RE: Openldap server with TLS not working

[Christian Kratzer]

Hi,

On Thu, 3 Oct 2013, Axel Grosse wrote:

Hi Ben, Dieter
can we focus on LDAPS because TLS1 is not an option and even if LDAPS is 
deprecated I should be able to configure it ..

TLSCACertificateFile /etc/openldap/ssl/VordelCA.crt
TLSCertificateFile /etc/openldap/ssl/VordelDev.crt
TLSCertificateKeyFile /etc/openldap/ssl/VordelDev.key
TLSVerifyClient never


are this entries in the slapd.conf sutable for LDAPS ?
if not whats missing ?

start the server with
/usr/sbin/slapd -h ldap://192.168.30.169:636 -u ldap

in that case you need ldaps:// and not ldap:/ in the url. Now you are starting 
plaintext ldap on port 636.

Please just start slapd without any host specification and test using openssl 
s_client connect target:636

After that works start trimming down the ports slapd binds to.


Greetings
Christian

thanks a lot
Axel


AXEL GROSSE
Principal Solution Architect, Sales Solution Center, Axway
P: +61-405-995-768
828 Pacific Highway
Gordon, 2072 NSW
agro...@axway.com
http://www.axway.com


-----Original Message-----
From: openldap-technical-boun...@openldap.org 
[mailto:openldap-technical-boun...@openldap.org] On Behalf Of Dieter Klünter
Sent: Thursday, 3 October 2013 6:46 PM
To: openldap-technical@openldap.org
Subject: Re: Openldap server with TLS not working

Am Thu, 3 Oct 2013 00:16:28 +0000
schrieb Axel Grosse <agro...@axway.com>:

Hi ben,
thanks for the comment.
agree with you on TLS usage should be perferred
but the client that is connecting is only capable of LDAPS ... he has
not implemented TLS Client jet .

But can you please take a look to the error I am facing

openssl s_client -connect 192.168.30.169:389 -showcerts
-CAfile ./ssl/VordelCA.crt CONNECTED(00000003)
710:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:188:

any idea what can cause this ?


AXEL GROSSE
Principal Solution Architect, Sales Solution Center, Axway
P: +61-405-995-768
828 Pacific Highway
Gordon, 2072 NSW
agro...@axway.com
http://www.axway.com

-----Original Message-----
From: openldap-technical-boun...@openldap.org
[mailto:openldap-technical-boun...@openldap.org] On Behalf Of btb
Sent: Wednesday, 2 October 2013 10:57 PM To:
openldap-technical@openldap.org Subject: Re: Openldap server with TLS
not working

On 2013.10.02 07.29, Axel Grosse wrote:

when I test on the server itself ..
openssl s_client -connect 192.168.30.169:389 -showcerts -CAfile
./ssl/VordelCA.crt
CONNECTED(00000003)
710:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:188:

ldaps [port 636] is deprecated.  use starttls with the standard port
[389].  to test, just use ldapsearch [see the reference to -Z in the
man page]

You are connnecting to port 389, but s_client is not able to initiate a
LDAP startTLS  session (only SMTP and IMAP), so you have to connect
ldaps and port 636.

-Dieter

--
Christian Kratzer                      CK Software GmbH
Email:   c...@cksoft.de                  Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0          D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9          HRB 245288, Amtsgericht Stuttgart
Web:     http://www.cksoft.de/         Geschaeftsfuehrer: Christian Kratzer