Re: Authentication failed with ldaps configuration
On Fri, 2009-12-04 at 22:23 +0530, Chamith Kumarage wrote:
> On Fri, 2009-12-04 at 14:27 +0100, Smaïne Kahlouch wrote:
> > -------- Original message --------
> > From: Zdenek Styblik <stybla@turnovfree.net>
> > To: smainklh@free.fr
> > Cc: openldap-technical@openldap.org
> > Subject: Re: Authentication failed with ldaps configuration
> > Date: Thu, 03 Dec 2009 17:03:32 +0100
> >
> > smainklh@free.fr wrote:
> > > ----- Original Mail -----
> > > From: "Zdenek Styblik" <stybla@turnovfree.net>
> > > To: smainklh@free.fr
> > > Cc: openldap-technical@openldap.org
> > > Sent: Wednesday 2 December 2009 16:37:01 GMT +01:00 Amsterdam / Berlin / Berne / Rome / Stockholm / Vienna
> > > Subject: Re: Authentication failed with ldaps configuration
> > >
> > > smainklh@free.fr wrote:
> > >> Hi everyone,
> > >>
> > >> I configured my ldap server (Debian lenny) to listen on port 636 (ldaps) but it doesn't seem to work when issuing a remote connection.
> > >> Perhaps I made a mistake when generating the certificates?
> > >>
> > >> When I try to browse the ldap server from a remote server I get the following message:
> > >> ----------
> > >> root@vmtest:~# ldapsearch -d 1 -Wx -H ldaps://ldapserver.domain.tld -D cn=admin,dc=domain,dc=tld
> > >> ldap_url_parse_ext(ldaps://ldapserver.domain.tld)
> > >> ldap_create
> > >> ldap_url_parse_ext(ldaps://ldapserver.domain.tld:636/??base)
> > >> Enter LDAP Password:
> > >> ldap_sasl_bind
> > >> ldap_send_initial_request
> > >> ldap_new_connection 1 1 0
> > >> ldap_int_open_connection
> > >> ldap_connect_to_host: TCP ldapserver.domain.tld:636
> > >> ldap_new_socket: 3
> > >> ldap_prepare_socket: 3
> > >> ldap_connect_to_host: Trying 10.10.48.40:636
> > >> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> > >> TLS: peer cert untrusted or revoked (0x42)
> > >> ldap_err2string
> > >> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> > >> -----------
> > >>
> > >> I generated the certificates with the following command:
> > >> # openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 3650
> > >>
> > >> -----------
> > >>
> > >> Then I tried the connection:
> > >> openssl s_client -connect ldapserver.domain.tld:636 -showcerts
> > >> CONNECTED(00000003)
> > >> depth=0 /C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
> > >> verify error:num=18:self signed certificate
> > >> verify return:1
> > >> depth=0 /C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
> > >> verify return:1
> > >> ---
> > >> Certificate chain
> > >> 0 s:/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
> > >> i:/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
> > >> -----BEGIN CERTIFICATE-----
> > >> -----END CERTIFICATE-----
> > >> ---
> > >> Server certificate
> > >> subject=/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
> > >> issuer=/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
> > >> ---
> > >> No client certificate CA names sent
> > >> ---
> > >> SSL handshake has read 1107 bytes and written 316 bytes
> > >> ---
> > >> New, TLSv1/SSLv3, Cipher is AES256-SHA
> > >> Server public key is 1024 bit
> > >> Compression: NONE
> > >> Expansion: NONE
> > >> SSL-Session:
> > >> Protocol : TLSv1
> > >> Cipher : AES256-SHA
> > >> Session-ID: 9EF5F2D4FD72A0D1161C8334537F1ADF60C8B790A3F699B6DC52557E3C95D427
> > >> Session-ID-ctx:
> > >> Master-Key: 015D50D6D93F502E37EDB577691F05D157E80A439A2B129B370EEA24E651E828A172E43B3F6D29174BF33B96193202F0
> > >> Key-Arg : None
> > >> Start Time: 1259761586
> > >> Timeout : 300 (sec)
> > >> Verify return code: 18 (self signed certificate)
> > >> ---
> > >>
> > >> ------------------
> > >>
> > >> My ldap.conf
> > >> -----------------
> > >> BASE dc=domain,dc=tld
> > >> URI ldaps://ldapserver.domain.tld/
> > >> TLS_REQCERT allow
> > >>
> > >>
> > >> My slapd.conf:
> > >> ----------------
> > >> ...
> > >> TLSCACertificateFile /etc/ldap/ssl/server.pem
> > >> TLSCertificateFile /etc/ldap/ssl/server.pem
> > >> TLSCertificateKeyFile /etc/ldap/ssl/server.pem
> > >> ...
> > >>
> > >> ------------------
> > >> My /etc/default/slapd.conf
> > >> ...
> > >> SLAPD_SERVICES="ldaps://ldapserver.domain.tld"
> > >> ...
> > >>
> > >> Could you please help me?
> > >>
> > >
> > > Hello,
> > >
> > > Are you sure the server is listening on 636?
> > >
> > > --- SNIP ---
> > > ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> > > ------------
> > >
> > > It seems more like a network problem to me.
> > > Please, verify it by % netstat -nlp | grep 636; or eventually by %
> > > netstat -nlp | grep 389; at the server.
> > >
> > > Regards,
> > > Zdenek
> > >
> > > Hi Zdenek,
> > >
> > > Yes, I am.
> > >
> > > netstat -nlp | grep 636
> > > tcp 0 0 10.10.48.40:636 0.0.0.0:* LISTEN
> > > netstat -nlp | grep 389
> > >
> > > Logs from the ldap server
> > > -----------
> > > Dec 3 10:10:04 ldapserver slapd[20754]: slap_listener_activate(8):
> > > Dec 3 10:10:04 ldapserver slapd[20754]: >>> slap_listener(ldaps://ldapserver.domain.tld)
> > > Dec 3 10:10:04 ldapserver slapd[20754]: connection_get(14): got connid=42
> > > Dec 3 10:10:04 ldapserver slapd[20754]: connection_read(14): checking for input on id=42
> > > Dec 3 10:10:04 ldapserver slapd[20754]: connection_get(14): got connid=42
> > > Dec 3 10:10:04 ldapserver slapd[20754]: connection_read(14): checking for input on id=42
> > > Dec 3 10:10:04 ldapserver slapd[20754]: connection_read(14): unable to get TLS client DN, error=49 id=42
> > > Dec 3 10:10:04 ldapserver slapd[20754]: connection_get(14): got connid=42
> > > Dec 3 10:10:04 ldapserver slapd[20754]: connection_read(14): checking for input on id=42
> > > Dec 3 10:10:04 ldapserver slapd[20754]: ber_get_next on fd 14 failed errno=0 (Success)
> > > Dec 3 10:10:04 ldapserver slapd[20754]: connection_closing: readying conn=42 sd=14 for close
> > > Dec 3 10:10:04 ldapserver slapd[20754]: connection_close: conn=42 sd=14
> > >
> > > It seems to be a certificate problem.
> > > -----
> > > TLS: peer cert untrusted or revoked
> > > -----
> > >
> > > Do you have any idea?
> > > Grifith
> >
> >
> > Evening Grifith,
> >
> > I'm sorry I've missed that one. I'm no expert, but I can give you my
> > config files.
> > I've used 'easy-rsa' to generate all certificates. It comes with
> > OpenVPN, but it might be a standalone package in Debian. It's a set of
> > scripts for certificate manipulation, and it surely eases things up.
> > One thing that came to my mind: the certificate "has" to bear the same FQDN as
> > the IP, e.g. if 192.168.1.1 -eq server1.mydomain.tld then the certificate should
> > be generated for and contain server1.mydomain.tld.
> > Another thing is that .key files should have chmod 400.
> >
> > --- client side ---
> > cat /etc/openldap/ldap.conf
> >
> > BASE dc=mydomain,dc=tld
> > URI ldaps://server1.mydomain.tld
> > port 636
> > ssl yes
> > #ssl start_tls
> > TLS_CACERT /etc/openldap/ssl/ca.mydomain.crt
> > TLS_CERT /etc/ssl/certs/server2.mydomain.tld.crt
> > TLS_KEY /etc/ssl/private/server2.mydomain.tld.key
> > TLS_REQCERT never
> > TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3
> > ------------------
> >
> > --- server ---
> > cat /etc/openldap/slapd.conf
> > ...
> > TLSCipherSuite HIGH:MEDIUM:+SSLv3
> > TLSCACertificateFile /etc/ssl/certs/ca.mydomain.crt
> > TLSCertificateFile /etc/ssl/certs/server1.mydomain.tld.crt
> > TLSCertificateKeyFile /etc/ssl/private/server1.mydomain.tld.key
> > TLSVerifyClient never
> > ...
> > --------------
> >
> > I hope it helps, at least a bit.
> >
> > Have a nice evening,
> > Zdenek
> >
> > PS: Thunderbird refused to accept the rest of the text for some reason,
> > I had to c&p it inside.
> > --------------------------------
> >
> > Hi,
> >
> > Thanks for your help, Zdenek.
> > I made it work with the following configuration:
> >
> >
> > SERVER
> > -------------
> > My slapd.conf:
> > ----------------
> > ...
> > TLSCACertificateFile /etc/ssl/certs/ldap-cert.pem
> > TLSCertificateFile /etc/ssl/certs/ldap-cert.pem
> > TLSCertificateKeyFile /etc/ldap/ssl/ldap-key.pem
> >
> > I created the certificate with this command:
> > # openssl req -config /etc/ssl/openssl.cnf -new -x509 -nodes -out /etc/ssl/certs/ldap-cert.pem -keyout /etc/ldap/ssl/ldap-key.pem -days 999999
> >
> > My ldap.conf:
> > ----------------
> > BASE dc=mydomain,dc=tld
> > URI ldaps://ldapserver.mydomain.tld
> > port 636
> > ssl on
> > ssl start_tls
> > TLS_CACERT /etc/ssl/certs/ldap-cert.pem
> > TLS_REQCERT allow
> >
> > CLIENT
> > ------------
> >
> > The ldap.conf is exactly the same as the server's.
> >
> > And it works!
>
> Hi - I tried the exact same thing but ended up with no luck. I'm on
> Ubuntu 9.04 (slapd 2.4.15). Though I can see my ldapssl service gets
> started, I cannot perform any ldap operations from the client machine. I
> think this is because of an SSL issue. When I tried to verify my cert
> using:
>
> openssl s_client -connect my_ip:636 -showcerts, I'm getting the
> following error.
>
> 13761:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:s23_lib.c:188:
>
>
> Any help is appreciated.
>
> Thanks,
> ~Chamith
FYI: Just tested the same setup with Ubuntu 8.04.2 and it works
perfectly.
Gotta blog about this at saguide.wordpress.com :)
Thanks,
~Chamith
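The three client-side points this thread turns on (does the URI host match the certificate CN, is a TLS_CACERT configured for the self-signed server cert, and how much does TLS_REQCERT actually verify) can be checked before touching slapd. The script below is an added example, not code from the thread; the ldap.conf text and the `subject=` line are constructed from the posts above, and the `demand` default follows ldap.conf(5).

```python
"""Sanity-check an OpenLDAP client ldap.conf against the server certificate
subject printed by `openssl s_client -showcerts`.  Added example; sample
inputs are constructed from the mailing-list thread, not captured live."""
import re
from urllib.parse import urlparse

# Constructed sample: the original poster's client ldap.conf.
LDAP_CONF = """\
BASE dc=domain,dc=tld
URI ldaps://ldapserver.domain.tld/
TLS_REQCERT allow
"""

# Constructed sample: the subject line openssl s_client printed for the server.
S_CLIENT_SUBJECT = "subject=/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld"


def parse_ldap_conf(text):
    """Return {DIRECTIVE: value}; ldap.conf(5) directives are case-insensitive."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def cert_cn(subject_line):
    """Extract the CN from an OpenSSL one-line DN such as subject=/C=FR/.../CN=host."""
    m = re.search(r"/CN=([^/]+)", subject_line)
    return m.group(1) if m else None


def check_client_tls(conf, subject_line):
    """Return a list of findings; an empty list means the client really verifies the server."""
    findings = []
    # ldap.conf(5): the default is demand; never and allow ignore certificate errors.
    reqcert = conf.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: certificate errors are ignored, so the "
                        "session is not protected against an impostor server")
    cn = cert_cn(subject_line)
    for uri in conf.get("URI", "").split():
        u = urlparse(uri)
        if u.scheme != "ldaps":
            continue
        if reqcert != "never" and not ({"TLS_CACERT", "TLS_CACERTDIR"} & conf.keys()):
            findings.append(f"{uri}: no TLS_CACERT/TLS_CACERTDIR, so a self-signed "
                            "server certificate has no trusted issuer and cannot verify")
        if cn and u.hostname != cn.lower():
            findings.append(f"{uri}: host {u.hostname} does not match certificate CN {cn}")
    return findings
```

Running it on the first config reports both the missing TLS_CACERT and the weak `allow` policy; the thread's working config clears the first finding but keeps the second until TLS_REQCERT is set to `demand`.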