On Fri, 2009-12-04 at 14:27 +0100, Smaïne Kahlouch wrote:
> -------- Original Message --------
> From: Zdenek Styblik <[email protected]>
> To: [email protected]
> Cc: [email protected]
> Subject: Re: Authentication failed with ldaps configuration
> Date: Thu, 03 Dec 2009 17:03:32 +0100
>
> [email protected] wrote:
> > ----- Original Mail -----
> > From: "Zdenek Styblik" <[email protected]>
> > To: [email protected]
> > Cc: [email protected]
> > Sent: Wednesday 2 December 2009 16:37:01 GMT +01:00 Amsterdam / Berlin / Berne / Rome / Stockholm / Vienna
> > Subject: Re: Authentication failed with ldaps configuration
> >
> > [email protected] wrote:
> >> Hi everyone,
> >>
> >> I configured my LDAP server (Debian lenny) to listen on port 636 (ldaps) but it doesn't seem to work when issuing a remote connection.
> >> Perhaps I made a mistake when generating the certificates?
> >>
> >> When I try to browse the LDAP server from a remote server I get the following message:
> >> ----------
> >> r...@vmtest:~# ldapsearch -d 1 -Wx -H ldaps://ldapserver.domain.tld -D cn=admin,dc=domain,dc=tld
> >> ldap_url_parse_ext(ldaps://ldapserver.domain.tld)
> >> ldap_create
> >> ldap_url_parse_ext(ldaps://ldapserver.domain.tld:636/??base)
> >> Enter LDAP Password:
> >> ldap_sasl_bind
> >> ldap_send_initial_request
> >> ldap_new_connection 1 1 0
> >> ldap_int_open_connection
> >> ldap_connect_to_host: TCP ldapserver.domain.tld:636
> >> ldap_new_socket: 3
> >> ldap_prepare_socket: 3
> >> ldap_connect_to_host: Trying 10.10.48.40:636
> >> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> >> TLS: peer cert untrusted or revoked (0x42)
> >> ldap_err2string
> >> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> >> -----------
> >>
> >> I generated the certificates with the following command:
> >> # openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 3650
> >>
> >> -----------
> >>
> >> Then I tried the connection:
> >> openssl s_client -connect ldapserver.domain.tld:636 -showcerts
> >> CONNECTED(00000003)
> >> depth=0 /C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
> >> verify error:num=18:self signed certificate
> >> verify return:1
> >> depth=0 /C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
> >> verify return:1
> >> ---
> >> Certificate chain
> >> 0 s:/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
> >> i:/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
> >> -----BEGIN CERTIFICATE-----
> >> [base64 certificate body omitted]
> >> -----END CERTIFICATE-----
> >> ---
> >> Server certificate
> >> subject=/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
> >> issuer=/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
> >> ---
> >> No client certificate CA names sent
> >> ---
> >> SSL handshake has read 1107 bytes and written 316 bytes
> >> ---
> >> New, TLSv1/SSLv3, Cipher is AES256-SHA
> >> Server public key is 1024 bit
> >> Compression: NONE
> >> Expansion: NONE
> >> SSL-Session:
> >> Protocol : TLSv1
> >> Cipher : AES256-SHA
> >> Session-ID: 9EF5F2D4FD72A0D1161C8334537F1ADF60C8B790A3F699B6DC52557E3C95D427
> >> Session-ID-ctx:
> >> Master-Key: 015D50D6D93F502E37EDB577691F05D157E80A439A2B129B370EEA24E651E828A172E43B3F6D29174BF33B96193202F0
> >> Key-Arg : None
> >> Start Time: 1259761586
> >> Timeout : 300 (sec)
> >> Verify return code: 18 (self signed certificate)
> >> ---
> >>
> >> ------------------
> >>
> >> My ldap.conf
> >> -----------------
> >> BASE dc=domain,dc=tld
> >> URI ldaps://ldapserver.domain.tld/
> >> TLS_REQCERT allow
> >>
> >>
> >> My slapd.conf:
> >> ----------------
> >> ...
> >> TLSCACertificateFile /etc/ldap/ssl/server.pem
> >> TLSCertificateFile /etc/ldap/ssl/server.pem
> >> TLSCertificateKeyFile /etc/ldap/ssl/server.pem
> >> ...
> >>
> >> ------------------
> >> My /etc/default/slapd.conf
> >> ...
> >> SLAPD_SERVICES="ldaps://ldapserver.domain.tld"
> >> ...
> >>
> >> Could you please help me?
> >>
> >
> > Hello,
> >
> > are you sure the server is listening at 636?
> >
> > --- SNIP ---
> > ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> > ------------
> >
> > It seems more like a network problem to me.
> > Please, verify it by % netstat -nlp | grep 636; or eventually by % netstat -nlp | grep 389; at the server.
> >
> > Regards,
> > Zdenek
> >
> > Hi Zdenek,
> >
> > Yes I am.
> >
> > netstat -nlp | grep 636
> > tcp 0 0 10.10.48.40:636 0.0.0.0:* LISTEN
> > netstat -nlp | grep 389
> >
> > Logs from the LDAP server
> > -----------
> > Dec 3 10:10:04 ldapserver slapd[20754]: slap_listener_activate(8):
> > Dec 3 10:10:04 ldapserver slapd[20754]: >>> slap_listener(ldaps://ldapserver.domain.tld)
> > Dec 3 10:10:04 ldapserver slapd[20754]: connection_get(14): got connid=42
> > Dec 3 10:10:04 ldapserver slapd[20754]: connection_read(14): checking for input on id=42
> > Dec 3 10:10:04 ldapserver slapd[20754]: connection_get(14): got connid=42
> > Dec 3 10:10:04 ldapserver slapd[20754]: connection_read(14): checking for input on id=42
> > Dec 3 10:10:04 ldapserver slapd[20754]: connection_read(14): unable to get TLS client DN, error=49 id=42
> > Dec 3 10:10:04 ldapserver slapd[20754]: connection_get(14): got connid=42
> > Dec 3 10:10:04 ldapserver slapd[20754]: connection_read(14): checking for input on id=42
> > Dec 3 10:10:04 ldapserver slapd[20754]: ber_get_next on fd 14 failed errno=0 (Success)
> > Dec 3 10:10:04 ldapserver slapd[20754]: connection_closing: readying conn=42 sd=14 for close
> > Dec 3 10:10:04 ldapserver slapd[20754]: connection_close: conn=42 sd=14
> >
> > It seems to be a certificate problem.
> > -----
> > TLS: peer cert untrusted or revoked
> > -----
> >
> > Do you have any idea?
> > Grifith
>
> Evening Grifith,
>
> I'm sorry I've missed that one. I'm no expert, but I can give you my config files.
> I've used 'easy-rsa' to generate all certificates. It comes with OpenVPN, but it might be available as a standalone package in Debian. It's a set of scripts for certificate manipulation, and it surely eases things up.
> One thing that came to my mind: the certificate "has" to bear the same FQDN as the IP, e.g. if 192.168.1.1 -eq server1.mydomain.tld then the certificate should be generated for and contain server1.mydomain.tld.
> Another thing is that .key files should have chmod 400.
>
> --- client side ---
> cat /etc/openldap/ldap.conf
>
> BASE dc=mydomain,dc=tld
> URI ldaps://server1.mydomain.tld
> port 636
> ssl yes
> #ssl start_tls
> TLS_CACERT /etc/openldap/ssl/ca.mydomain.crt
> TLS_CERT /etc/ssl/certs/server2.mydomain.tld.crt
> TLS_KEY /etc/ssl/private/server2.mydomain.tld.key
> TLS_REQCERT never
> TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3
> ------------------
>
> --- server ---
> cat /etc/openldap/slapd.conf
> ...
> TLSCipherSuite HIGH:MEDIUM:+SSLv3
> TLSCACertificateFile /etc/ssl/certs/ca.mydomain.crt
> TLSCertificateFile /etc/ssl/certs/server1.mydomain.tld.crt
> TLSCertificateKeyFile /etc/ssl/private/server1.mydomain.tld.key
> TLSVerifyClient never
> ...
> --------------
>
> I hope it helps, at least a bit.
>
> Have a nice evening,
> Zdenek
>
> PS: Thunderbird refused to accept the rest of the text for some reason, I had to c&p it inside.
> --------------------------------
>
> Hi,
>
> Thanks for your help, Zdenek.
> I made it work with the following configuration:
>
>
> SERVER
> -------------
> My slapd.conf:
> ----------------
> ...
> TLSCACertificateFile /etc/ssl/certs/ldap-cert.pem
> TLSCertificateFile /etc/ssl/certs/ldap-cert.pem
> TLSCertificateKeyFile /etc/ldap/ssl/ldap-key.pem
>
> I created the certificate with this command:
> # openssl req -config /etc/ssl/openssl.cnf -new -x509 -nodes -out /etc/ssl/certs/ldap-cert.pem -keyout /etc/ldap/ssl/ldap-key.pem -days 999999
>
> My ldap.conf:
> ----------------
> BASE dc=mydomain,dc=tld
> URI ldaps://ldapserver.mydomain.tld
> port 636
> ssl on
> ssl start_tls
> TLS_CACERT /etc/ssl/certs/ldap-cert.pem
> TLS_REQCERT allow
>
> CLIENT
> ------------
>
> The ldap.conf is exactly the same as the server's.
>
> And it works!
Hi - I tried the exact same thing but ended up with no luck. I'm on Ubuntu 9.04 (slapd 2.4.15). Though I can see my ldapssl service gets started, I cannot perform any LDAP operations from the client machine. I think this is because of an SSL issue.

When I tried to verify my cert using:

openssl s_client -connect my_ip:636 -showcerts

I'm getting the following error:

13761:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

Any help is appreciated.

Thanks,
~Chamith
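The certificate checks the thread circles around (a CN/SAN that matches the ldaps:// URI hostname, a client that trusts the issuer through TLS_CACERT, and a key file that is not world-readable), as an added shell example that is not part of this thread or of OpenLDAP. It shows what a client set to TLS_REQCERT demand would verify, rather than the allow/never settings in the thread, which skip the check. Function names, the hostnames and the temporary paths are constructed; it assumes OpenSSL 1.1.1 or later (for -addext).

```shell
#!/bin/sh
# Added example, not from the thread. Generates a self-signed LDAPS server
# certificate whose CN and subjectAltName match the slapd URI hostname, then
# applies the checks a client with TLS_REQCERT demand performs.
# Assumes OpenSSL >= 1.1.1 (for -addext); hostnames and paths are constructed.

# make_ldaps_cert HOST KEYFILE CERTFILE
# Key and certificate go to separate files (the thread's server.pem held both),
# so the cert can be copied to clients as TLS_CACERT without the private key.
make_ldaps_cert() {
  host="$1"; keyfile="$2"; certfile="$3"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/C=FR/ST=Some-State/L=Paris/O=firm/CN=$host" \
    -addext "subjectAltName=DNS:$host" \
    -keyout "$keyfile" -out "$certfile" >/dev/null 2>&1
  chmod 400 "$keyfile"   # private key readable by its owner only, as in the thread
}

# check_ldaps_cert HOST CAFILE CERTFILE
# Emulates the client side: CAFILE plays the role of TLS_CACERT, HOST is the
# hostname from the ldaps:// URI. Prints one of: ok, mismatch, untrusted.
check_ldaps_cert() {
  host="$1"; cafile="$2"; certfile="$3"
  if openssl verify -CAfile "$cafile" -verify_hostname "$host" "$certfile" >/dev/null 2>&1; then
    echo ok          # trusted issuer and matching name: TLS_REQCERT demand passes
  elif openssl verify -CAfile "$cafile" "$certfile" >/dev/null 2>&1; then
    echo mismatch    # trusted, but CN/SAN differ from the URI hostname
  else
    echo untrusted   # issuer not in TLS_CACERT: the "peer cert untrusted" case
  fi
}

# key_is_private KEYFILE: true when group and world permission bits are all clear
key_is_private() {
  [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Stand-alone demonstration in a throwaway directory.
main() {
  work="$(mktemp -d)"
  make_ldaps_cert ldapserver.domain.tld "$work/ldap-key.pem" "$work/ldap-cert.pem"
  echo "same host, own cert as CA:  $(check_ldaps_cert ldapserver.domain.tld "$work/ldap-cert.pem" "$work/ldap-cert.pem")"
  echo "other host, own cert as CA: $(check_ldaps_cert other.domain.tld "$work/ldap-cert.pem" "$work/ldap-cert.pem")"
  key_is_private "$work/ldap-key.pem" && echo "key permissions: ok"
  rm -rf "$work"
}

main "$@"
```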
