Re: TLS enabled LDAP, clients fail to connect
hi, Is the server cert trusted on the client ? -- Best Regards, Mubeesh Ali.V.M On Mon, Nov 22, 2010 at 3:50 AM, bluethundr wrote: > I am attempting to setup SSL/TLS support on my openLDAP 2.4 server on FreeBSD. > > LBSD2# pkg_info | grep openldap > openldap-sasl-client-2.4.23 Open source LDAP client implementation > with SASL2 support > openldap-sasl-server-2.4.23 Open source LDAP server implementation > > I put my cert file, key file and CA certfile in a directory called > /usr/local/etc/openldap/cacerts > > Here's how it looks: > > [r...@lbsd2:/usr/local/etc/openldap/cacerts]#ls -l > total 48 > dr--r- 2 root ldap 512 Nov 21 17:12 bak > -r--r- 1 root ldap 1960 Nov 21 07:05 bsd2.summitnjhome.com.crt > -r--r- 1 root ldap 4604 Nov 21 17:16 gd_bundle.crt > -r--r- 1 root ldap 4689 Nov 21 18:59 sf_bundle.crt > -r--r- 1 root ldap 1537 Nov 21 17:16 sf_issuing.crt > -r--r- 1 root ldap 1090 Nov 21 12:29 slapd.csr > -r--r- 1 root ldap 1743 Nov 21 12:26 slapd.key > -r--r- 1 root ldap 1675 Nov 21 17:25 slapd.pem > > > My cert flie is a GoDaddy turbo-ssl certfile named > bsd2.summitnjhome.com.crt. slapd.key is the key file and slapd.pem is > the same thing only with the password removed. > > I'm a little unsure of which CA file to use but I think that > sf_issuing.crt _should_ work as this is the CA file that I used to > setup a similar SSL enabled LDAP server for a client recently. > Although I have tried all three CA files in this directory: > (gd_bundle.crt, sf_bundle.crt, and sf_issuing.crt). > > I put the various cert/key files into my slapd.conf file like this: > > LBSD2# cat slapd.conf | grep -i tls > ## TLS options for slapd > TLSCipherSuite HIGH:MEDIUM:+SSLv2 > TLSCertificateFile /usr/local/etc/openldap/cacerts/bsd2.summitnjhome.com.crt > TLSCertificateKeyFile /usr/local/etc/openldap/cacerts/slapd.pem > TLSCACertificateFile /usr/local/etc/openldap/cacerts/sf_issuing.crt > > > Slapd restarts cleanly! > > LBSD2# /usr/local/etc/rc.d/slapd restart > Stopping slapd. > Waiting for PIDS: 81924. > Starting slapd. > > > Then I attempt to setup a virtual instance of CentOS 5.5 on the client > side and that's where things fall apart...I attempt to ssh to > localhost as an LDAP account: > > [r...@virtcent08:/etc/openldap/cacerts]#ssh bluethu...@localhost > > [...tectonic plates drift, careers begin and end, babies learn to > walk, talk and grow to adulthood..] > > Connection closed by 127.0.0.1 > > [r...@virtcent08:/etc/openldap/cacerts]#getent passwd | grep ldapAccount > [same interminable wait as above] > > > This is what my /etc/ldap.conf file looks like on the client: > > [r...@virtcent08:/etc/openldap/cacerts]#cat /etc/ldap.conf > # Your LDAP server. Must be resolvable without using LDAP. > # Multiple hosts may be specified, each separated by a > # space. How long nss_ldap takes to failover depends on > # whether your LDAP client library supports configurable > # network or connect timeouts (see bind_timelimit). > #host 127.0.0.1 > # The distinguished name of the search base. > base dc=summitnjhome,dc=com > # stored in /etc/ldap.secret (mode 600) > #rootbinddn cn=manager,dc=example,dc=com > # The port. > # Optional: default is 389. > #port 389 > # Search timelimit > #timelimit 30 > timelimit 120 > # Bind/connect timelimit > #bind_timelimit 30 > bind_timelimit 120 > # Idle timelimit; client will close connections > # (nss_ldap only) if the server has not been contacted > # for the number of seconds specified below. > #idle_timelimit 3600 > idle_timelimit 3600 > # Netscape SDK LDAPS > #ssl on > # Netscape SDK SSL options > #sslpath /etc/ssl/certs > # OpenLDAP SSL mechanism > # start_tls mechanism uses the normal LDAP port, LDAPS typically 636 > #ssl start_tls > #ssl on > # OpenLDAP SSL options > # Require and verify server certificate (yes/no) > # Default is to use libldap's default behavior, which can be configured in > # /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for > # OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes". > #tls_checkpeer yes > # CA certificates for server certificate verification > # At least one of these are required if tls_checkpeer is "yes" > #tls_cacertfile /etc/ssl/ca.cert > #tls_cacertdir /etc/ssl/certs > # SSL cipher suite > # See man ciphers for syntax > #tls_ciphers TLSv1 > # Client certificate and key > # Use these, if your server requires client authentication. > #tls_cert > #tls_key > # SASL mechanism for PAM authentication - use is experimental > # at present and does not support password policy control > uri ldap://ldap.summitnjhome.com/ > ssl start_tls > tls_cacertdir /etc/openldap/cacerts > pam_password crypt > > This is how my nsswitch on the client side is setup: > > passwd: files ldap > shadow: files ldap > group: files ldap > > And here is the cert dir on my CentOS client: > > [r...@virtcent08:/etc/openldap/cacerts]#ls -l > total 72 > lrwxrwxrwx 1 root root 13 Nov 2
Re: TLS enabled LDAP, clients fail to connect
On 21/11/10 23.20, bluethundr wrote: I am attempting to setup SSL/TLS support on my openLDAP 2.4 server on FreeBSD. ... [r...@virtcent08:/etc/openldap/cacerts]#openssl s_client -connect ldap.summitnjhome.com:389 -showcerts -CAfile gd_bundle.crt CONNECTED(0003) 3156:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188: From the man page, s_client(1): "If the handshake fails then there are several possible causes, if it is nothing obvious like no client certificate then the -bugs, -ssl2, -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1 options can be tried in case it is a buggy server." But rather than using s_client, you may try using ldapsearch(1) I use openldap-sasl-server-2.4.23, in slapd.conf: TLSCipherSuite HIGH TLSCertificateFile /path/to/server/certs/MyServerCert.cer TLSCertificateKeyFile /path/to/server/certs/MyServerKey.key The server need only be configured with TLSCACertificateFile options if you use TLS for client authentication. Multiple certificates can be stored in this file by concatenating the certificate files. in ldap.conf: TLS_CACERT /path/to/certs/MyCARoot.cer The MyCARoot.cer must be the CA root certificate used to issue the server certificate. You may add more certificates by concatenation. Other TLS options may be configured to enable TLS client authentication. Then with the command: ldapsearch -Z -h ldap.example.com -x -D "cn=My Name, ou=Some Org, dc=example, dc=com" -w UpsThisIsVerySecret -b "dc=example, dc=com" "(telephoneNumber=*555*)" cn sn telephoneNumber I connect, in paralel using snort -vCd port 389, I see this: 11/22-13:31:15.332512 172.16.1.127:52454 -> 172.16.0.1:389 TCP TTL:64 TOS:0x0 ID:18677 IpLen:20 DgmLen:83 DF ***AP*** Seq: 0x1B6C4BE1 Ack: 0xB1212BEB Win: 0x8218 TcpLen: 32 TCP Options (3) => NOP NOP TS: 1062950892 2880608010 0w...1.3.6.1.4.1.1466.20037 That 1.3.6.1.4.1.1466.20037 is the OID for StartTLS. The rest is giberish, but it works. BR, Erik ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
TLS enabled LDAP, clients fail to connect
I am attempting to setup SSL/TLS support on my openLDAP 2.4 server on FreeBSD. LBSD2# pkg_info | grep openldap openldap-sasl-client-2.4.23 Open source LDAP client implementation with SASL2 support openldap-sasl-server-2.4.23 Open source LDAP server implementation I put my cert file, key file and CA certfile in a directory called /usr/local/etc/openldap/cacerts Here's how it looks: [r...