Re: Authentication failed with ldaps configuration
-------- Original Message --------
From: Zdenek Styblik <stybla@turnovfree.net>
To: smainklh@free.fr
Cc: openldap-technical@openldap.org
Subject: Re: Authentication failed with ldaps configuration
Date: Thu, 03 Dec 2009 17:03:32 +0100
smainklh@free.fr wrote:
> ----- Original Mail -----
> From: "Zdenek Styblik" <stybla@turnovfree.net>
> To: smainklh@free.fr
> Cc: openldap-technical@openldap.org
> Sent: Wednesday, 2 December 2009 16:37:01 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
> Subject: Re: Authentication failed with ldaps configuration
>
> smainklh@free.fr wrote:
>> Hi everyone,
>>
>> I configured my LDAP server (Debian lenny) to listen on port 636 (ldaps) but it doesn't seem to work when issuing a remote connection.
>> Perhaps I made a mistake when generating the certificates?
>>
>> When I try to browse the LDAP server from a remote server I get the following message:
>> ----------
>> root@vmtest:~# ldapsearch -d 1 -Wx -H ldaps://ldapserver.domain.tld -D cn=admin,dc=domain,dc=tld
>> ldap_url_parse_ext(ldaps://ldapserver.domain.tld)
>> ldap_create
>> ldap_url_parse_ext(ldaps://ldapserver.domain.tld:636/??base)
>> Enter LDAP Password:
>> ldap_sasl_bind
>> ldap_send_initial_request
>> ldap_new_connection 1 1 0
>> ldap_int_open_connection
>> ldap_connect_to_host: TCP ldapserver.domain.tld:636
>> ldap_new_socket: 3
>> ldap_prepare_socket: 3
>> ldap_connect_to_host: Trying 10.10.48.40:636
>> ldap_pvt_connect: fd: 3 tm: -1 async: 0
>> TLS: peer cert untrusted or revoked (0x42)
>> ldap_err2string
>> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>> -----------
>>
>> I generated the certificates with the following command:
>> # openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 3650
>>
>> -----------
>>
>> Then I tried the connection:
>> openssl s_client -connect ldapserver.domain.tld:636 -showcerts
>> CONNECTED(00000003)
>> depth=0 /C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
>> verify error:num=18:self signed certificate
>> verify return:1
>> depth=0 /C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
>> verify return:1
>> ---
>> Certificate chain
>> 0 s:/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
>> i:/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
>> -----BEGIN CERTIFICATE-----
>> -----END CERTIFICATE-----
>> ---
>> Server certificate
>> subject=/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
>> issuer=/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 1107 bytes and written 316 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is AES256-SHA
>> Server public key is 1024 bit
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>> Protocol : TLSv1
>> Cipher : AES256-SHA
>> Session-ID: 9EF5F2D4FD72A0D1161C8334537F1ADF60C8B790A3F699B6DC52557E3C95D427
>> Session-ID-ctx:
>> Master-Key: 015D50D6D93F502E37EDB577691F05D157E80A439A2B129B370EEA24E651E828A172E43B3F6D29174BF33B96193202F0
>> Key-Arg : None
>> Start Time: 1259761586
>> Timeout : 300 (sec)
>> Verify return code: 18 (self signed certificate)
>> ---
>>
>> ------------------
>>
>> My ldap.conf
>> -----------------
>> BASE dc=domain,dc=tld
>> URI ldaps://ldapserver.domain.tld/
>> TLS_REQCERT allow
>>
>>
>> My slapd.conf :
>> ----------------
>> ...
>> TLSCACertificateFile /etc/ldap/ssl/server.pem
>> TLSCertificateFile /etc/ldap/ssl/server.pem
>> TLSCertificateKeyFile /etc/ldap/ssl/server.pem
>> ...
>>
>> ------------------
>> My /etc/default/slapd.conf
>> ...
>> SLAPD_SERVICES="ldaps://ldapserver.domain.tld"
>> ...
>>
>> Could you please help me?
>>
>
> Hello,
>
> Are you sure the server is listening on 636?
>
> --- SNIP ---
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> ------------
>
> It seems more like a network problem to me.
> Please, verify it by % netstat -nlp | grep 636; or eventually by %
> netstat -nlp | grep 389; at the server.
>
> Regards,
> Zdenek
>
> Hi Zdenek,
>
> Yes I am.
>
> netstat -nlp | grep 636
> tcp 0 0 10.10.48.40:636 0.0.0.0:* LISTEN
> netstat -nlp | grep 389
>
> Logs from the ldap server
> -----------
> Dec 3 10:10:04 ldapserver slapd[20754]: slap_listener_activate(8):
> Dec 3 10:10:04 ldapserver slapd[20754]: >>> slap_listener(ldaps://ldapserver.domain.tld)
> Dec 3 10:10:04 ldapserver slapd[20754]: connection_get(14): got connid=42
> Dec 3 10:10:04 ldapserver slapd[20754]: connection_read(14): checking for input on id=42
> Dec 3 10:10:04 ldapserver slapd[20754]: connection_get(14): got connid=42
> Dec 3 10:10:04 ldapserver slapd[20754]: connection_read(14): checking for input on id=42
> Dec 3 10:10:04 ldapserver slapd[20754]: connection_read(14): unable to get TLS client DN, error=49 id=42
> Dec 3 10:10:04 ldapserver slapd[20754]: connection_get(14): got connid=42
> Dec 3 10:10:04 ldapserver slapd[20754]: connection_read(14): checking for input on id=42
> Dec 3 10:10:04 ldapserver slapd[20754]: ber_get_next on fd 14 failed errno=0 (Success)
> Dec 3 10:10:04 ldapserver slapd[20754]: connection_closing: readying conn=42 sd=14 for close
> Dec 3 10:10:04 ldapserver slapd[20754]: connection_close: conn=42 sd=14
>
> It seems to be a certificate problem.
> -----
> TLS: peer cert untrusted or revoked
> -----
>
> Do you have any idea?
> Grifith
Evening Grifith,
I'm sorry I've missed that one. I'm no expert, but I can give you my
config-files.
I've used 'easy-rsa' to generate all certificates. It comes with
OpenVPN, but it might be available as a standalone package in Debian. It's a set of
scripts for certificate manipulation, and it surely eases things up.
One thing that came to my mind: the certificate "has" to bear the same FQDN as
the IP, e.g. if 192.168.1.1 -eq server1.mydomain.tld then the certificate should
be generated for and contain server1.mydomain.tld.
Another thing is that .key files should have chmod 400.
--- client side ---
cat /etc/openldap/ldap.conf
BASE dc=mydomain,dc=tld
URI ldaps://server1.mydomain.tld
port 636
ssl yes
#ssl start_tls
TLS_CACERT /etc/openldap/ssl/ca.mydomain.crt
TLS_CERT /etc/ssl/certs/server2.mydomain.tld.crt
TLS_KEY /etc/ssl/private/server2.mydomain.tld.key
TLS_REQCERT never
TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3
------------------
--- server ---
cat /etc/openldap/slapd.conf
...
TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCACertificateFile /etc/ssl/certs/ca.mydomain.crt
TLSCertificateFile /etc/ssl/certs/server1.mydomain.tld.crt
TLSCertificateKeyFile /etc/ssl/private/server1.mydomain.tld.key
TLSVerifyClient never
...
--------------
I hope it helps, at least a bit.
Have a nice evening,
Zdenek
PS: Thunderbird refused to accept the rest of the text for some reason;
I had to c&p it inside.
--------------------------------
Hi,
Thanks for your help, Zdenek.
I made it work with the following configuration:
SERVER
-------------
My slapd.conf :
----------------
...
TLSCACertificateFile /etc/ssl/certs/ldap-cert.pem
TLSCertificateFile /etc/ssl/certs/ldap-cert.pem
TLSCertificateKeyFile /etc/ldap/ssl/ldap-key.pem
I created the certificate with this command:
# openssl req -config /etc/ssl/openssl.cnf -new -x509 -nodes -out /etc/ssl/certs/ldap-cert.pem -keyout /etc/ldap/ssl/ldap-key.pem -days 999999
My ldap.conf :
----------------
BASE dc=mydomain,dc=tld
URI ldaps://ldapserver.mydomain.tld
port 636
ssl on
ssl start_tls
TLS_CACERT /etc/ssl/certs/ldap-cert.pem
TLS_REQCERT allow
CLIENT
------------
The ldap.conf is exactly the same as the server's.
And it works!
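The configurations exchanged in this thread differ mainly in how the client verifies the server certificate (TLS_REQCERT) and whether it trusts the self-signed certificate (TLS_CACERT). The following audit script is an added example, not code from the thread or from OpenLDAP: it parses ldap.conf-style text and reports settings under which the client would accept an untrusted server certificate, or under which a self-signed server certificate cannot be trusted at all. The sample configurations are constructed from the fragments posted above.

```python
"""Audit OpenLDAP client (ldap.conf) TLS settings for certificate-verification gaps."""

# Constructed sample: the original poster's first ldap.conf (no CA configured).
ORIGINAL_LDAP_CONF = """\
BASE dc=domain,dc=tld
URI ldaps://ldapserver.domain.tld/
TLS_REQCERT allow
"""

# Constructed sample: the working configuration from the end of the thread,
# with TLS_REQCERT raised from 'allow' to the default 'demand' so the
# self-signed certificate is actually checked against TLS_CACERT.
HARDENED_LDAP_CONF = """\
BASE dc=mydomain,dc=tld
URI ldaps://ldapserver.mydomain.tld
TLS_CACERT /etc/ssl/certs/ldap-cert.pem
TLS_REQCERT demand
"""


def parse_ldap_conf(text):
    """Return {KEY: value} for 'KEY value' lines; '#' comments and blank lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings[key.upper()] = value.strip()
    return settings


def audit_ldap_conf(text):
    """Return a list of findings; an empty list means the server certificate is verified."""
    s = parse_ldap_conf(text)
    findings = []
    # ldap.conf(5): 'never' and 'allow' let the session continue with a bad or
    # missing certificate, so any server with any certificate is accepted.
    reqcert = s.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: a bad or missing server certificate is ignored")
    elif reqcert == "try":
        findings.append("TLS_REQCERT try: a server that presents no certificate is accepted")
    # Without a trust anchor a self-signed server certificate can never verify,
    # which is the 'peer cert untrusted or revoked' failure seen in the thread.
    if "TLS_CACERT" not in s and "TLS_CACERTDIR" not in s:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: self-signed server certificate cannot be trusted")
    return findings
```

Zdenek's client config (`TLS_REQCERT never`) and the final one (`TLS_REQCERT allow`) are both flagged; only the hardened sample passes.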