Re: Openldap 2.4.40-13.el7 on CentOS 7 and SSL/TLS
- To: openldap-technical@openldap.org
- Subject: Re: Openldap 2.4.40-13.el7 on CentOS 7 and SSL/TLS
- From: Christopher Wood <christopher_wood@pobox.com>
- Date: Fri, 22 Sep 2017 16:32:42 -0400
- In-reply-to: <20170922201643.B211C732214@sharky3.deepsoft.com>
- References: <20170922201643.B211C732214@sharky3.deepsoft.com>
- User-agent: NeoMutt/20170113 (1.7.2)
Two things I notice from below:
olcTLSCACertificateFile: /etc/openldap/certs/ca_cert.pem
-rw-r--r--. 1 root root 1696 Sep 22 14:18 ca-cert.pem
Underscore in the first, dash in the second.
Per netstat you're running ldaps on 636 so you can start your TLS diagnostics with openssl and work your way down to ldapsearch.
openssl s_client -CApath /etc/openldap/certs -connect host:636
(if I recall correctly)
ldapsearch -H ldaps://host:636 -x -D binddn -W '(objectClass=*)'
(or something)
On Fri, Sep 22, 2017 at 04:16:43PM -0400, Robert Heller wrote:
> What is the *correct* way to set up Openldap to use SSL/TLS? The
> documentation is somewhat confusing.
>
> My cn=config.ldif file looks like this:
>
> dn: cn=config
> objectClass: olcGlobal
> cn: config
> olcArgsFile: /var/run/openldap/slapd.args
> olcPidFile: /var/run/openldap/slapd.pid
> olcTLSCACertificatePath: /etc/openldap/certs
> olcTLSCACertificateFile: /etc/openldap/certs/ca_cert.pem
> olcTLSCertificateFile: /etc/openldap/certs/c764guest.cert
> olcTLSCertificateKeyFile: /etc/openldap/certs/privkey.pem
> structuralObjectClass: olcGlobal
> entryUUID: 7e6a3298-30da-1037-9c4f-458bcc6c0ce0
> creatorsName: cn=config
> createTimestamp: 20170918163057Z
> entryCSN: 20170918163057.597791Z#000000#000#000000
> modifiersName: cn=config
> modifyTimestamp: 20170918163057Z
>
> in /etc/openldap/certs are these files:
>
> [root@c764guest heller]# ls -l /etc/openldap/certs
> total 104
> -rw-r--r--. 1 root root 5137 Sep 22 14:42 c764guest.cert
> -rw-r--r--. 1 root root 1074 Sep 22 14:37 c764guest.csr
> -rw-r--r--. 1 root root 1696 Sep 22 14:18 ca-cert.pem
> -rw-r--r--. 1 root root 65536 Sep 18 12:30 cert8.db
> -rw-r--r--. 1 root root 16384 Sep 18 12:30 key3.db
> -r--r-----. 1 root ldap 45 Jan 10 2016 password
> -rw-r--r--. 1 root root 1834 Sep 22 14:37 privkey.pem
> -rw-r--r--. 1 root root 16384 Jan 10 2016 secmod.db
>
> /etc/sysconfig/slapd contains:
>
> # OpenLDAP server configuration
> # see 'man slapd' for additional information
>
> # Where the server will run (-h option)
> # - ldapi:/// is required for on-the-fly configuration using client tools
> # (use SASL with EXTERNAL mechanism for authentication)
> # - default: ldapi:/// ldap:///
> # - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:///
> SLAPD_URLS="ldapi:/// ldap://127.0.0.1/ ldap://192.168.250.98/ ldaps:///"
>
> # Any custom options
> #SLAPD_OPTIONS="-s 128"
>
> # Keytab location for GSSAPI Kerberos authentication
> #KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
>
> /etc/openldap/ldap.conf contains:
>
> #
> # LDAP Defaults
> #
>
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
>
> BASE dc=deepsoft,dc=com
> URI ldaps://192.168.250.98/
> TLS_CACERT /etc/openldap/certs/ca-cert.pem
> TLS_CACERTDIR /etc/openldap/certs
> TLS_REQCERT demand
>
> #SIZELIMIT 12
> #TIMELIMIT 15
> #DEREF never
>
> TLS_CACERTDIR /etc/openldap/cacerts
>
> # Turning this off breaks GSSAPI used with krb5 when rdns = false
> SASL_NOCANON on
>
>
> But now when I try to do a ldapsearch I get:
>
> [heller@c764guest ~]$ ldapsearch -x
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
> even though:
> [root@c764guest heller]# netstat -a|grep ldap
> tcp 0 0 0.0.0.0:ldaps 0.0.0.0:* LISTEN
> tcp 0 0 c764guest.deepsoft:ldap 0.0.0.0:* LISTEN
> tcp 0 0 localhost:ldap 0.0.0.0:* LISTEN
> tcp 0 0 c764guest.deepsof:33302 c764guest.deepsoft:ldap ESTABLISHED
> tcp 0 0 c764guest.deepsoft:ldap c764guest.deepsof:33302 ESTABLISHED
> tcp6 0 0 [::]:ldaps [::]:* LISTEN
>
> Is this correct? I am not sure if I should be using ldaps:/// or not. And I
> am not sure what the proper "magic" to get TLS working is.
>
>
>
>
> --
> Robert Heller -- 978-544-6933
> Deepwoods Software -- Custom Software Services
> http://www.deepsoft.com/ -- Linux Administration Services
> heller@deepsoft.com -- Webhosting Services
>
>
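Worked example, added here and not part of the thread or of OpenLDAP itself: a small POSIX shell script that does the offline half of the diagnosis Christopher outlines (do the files cn=config names actually exist on disk, does ldap.conf set the same directive twice, is the private key readable by everyone) and, only when given a host, the live half in his order: openssl first, then the LDAP client tools. The scratch directory, the empty placeholder files, dc=example,dc=com and the host name ldap.example.com are constructed to mirror Robert's listing (including the ca_cert.pem versus ca-cert.pem mismatch and the 0644 privkey.pem); the function names and the DEMO_* variables are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the TLS settings handed to
# slapd and to the ldap client before probing anything over the network.

# check_tls_files LDIF
# For every olcTLS* attribute that names a file, report "MISSING attr path" on
# stderr when the path is absent or unreadable; print the number missing on stdout.
check_tls_files() {
    ldif=$1
    missing=0
    for attr in olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile; do
        path=$(awk -v a="$attr:" '$1 == a { print $2 }' "$ldif")
        [ -n "$path" ] || continue
        if [ ! -r "$path" ]; then
            echo "MISSING $attr $path" >&2
            missing=$((missing + 1))
        fi
    done
    echo "$missing"
}

# duplicate_directives LDAP_CONF
# Print each ldap.conf directive that appears more than once; a stray second
# TLS_CACERTDIR is easy to miss and leaves you unsure which directory is in effect.
duplicate_directives() {
    awk '/^[A-Z_]+[ \t]/ { print $1 }' "$1" | sort | uniq -d
}

# key_not_world_readable KEYFILE
# Return 0 when the private key has no "other" permission bits.  slapd on el7
# runs as the ldap user, so root:ldap 0640 or ldap:ldap 0600 is what you want.
key_not_world_readable() {
    case $(ls -ld "$1" | cut -c8-10) in
        ---) return 0 ;;
        *)   echo "WARNING: $1 is world-readable ($(ls -ld "$1" | cut -c1-10))" >&2
             return 1 ;;
    esac
}

# probe_tls HOST CAFILE [BINDDN]
# Live checks; needs network access and real certificates, so not run by default.
probe_tls() {
    host=$1; cafile=$2; binddn=${3:-}
    # 1. Does the ldaps listener complete a handshake, and does its chain verify
    #    against the CA we intend to trust?  -verify_return_error makes a chain
    #    failure abort instead of being printed and ignored.
    openssl s_client -connect "$host:636" -servername "$host" \
        -CAfile "$cafile" -verify_return_error </dev/null
    # 2. Anonymous rootDSE read over ldaps, with the CA and demand mode forced
    #    from the environment so a broken ldap.conf cannot mask the result.
    LDAPTLS_CACERT=$cafile LDAPTLS_REQCERT=demand \
        ldapsearch -H "ldaps://$host:636" -x -s base -b '' '(objectClass=*)' namingContexts
    # 3. Plain ldap:// with StartTLS required (-ZZ), then a bind if a DN was given.
    if [ -n "$binddn" ]; then
        LDAPTLS_CACERT=$cafile LDAPTLS_REQCERT=demand \
            ldapwhoami -H "ldap://$host/" -ZZ -x -D "$binddn" -W
    else
        LDAPTLS_CACERT=$cafile LDAPTLS_REQCERT=demand ldapwhoami -H "ldap://$host/" -ZZ -x
    fi
}

# --- constructed demo mirroring the thread's layout in a scratch directory ---
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
for f in c764guest.cert ca-cert.pem privkey.pem; do : > "$DEMO_DIR/$f"; done
chmod 644 "$DEMO_DIR/privkey.pem"          # same mode as in Robert's listing
DEMO_LDIF=$DEMO_DIR/config.ldif
cat > "$DEMO_LDIF" <<EOF
dn: cn=config
objectClass: olcGlobal
olcTLSCACertificatePath: $DEMO_DIR
olcTLSCACertificateFile: $DEMO_DIR/ca_cert.pem
olcTLSCertificateFile: $DEMO_DIR/c764guest.cert
olcTLSCertificateKeyFile: $DEMO_DIR/privkey.pem
EOF
DEMO_LDAPCONF=$DEMO_DIR/ldap.conf
cat > "$DEMO_LDAPCONF" <<EOF
BASE dc=example,dc=com
URI ldaps://ldap.example.com/
TLS_CACERT $DEMO_DIR/ca-cert.pem
TLS_CACERTDIR $DEMO_DIR
TLS_REQCERT demand
TLS_CACERTDIR /etc/openldap/cacerts
SASL_NOCANON on
EOF

echo "missing files: $(check_tls_files "$DEMO_LDIF")"                   # 1 (ca_cert.pem)
echo "duplicated directives: $(duplicate_directives "$DEMO_LDAPCONF")"  # TLS_CACERTDIR
key_not_world_readable "$DEMO_DIR/privkey.pem" || true
# Usage for the live part: sh thisscript.sh ldap.example.com /etc/openldap/certs/ca-cert.pem
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then probe_tls "$1" "$2" "${3:-}"; fi
```

If a client step fails with the thread's bare `Can't contact LDAP server (-1)`, rerun it with `-d 1`: libldap reports the TLS verification failure in the debug output rather than in that error string. One further caveat for this particular platform: the cert8.db, key3.db and secmod.db files in Robert's listing are a Mozilla NSS certificate database, which is what the CentOS 7 openldap packages are built against, so olcTLSCACertificatePath and TLS_CACERTDIR there name an NSS database rather than an OpenSSL c_rehash directory; check the slapd-config(5) and ldap.conf(5) pages shipped with the package for how the file and path directives interact before pointing both at the same directory.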