Re: fedora and openldap
I'm posting all the information together in this e-mail; hope you can
help me out, I'm quite desperate at this point.
Following your advice I tried to set up TLS on my server and client.
I generated the certificates for both client and server (self signed)
and sent the cacert file from the server to the clients.
I started the server like this:
/usr/local/libexec/slapd -u ldap -h ldaps://curri0.imppc.local:636 -f /usr/local/openldap-2.4.25/etc/openldap/slapd.conf -d 1
(I installed a newer version of OpenLDAP on my server, as RH6 ships
an old one; I compiled it with TLS and OpenSSL.)
From the client I do:
ldapsearch -x -ZZ -d1 -h curri0.imppc.local:636
ldap_create
ldap_url_parse_ext(ldap://curri0.imppc.local:636)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP curri0.imppc.local:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 172.19.5.13:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x1b4c170 msgid 1
wait4msg ld 0x1b4c170 msgid 1 (infinite timeout)
wait4msg continue ld 0x1b4c170 msgid 1 all 1
** ld 0x1b4c170 Connections:
* host: curri0.imppc.local port: 636 (default)
refcnt: 2 status: Connected
last used: Tue Apr 12 18:56:35 2011
** ld 0x1b4c170 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x1b4c170 request count 1 (abandoned 0)
** ld 0x1b4c170 Response Queue:
Empty
ld 0x1b4c170 response count 0
ldap_chkResponseList ld 0x1b4c170 msgid 1 all 1
ldap_chkResponseList returns ld 0x1b4c170 NULL
ldap_int_select
read1msg: ld 0x1b4c170 msgid 1 all 1
ber_get_next
ldap_err2string
ldap_start_tls: Can't contact LDAP server (-1)
And the server shows this:
slap_listener_activate(8):
>>> slap_listener(ldaps://curri0.imppc.local:636)
connection_get(12): got connid=1000
connection_read(12): checking for input on id=1000
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
TLS: can't accept: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol.
connection_read(12): TLS accept failure error=-1 id=1000, closing
connection_close: conn=1000 sd=12
If I do this from the client or the server:
# openssl s_client -connect curri0.imppc.local:636 -showcerts
CONNECTED(00000003)
(...)
verify return:1
---
Certificate chain
0 s:(...)
-----BEGIN CERTIFICATE-----
(...)
-----END CERTIFICATE-----
---
Server certificate
subject=(...)
---
No client certificate CA names sent
---
SSL handshake has read 1254 bytes and written 439 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: (...)
Session-ID-ctx:
Master-Key: (...)
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket:
(...)
Compression: 1 (zlib compression)
Start Time: 1302627455
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
I get this on the server:
slap_listener_activate(8):
>>> slap_listener(ldaps://curri0.imppc.local:636)
connection_get(12): got connid=1002
connection_read(12): checking for input on id=1002
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(12): got connid=1002
connection_read(12): checking for input on id=1002
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write session ticket A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(12): unable to get TLS client DN, error=49 id=1002
I generated the certificates like this:
# generate the CA private key
openssl genrsa 2048 > ca-key.pem
# create the self-signed CA certificate
openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem
# create the server key and certificate request
openssl req -newkey rsa:2048 -nodes -keyout server-key.pem > server-req.pem
# sign the server cert with the CA
openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
# For the client:
# create the client key and certificate request
openssl req -newkey rsa:2048 -nodes -keyout client-key.pem > client-req.pem
# sign the client cert with the CA (each certificate issued by the same CA
# needs its own serial number, so 02 here instead of reusing 01)
openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 > client-cert.pem
Here is the TLS-related part of my slapd.conf:
TLSCACertificateFile /usr/local/openldap-2.4.25/etc/openldap/imppccerts/ca-cert.pem
TLSCertificateFile /usr/local/openldap-2.4.25/etc/openldap/imppccerts/server-cert.pem
TLSCertificateKeyFile /usr/local/openldap-2.4.25/etc/openldap/imppccerts/server-key.pem
Am I missing something?
Thanks a lot in advance for any help, it is very appreciated.
j
On 04/11/2011 01:14 PM, harry.jede@arcor.de wrote:
Judith Flo Gaya wrote:
...
At least I could see that the password exop option in
pam_ldap.conf lets the server apply the security to the password,
so I think I can change it within the slapd.conf file.
Yes, and if you don't specify "password-hash" in slapd.conf, SSHA is
used. It is the default.
Do you suggest using salt?
SSHA uses salt.
Thanks a lot for your help,
j
BTW
have you read rfc-3062 ?
http://www.faqs.org/rfcs/rfc3062.html
If you configure your clients to use "password exop" you should make sure
that the clients use some kind of network protection, TLS or SSL.
TinyCA is a Perl-based GTK GUI which may help you generate certs and
keys.
Until you are ready to use TLS/SSL I suggest that you let the client
encrypt the passwords locally.
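The first ldapsearch trace in this message shows the client writing 31 bytes in cleartext before the server's SSL_accept fails with "unknown protocol": with -ZZ, ldapsearch opens a plain LDAP connection and sends a StartTLS ExtendedRequest (RFC 4511), which is exactly 31 bytes, while the ldaps:// listener on port 636 expects a TLS ClientHello as the very first bytes. The example below, added here and not part of the original thread, builds that request and shows how a listener can tell the two kinds of first message apart; the sample TLS record header is constructed, not captured from this server.

```python
"""Why 'ldapsearch -ZZ' against an ldaps:// port fails with 'unknown protocol'.

A StartTLS client speaks cleartext LDAP first; an ldaps listener expects TLS
first. Their opening bytes are trivially distinguishable (0x30 vs 0x16).
"""

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation


def ber_len(n: int) -> bytes:
    """Encode a BER definite length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def build_starttls_request(msgid: int = 1) -> bytes:
    """Build the LDAPMessage a StartTLS client writes first, in cleartext.

    LDAPMessage     ::= SEQUENCE { messageID INTEGER, protocolOp ... }
    ExtendedRequest ::= [APPLICATION 23] SEQUENCE { requestName [0] LDAPOID }
    With msgid 1 this is the 31-byte write seen in the ldapsearch -d1 trace.
    """
    oid = STARTTLS_OID.encode("ascii")
    request_name = b"\x80" + ber_len(len(oid)) + oid              # [0] primitive
    ext_req = b"\x77" + ber_len(len(request_name)) + request_name  # [APPLICATION 23]
    message_id = b"\x02\x01" + bytes([msgid])                      # INTEGER msgid
    body = message_id + ext_req
    return b"\x30" + ber_len(len(body)) + body                      # SEQUENCE


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a listener receives on a new connection."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-client-hello"   # TLS record: handshake (22), version 3.x
    if len(data) >= 2 and data[0] == 0x30:
        return "ldap-plaintext"     # BER SEQUENCE: a cleartext LDAPMessage
    return "unknown"


# Constructed sample: a 5-byte TLS 1.0 record header for a ClientHello
# (content type 22, version 3.1, length 0x01b2), as openssl s_client sends.
SAMPLE_TLS_RECORD_HEADER = bytes.fromhex("16030101b2")

if __name__ == "__main__":
    req = build_starttls_request()
    print(len(req), req.hex())                        # 31 bytes, starts 301d...
    print(classify_first_bytes(req))                  # ldap-plaintext
    print(classify_first_bytes(SAMPLE_TLS_RECORD_HEADER))  # tls-client-hello
```

A server that logs "unknown protocol" on an ldaps port therefore saw a cleartext LDAP PDU, which is what a client configured for StartTLS (-ZZ, or `ssl start_tls` in pam_ldap/nss_ldap) produces; the two modes have to match the listener: StartTLS on ldap://host:389, or ldaps://host:636 without -ZZ.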