Re: Authentication failed with ldaps configuration
----- Original Mail -----
From: "Zdenek Styblik" <stybla@turnovfree.net>
To: smainklh@free.fr
Cc: openldap-technical@openldap.org
Sent: Wednesday 2 December 2009 16:37:01 GMT +01:00 Amsterdam / Berlin / Berne / Rome / Stockholm / Vienne
Subject: Re: Authentication failed with ldaps configuration
smainklh@free.fr wrote:
> Hi everyone,
>
> I configured my ldap server (Debian Lenny) to listen on port 636 (ldaps) but it doesn't seem to work when issuing a remote connection.
> Perhaps I made a mistake when generating the certificates?
>
> When I try to browse the ldap server from a remote server I get the following message:
> ----------
> root@vmtest:~# ldapsearch -d 1 -Wx -H ldaps://ldapserver.domain.tld -D cn=admin,dc=domain,dc=tld
> ldap_url_parse_ext(ldaps://ldapserver.domain.tld)
> ldap_create
> ldap_url_parse_ext(ldaps://ldapserver.domain.tld:636/??base)
> Enter LDAP Password:
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP ldapserver.domain.tld:636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 10.10.48.40:636
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> TLS: peer cert untrusted or revoked (0x42)
> ldap_err2string
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> -----------
>
> I generated the certificates with the following command :
> # openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 3650
>
> -----------
>
> Then I tried the connection:
> openssl s_client -connect ldapserver.domain.tld:636 -showcerts
> CONNECTED(00000003)
> depth=0 /C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 /C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
> verify return:1
> ---
> Certificate chain
> 0 s:/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
> i:/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
> -----BEGIN CERTIFICATE-----
> -----END CERTIFICATE-----
> ---
> Server certificate
> subject=/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
> issuer=/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1107 bytes and written 316 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 1024 bit
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1
> Cipher : AES256-SHA
> Session-ID: 9EF5F2D4FD72A0D1161C8334537F1ADF60C8B790A3F699B6DC52557E3C95D427
> Session-ID-ctx:
> Master-Key: 015D50D6D93F502E37EDB577691F05D157E80A439A2B129B370EEA24E651E828A172E43B3F6D29174BF33B96193202F0
> Key-Arg : None
> Start Time: 1259761586
> Timeout : 300 (sec)
> Verify return code: 18 (self signed certificate)
> ---
>
> ------------------
>
> My ldap.conf
> -----------------
> BASE dc=domain,dc=tld
> URI ldaps://ldapserver.domain.tld/
> TLS_REQCERT allow
>
>
> My slapd.conf :
> ----------------
> ...
> TLSCACertificateFile /etc/ldap/ssl/server.pem
> TLSCertificateFile /etc/ldap/ssl/server.pem
> TLSCertificateKeyFile /etc/ldap/ssl/server.pem
> ...
>
> ------------------
> My /etc/default/slapd.conf
> ...
> SLAPD_SERVICES="ldaps://ldapserver.domain.tld"
> ...
>
> Could you please help me?
>
Hello,
are you sure the server is listening on 636?
--- SNIP ---
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
------------
It seems more like a network problem to me.
Please verify it by running % netstat -nlp | grep 636; or eventually % netstat -nlp | grep 389; on the server.
Regards,
Zdenek
--
Zdenek Styblik
Net/Linux admin
OS TurnovFree.net
email: stybla@turnovfree.net
jabber: stybla@jabber.turnovfree.net
Hi Zdenek,
Yes, I am.
netstat -nlp | grep 636
tcp 0 0 10.10.48.40:636 0.0.0.0:* LISTEN
netstat -nlp | grep 389
Logs from the ldap server
-----------
Dec 3 10:10:04 ldapserver slapd[20754]: slap_listener_activate(8):
Dec 3 10:10:04 ldapserver slapd[20754]: >>> slap_listener(ldaps://ldapserver.domain.tld)
Dec 3 10:10:04 ldapserver slapd[20754]: connection_get(14): got connid=42
Dec 3 10:10:04 ldapserver slapd[20754]: connection_read(14): checking for input on id=42
Dec 3 10:10:04 ldapserver slapd[20754]: connection_get(14): got connid=42
Dec 3 10:10:04 ldapserver slapd[20754]: connection_read(14): checking for input on id=42
Dec 3 10:10:04 ldapserver slapd[20754]: connection_read(14): unable to get TLS client DN, error=49 id=42
Dec 3 10:10:04 ldapserver slapd[20754]: connection_get(14): got connid=42
Dec 3 10:10:04 ldapserver slapd[20754]: connection_read(14): checking for input on id=42
Dec 3 10:10:04 ldapserver slapd[20754]: ber_get_next on fd 14 failed errno=0 (Success)
Dec 3 10:10:04 ldapserver slapd[20754]: connection_closing: readying conn=42 sd=14 for close
Dec 3 10:10:04 ldapserver slapd[20754]: connection_close: conn=42 sd=14
It seems to be a certificate problem.
-----
TLS: peer cert untrusted or revoked
-----
Do you have any idea?
Grifith
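The certificate decision this thread turns on, as an added example that is not part of the thread: it builds a self-signed certificate with the same options the original poster used (the subject is constructed and ldapserver.example.test is a placeholder hostname) and runs OpenSSL's verifier with and without a CA file, which is the difference between a client whose TLS_CACERT (ldap.conf) holds the server certificate and one that has no trust anchor for it.

```shell
#!/bin/sh
# Added example (not from the thread): build a self-signed certificate with
# the same options the poster used, then ask OpenSSL's verifier whether it
# trusts that certificate with and without a CA file. "peer cert untrusted"
# on the ldaps client is the same decision: a self-signed server cert is only
# trusted if the client's TLS_CACERT (ldap.conf) contains it or its issuer.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/server.crt"
KEY="$WORK/server.key"
# Constructed subject; the hostname is a placeholder, not the thread's server.
SUBJ="/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.example.test"

# Same shape as the poster's openssl req command, with key and certificate in
# separate files so TLSCertificateFile and TLSCertificateKeyFile can differ.
make_self_signed() {
  openssl req -newkey rsa:2048 -x509 -nodes -days 3650 -subj "$SUBJ" \
    -keyout "$KEY" -out "$CERT" >/dev/null 2>&1
}

# Prints "self-signed" when subject and issuer are identical (as in the
# poster's s_client output), "ca-issued" otherwise.
cert_kind() {
  s=$(openssl x509 -in "$CERT" -noout -subject | sed 's/^subject= *//')
  i=$(openssl x509 -in "$CERT" -noout -issuer | sed 's/^issuer= *//')
  [ "$s" = "$i" ] && echo self-signed || echo ca-issued
}

# Verify against the default trust store only: fails with "self signed
# certificate" (verify error 18), the same code the poster's s_client showed.
verify_untrusted() {
  openssl verify "$CERT" >/dev/null 2>&1 && echo OK || echo FAIL
}

# Verify with the certificate itself as the CA file: this is what a client
# configured with "TLS_CACERT /path/to/server.crt" effectively does.
verify_with_cafile() {
  openssl verify -CAfile "$CERT" "$CERT" >/dev/null 2>&1 && echo OK || echo FAIL
}

make_self_signed
echo "certificate:  $(cert_kind)"
echo "no CA file:   $(verify_untrusted)"
echo "with CA file: $(verify_with_cafile)"
```

TLS_REQCERT only controls what the client does when verification fails; it does not make an untrusted certificate trusted, so the CA file is the setting to check first.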