On Fri, 2009-12-04 at 22:23 +0530, Chamith Kumarage wrote:
> On Fri, 2009-12-04 at 14:27 +0100, Smaïne Kahlouch wrote:
> > -------- Original Message --------
> > From: Zdenek Styblik <[email protected]>
> > To: [email protected]
> > Cc: [email protected]
> > Subject: Re: Authentication failed with ldaps configuration
> > Date: Thu, 03 Dec 2009 17:03:32 +0100
> >
> > [email protected] wrote:
> > > ----- Original Mail -----
> > > From: "Zdenek Styblik" <[email protected]>
> > > To: [email protected]
> > > Cc: [email protected]
> > > Sent: Wednesday 2 December 2009 16:37:01 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
> > > Subject: Re: Authentication failed with ldaps configuration
> > >
> > > [email protected] wrote:
> > > > Hi everyone,
> > > >
> > > > I configured my ldap server (debian lenny) to listen on port 636 (ldaps) but it doesn't seem to work when issuing a remote connection.
> > > > Perhaps I made a mistake when generating the certificates?
> > > >
> > > > When I try to browse the ldap server from a remote server I get the following message:
> > > > ----------
> > > > r...@vmtest:~# ldapsearch -d 1 -Wx -H ldaps://ldapserver.domain.tld -D cn=admin,dc=domain,dc=tld
> > > > ldap_url_parse_ext(ldaps://ldapserver.domain.tld)
> > > > ldap_create
> > > > ldap_url_parse_ext(ldaps://ldapserver.domain.tld:636/??base)
> > > > Enter LDAP Password:
> > > > ldap_sasl_bind
> > > > ldap_send_initial_request
> > > > ldap_new_connection 1 1 0
> > > > ldap_int_open_connection
> > > > ldap_connect_to_host: TCP ldapserver.domain.tld:636
> > > > ldap_new_socket: 3
> > > > ldap_prepare_socket: 3
> > > > ldap_connect_to_host: Trying 10.10.48.40:636
> > > > ldap_pvt_connect: fd: 3 tm: -1 async: 0
> > > > TLS: peer cert untrusted or revoked (0x42)
> > > > ldap_err2string
> > > > ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> > > > -----------
> > > >
> > > > I generated the certificates with the following command:
> > > > # openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 3650
> > > >
> > > > -----------
> > > >
> > > > Then I tried the connection:
> > > > openssl s_client -connect ldapserver.domain.tld:636 -showcerts
> > > > CONNECTED(00000003)
> > > > depth=0 /C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
> > > > verify error:num=18:self signed certificate
> > > > verify return:1
> > > > depth=0 /C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
> > > > verify return:1
> > > > ---
> > > > Certificate chain
> > > > 0 s:/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
> > > >   i:/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
> > > > ---
> > > > Server certificate
> > > > subject=/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
> > > > issuer=/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
> > > > ---
> > > > No client certificate CA names sent
> > > > ---
> > > > SSL handshake has read 1107 bytes and written 316 bytes
> > > > ---
> > > > New, TLSv1/SSLv3, Cipher is AES256-SHA
> > > > Server public key is 1024 bit
> > > > Compression: NONE
> > > > Expansion: NONE
> > > > SSL-Session:
> > > >     Protocol  : TLSv1
> > > >     Cipher    : AES256-SHA
> > > >     Session-ID: 9EF5F2D4FD72A0D1161C8334537F1ADF60C8B790A3F699B6DC52557E3C95D427
> > > >     Session-ID-ctx:
> > > >     Master-Key: 015D50D6D93F502E37EDB577691F05D157E80A439A2B129B370EEA24E651E828A172E43B3F6D29174BF33B96193202F0
> > > >     Key-Arg   : None
> > > >     Start Time: 1259761586
> > > >     Timeout   : 300 (sec)
> > > >     Verify return code: 18 (self signed certificate)
> > > > ---
> > > >
> > > > ------------------
> > > >
> > > > My ldap.conf
> > > > -----------------
> > > > BASE dc=domain,dc=tld
> > > > URI ldaps://ldapserver.domain.tld/
> > > > TLS_REQCERT allow
> > > >
> > > >
> > > > My slapd.conf:
> > > > ----------------
> > > > ...
> > > > TLSCACertificateFile /etc/ldap/ssl/server.pem
> > > > TLSCertificateFile /etc/ldap/ssl/server.pem
> > > > TLSCertificateKeyFile /etc/ldap/ssl/server.pem
> > > > ...
> > > >
> > > > ------------------
> > > > My /etc/default/slapd.conf
> > > > ...
> > > > SLAPD_SERVICES="ldaps://ldapserver.domain.tld"
> > > > ...
> > > >
> > > > Could you please help me?
> > > >
> > >
> > > Hello,
> > >
> > > are you sure the server is listening at 636?
> > >
> > > --- SNIP ---
> > > ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> > > ------------
> > >
> > > It seems more like a network problem to me.
> > > Please, verify it by % netstat -nlp | grep 636; or eventually by % netstat -nlp | grep 389; at the server.
> > >
> > > Regards,
> > > Zdenek
> > >
> > > Hi Zdenek,
> > >
> > > Yes I am.
> > >
> > > netstat -nlp | grep 636
> > > tcp        0      0 10.10.48.40:636         0.0.0.0:*               LISTEN
> > > netstat -nlp | grep 389
> > >
> > > Logs from the ldap server
> > > -----------
> > > Dec  3 10:10:04 ldapserver slapd[20754]: slap_listener_activate(8):
> > > Dec  3 10:10:04 ldapserver slapd[20754]: >>> slap_listener(ldaps://ldapserver.domain.tld)
> > > Dec  3 10:10:04 ldapserver slapd[20754]: connection_get(14): got connid=42
> > > Dec  3 10:10:04 ldapserver slapd[20754]: connection_read(14): checking for input on id=42
> > > Dec  3 10:10:04 ldapserver slapd[20754]: connection_get(14): got connid=42
> > > Dec  3 10:10:04 ldapserver slapd[20754]: connection_read(14): checking for input on id=42
> > > Dec  3 10:10:04 ldapserver slapd[20754]: connection_read(14): unable to get TLS client DN, error=49 id=42
> > > Dec  3 10:10:04 ldapserver slapd[20754]: connection_get(14): got connid=42
> > > Dec  3 10:10:04 ldapserver slapd[20754]: connection_read(14): checking for input on id=42
> > > Dec  3 10:10:04 ldapserver slapd[20754]: ber_get_next on fd 14 failed errno=0 (Success)
> > > Dec  3 10:10:04 ldapserver slapd[20754]: connection_closing: readying conn=42 sd=14 for close
> > > Dec  3 10:10:04 ldapserver slapd[20754]: connection_close: conn=42 sd=14
> > >
> > > It seems to be a certificate problem.
> > > -----
> > > TLS: peer cert untrusted or revoked
> > > -----
> > >
> > > Do you have any idea?
> > > Grifith
> > >
> >
> > Evening Grifith,
> >
> > I'm sorry I've missed that one. I'm no expert, but I can give you my config files.
> > I've used 'easy-rsa' to generate all certificates. It comes with OpenVPN, but it might be a standalone package in Debian. It's a set of scripts for certificate manipulation, and it surely eases things up.
> > One thing that came to my mind: the certificate "has" to bear the same FQDN as the IP, e.g. if 192.168.1.1 -eq server1.mydomain.tld then the certificate should be generated for and contain server1.mydomain.tld.
> > Another thing is .key files should have chmod 400.
> >
> > --- client side ---
> > cat /etc/openldap/ldap.conf
> >
> > BASE dc=mydomain,dc=tld
> > URI ldaps://server1.mydomain.tld
> > port 636
> > ssl yes
> > #ssl start_tls
> > TLS_CACERT /etc/openldap/ssl/ca.mydomain.crt
> > TLS_CERT /etc/ssl/certs/server2.mydomain.tld.crt
> > TLS_KEY /etc/ssl/private/server2.mydomain.tld.key
> > TLS_REQCERT never
> > TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3
> > ------------------
> >
> > --- server ---
> > cat /etc/openldap/slapd.conf
> > ...
> > TLSCipherSuite HIGH:MEDIUM:+SSLv3
> > TLSCACertificateFile /etc/ssl/certs/ca.mydomain.crt
> > TLSCertificateFile /etc/ssl/certs/server1.mydomain.tld.crt
> > TLSCertificateKeyFile /etc/ssl/private/server1.mydomain.tld.key
> > TLSVerifyClient never
> > ...
> > --------------
> >
> > I hope it helps, at least a bit.
> >
> > Have a nice evening,
> > Zdenek
> >
> > PS: Thunderbird refused to accept the rest of the text for some reason, I had to c&p it inside.
> > --------------------------------
> >
> > Hi,
> >
> > Thanks for your help Zdenek.
> > I made it work with the following configuration:
> >
> >
> > SERVER
> > -------------
> > My slapd.conf:
> > ----------------
> > ...
> > TLSCACertificateFile /etc/ssl/certs/ldap-cert.pem
> > TLSCertificateFile /etc/ssl/certs/ldap-cert.pem
> > TLSCertificateKeyFile /etc/ldap/ssl/ldap-key.pem
> >
> > I created the certificate with this command:
> > # openssl req -config /etc/ssl/openssl.cnf -new -x509 -nodes -out /etc/ssl/certs/ldap-cert.pem -keyout /etc/ldap/ssl/ldap-key.pem -days 999999
> >
> > My ldap.conf:
> > ----------------
> > BASE dc=mydomain,dc=tld
> > URI ldaps://ldapserver.mydomain.tld
> > port 636
> > ssl on
> > ssl start_tls
> > TLS_CACERT /etc/ssl/certs/ldap-cert.pem
> > TLS_REQCERT allow
> >
> > CLIENT
> > ------------
> >
> > The ldap.conf is exactly the same as the server's.
> >
> > And it works!
>
> Hi - I tried the exact same thing but ended up with no luck. I'm on Ubuntu 9.04 (slapd 2.4.15). Though I can see my ldapssl service gets started I cannot perform any ldap operations from the client machine. I think this is because of an SSL issue. When I tried to verify my cert using;
>
> openssl s_client -connect my_ip:636 -showcerts , I'm getting the following error.
>
> 13761:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
>
>
> Any help is appreciated.
>
> Thanks,
> ~Chamith
FYI: Just tested the same setup with Ubuntu 8.04.2 and it works perfectly. Gotta blog about this at saguide.wordpress.com :) Thanks, ~Chamith
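The thread turns on two points: "Can't contact LDAP server" after a `TLS:` line is a trust failure rather than the network problem first suspected, and the working client config only succeeds because `TLS_REQCERT allow` stops libldap from enforcing the verification result at all. The triage helper below is an added example, not code from any poster; its sample trace and ldap.conf are constructed from the output quoted above, and the TLS_REQCERT semantics follow ldap.conf(5) (default `demand`; `never`/`allow` do not fail on an untrusted certificate).

```python
import re

# Constructed sample input: the ldapsearch -d 1 trace quoted in the thread (abridged)
# and the client ldap.conf from the same post.
SAMPLE_TRACE = """\
ldap_connect_to_host: TCP ldapserver.domain.tld:636
ldap_connect_to_host: Trying 10.10.48.40:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: peer cert untrusted or revoked (0x42)
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
"""
SAMPLE_CONF = "BASE dc=domain,dc=tld\nURI ldaps://ldapserver.domain.tld/\nTLS_REQCERT allow\n"


def classify_trace(trace):
    """Locate the failure. libldap only starts TLS after the TCP connect has
    succeeded, so a 'TLS:' line before the bind error rules out a network problem."""
    tls_lines = [l for l in trace.splitlines() if l.startswith("TLS:")]
    bind_failed = "Can't contact LDAP server" in trace
    if tls_lines and bind_failed:
        return "tls"      # server reachable; certificate / trust failure
    if bind_failed:
        return "network"  # never reached TLS: port, firewall or listener
    return "ok"


def parse_tls_conf(conf):
    """Collect the TLS_* keywords from an ldap.conf (keywords are case-insensitive)."""
    opts = {}
    for line in conf.splitlines():
        m = re.match(r"\s*(TLS_\w+)\s+(\S+)", line, re.IGNORECASE)
        if m:
            opts[m.group(1).upper()] = m.group(2)
    return opts


def verification_findings(conf):
    """Report why this ldap.conf will not actually verify the server certificate."""
    opts = parse_tls_conf(conf)
    reqcert = opts.get("TLS_REQCERT", "demand").lower()  # ldap.conf(5) default
    findings = []
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: untrusted server certificate is accepted")
    if "TLS_CACERT" not in opts and "TLS_CACERTDIR" not in opts:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: a self-signed cert cannot be trusted")
    return findings


def hardened_conf(conf, cacert_path):
    """Rewrite ldap.conf so the server cert is verified against cacert_path
    (for a self-signed setup: the server's own ldap-cert.pem copied to the client)."""
    kept = [l for l in conf.splitlines()
            if not re.match(r"\s*TLS_(REQCERT|CACERT)\b", l, re.IGNORECASE)]
    return "\n".join(kept + [f"TLS_CACERT {cacert_path}", "TLS_REQCERT demand"]) + "\n"
```

With `TLS_REQCERT demand` and the server's certificate as `TLS_CACERT`, the client fails closed on a wrong or substituted certificate instead of silently binding through it; the certificate's CN (or SAN) must still match the host name in the URI for the check to pass.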
