
Re: Next stumbling block: TSL



You also need to add the following line to ldap.conf

TLS_CACERT=path to server CA certificate

The client tools need to have access to the CA certificate to confirm the authenticity of the server certificate.

http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html
has a good guide too.

If the above does not fix your problem, how are you running the server?
Try with -d 256, and it will tell you if it had problems finding its certificates when it starts up.


-Patrick
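As an added example (not code from this thread or from OpenLDAP), a small Python pre-flight check for the points above: TLS_CACERT set on the client and readable, the three TLS directives present in slapd.conf, the key file not readable by others, and the client's TLS_CACERT actually containing the CA that slapd uses (otherwise you get exactly the "unknown CA" alert below). The paths and PEM contents built in demo() are constructed placeholders.

```python
"""Pre-flight check for an OpenLDAP StartTLS setup (added example).
Parses ldap.conf (client) and slapd.conf (server) as 'DIRECTIVE value' lines
and returns a list of findings; an empty list means the checks passed."""
import os
import stat
import tempfile

SERVER_KEYS = ("tlscertificatefile", "tlscertificatekeyfile", "tlscacertificatefile")

def parse_conf(text):
    conf = {}  # directive names are case-insensitive in both files
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            conf[parts[0].lower()] = parts[1].strip()
    return conf

def check_tls_config(ldap_conf_text, slapd_conf_text):
    findings = []
    client, server = parse_conf(ldap_conf_text), parse_conf(slapd_conf_text)
    for key in SERVER_KEYS:  # slapd must name all three files and they must exist
        path = server.get(key)
        if path is None or not os.path.isfile(path):
            findings.append(f"slapd.conf: {key} missing or file not found")
    key_path = server.get("tlscertificatekeyfile", "")  # private key: no group/other bits
    if os.path.isfile(key_path) and stat.S_IMODE(os.stat(key_path).st_mode) & 0o077:
        findings.append(f"{key_path}: private key readable by others, use mode 0400")
    ca_client, ca_server = client.get("tls_cacert", ""), server.get("tlscacertificatefile", "")
    if not os.path.isfile(ca_client):
        findings.append("ldap.conf: TLS_CACERT missing or not found; client cannot verify server")
    elif os.path.isfile(ca_server):  # client CA file (may be a bundle) must hold the server's CA
        with open(ca_server) as srv, open(ca_client) as cli:
            if srv.read().strip() not in cli.read():
                findings.append("ldap.conf: TLS_CACERT lacks the server's CA, expect 'unknown CA'")
    return findings

def demo():
    d = tempfile.mkdtemp()  # constructed layout: placeholder files, not real certificates
    paths = {n: os.path.join(d, n) for n in ("ldap.cert", "ldap.key", "ca.cert")}
    for n, p in paths.items():
        with open(p, "w") as f:
            f.write(f"-----BEGIN CONSTRUCTED {n}-----\n")
    os.chmod(paths["ldap.key"], 0o400)
    names = ("TLSCertificateFile ldap.cert", "TLSCertificateKeyFile ldap.key", "TLSCACertificateFile ca.cert")
    slapd = "\n".join(f"{k} {paths[n]}" for k, n in (s.split() for s in names))
    before = check_tls_config("ssl start_tls\n", slapd)  # as in the original post
    after = check_tls_config(f"ssl start_tls\nTLS_CACERT {paths['ca.cert']}\n", slapd)
    return before, after
```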

On Jun 28, 2004, at 6:15 AM, Oliver Hoffmann wrote:

Hi all!

The next step is to provide security between client and server.
I have done the openssl preparations according to this tutorial:
http://linsec.ca/bin/view/Main/OpenLDAPAuth#Using_SSL_TLS_with_OpenLDAP

I made the keys, certified them and finally the command:
ldap# openssl x509 -in /etc/ssl/openldap/ldap.cert -text -noout
gives me a reasonable output.
Thus I assume that the openssl-preconditions are ok.

I went on with adding these three lines to the slapd.conf:

TLSCertificateFile /etc/ssl/openldap/ldap.cert
TLSCertificateKeyFile /etc/ssl/openldap/ldap.key
TLSCACertificateFile /etc/ssl/openldap/ca.cert

I set the rights to 0400 and ldap:ldap.
I also put this line in the ldap.conf:
ssl start_tls

Promptly something went wrong as you can see:

Client:
ldap# ldapsearch -v -n -Z -b 'dc=testldap,dc=org'
ldap_initialize( <DEFAULT> )
ldap_start_tls: Connect error (-11)
        additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Server:
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
TLS trace: SSL3 alert read:fatal:unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown
ca /usr/src/crypto/openssl/ssl/s3_pkt.c:1052
connection_read(12): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=12 for close
connection_close: conn=0 sd=12

The command ldapsearch -x -b 'dc=testldap,dc=org' works. Even from a remote (a
real client ;)) machine.


I apologize if this is too off topic. Nevertheless, I hope somebody can push me in
the right direction.


Thanks to the list which helped a lot so far!

Cheers,

Oliver.