OK... So I think I made some progress on this issue.... Here is my /etc/ldap.conf file:
    cat /etc/ldap.conf
    #host 127.0.0.1
    base cn=users,dc=testing,dc=com
    uri ldaps://localhost
    binddn cn=manager,dc=testing,dc=com
    bindpw password
    scope sub
    timelimit 120
    bind_policy soft
    bind_timelimit 120
    idle_timelimit 3600
    ssl on
    tls_cacert /etc/openldap/cacerts/ca.key
    tls_cacertdir /etc/openldap/cacerts
    tls_checkpeer no
    tls_reqcert allow
    nss_base_group cn=groups,dc=testing,dc=com?sub
    pam_password md5

When I use "tcpdump" to actually view the packets, everything appears to be encrypted, and I get the results I am looking for when I issue the "getent passwd" command. However, when I change "tls_checkpeer" to "yes" or comment it out of the config, I do not get the expected results from 'getent passwd'. Also, here is the output from the ldapsearch debug:

    ldapsearch -d1 -x -H ldaps://localhost:636/
    ldap_create
    ldap_url_parse_ext(ldaps://localhost:636/)
    ldap_bind
    ldap_simple_bind
    ldap_sasl_bind
    ldap_send_initial_request
    ldap_new_connection 1 1 0
    ldap_int_open_connection
    ldap_connect_to_host: TCP localhost:636
    ldap_new_socket: 3
    ldap_prepare_socket: 3
    ldap_connect_to_host: Trying 127.0.0.1:636
    ldap_connect_timeout: fd: 3 tm: -1 async: 0
    TLS trace: SSL_connect:before/connect initialization
    TLS trace: SSL_connect:SSLv2/v3 write client hello A
    TLS trace: SSL_connect:SSLv3 read server hello A
    TLS certificate verification: depth: 0, err: 18, subject: /C=US/ST=Pennsylvania/L=King of Prussia/O=MavenWire, LLC/OU=Support/CN=testing.com/[email protected], issuer: /C=US/ST=Pennsylvania/L=King of Prussia/O=MavenWire, LLC/OU=Support/CN=testing.com/[email protected]
    TLS certificate verification: Error, self signed certificate
    TLS trace: SSL3 alert write:fatal:unknown CA
    TLS trace: SSL_connect:error in SSLv3 read server certificate B
    TLS trace: SSL_connect:error in SSLv3 read server certificate B
    TLS: can't connect.
    ldap_perror
    ldap_bind: Can't contact LDAP server (-1)
            additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

When I issue a search using just ldap://localhost it works, but the data is not encrypted. How does it encrypt the data if it can't verify the certificate?

-Lynn

-----Original Message-----
From: Howard Chu [mailto:[email protected]]
Sent: Monday, April 12, 2010 2:09 PM
To: Chris Jacobs
Cc: '[email protected]'; '[email protected]'
Subject: Re: Problem with SSL/TLS

Chris Jacobs wrote:
> /etc/ldap.conf is used by nss tools and the ilk.
>
> /etc/openldap/ldap.conf would be used by openldap tools - like ldapsearch.

Actually it's used by libldap, which means everything that uses libldap
(including nss_ldap). But of course the converse is not true: /etc/ldap.conf
only affects nss_ldap and pam_ldap, not anything else.

> I have the same setting there for tls_checkpeer - but in the latter
> ldap.conf (under openldap).

tls_checkpeer is not a valid OpenLDAP ldap.conf keyword.

> FWIW: there's apparently no real different format for the two files; while
> one would only be setup on ldap servers, mine are identical and things work
> with a

If they are identical and things work, it's by sheer luck. Read the
ldap.conf(5) manpage. Relying on anything not documented there would be a
mistake.

To the original poster: use the ldapsearch debug flag. OpenSSL s_client is
not a reliable indicator of anything.

> mirror master, both setup behind a VIP (fail over, not load balanced) and
> a plethora of slaves in different subdomains.
>
> - chris
>
> PS: I'd forgotten to 'reply-to-all' earlier.
> :)
>
> Chris Jacobs, Systems Administrator
> Apollo Group | Apollo Marketing | Aptimus
> 2001 6th Ave Ste 3200 | Seattle, WA 98121
> phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661
> email: [email protected]
>
> ------------------------------------------------------------------------------
> *From*: Lynn York
> *To*: Chris Jacobs
> *Sent*: Mon Apr 12 10:29:19 2010
> *Subject*: RE: Problem with SSL/TLS
>
> Here is my /etc/ldap.conf:
>
>     #host 127.0.0.1
>     base cn=users,dc=testing,dc=com
>     uri ldap://localhost:636
>     binddn cn=manager,dc=testing,dc=com
>     bindpw password
>     scope sub
>     timelimit 120
>     bind_policy soft
>     bind_timelimit 120
>     idle_timelimit 3600
>     ssl on
>     tls_cacert /etc/openldap/cacerts/servercrt.pem
>     tls_cacertdir /etc/openldap/cacerts
>     tls_checkpeer no
>     nss_base_group cn=groups,dc=testing,dc=com?sub
>     pam_password md5
>
> I have tried it with and without "tls_checkpeer". I am sort of at a loss as
> to what it can be. I also tested it using openssl client, and here is the
> output:
>
> *From*: openldap-technical-bounces+chris.jacobs=apollogrp.edu@OpenLDAP.org
> *To*: [email protected]
> *Sent*: Mon Apr 12 08:13:39 2010
> *Subject*: Problem with SSL/TLS
>
> I have created a cert. on the server and openldap starts without any issues;
> however, when I attempt to connect via ldaps I keep getting the following
> error:
>
>     ldapsearch -x -H ldaps://localhost:636 -D "cn=Manager,dc=testing,dc=com" -W -b "dc=testing,dc=com" "(objectClass=top)"
>     Enter LDAP Password:
>     ldap_bind: Can't contact LDAP server (-1)
>             additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> I can't quite pinpoint what the problem might be.

-- 
  -- Howard Chu
  CTO, Symas Corp.
  http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

MavenWire - We DELIVER http://www.mavenwire.com
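A worked illustration of the two halves of the problem in the thread, added here as an example and not code from the thread, from OpenLDAP or from nss_ldap. The "err: 18" in the -d1 trace is OpenSSL's X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: the server presented a self-signed certificate and libldap found no trust anchor for it. The posted config points tls_cacert at ca.key, which is a private key rather than a certificate, so no anchor can be loaded from it (tls_cacertdir only helps if the directory holds hash-named certificates, as produced by c_rehash). With tls_checkpeer no / tls_reqcert allow the handshake still completes and the session is encrypted, which is why tcpdump shows ciphertext, but the peer is never authenticated, so any host that answers on port 636 is accepted. A plain ldap:// URI without StartTLS encrypts nothing. The script below reproduces the error 18 rejection with openssl verify (no server process, no s_client), shows the same certificate accepted once it is supplied as the trust anchor, and audits the posted settings beside a corrected set. The certificate subject, the /etc/openldap/cacerts/ca.crt path and the config excerpts are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Reproduces the "err: 18 ... self signed
# certificate" failure from the ldapsearch -d1 trace with "openssl verify",
# shows it pass once the self-signed server certificate is the trust anchor,
# and audits the posted /etc/ldap.conf for settings that skip peer
# authentication. Requires the openssl command-line tool.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the poster's self-signed server certificate; the
# subject is an assumption, not the real certificate from the trace.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=US/O=Example/CN=testing.com" \
        -keyout "$WORK/server.key" -out "$WORK/server.crt" >/dev/null 2>&1
}

# verify_against CAFILE: the chain check libldap performs when tls_checkpeer
# is yes / tls_reqcert is demand. An empty CAFILE means "no usable trust
# anchor", which is what a tls_cacert pointing at a private key (ca.key)
# amounts to. Prints "accepted" or "rejected:<openssl error code>".
verify_against() {
    if [ -n "${1:-}" ]; then
        out=$(openssl verify -no-CApath -CAfile "$1" "$WORK/server.crt" 2>&1) && { echo accepted; return 0; }
    else
        out=$(openssl verify -no-CAfile -no-CApath "$WORK/server.crt" 2>&1) && { echo accepted; return 0; }
    fi
    # openssl verify reports e.g. "error 18 at 0 depth lookup: self signed certificate"
    code=$(printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup.*/\1/p' | head -n 1)
    echo "rejected:${code:-unknown}"
}

# audit_ldap_conf: read an nss_ldap/pam_ldap ldap.conf on stdin and print one
# line per setting that leaves the server unauthenticated (encrypted, but
# open to anyone presenting any certificate on port 636).
audit_ldap_conf() {
    while read -r key value; do
        k=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
        v=$(printf '%s' "$value" | tr 'A-Z' 'a-z')
        case "$k:$v" in
            tls_checkpeer:no)
                echo "weak: tls_checkpeer no - server certificate is never verified" ;;
            tls_reqcert:never|tls_reqcert:allow)
                echo "weak: tls_reqcert $v - a bad or missing certificate is still accepted" ;;
            tls_cacert:*.key)
                echo "weak: tls_cacert $value is a private key, not a CA certificate PEM" ;;
        esac
    done
}

# Constructed excerpt of the settings posted in the thread.
POSTED_CONF='uri ldaps://localhost
ssl on
tls_cacert /etc/openldap/cacerts/ca.key
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer no
tls_reqcert allow'

# Same excerpt with peer authentication on. ca.crt is an assumed path for the
# CA certificate (for a self-signed server cert, the server cert itself).
FIXED_CONF='uri ldaps://localhost
ssl on
tls_cacert /etc/openldap/cacerts/ca.crt
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer yes
tls_reqcert demand'

# count_weak CONF: number of weak settings audit_ldap_conf reports for CONF.
count_weak() {
    printf '%s\n' "$1" | audit_ldap_conf | wc -l | tr -d ' '
}

make_selfsigned
echo "no trust anchor:              $(verify_against "")"
echo "server cert as trust anchor:  $(verify_against "$WORK/server.crt")"
echo "weak settings in posted conf: $(count_weak "$POSTED_CONF")"
printf '%s\n' "$POSTED_CONF" | audit_ldap_conf
echo "weak settings in fixed conf:  $(count_weak "$FIXED_CONF")"
```

tls_checkpeer and tls_reqcert are nss_ldap/pam_ldap keywords for /etc/ldap.conf; the libldap file /etc/openldap/ldap.conf that ldapsearch reads uses TLS_CACERT and TLS_REQCERT instead (see ldap.conf(5)), which is why the same keyword in both files does not give the same behaviour.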
