
Re: fedora and openldap



Judith, you are starting the LDAP server as LDAPS (port 636), which doesn't accept START_TLS connections. What is in your /etc/ldap.conf and/or /etc/openldap/ldap.conf files? (You may want to run 'find /etc /usr -name ldap.conf -print' in case your system has the ldap.conf file(s) somewhere else.) In one (or more) of those files, you most likely have 'ssl start_tls' and this should be just 'ssl on'.
Tom Leach
leach@coas.oregonstate.edu
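Tom's diagnosis at the byte level, as an added example that is not part of the thread: a client run with -ZZ sends a plaintext LDAP StartTLS ExtendedRequest (the 31 bytes in the quoted "ber_flush2" line) to a listener that is waiting for a TLS ClientHello, which OpenSSL reports as "unknown protocol". The script builds that request, classifies a peer's first bytes and names the mismatch; the ClientHello sample and the function names are constructed here.

```python
# Added example (not from the thread): shows, at the byte level, why a client
# run with -ZZ against an ldaps:// listener produces "unknown protocol".
# A StartTLS client first sends a plaintext LDAP ExtendedRequest and expects a
# cleartext answer; an ldaps:// listener expects a TLS ClientHello record first.

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation

def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def build_starttls_request(msgid: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { requestName } } exactly as
    ldapsearch -ZZ writes it before any TLS handshake takes place."""
    name = b"\x80" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID.encode()  # [0] OID
    exop = b"\x77" + ber_len(len(name)) + name                      # [APPLICATION 23]
    mid = b"\x02\x01" + bytes([msgid])                               # INTEGER, 1..127
    return b"\x30" + ber_len(len(mid) + len(exop)) + mid + exop     # SEQUENCE

def classify_first_bytes(data: bytes) -> str:
    """Guess what the peer started speaking from its first bytes on the wire."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-client-hello"   # TLS record layer: handshake, SSL 3.x/TLS 1.x
    if len(data) >= 2 and data[0] == 0x30:
        return "ldap-plaintext"     # BER SEQUENCE: the start of an LDAPMessage
    return "unknown"

def diagnose(listener_scheme: str, first_bytes: bytes) -> str:
    """Map (listener type, observed first bytes) to the mismatch in the thread."""
    kind = classify_first_bytes(first_bytes)
    if listener_scheme == "ldaps" and kind == "ldap-plaintext":
        return "plaintext StartTLS sent to an ldaps:// listener: drop -ZZ, use 'ssl on'"
    if listener_scheme == "ldap" and kind == "tls-client-hello":
        return "TLS handshake sent to a plain ldap:// listener: use -ZZ, 'ssl start_tls'"
    return "consistent"

# Constructed sample: the first bytes of a TLS 1.0 ClientHello record (not from the thread).
SAMPLE_CLIENT_HELLO = bytes.fromhex("16030100a9010000a50301")

if __name__ == "__main__":
    req = build_starttls_request()
    print(len(req), "bytes:", req.hex())   # 31 bytes, matching "ber_flush2: 31 bytes to sd 3"
    print(diagnose("ldaps", req))          # the failure Judith's server logged
    print(diagnose("ldaps", SAMPLE_CLIENT_HELLO))  # what the ldaps:// listener wanted
```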

On 04/12/2011 10:10 AM, Judith Flo Gaya wrote:

I'm posting all the information together in this e-mail, hope you can help me out, I'm quite desperate at this point.

Following your advice I tried to set up TLS in my server and client.
I generated the certificates for both client and server (self signed) and sent the cacert file from the server to the clients.

I started the server like this:
/usr/local/libexec/slapd -u ldap -h ldaps://curri0.imppc.local:636 -f /usr/local/openldap-2.4.25/etc/openldap/slapd.conf -d 1

(I installed a newer version of openldap in my server as the RH6 uses an old one; I compiled it with TLS and OpenSSL.)

From the client I do:
ldapsearch -x -ZZ -d1 -h curri0.imppc.local:636
ldap_create
ldap_url_parse_ext(ldap://curri0.imppc.local:636)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP curri0.imppc.local:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 172.19.5.13:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x1b4c170 msgid 1
wait4msg ld 0x1b4c170 msgid 1 (infinite timeout)
wait4msg continue ld 0x1b4c170 msgid 1 all 1
** ld 0x1b4c170 Connections:
* host: curri0.imppc.local  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Tue Apr 12 18:56:35 2011


** ld 0x1b4c170 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x1b4c170 request count 1 (abandoned 0)
** ld 0x1b4c170 Response Queue:
   Empty
  ld 0x1b4c170 response count 0
ldap_chkResponseList ld 0x1b4c170 msgid 1 all 1
ldap_chkResponseList returns ld 0x1b4c170 NULL
ldap_int_select
read1msg: ld 0x1b4c170 msgid 1 all 1
ber_get_next
ldap_err2string
ldap_start_tls: Can't contact LDAP server (-1)



And the server shows this:

slap_listener_activate(8):
 >>> slap_listener(ldaps://curri0.imppc.local:636)
connection_get(12): got connid=1000
connection_read(12): checking for input on id=1000
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
TLS: can't accept: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol.
connection_read(12): TLS accept failure error=-1 id=1000, closing
connection_close: conn=1000 sd=12



If I do this from the client or the server:

# openssl s_client -connect curri0.imppc.local:636 -showcerts
CONNECTED(00000003)
(...)
verify return:1
---
Certificate chain
 0 s:(...)
-----BEGIN CERTIFICATE-----
(...)
-----END CERTIFICATE-----
---
Server certificate
subject=(...)
---
No client certificate CA names sent
---
SSL handshake has read 1254 bytes and written 439 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: (...)
    Session-ID-ctx:
    Master-Key: (...)
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket:
(...)

    Compression: 1 (zlib compression)
    Start Time: 1302627455
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)



I get this on server:

slap_listener_activate(8):
 >>> slap_listener(ldaps://curri0.imppc.local:636)
connection_get(12): got connid=1002
connection_read(12): checking for input on id=1002
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(12): got connid=1002
connection_read(12): checking for input on id=1002
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write session ticket A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(12): unable to get TLS client DN, error=49 id=1002


I generated the certificates like this:
# generate the CA private key
openssl genrsa 2048 > ca-key.pem
# create the self-signed CA certificate
openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem
# create the server key and certificate request
openssl req -newkey rsa:2048 -days 1000 -nodes -keyout server-key.pem > server-req.pem
# sign the server request with the CA (serial 01)
openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem

# For the client:
# create the client key and certificate request
openssl req -newkey rsa:2048 -days 1000 -nodes -keyout client-key.pem > client-req.pem
# sign the client request with the CA; every certificate issued by one CA needs a distinct serial, and 01 is already used by the server cert
openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 > client-cert.pem

Here are the TLS-related settings from my slapd.conf:

TLSCACertificateFile /usr/local/openldap-2.4.25/etc/openldap/imppccerts/ca-cert.pem
TLSCertificateFile /usr/local/openldap-2.4.25/etc/openldap/imppccerts/server-cert.pem
TLSCertificateKeyFile /usr/local/openldap-2.4.25/etc/openldap/imppccerts/server-key.pem

Am I missing something?

Thanks a lot in advance for any help, it is very appreciated.
j

On 04/11/2011 01:14 PM, harry.jede@arcor.de wrote:
Judith Flo Gaya wrote:
...
At least i could see that the password exop option in the
pam_ldap.conf lets the server to apply the security to the password,
so I think I can change it within the slapd.conf file.
Yes, and if you don't specify "password-hash" in slapd.conf, ssha is
used. It is the default.

do you suggest to use salt?
ssha uses salt.

Thanks a lot for your help,
j

BTW
have you read rfc-3062 ?
http://www.faqs.org/rfcs/rfc3062.html

If you configure your clients to use "password exop" you should be sure
that the clients use any kind of network protection, TLS or SSL.

TinyCA is a Perl-based GTK GUI which may help you to generate certs and
keys.

Until you are ready to use TLS/SSL I suggest that you let the client
encrypt the passwords locally.