
openldap and tls or ssl



Hello,

I'm trying (for a week now....) to add SSL and TLS to my openldap server, which works well in unencrypted mode (used it from gq (ldap client for Gnome) and from pam-ldap).

Waiting for an official cert/key from my CA (still waiting...), I used openssl and the CA.pl script to create a CA cert and a cert/key for my server.

1 - Create a CA cert:
CA.pl -newCA (used the dns of the openldap server as common name)

2 - Create a priv key for my server
CA.pl -newreq (used also the dns of the openldap server as common name)

3 - Create the cert
CA.pl -sign

Then, I decrypted the key file in order to use it with openldap (I have seen somewhere that it had to be unencrypted).

Then, I configured slapd.conf in order to use these PEM files (cacert.pem, the unencrypted key and the certificate):
...
########################
# certificates and keys


TLSCertificateKeyFile      /opt/openldap/pem/uncryptprivatekey.pem
TLSCertificateFile            /usr/sss/demoCA/certs/certificat.pem
TLSCACertificateFile      /usr/ssl/demoCA/cacert.pem
...

Then I tested it with ldapsearch:
clear:
./ldapsearch -x -LLL "cn=*BLIN*" cn

tls:
./ldapsearch -x -LLL "cn=*BLIN*" -ZZZ cn

ssl:
./ldapsearch -H"ldaps://servername" -x -b"dc=..." -LLL "cn=*BLIN*" cn

I get the results, but the openldap server tells me:

connection_read(10): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A

I suppose these 2 last lines are because my client (i.e. the ldapsearch commands) hasn't got certs/keys... If I'm right, is there a way to tell ldapsearch to use a certificate??

My problem is with pam_ldap or gq. It works in non-SSL mode, but when I try to use TLS (or SSL with pamldap), it fails.

I've generated another cert/key pair for pamldap.

The pamldap conf file:
--------------------------------------------------
...
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls
#ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
tls_cacertfile /usr/ssl/demoCA/cacert.pem
tls_cacertdir /usr/ssl/demoCA/certs

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
tls_cert /usr/ssl/certs/privcertest.pem
tls_key /usr/ssl/privkeytest.pem
-----------------------------------------------------

and when I try to connect, pamldap asks me for the PEM pass phrase (!!!) and then fails. The slapd server tells me:

------------

connection_get(15): got connid=4
connection_read(15): checking for input on id=4
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
ber_get_next on fd 15 failed errno=11 (Resource temporarily unavailable)
do_extended
ber_scanf fmt ({a) ber:
send_ldap_extended 0: (0)
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 15

<< here, it waits for the PEM pass phrase....

connection_get(15): got connid=4
connection_read(15): checking for input on id=4
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
connection_get(15): got connid=4
connection_read(15): checking for input on id=4
TLS: can't accept.
connection_read(15): TLS accept error error=-1 id=4, closing
connection_closing: readying conn=4 sd=15 for close
connection_close: conn=4 sd=15

---------------------------------------------------------------------------------------------------------------------------

Does anyone have an idea where the problem is??

Thanks in advance.

   Laurent BLIN
   Montpellier - France
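As an added example (not code from the message above, nor from the OpenLDAP or pam_ldap projects), the following POSIX sh functions perform the offline checks a practitioner would run before looking at slapd's TLS trace: that the key, certificate and CA file named by a config actually exist, that the private key is not passphrase-protected (an encrypted key is exactly what makes a daemon or a PAM module stop and prompt for a "PEM pass phrase"), and, when the openssl binary is available, that the certificate verifies against the CA file and belongs to the key. The directive names are passed as arguments, so the same function covers the slapd.conf directives quoted in the message (TLSCertificateKeyFile / TLSCertificateFile / TLSCACertificateFile), the pam_ldap.conf ones (tls_key / tls_cert / tls_cacertfile) and the OpenLDAP client library's ldap.conf / ~/.ldaprc directives (TLS_KEY / TLS_CERT / TLS_CACERT), which is also how ldapsearch is pointed at a client certificate in current OpenLDAP releases. All paths in the usage section are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original message. Offline sanity checks for
# the TLS files referenced by slapd.conf, pam_ldap.conf or ldap.conf/.ldaprc.
# Directive names are passed in, so one function serves all three formats.

# True (exit 0) if a PEM private key is passphrase-protected. Such a key makes
# slapd, or pam_ldap on the client side, block on a "PEM pass phrase" prompt,
# which from a daemon or a PAM module just looks like a hang followed by failure.
pem_key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' \
            -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Print the value of the first line whose first word is the directive
# (case-insensitive; comment lines never match because they start with '#').
conf_get() {
    # $1 = config file, $2 = directive name
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Check that the key, certificate and CA file named by a config are readable
# and that the key is unencrypted. Prints one line per problem, returns 1 if any.
#   $1 = config file, $2 = key directive, $3 = cert directive, $4 = CA directive
check_tls_files() {
    conf=$1
    key=$(conf_get "$conf" "$2")
    cert=$(conf_get "$conf" "$3")
    ca=$(conf_get "$conf" "$4")
    problems=0

    for f in "$key" "$cert" "$ca"; do
        if [ -z "$f" ] || [ ! -r "$f" ]; then
            echo "missing or unreadable: ${f:-<directive not set>}"
            problems=$((problems + 1))
        fi
    done

    if [ -r "$key" ] && pem_key_is_encrypted "$key"; then
        echo "private key is encrypted (will prompt for a pass phrase): $key"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Deeper checks that need the openssl binary: does the certificate chain to the
# CA file, and do certificate and key carry the same RSA modulus? Returns 1 on
# any mismatch. Kept separate so the file checks above run without openssl.
check_tls_crypto() {
    # $1 = unencrypted key file, $2 = cert file, $3 = CA file (all PEM)
    bad=0
    openssl verify -CAfile "$3" "$2" >/dev/null 2>&1 \
        || { echo "certificate does not verify against CA: $2"; bad=1; }
    cert_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ] \
        || { echo "certificate and private key do not match"; bad=1; }
    return "$bad"
}

# Usage (constructed placeholder paths; run it against your own files):
#   check_tls_files /etc/openldap/slapd.conf TLSCertificateKeyFile TLSCertificateFile TLSCACertificateFile
#   check_tls_files /etc/pam_ldap.conf tls_key tls_cert tls_cacertfile
#   check_tls_files ~/.ldaprc TLS_KEY TLS_CERT TLS_CACERT
#   check_tls_crypto /path/to/key.pem /path/to/cert.pem /path/to/cacert.pem
```

Source the file and call `check_tls_files` once per config; a non-zero exit with one line per finding is the signal. The encrypted-key check matches both the legacy `Proc-Type: 4,ENCRYPTED` header that CA.pl's `-newreq` produces and the PKCS#8 `BEGIN ENCRYPTED PRIVATE KEY` form, so it catches a pam_ldap `tls_key` that was never decrypted as well as a slapd key. `check_tls_crypto` is split off deliberately: the file checks should still run on a minimal host without openssl, and the chain and modulus comparison is only meaningful on real key material.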