[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
LDAP clients fail to connect with SSL enabled
- To: openldap-technical@openldap.org
- Subject: LDAP clients fail to connect with SSL enabled
- From: bluethundr <bluethundr@gmail.com>
- Date: Sun, 21 Nov 2010 17:24:43 -0500
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:date:message-id :subject:from:to:content-type; bh=yAak6rLstbezQ0231KL+I98PIFrOzl141ff269sHa9w=; b=Av04Ng46yG+NlqLlFE2f5ii67crHB1Lq7XwSoWrTashnWae3mCmYwS0ElhrM7v+Bfy VJpOCK7aFxvsOTWLKMCblawmmzmJzwPg4LtfQkELBotxLGC0qlrOQVUEXradltR1Y2Pd 9FpDpkCQHJfP6pFtQCKYiSUTKMMT9tbUA0qeM=
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; b=XQjDtN4Y+RhkV2BX05UDD32IgxpEqecDD40+3MrkK0009zzO++Cq9Lk8D36mDHiRPS bt5204C3A/S1YKjXc6LHS62YUt4Uq9xcvxQDA9TsjhKeF97jgUchmnByLsI8RtX8T7b0 +qJNya+YCRSHXfPB0PTydQMINdBmM76QQDY3A=
LDAP clients fail to connect with SSL enabled
I am attempting to setup SSL/TLS support on my openLDAP 2.4 server on FreeBSD.
LBSD2# pkg_info | grep openldap
openldap-sasl-client-2.4.23 Open source LDAP client implementation
with SASL2 support
openldap-sasl-server-2.4.23 Open source LDAP server implementation
I put my cert file, key file and CA certfile in a directory called
/usr/local/etc/openldap/cacerts
Here's how it looks:
[root@LBSD2:/usr/local/etc/openldap/cacerts]#ls -l
total 48
dr--r----- 2 root ldap 512 Nov 21 17:12 bak
-r--r----- 1 root ldap 1960 Nov 21 07:05 bsd2.summitnjhome.com.crt
-r--r----- 1 root ldap 4604 Nov 21 17:16 gd_bundle.crt
-r--r----- 1 root ldap 4689 Nov 21 18:59 sf_bundle.crt
-r--r----- 1 root ldap 1537 Nov 21 17:16 sf_issuing.crt
-r--r----- 1 root ldap 1090 Nov 21 12:29 slapd.csr
-r--r----- 1 root ldap 1743 Nov 21 12:26 slapd.key
-r--r----- 1 root ldap 1675 Nov 21 17:25 slapd.pem
My cert flie is a GoDaddy turbo-ssl certfile named
bsd2.summitnjhome.com.crt. slapd.key is the key file and slapd.pem is
the same thing only with the password removed.
I'm a little unsure of which CA file to use but I think that
sf_issuing.crt _should_ work as this is the CA file that I used to
setup a similar SSL enabled LDAP server for a client recently.
Although I have tried all three CA files in this directory:
(gd_bundle.crt, sf_bundle.crt, and sf_issuing.crt).
I put the various cert/key files into my slapd.conf file like this:
LBSD2# cat slapd.conf | grep -i tls
## TLS options for slapd
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /usr/local/etc/openldap/cacerts/bsd2.summitnjhome.com.crt
TLSCertificateKeyFile /usr/local/etc/openldap/cacerts/slapd.pem
TLSCACertificateFile /usr/local/etc/openldap/cacerts/sf_issuing.crt
Slapd restarts cleanly!
LBSD2# /usr/local/etc/rc.d/slapd restart
Stopping slapd.
Waiting for PIDS: 81924.
Starting slapd.
Then I attempt to setup a virtual instance of CentOS 5.5 on the client
side and that's where things fall apart...I attempt to ssh to
localhost as an LDAP account:
[root@VIRTCENT08:/etc/openldap/cacerts]#ssh bluethundr@localhost
[...tectonic plates drift, careers begin and end, babies learn to
walk, talk and grow to adulthood..]
