LDAP SSL Problems (was: service script (/etc/init.d/ldap))

Daniel B. Thurman dant at cdkkt.com
Mon Nov 14 19:25:57 UTC 2005


>From: fedora-list-bounces at redhat.com
>[mailto:fedora-list-bounces at redhat.com]On Behalf Of Craig White
>Sent: Monday, November 14, 2005 8:03 AM
>To: fedora-list at redhat.com
>Subject: RE: LDAP SSL Problems (was: service script (/etc/init.d/ldap))
>
>
>On Mon, 2005-11-14 at 07:48 -0800, Daniel B. Thurman wrote:
>> >From: fedora-list-bounces at redhat.com
>> >[mailto:fedora-list-bounces at redhat.com]On Behalf Of Daniel B. Thurman
>> >Sent: Monday, November 14, 2005 7:28 AM
>> >To: For users of Fedora Core releases (E-mail)
>> >Subject: LDAP service script (/etc/init.d/ldap)
>> >
>> >
>> >
>> >Hi Folks,
>> >
>> >I got ldap working but I am not able to get ldaps (secure) to work.
>> >
>> >I ran some tests:
>> >
>> >Simple auth, no encryption
>> >====================
>> >ldapsearch -H ldap://hostname/ -b dc=example,dc=com -x
>> >
>> >RESULTS: WORKS!
>> >
>> >Simple auth, SSL via LDAPS
>> >======================
>> >ldapsearch -H ldaps://hostname/ -b dc=example,dc=com -x
>> >
>> >RESULTS: FAIL: ldap_bind: Can't contact LDAP server (-1)
>> >
>> > - Ran slapd -d -1 : See no error hints
>> > - Looked in /var/log/messages - nothing
>> > - netstat -a : shows listener: ldaps
>> >
>> >If anyone has any suggestions, please let me know!
>> >
>> >Also, if anyone has any really good links on getting ldap/kerberos/ssl
>> >working please let me know!
>> >
>> >Thanks
>> >Dan
>> >
>> 
>> Sorry folks about the bad subject line.  I fixed that.
>> 
>> I wanted to add more information:
>> 
>> openssl s_client -CAfile /etc/openldap/cacerts/ldapCA.pem -connect ldap.cdkkt.com:636
>> CONNECTED(00000003)
>> depth=1 /C=US/ST=Oregon/L=Beaverton/O=DBT And Associates/OU=ldap/CN=ldap.cdkkt.com/emailAddress=admin at cdkkt.com
>> verify return:1
>> depth=0 /C=US/ST=Oregon/L=Beaverton/O=DBT And Associates/OU=ldap/CN=ldap.cdkkt.com/emailAddress=admin at cdkkt.com
>> verify return:1
>> ---
>> Certificate chain
>>  0 s:/C=US/ST=Oregon/L=Beaverton/O=DBT And Associates/OU=ldap/CN=ldap.cdkkt.com/emailAddress=admin at cdkkt.com
>>    i:/C=US/ST=Oregon/L=Beaverton/O=DBT And Associates/OU=ldap/CN=ldap.cdkkt.com/emailAddress=admin at cdkkt.com
>> ---
>> Server certificate
>> subject=/C=US/ST=Oregon/L=Beaverton/O=DBT And Associates/OU=ldap/CN=ldap.cdkkt.com/emailAddress=admin at cdkkt.com
>> issuer=/C=US/ST=Oregon/L=Beaverton/O=DBT And Associates/OU=ldap/CN=ldap.cdkkt.com/emailAddress=admin at cdkkt.com
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 1145 bytes and written 340 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is AES256-SHA
>> Server public key is 1024 bit
>> SSL-Session:
>>     Protocol  : TLSv1
>>     Cipher    : AES256-SHA
>>     Session-ID: EEEC2E025097267E2E39E129A1130FDA7921D57F86C4D8CC94CE4D7CBF712865
>>     Session-ID-ctx:
>>     Master-Key: 28ACBE74CC2972246E9E1039D182643652DC2CC1F91333F68B700F22318C93CCB881A287BEF91AC498B2068C7DFAB39F
>>     Key-Arg   : None
>>     Krb5 Principal: None
>>     Start Time: 1131983082
>>     Timeout   : 300 (sec)
>>     Verify return code: 0 (ok)
>> ---
>> 
>> *****  HANGS HERE!!!!!
>> 
>> So, from the test it looks like there is a problem.  Anyone
>> care to comment???
>----
>guessing that you probably need some TLS_REQCERT type of entry in
>slapd.conf and perhaps an entry in ~/.ldaprc for user stuff
>
>Craig
>
>

I think there is perhaps a problem in the way I have
created ssl certificates and may not have done it properly.
I would like to request instructions for creating the slapd.pem
file please?  I used to do this the old way and had a hard
time trying to separate the CA cert, unsigned cert/key and
signed certs - so I don't know which one to use for ldap!

I noticed that there has been a change from what I am used
to and that there is a new location for certificates and it is
at: /etc/pki/tls specifically.  I tried all kinds of ways to
get this to work and it appears that for some reason, the ldap
programs are unable to find the certificate.

I added TLS* directives in /etc/ldap.conf and in
/etc/openldap/slapd.conf (why the redundancy?) and put my created
certs in the /etc/openldap/cacerts directory.

It appears from the ldapsearch debug output, that it will
only search for certificates in the /etc/pki/tls directory and
*maybe* in /etc/openldap/cacerts (see the '#' in front
of that directory in the debug output).  From the debug output,
it is not clear as to WHAT dir/file was attempted to be opened.

Here is the debug output I got:

# ldapsearch -d -1 -H ldaps://ldap.cdkkt.com -b dc=cdkkt,dc=com -x
ldap_create
ldap_url_parse_ext(ldaps://ldap.cdkkt.com)
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.cdkkt.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 216.99.218.205:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
TLS: could not load client CA list (file:`',dir:`/etc/pki/tls/slapd.pem # /etc/openldap/cacerts').
TLS: error:0200A002:system library:opendir:No such file or directory ssl_cert.c:752
TLS: error:140D7002:SSL routines:SSL_add_dir_cert_subjects_to_stack:system lib ssl_cert.c:754
ldap_perror
ldap_bind: Can't contact LDAP server (-1)

So what does it all mean?  What file was attempted and why is it
that my TLS* directives are seemingly ignored in both places
specified in /etc/ldap.conf and in /etc/openldap/slapd.conf?

I even copied my certificate to /etc/pki/tls/slapd.pem
since no slapd.pem existed there and oddly enough, a slapd.pem
did exist in: /etc/pki/tls/certs/slapd.pem - supposedly created
when I set up kerberos!

Something is royally screwed up somewhere!  Please help!

Kind regards,
Dan
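The debug line above, `dir:`/etc/pki/tls/slapd.pem # /etc/openldap/cacerts'`, shows the whole remainder of the TLS_CACERTDIR line, trailing comment included, being handed to opendir() as one directory name: ldap.conf(5) only recognises comments that start a line. As an added example, not part of the original thread, a small Python checker that parses an ldap.conf the same way and flags that pitfall, a file given where a directory is expected, a missing trust anchor, and a TLS_REQCERT setting that disables verification; the two sample configs and their paths are constructed, not Dan's real files.

```python
"""Lint the TLS_* client directives of an OpenLDAP ldap.conf (added example)."""
import os
from typing import Callable, Dict, List
# Constructed samples, not Dan's real files: BROKEN_CONF reproduces the directive
# implied by the debug output on this page, FIXED_CONF is the corrected form.
BROKEN_CONF = """\
URI ldaps://ldap.cdkkt.com
TLS_CACERTDIR /etc/pki/tls/slapd.pem # /etc/openldap/cacerts
TLS_REQCERT demand
"""
FIXED_CONF = """\
URI ldaps://ldap.cdkkt.com
# comment on its own line; a single CA file belongs in TLS_CACERT
TLS_CACERT /etc/openldap/cacerts/ldapCA.pem
TLS_REQCERT demand
"""

def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Parse like ldap.conf(5): only lines starting with '#' are comments; the first token is the directive, the rest of the line its value."""
    directives: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            directives[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return directives

def check_tls_directives(d: Dict[str, str]) -> List[str]:
    """Static findings about the client's trust-anchor configuration."""
    findings: List[str] = []
    cadir, cafile = d.get("TLS_CACERTDIR"), d.get("TLS_CACERT")
    if cadir is not None and "#" in cadir:
        findings.append("TLS_CACERTDIR contains '#': trailing comments are not supported, the whole rest of the line is the path")
    if cadir and cadir.split()[0].lower().endswith((".pem", ".crt")):
        findings.append("TLS_CACERTDIR names a file; it expects a directory (use TLS_CACERT for one CA file)")
    if cadir is None and cafile is None:
        findings.append("no TLS_CACERT or TLS_CACERTDIR: no trust anchor configured")
    if d.get("TLS_REQCERT", "demand").lower() in ("never", "allow"):
        findings.append("TLS_REQCERT " + d["TLS_REQCERT"] + ": the server certificate is not verified")
    return findings

def check_paths(d: Dict[str, str], isdir: Callable[[str], bool] = os.path.isdir,
                isfile: Callable[[str], bool] = os.path.isfile) -> List[str]:
    """Filesystem findings; the predicates are injectable so tests need no real files."""
    findings: List[str] = []
    if "TLS_CACERTDIR" in d and not isdir(d["TLS_CACERTDIR"]):
        findings.append("TLS_CACERTDIR %r is not a directory (opendir fails)" % d["TLS_CACERTDIR"])
    if "TLS_CACERT" in d and not isfile(d["TLS_CACERT"]):
        findings.append("TLS_CACERT %r is not a file" % d["TLS_CACERT"])
    return findings
```

Running `check_tls_directives(parse_ldap_conf(BROKEN_CONF))` reports the absorbed comment and the file-as-directory problem, while the fixed config yields no findings; `check_paths` with the default predicates then confirms against the real filesystem what ldapsearch's opendir() error only hinted at.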
