
Authentication failed with ldaps configuration



Hi everyone,

I configured my LDAP server (Debian Lenny) to listen on port 636 (ldaps), but it doesn't seem to work when issuing a remote connection.
Perhaps I made a mistake when generating the certificates?

When I try to browse the LDAP server from a remote server I get the following message:
----------
root@vmtest:~# ldapsearch -d 1 -Wx -H ldaps://ldapserver.domain.tld -D cn=admin,dc=domain,dc=tld
ldap_url_parse_ext(ldaps://ldapserver.domain.tld)
ldap_create
ldap_url_parse_ext(ldaps://ldapserver.domain.tld:636/??base)
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldapserver.domain.tld:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.10.48.40:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: peer cert untrusted or revoked (0x42)
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
-----------

I generated the certificates with the following command:
# openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 3650

-----------

Then I tried the connection:
openssl s_client -connect ldapserver.domain.tld:636 -showcerts
CONNECTED(00000003)
depth=0 /C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
verify return:1
---
Certificate chain
 0 s:/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
   i:/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
---
Server certificate
subject=/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
issuer=/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
---
No client certificate CA names sent
---
SSL handshake has read 1107 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 9EF5F2D4FD72A0D1161C8334537F1ADF60C8B790A3F699B6DC52557E3C95D427
    Session-ID-ctx:
    Master-Key: 015D50D6D93F502E37EDB577691F05D157E80A439A2B129B370EEA24E651E828A172E43B3F6D29174BF33B96193202F0
    Key-Arg   : None
    Start Time: 1259761586
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

------------------

My ldap.conf
-----------------
BASE    dc=domain,dc=tld
URI     ldaps://ldapserver.domain.tld/
TLS_REQCERT allow


My slapd.conf:
----------------
...
TLSCACertificateFile /etc/ldap/ssl/server.pem
TLSCertificateFile /etc/ldap/ssl/server.pem
TLSCertificateKeyFile /etc/ldap/ssl/server.pem
...

------------------
My /etc/default/slapd.conf
...
SLAPD_SERVICES="ldaps://ldapserver.domain.tld"
...

Could you please help me?
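An added check, not part of the original post or written by its author: it reproduces the poster's certificate generation offline and shows what a TLS client sees when it has no trust anchor for a self-signed server certificate. It assumes the openssl CLI is installed; the CN is a constructed name and the key is 2048 bits instead of the post's 1024.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces the poster's
# certificate generation offline and checks what a TLS client sees.
# Assumes the openssl CLI is available; CN and key size are constructed.
set -e
WORK="$(mktemp -d)"
PEM="$WORK/server.pem"
trap 'rm -rf "$WORK"' EXIT

# Same command as the post (key and cert written to one file), made
# non-interactive with -subj and using a 2048-bit key instead of 1024.
gen_selfsigned() {
    openssl req -newkey rsa:2048 -x509 -nodes -days 3650 \
        -subj "/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.example" \
        -out "$PEM" -keyout "$PEM" 2>/dev/null
}

# Check 1: slapd.conf points all three TLS* directives at this one file,
# so it must contain both the private key and the certificate.
has_key_and_cert() {
    grep -q 'BEGIN CERTIFICATE' "$PEM" && grep -q 'PRIVATE KEY' "$PEM"
}

# Check 2: the private key must belong to the certificate
# (compare the hashes of the two public keys).
key_matches_cert() {
    c="$(openssl x509 -in "$PEM" -noout -pubkey | openssl sha256)"
    k="$(openssl pkey -in "$PEM" -pubout | openssl sha256)"
    [ "$c" = "$k" ]
}

# Check 3: with an empty trust store a self-signed certificate fails
# verification, which is the "self signed certificate" (error 18) seen in
# s_client; once the client is handed the server's own certificate as its
# CA (TLS_CACERT in ldap.conf, with TLS_REQCERT demand) it verifies.
verify_without_ca() {
    openssl verify -no-CAfile -no-CApath "$PEM" >/dev/null 2>&1
}
verify_with_own_ca() {
    openssl verify -no-CAfile -no-CApath -CAfile "$PEM" "$PEM" >/dev/null 2>&1
}

gen_selfsigned
has_key_and_cert && echo "key and certificate present in $PEM"
key_matches_cert && echo "private key matches certificate"
verify_without_ca || echo "untrusted without a CA file (as in the post)"
verify_with_own_ca && echo "trusted when the client is given the cert as CA"
```

The same trust decision applies to any LDAP client: pointing TLS_CACERT at the server's certificate keeps verification enabled, whereas lowering TLS_REQCERT only hides the mismatch.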