[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: tls_checkpeer directive

To: openldap-technical@openldap.org
Subject: Re: tls_checkpeer directive
From: Buchan Milne <bgmilne@staff.telkomsa.net>
Date: Wed, 9 Feb 2011 09:54:42 +0200
Cc: Michael Starling <mlstarling31@hotmail.com>
In-reply-to: <COL104-W399D45122C6687BF20EC31D4EA0@phx.gbl>
References: <COL104-W399D45122C6687BF20EC31D4EA0@phx.gbl>
User-agent: KMail/1.13.3 (Linux/2.6.33.7-desktop-2.1mnb; KDE/4.4.3; x86_64; ; )

On Tuesday, 8 February 2011 19:11:52 Michael Starling wrote:
> I'm running openldap-2.3.43-12.el5 on a RHEL 5.5 system:
> 
> I believe I have TLS encryption working but I'd like to be able to verify
> my client connections.
> 
> On my LDAP server I have the following in slapd.conf
> 
> 
> TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
> TLSCertificateFile /etc/openldap/cacerts/slapdcert.pem
> TLSCertificateKeyFile /etc/openldap/cacerts/slapdkey.pem
> TLSCACertificateFile /etc/openldap/cacerts/slapdcert.pem

So, a self-signed cert? You may want to reconsider this, if you will ever have 
more than one LDAP server, and depending on how many clients you have.

You may want to supply the output of:
openssl x509 -noout -subject -in /etc/openldap/cacerts/slapdcert.pem

> On the client I have the following in /etc/ldap.conf
> 
> uri ldaps://10.70.5.67/

So, the subject CN on the certificate is 10.70.5.67? You may instead want to 
have the subject CN on the cert be the hostname, and use *that* hostname, 
exactly, in the uri.

Please compare to HTTPS browser validation .. the certificate needs to match 
the server address you have specified you want to connect to, not some other 
arbitrary attribute of this server (e.g. the IP address).

(there are other options to allow IP addresses, but they require more work)

> ssl on
> tls_cacertfile /etc/openldap/cacerts/slapdcert.pem
> tls_checkpeer no
> 
> 
> On the client /etc/openldap/ldap.conf
> 
> URI ldaps://10.70.5.67/

Again, ensure the host portion of the URI matches the name on the cert.

> TLS_CACERT /etc/openldap/cacerts/slapdcert.pem
> TLS_REQCERT demand
> 
> 
> These commands work both from the client and server.
> 
> openssl s_client -connect servername:636 -showcerts
> 
> ldapsearch -x -H ldaps://servername -b dc=domain,dc=domain -D
> cn=root,dc=domain,dc=domain -W

So, here you use the hostname, but in *all* the other instances you use the 
IP? Why?

> So my first question would be does this guarantee encrypted sessions?

Does *what* guarantee encrypted connections? Your client configurations ensure 
that the clients use encrypted connections, but your server configuration does 
not prevent unencrypted connections from working.

> Second, if I change tls_checkpeer to yes then I can't contact the LDAP
> server. How can I verify my clients?

This is about the server certificate validation, which means server 
certificate validation rules need to be satisfied:
-chain of trust from CA cert to server cert
-date validity
-matching of cert subject and host portion of URI

Regards,
Buchan

References:
- tls_checkpeer directive
  - From: Michael Starling <mlstarling31@hotmail.com>

Prev by Date: Re: slapd.conf for proxy to AD
Next by Date: Re: slapd.conf for proxy to AD
Index(es):
- Chronological
- Thread