[Date Prev][Date Next] [Chronological] [Thread] [Top]

configuring ldap-client to use TLS (Certificate not found in database)



I am a novice to linux administration. Recently I had to configure a system to authenticate using LDAP with TLS. I have read guides from several websites. But I still could configure it. There seem to be several reasons for the failure. I tried many suggestions, but with no success. I don’t have access to the LDAP server. So I have been just playing with config on the client.
The LDAP server is sso.abcdef.edu 
My ldap.conf content is below

BASE dc=abcdef,dc=edu
TLS_REQCERT allow
TLS_CACERT /etc/openldap/cacerts/sso.abcdef.edu.crt
TLS_CACERTDIR /etc/openldap/cacerts

I could issue a ldapsearch -x which returns several entries. However, when I couldn’t do using TLS.  The following command shows some errors. Could you suggest me possible directions to resolve this. The directory /etc/openldap/cacerts/ contains  the server certificate sso.abcdef.edu.crt. I also made a copy of it with name sso.abcdef.edu.pem. I am not sure whether this pem file should be that of the server or the client. 
Another question, should the client also have a ca (or self-signed ) certificate and it whether it should be uploaded onto the LDAP server? 
Could anyone please describe the basic essential steps in configuring LDAP client with TLS (without necessarily including the commands). (Several guides suggest changing configs at several places (like, pam_ldap.con, auth.conf) etc. But centOS documentation on LDAP describes configuration only for the ldap.conf (which I couldn’t follow completely).)

/etc/openldap/cacerts root@wserver[0.5]5019 > ldapsearch -ZZZ -h sso.abcdef.edu -d -1

ldap_create
ldap_url_parse_ext(ldap://sso.abcdef.edu)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP sso.abcdef.edu:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.71.31.15:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x15ea5b0 ptr=0x15ea5b0 end=0x15ea5cf len=31
  0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
ber_scanf fmt ({) ber:
ber_dump: buf=0x15ea5b0 ptr=0x15ea5b5 end=0x15ea5cf len=26
  0000:  77 18 80 16 31 2e 33 2e  36 2e 31 2e 34 2e 31 2e   w...1.3.6.1.4.1.
  0010:  31 34 36 36 2e 32 30 30  33 37                     1466.20037
ber_flush2: 31 bytes to sd 3
  0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
ldap_write: want=31, written=31
  0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
ldap_result ld 0x15e1090 msgid 1
wait4msg ld 0x15e1090 msgid 1 (infinite timeout)
wait4msg continue ld 0x15e1090 msgid 1 all 1
** ld 0x15e1090 Connections:
* host: sso.abcdef.edu  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Oct 20 20:50:52 2015


** ld 0x15e1090 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x15e1090 request count 1 (abandoned 0)
** ld 0x15e1090 Response Queue:
   Empty
  ld 0x15e1090 response count 0
ldap_chkResponseList ld 0x15e1090 msgid 1 all 1
ldap_chkResponseList returns ld 0x15e1090 NULL
ldap_int_select
read1msg: ld 0x15e1090 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=8
  0000:  30 0c 02 01 01 78 07 0a                            0....x..
ldap_read: want=6, got=6
  0000:  01 00 04 00 04 00                                  ......
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x15eba20 ptr=0x15eba20 end=0x15eba2c len=12
  0000:  02 01 01 78 07 0a 01 00  04 00 04 00               ...x........
read1msg: ld 0x15e1090 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x15eba20 ptr=0x15eba23 end=0x15eba2c len=9
  0000:  78 07 0a 01 00 04 00 04  00                        x........
read1msg: ld 0x15e1090 0 new referrals
read1msg:  mark request completed, ld 0x15e1090 msgid 1
request done: ld 0x15e1090 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x15eba20 ptr=0x15eba23 end=0x15eba2c len=9
  0000:  78 07 0a 01 00 04 00 04  00                        x........
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_dump: buf=0x15eba20 ptr=0x15eba23 end=0x15eba2c len=9
  0000:  78 07 0a 01 00 04 00 04  00                        x........
ber_scanf fmt (}) ber:
ber_dump: buf=0x15eba20 ptr=0x15eba2c end=0x15eba2c len=0

ldap_msgfree
TLS: loaded CA certificate file /etc/openldap/cacerts/sso.abcdef.edu.crt.
TLS: error: the certificate '/etc/openldap/cacerts/sso.abcdef.edu.pem' could not be found in the database - error -12285:Unable to find the certificate or key necessary for authentication..
TLS: certificate '/etc/openldap/cacerts/sso.abcdef.edu.pem' successfully loaded from PEM file.
TLS: could not add the private key '/etc/openldap/cacerts/sso.abcdef.edu.pem' - error -8018:Unknown PKCS #11 error..
TLS: error: could not initialize moznss security context - error -8018:Unknown PKCS #11 error.
TLS: can't create ssl handle.
ldap_err2string
ldap_start_tls: Connect error (-11)
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
  0000:  30 05 02 01 02 42 00                               0....B.
ldap_write: want=7, written=7
  0000:  30 05 02 01 02 42 00                               0....B.
ldap_free_connection: actually freed