[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Last attempt at TLS/SSL

To: "'Lawrence, Mike \(White Plains\)'" <Mike.Lawrence@starwoodhotels.com>, <openldap-software@OpenLDAP.org>
Subject: RE: Last attempt at TLS/SSL
From: "Howard Chu" <hyc@highlandsun.com>
Date: Thu, 26 Jun 2003 12:34:40 -0700
Importance: Normal
In-reply-to: <6C6B73040F8CD411AA5600508B6D5F1208A261BE@strnynt2.strny.starwoodhotels.com>

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Lawrence, Mike
(White Plains)

> Well I am just about at the end of my rope with openldap and
> SSL/TLS.  I've
> tried
> tweaking, rebuilding, generated tons of certs and I am about
> to call it
> quits and
> switch over to using the Sun One/iPlanet directory server.
> I'll see if
> anyone can
> make sense out of the current situation I am in because I
> would prefer to
> stay
> with openldap, but the SSL/TLS component with no commercial
> support is just
> about to scare me away.

Of course, there is always the option of getting commercial support.
>
> Here is what I'm using:
>
> Solaris 8
> padl pam_ldap and nss_ldap
> openldap 2.1.21
> openssl 0.9.7

We (Symas) generally don't recommend the use of OpenSSL 0.9.7. It's gotten
better recently, but it's still not stable. Certainly I don't consider it
stable enough for production use.

> Here is what is happening.  I generated new certs as follows:
>
> mkdir /var/tmp/certs
> cd /var/tmp/certs
> /usr/local/ssl/misc/CA.pl -newca
> /usr/local/ssl/misc/CA.pl -newreq
> /usr/local/ssl/misc/CA.pl -signreq
>
> The CN I used matches the FQDN of the host I'm using.
>
> Then I renamed the newreq.pem to ldapkey.pem and newcert.pem to
> ldapcert.pem.
>
> The lines I then added to slapd.conf were:
>
> TLSCipherSuite          HIGH:MEDIUM:+SSLv2
> TLSCertificateFile       /var/tmp/certs/ldapcert.pem
> TLSCertificateKeyFile /var/tmp/certs/ldapkey.pem
> TLSCACertificateFile  /var/tmp/certs/demoCA/cacert.pem
> TLSVerifyClient          never

You must set the TLS_CACERT in OpenLDAP's ldap.conf file on all of your
client machines. If you read the documentation in the OpenLDAP 2.1 Admin
Guide, this is clearly stated in the "Using TLS" chapter.

Don't confuse PADL's ldap.conf with OpenLDAP's ldap.conf - they are two
separate files, living in two separate locations of your filesystem. (If you
use the pam/nss binaries from Symas, we rename PADL's file to "nsspam.conf"
to make the purpose more explicit and less confusing. I wish they would do
the same, as most of the configuration errors I see on the mailing lists are
due to people putting directives in the wrong file and wondering why they
don't take effect.)

> So there's one piece of software, openssl, saying "your cert
> is cool".

The OpenSSL s_client command never rejects a certificate. It exists as a
debug tool to show you the traffic and any/all errors it encounters.

> Now if I try to run ldapsearch
> and pass it -H "ldaps://wp-app-3.webtech.com", it will fail
> with this error:
>
> ldap_bind: Can't contact LDAP server (81)
>         additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

You should run the ldapsearch with debugging enabled to see exactly what part
of the verification failed. "-d 7" is a good start.
>
> If I add the line "tls_reqcert   never" to ldap.conf, then
> the ldapsearches
> will work.  What could
> be causing openldap to think the cert can't be verified when
> openssl says
> it's fine?  I've tried turning
> on tls_checkpeer and pointing tls_cacertfile to my demoCA
> cacert.pem and it
> still fails (it also fails
> with tls_checkpeer turned off).

It's better to run with debugging than to make random guesses.
>
> Regardless, I would actually be perfectly happy to leave
> "tls_reqcert" set
> to "never" if everything would
> work.  But even with ldapsearches working, people can't log
> in with ssh, and
> the errors I see when I
> run slapd with -d9 -h "ldaps:///" are:
>
> TLS trace: SSL_accept:before/accept initialization
> TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
> TLS: can't accept.
> TLS: error:140760FC:SSL
> routines:SSL23_GET_CLIENT_HELLO:unknown protocol
> s23_srvr.c:585
> connection_read(8): TLS accept error error=-1 id=1, closing

This says to me that pam_ldap didn't connect using ldaps. Your PADL ldap.conf
file needs to be tweaked, add "ssl on" to the config. Make sure you're fixing
the right ldap.conf file. Which file that is depends on how you built your
software, but generally PADL uses /etc/ldap.conf and if you installed
OpenLDAP in /usr/local, then OpenLDAP uses /usr/local/etc/openldap/ldap.conf.

> What's wrong with this picture?  I've never been so
> frustrated with a piece
> of software as I am with
> openldap and TLS/SSL.  Any advice would be greatly appreciated!

Read the documentation thoroughly. The Admin Guide is neither overly verbose
nor redundant, so it won't waste your time. But if you skim it, you'll miss
something.

Or contract with a commercial support company to provide you a working setup.
Obviously, in my opinion, there's only one company worth checking out. Since
I wrote much of the TLS support and documentation in OpenLDAP, and actively
contribute to pam_ldap, nss_ldap, and OpenSSL, there's not likely to be
anyone else on this planet who can do the job as well...

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

References:
- Last attempt at TLS/SSL
  - From: "Lawrence, Mike (White Plains)" <Mike.Lawrence@starwoodhotels.com>

Prev by Date: RE: TLS-based authentication?
Next by Date: Re: ACL/ACI && SASL
Index(es):
- Chronological
- Thread