Connection closed by 127.0.0.1
[root@VIRTCENT08:/etc/openldap/cacerts]#getent passwd | grep ldapAccount
[same interminable wait as above]
This is what my /etc/ldap.conf file looks like on the client:
[root@VIRTCENT08:/etc/openldap/cacerts]#cat /etc/ldap.conf
# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
#host 127.0.0.1
# The distinguished name of the search base.
base dc=summitnjhome,dc=com
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=manager,dc=example,dc=com
# The port.
# Optional: default is 389.
#port 389
# Search timelimit
#timelimit 30
timelimit 120
# Bind/connect timelimit
#bind_timelimit 30
bind_timelimit 120
# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600
idle_timelimit 3600
# Netscape SDK LDAPS
#ssl on
# Netscape SDK SSL options
#sslpath /etc/ssl/certs
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
#tls_checkpeer yes
# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
uri ldap://ldap.summitnjhome.com/
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
pam_password crypt
This is how my nsswitch on the client side is setup:
passwd: files ldap
shadow: files ldap
group: files ldap
And here is the cert dir on my CentOS client:
[root@VIRTCENT08:/etc/openldap/cacerts]#ls -l
total 72
lrwxrwxrwx 1 root root 13 Nov 21 09:44 97552d04.0 -> gd_bundle.crt
lrwxrwxrwx 1 root root 14 Nov 21 09:44 b737b221.0 -> sf_issuing.crt
dr--r--r-- 2 root root 4096 Nov 21 2010 bak
-r--r--r-- 1 root root 1960 Nov 21 07:05 bsd2.summitnjhome.com.crt
lrwxrwxrwx 1 root root 25 Nov 21 09:44 c75be861.0 -> bsd2.summitnjhome.com.crt
-r--r--r-- 1 root root 4604 Nov 21 2010 gd_bundle.crt
-r--r--r-- 1 root root 1537 Nov 21 2010 sf_issuing.crt
-r--r--r-- 1 root root 1090 Nov 21 12:29 slapd.csr
-r--r--r-- 1 root root 1743 Nov 21 12:26 slapd.key
-r--r--r-- 1 root root 1675 Nov 21 2010 slapd.pem
Back on the server side there is a lot of activity in the ldap logs
(here is an excerpt)
Nov 21 20:21:38 LBSD2 slapd[81972]: daemon: read activity on 11
Nov 21 20:21:38 LBSD2 slapd[81972]: daemon: select: listen=6
active_threads=0 tvp=NULL
Nov 21 20:21:38 LBSD2 slapd[81972]: daemon: select: listen=7
active_threads=0 tvp=NULL
Nov 21 20:21:38 LBSD2 slapd[81972]: connection_read(11): input
error=-2 id=1017, closing.
Nov 21 20:21:38 LBSD2 slapd[81972]: connection_closing: readying
conn=1017 sd=11 for close
Nov 21 20:21:38 LBSD2 slapd[81972]: daemon: activity on 1 descriptor
I've encloses a more complete log file as an attachment.
I then try to show the CA files with an openssl command.
First with sf_issuing.crt -
slapd.conf:
TLSCACertificateFile /usr/local/etc/openldap/cacerts/sf_issuing.crt
On the client:
[root@VIRTCENT08:/etc/openldap/cacerts]#openssl s_client -connect
ldap.summitnjhome.com:389 -showcerts -CAfile sf_issuing.crt
CONNECTED(00000003)
3143:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188
Next with sf_bundle.crt -
slapd.conf:
TLSCACertificateFile /usr/local/etc/openldap/cacerts/sf_bundle.crt
[root@VIRTCENT08:/etc/openldap/cacerts]#openssl s_client -connect
ldap.summitnjhome.com:389 -showcerts -CAfile sf_bundle.crt
3149:error:02001002:system library:fopen:No such file or
directory:bss_file.c:122:fopen('sf_bundle.crt','r')
3149:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
3149:error:0B084002:x509 certificate
routines:X509_load_cert_crl_file:system lib:by_file.c:279:
CONNECTED(00000003)
3149:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:188:
Next with gd_bundle.crt -
TLSCACertificateFile /usr/local/etc/openldap/cacerts/gd_bundle.crt
[root@VIRTCENT08:/etc/openldap/cacerts]#openssl s_client -connect
ldap.summitnjhome.com:389 -showcerts -CAfile gd_bundle.crt
CONNECTED(00000003)
3156:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:188:
Disabling TLS on the client side authentication works again!
[root@VIRTCENT08:/etc/openldap/cacerts]#ssh bluethundr@localhost
bluethundr@localhost's password:
Last login: Sun Nov 21 09:41:34 2010 from 192.168.1.50
#########################################################
# SUMMITNJHOME.COM #
# TITLE: VIRTCENT08 BOX #
# LOCATION: SUMMIT BASEMENT #
# #
#########################################################
Any thought on how to resolve the current situation would be most
appreciated! ;)
--
Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys 5A4873A9
Share and enjoy!!