@lbsd2:/usr/local/etc/openldap/cacerts]#ls -l total 48 dr--r- 2 root ldap 512 Nov 21 17:12 bak -r--r- 1 root ldap 1960 Nov 21 07:05 bsd2.summitnjhome.com.crt -r--r- 1 root ldap 4604 Nov 21 17:16 gd_bundle.crt -r--r- 1 root ldap 4689 Nov 21 18:59 sf_bundle.crt -r--r- 1 root ldap 1537 Nov 21 17:16 sf_issuing.crt -r--r- 1 root ldap 1090 Nov 21 12:29 slapd.csr -r--r- 1 root ldap 1743 Nov 21 12:26 slapd.key -r--r- 1 root ldap 1675 Nov 21 17:25 slapd.pem My cert flie is a GoDaddy turbo-ssl certfile named bsd2.summitnjhome.com.crt. slapd.key is the key file and slapd.pem is the same thing only with the password removed. I'm a little unsure of which CA file to use but I think that sf_issuing.crt _should_ work as this is the CA file that I used to setup a similar SSL enabled LDAP server for a client recently. Although I have tried all three CA files in this directory: (gd_bundle.crt, sf_bundle.crt, and sf_issuing.crt). I put the various cert/key files into my slapd.conf file like this: LBSD2# cat slapd.conf | grep -i tls ## TLS options for slapd TLSCipherSuite HIGH:MEDIUM:+SSLv2 TLSCertificateFile /usr/local/etc/openldap/cacerts/bsd2.summitnjhome.com.crt TLSCertificateKeyFile /usr/local/etc/openldap/cacerts/slapd.pem TLSCACertificateFile /usr/local/etc/openldap/cacerts/sf_issuing.crt Slapd restarts cleanly! LBSD2# /usr/local/etc/rc.d/slapd restart Stopping slapd. Waiting for PIDS: 81924. Starting slapd. Then I attempt to setup a virtual instance of CentOS 5.5 on the client side and that's where things fall apart...I attempt to ssh to localhost as an LDAP account: [r...@virtcent08:/etc/openldap/cacerts]#ssh bluethu...@localhost [...tectonic plates drift, careers begin and end, babies learn to walk, talk and grow to adulthood..] Connection closed by 127.0.0.1 [r...@virtcent08:/etc/openldap/cacerts]#getent passwd | grep ldapAccount [same interminable wait as above] This is what my /etc/ldap.conf file looks like on the client: [r...@virtcent08:/etc/openldap/cacerts]#cat /etc/ldap.conf # Your LDAP server. Must be resolvable without using LDAP. # Multiple hosts may be specified, each separated by a # space. How long nss_ldap takes to failover depends on # whether your LDAP client library supports configurable # network or connect timeouts (see bind_timelimit). #host 127.0.0.1 # The distinguished name of the search base. base dc=summitnjhome,dc=com # stored in /etc/ldap.secret (mode 600) #rootbinddn cn=manager,dc=example,dc=com # The port. # Optional: default is 389. #port 389 # Search timelimit #timelimit 30 timelimit 120 # Bind/connect timelimit #bind_timelimit 30 bind_timelimit 120 # Idle timelimit; client will close connections # (nss_ldap only) if the server has not been contacted # for the number of seconds specified below. #idle_timelimit 3600 idle_timelimit 3600 # Netscape SDK LDAPS #ssl on # Netscape SDK SSL options #sslpath /etc/ssl/certs # OpenLDAP SSL mechanism # start_tls mechanism uses the normal LDAP port, LDAPS typically 636 #ssl start_tls #ssl on # OpenLDAP SSL options # Require and verify server certificate (yes/no) # Default is to use libldap's default behavior, which can be configured in # /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for # OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes". #tls_checkpeer yes # CA certificates for server certificate verification # At least one of these are required if tls_checkpeer is "yes" #tls_cacertfile /etc/ssl/ca.cert #tls_cacertdir /etc/ssl/certs # SSL cipher suite # See man ciphers for syntax #tls_ciphers TLSv1 # Client certificate and key # Use these, if your server requires client authentication. #tls_cert #tls_key # SASL mechanism for PAM authentication - use is experimental # at present and does not support password policy control uri ldap://ldap.summitnjhome.com/ ssl start_tls tls_cacertdir /etc/openldap/cacerts pam_password crypt This is how my nsswitch on the client side is setup: passwd: files ldap shadow: files ldap group: files ldap And here is the cert dir on my CentOS client: [r...@virtcent08:/etc/openldap/cacerts]#ls -l total 72 lrwxrwxrwx 1 root root 13 Nov 21 09:44 97552d04.0 -> gd_bundle.crt lrwxrwxrwx 1 root root 14 Nov 21 09:44 b737b221.0 -> sf_issuing.crt dr--r--r-- 2 root root 4096 Nov 21 2010 bak -r--r--r-- 1 root root 1960 Nov 21 07:05 bsd2.summitnjhome.com.crt lrwxrwxrwx 1 root root 25 Nov 21 09:44 c75be861.0 -> bsd2.summitnjhome.com.crt -r--r--r-- 1 root root 4604 Nov 21 2010 gd_bundle.crt -r--r--r-- 1 root root 1537 Nov