNhtYDdz5Q0k41ysVMiteXv eYe5XJz6ZG0shJedTSVIwGPrQWxZoZBiRD5bpX3Vvvx5ATVvF1NRESVdcEjY8KURMOY4 6vISa14HK7Ko8NIOs5BDUE+IUqEzawTMYW98c=

Hi there,

Are there any restrictions on the DN or other attributes of
credentials used for LDAP authentication?

We are using grid credentials (X509 format) with DNs like this:

issuer= /C=CA/O=Grid/CN=Grid Canada Certificate Authority
subject= /C=CA/O=Grid/CN=host/somehost.somedomain.ca

When I use some grid certs (X509 format)  I see this message in the debug
output from slapd:

connection_read(10): unable to get TLS client DN error=49 id=3

When I try to connect, I get this:

ldap_initialize( ldaps://somehost.somedomain.ca )
ldap_bind: Can't contact LDAP server

The openssl command to create a connection works OK:

CONNECTED(00000003)
---
Certificate chain
  0 s:/C=CA/O=Grid/CN=host/somehost.somedomain.ca
    i:/C=CA/O=Grid/CN=Grid Canada Certificate Authority
  1 s:/C=CA/O=Grid/CN=Grid Canada Certificate Authority
    i:/C=CA/O=Grid/CN=Grid Canada Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=CA/O=Grid/CN=host/somehost.somedomain.ca
issuer=/C=CA/O=Grid/CN=Grid Canada Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 2083 bytes and written 320 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
     Protocol  : TLSv1
     Cipher    : DES-CBC3-SHA
     Session-ID:
43B46528E848663E7C8E9CAAEA4E6DB5E4A9675C05C3066DBD826CD1CF59A566
     Session-ID-ctx:
   Master-Key:
A8245A0731BA98F0D88821346432868C392FEE3F23EAFB9F356A34CB6BB663FC0892374118F280D6284C8E2ACAC3
     Key-Arg   : None
     Start Time: 1251330160
     Timeout   : 300 (sec)
     Verify return code: 0 (ok)

When I use certs created by us with another DN format such as this:

subject= /C=CA/ST=Province/L=Town/O=Organization/OU=Unit/CN=somehost.somedomain.ca/emailAddress=email@somewhere.ca
issuer= /C=CA/ST=Province/O=Organization/OU=Town/CN=Our
CA/emailAddress=email@somewhere.ca

And then make no other changes to the config other than pointing
everything to the new commands I can make a connection.

Any suggestions? Please advise.

Steve

Follow-Ups:
- Re: Using Arbitrary X509 certificates for LDAPS authentication
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: syncrepl "modified by peer" question
Next by Date: Re: Using Arbitrary X509 certificates for LDAPS authentication
Index(es):
- Chronological
- Thread