Date:      Mon, 22 Nov 2010 18:18:57 +0530
From:      Mubeesh ali <mubeeshalivm@gmail.com>
To:        bluethundr <bluethundr@gmail.com>
Cc:        freebsd-questions <freebsd-questions@freebsd.org>
Subject:   Re: TLS enabled LDAP, clients fail to connect
Message-ID:  <AANLkTing9D6d2C--GJeAdPUwhqfcMMLMPim7r5tE9nKB@mail.gmail.com>
In-Reply-To: <AANLkTikGs2Kw4U8Fe956G_FxKOOvO8uXWuskuGeWZc79@mail.gmail.com>
References:  <AANLkTikGs2Kw4U8Fe956G_FxKOOvO8uXWuskuGeWZc79@mail.gmail.com>

hi,

Is the server cert trusted on the client ?
-- 
Best  Regards,

Mubeesh Ali.V.M

On Mon, Nov 22, 2010 at 3:50 AM, bluethundr <bluethundr@gmail.com> wrote:
> I am attempting to set up SSL/TLS support on my openLDAP 2.4 server on FreeBSD.
>
> LBSD2# pkg_info | grep openldap
> openldap-sasl-client-2.4.23 Open source LDAP client implementation
> with SASL2 support
> openldap-sasl-server-2.4.23 Open source LDAP server implementation
>
> I put my cert file, key file and CA certfile in a directory called
> /usr/local/etc/openldap/cacerts
>
> Here's how it looks:
>
> [root@LBSD2:/usr/local/etc/openldap/cacerts]#ls -l
> total 48
> dr--r-----  2 root  ldap   512 Nov 21 17:12 bak
> -r--r-----  1 root  ldap  1960 Nov 21 07:05 bsd2.summitnjhome.com.crt
> -r--r-----  1 root  ldap  4604 Nov 21 17:16 gd_bundle.crt
> -r--r-----  1 root  ldap  4689 Nov 21 18:59 sf_bundle.crt
> -r--r-----  1 root  ldap  1537 Nov 21 17:16 sf_issuing.crt
> -r--r-----  1 root  ldap  1090 Nov 21 12:29 slapd.csr
> -r--r-----  1 root  ldap  1743 Nov 21 12:26 slapd.key
> -r--r-----  1 root  ldap  1675 Nov 21 17:25 slapd.pem
>
>
> My cert file is a GoDaddy turbo-ssl certfile named
> bsd2.summitnjhome.com.crt. slapd.key is the key file and slapd.pem is
> the same thing only with the password removed.
>
> I'm a little unsure of which CA file to use but I think that
> sf_issuing.crt _should_ work as this is the CA file that I used to
> set up a similar SSL enabled LDAP server for a client recently.
> Although I have tried all three CA files in this directory:
> (gd_bundle.crt, sf_bundle.crt, and sf_issuing.crt).
>
> I put the various cert/key files into my slapd.conf file like this:
>
> LBSD2# cat slapd.conf | grep -i tls
> ## TLS options for slapd
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCertificateFile  /usr/local/etc/openldap/cacerts/bsd2.summitnjhome.com.crt
> TLSCertificateKeyFile /usr/local/etc/openldap/cacerts/slapd.pem
> TLSCACertificateFile  /usr/local/etc/openldap/cacerts/sf_issuing.crt
>
>
> Slapd restarts cleanly!
>
> LBSD2# /usr/local/etc/rc.d/slapd restart
> Stopping slapd.
> Waiting for PIDS: 81924.
> Starting slapd.
>
>
> Then I attempt to set up a virtual instance of CentOS 5.5 on the client
> side and that's where things fall apart... I attempt to ssh to
> localhost as an LDAP account:
>
> [root@VIRTCENT08:/etc/openldap/cacerts]#ssh bluethundr@localhost
>
> [...tectonic plates drift, careers begin and end, babies learn to
> walk, talk and grow to adulthood..]
>
> Connection closed by 127.0.0.1
>
> [root@VIRTCENT08:/etc/openldap/cacerts]#getent passwd | grep ldapAccount
> [same interminable wait as above]
>
>
> This is what my /etc/ldap.conf file looks like on the client:
>
> [root@VIRTCENT08:/etc/openldap/cacerts]#cat /etc/ldap.conf
> # Your LDAP server. Must be resolvable without using LDAP.
> # Multiple hosts may be specified, each separated by a
> # space. How long nss_ldap takes to failover depends on
> # whether your LDAP client library supports configurable
> # network or connect timeouts (see bind_timelimit).
> #host 127.0.0.1
> # The distinguished name of the search base.
> base dc=summitnjhome,dc=com
> # stored in /etc/ldap.secret (mode 600)
> #rootbinddn cn=manager,dc=example,dc=com
> # The port.
> # Optional: default is 389.
> #port 389
> # Search timelimit
> #timelimit 30
> timelimit 120
> # Bind/connect timelimit
> #bind_timelimit 30
> bind_timelimit 120
> # Idle timelimit; client will close connections
> # (nss_ldap only) if the server has not been contacted
> # for the number of seconds specified below.
> #idle_timelimit 3600
> idle_timelimit 3600
> # Netscape SDK LDAPS
> #ssl on
> # Netscape SDK SSL options
> #sslpath /etc/ssl/certs
> # OpenLDAP SSL mechanism
> # start_tls mechanism uses the normal LDAP port, LDAPS typically 636
> #ssl start_tls
> #ssl on
> # OpenLDAP SSL options
> # Require and verify server certificate (yes/no)
> # Default is to use libldap's default behavior, which can be configured in
> # /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
> # OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
> #tls_checkpeer yes
> # CA certificates for server certificate verification
> # At least one of these are required if tls_checkpeer is "yes"
> #tls_cacertfile /etc/ssl/ca.cert
> #tls_cacertdir /etc/ssl/certs
> # SSL cipher suite
> # See man ciphers for syntax
> #tls_ciphers TLSv1
> # Client certificate and key
> # Use these, if your server requires client authentication.
> #tls_cert
> #tls_key
> # SASL mechanism for PAM authentication - use is experimental
> # at present and does not support password policy control
> uri ldap://ldap.summitnjhome.com/
> ssl start_tls
> tls_cacertdir /etc/openldap/cacerts
> pam_password crypt
>
> This is how my nsswitch on the client side is setup:
>
> passwd:     files ldap
> shadow:     files ldap
> group:      files ldap
>
> And here is the cert dir on my CentOS client:
>
> [root@VIRTCENT08:/etc/openldap/cacerts]#ls -l
> total 72
> lrwxrwxrwx 1 root root   13 Nov 21 09:44 97552d04.0 -> gd_bundle.crt
> lrwxrwxrwx 1 root root   14 Nov 21 09:44 b737b221.0 -> sf_issuing.crt
> dr--r--r-- 2 root root 4096 Nov 21  2010 bak
> -r--r--r-- 1 root root 1960 Nov 21 07:05 bsd2.summitnjhome.com.crt
> lrwxrwxrwx 1 root root   25 Nov 21 09:44 c75be861.0 -> bsd2.summitnjhome.com.crt
> -r--r--r-- 1 root root 4604 Nov 21  2010 gd_bundle.crt
> -r--r--r-- 1 root root 1537 Nov 21  2010 sf_issuing.crt
> -r--r--r-- 1 root root 1090 Nov 21 12:29 slapd.csr
> -r--r--r-- 1 root root 1743 Nov 21 12:26 slapd.key
> -r--r--r-- 1 root root 1675 Nov 21  2010 slapd.pem
>
>
> Back on the server side there is a lot of activity in the ldap logs
> (here is an excerpt)
>
> Nov 21 20:21:38 LBSD2 slapd[81972]: daemon: read activity on 11
> Nov 21 20:21:38 LBSD2 slapd[81972]: daemon: select: listen=6
> active_threads=0 tvp=NULL
> Nov 21 20:21:38 LBSD2 slapd[81972]: daemon: select: listen=7
> active_threads=0 tvp=NULL
> Nov 21 20:21:38 LBSD2 slapd[81972]: connection_read(11): input
> error=-2 id=1017, closing.
> Nov 21 20:21:38 LBSD2 slapd[81972]: connection_closing: readying
> conn=1017 sd=11 for close
> Nov 21 20:21:38 LBSD2 slapd[81972]: daemon: activity on 1 descriptor
>
> I've enclosed a more complete log file as an attachment.
>
> I then try to show the CA files with an openssl command.
>
> First with sf_issuing.crt -
>
> slapd.conf:
>
> TLSCACertificateFile  /usr/local/etc/openldap/cacerts/sf_issuing.crt
>
> On the client:
>
> [root@VIRTCENT08:/etc/openldap/cacerts]#openssl s_client -connect
> ldap.summitnjhome.com:389 -showcerts -CAfile sf_issuing.crt
> CONNECTED(00000003)
> 3143:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188
>
>
> Next with sf_bundle.crt -
>
> slapd.conf:
>
> TLSCACertificateFile  /usr/local/etc/openldap/cacerts/sf_bundle.crt
>
>
> [root@VIRTCENT08:/etc/openldap/cacerts]#openssl s_client -connect
> ldap.summitnjhome.com:389 -showcerts -CAfile sf_bundle.crt
> 3149:error:02001002:system library:fopen:No such file or
> directory:bss_file.c:122:fopen('sf_bundle.crt','r')
> 3149:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
> 3149:error:0B084002:x509 certificate
> routines:X509_load_cert_crl_file:system lib:by_file.c:279:
> CONNECTED(00000003)
> 3149:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:s23_lib.c:188:
>
> Next with gd_bundle.crt -
>
> TLSCACertificateFile  /usr/local/etc/openldap/cacerts/gd_bundle.crt
>
> [root@VIRTCENT08:/etc/openldap/cacerts]#openssl s_client -connect
> ldap.summitnjhome.com:389 -showcerts -CAfile gd_bundle.crt
> CONNECTED(00000003)
> 3156:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:s23_lib.c:188:
>
>
> Disabling TLS on the client side, authentication works again!
>
> [root@VIRTCENT08:/etc/openldap/cacerts]#ssh bluethundr@localhost
> bluethundr@localhost's password:
> Last login: Sun Nov 21 09:41:34 2010 from 192.168.1.50
> #########################################################
> #               SUMMITNJHOME.COM                        #
> #               TITLE:       VIRTCENT08 BOX             #
> #               LOCATION:    SUMMIT BASEMENT            #
> #                                                       #
> #########################################################
>
>
> Any thoughts on how to resolve the current situation would be most
> appreciated! ;)
>
>
>
>
> --
> Here's my RSA Public key:
> gpg --keyserver pgp.mit.edu --recv-keys 5A4873A9
>
> Share and enjoy!!
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>
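The question in the reply, whether the server certificate is trusted by the client, can be answered directly with a StartTLS probe. The script below is an added example, not code from this thread or from OpenLDAP. Port 389 speaks plain LDAP until the client asks for StartTLS, so a raw TLS handshake against it (which is what `openssl s_client -connect host:389` without a STARTTLS option sends) fails with "ssl handshake failure" whatever CA file is given. The probe instead sends the RFC 4511 StartTLS extended request (OID 1.3.6.1.4.1.1466.20037), reads the extended response, and only then hands the socket to Python's ssl module, which verifies the server chain against the given CA file and checks the host name, the same strictness as tls_checkpeer / TLS_REQCERT demand. The host name, port and CA path in main() are placeholders, and the BER encoding is done by hand so the exchange is visible.

```python
"""StartTLS trust probe for an LDAP server (added example, not from the thread).

Sends the RFC 4511 StartTLS extended request over a plain connection, then
completes a verifying TLS handshake. Host, port and CA file are placeholders.
"""
import json
import socket
import ssl
import sys

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 section 4.14
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_EXTENDED_REQUEST = 0x77    # [APPLICATION 23]
TAG_EXTENDED_RESPONSE = 0x78   # [APPLICATION 24]


def ber_len(n):
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, content):
    """Wrap content in a BER tag-length-value triple."""
    return bytes([tag]) + ber_len(len(content)) + content


def ber_split(data, pos=0):
    """Decode the TLV at data[pos:]; return (tag, content, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: next (length & 0x7f) bytes hold the size
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def build_starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest { requestName [0] = StartTLS OID } }."""
    ext_req = ber_tlv(TAG_EXTENDED_REQUEST, ber_tlv(0x80, STARTTLS_OID))
    return ber_tlv(TAG_SEQUENCE, ber_tlv(TAG_INTEGER, bytes([msg_id])) + ext_req)


def parse_extended_response(msg):
    """Return (message_id, result_code, diagnostic_message) from an LDAPMessage
    carrying an ExtendedResponse; trailing optional fields are ignored."""
    tag, body, _ = ber_split(msg)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage (tag 0x%02x)" % tag)
    tag, msg_id, pos = ber_split(body)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, resp, _ = ber_split(body, pos)
    if tag != TAG_EXTENDED_RESPONSE:
        raise ValueError("not an ExtendedResponse (tag 0x%02x)" % tag)
    _, code, pos = ber_split(resp)         # resultCode ENUMERATED (0 = success)
    _, _, pos = ber_split(resp, pos)       # matchedDN, unused here
    _, diag, _ = ber_split(resp, pos)      # diagnosticMessage
    return (int.from_bytes(msg_id, "big"), int.from_bytes(code, "big"),
            diag.decode("utf-8", "replace"))


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed by server")
        buf += chunk
    return buf


def _recv_tlv(sock):
    """Read one complete BER TLV from the socket (header first, then body)."""
    head = _recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        extra = _recv_exact(sock, length & 0x7F)
        head, length = head + extra, int.from_bytes(extra, "big")
    return head + _recv_exact(sock, length)


def check_server_trust(host, cafile, port=389, timeout=10.0):
    """Probe host:port with StartTLS and report whether this client would
    trust the server certificate when verifying against cafile."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + host name check
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(build_starttls_request(1))
        _, code, diag = parse_extended_response(_recv_tlv(raw))
        if code != 0:
            return {"trusted": False, "stage": "starttls", "result_code": code, "error": diag}
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"trusted": True, "stage": "tls", "protocol": tls.version(),
                        "subject": dict(rdn[0] for rdn in cert["subject"]),
                        "issuer": dict(rdn[0] for rdn in cert["issuer"])}
        except ssl.SSLCertVerificationError as exc:
            return {"trusted": False, "stage": "verify", "error": exc.verify_message}
        except ssl.SSLError as exc:
            return {"trusted": False, "stage": "handshake", "error": str(exc)}


if __name__ == "__main__":
    # Placeholders: pass your own server name and CA file on the command line.
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.invalid"
    cafile = sys.argv[2] if len(sys.argv) > 2 else "/etc/openldap/cacerts/ca.crt"
    print(json.dumps(check_server_trust(host, cafile), indent=2))
```

Run it as `python3 probe.py ldap.example.invalid /path/to/ca.crt` against each candidate CA bundle in turn: a "verify" failure names the exact chain problem (unknown issuer, host name mismatch, expired), a "starttls" failure means slapd refused the extended operation before any TLS was attempted, and "trusted": true with the issuer printed shows which bundle actually anchors the server's chain.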



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?AANLkTing9D6d2C--GJeAdPUwhqfcMMLMPim7r5tE9nKB>