
Re: problem with openldap ssl client



Hello

On Tue, 2008-07-08 at 10:04 +0200, Buchan Milne wrote:
> On Tue, 2008-07-08 at 00:06 -0400, Sambuddho Chakravarty wrote:
> > Hello
> >  I have an openldap server running slapd on 636 (LDAPS) . When I connect
> > from a ldap browser , I am able to successfully browse the database.
> 
> Can you be more specific about the software you are using? Not all
> graphical LDAP clients have SSL validation features (and if they do, in
> some cases they aren't enabled by default).
> 
> > However when I try to connect from a linux client machine (Ubuntu Server
> > 8.04) I am not able to connect to the ldaps. However regular ldap works
> > fine.
> 
> So, assuming it is not a firewall problem, the most likely cause is
> certificate validation.
> 
> > The /etc/ldap.conf looks like this
> > 
> > ssl start_tls
> > ssl on
> 
> You shouldn't use both of these, only use 'ssl on' if you are using
> 'host', in the 'uri' case it won't really make a difference.
> 
> > tls_checkpeer tes
> 
> "tes" ???
> 
> > tls_cacertdir /etc/ldap/cacerts
> > tls_cacertfile /etc/ldap/cacert/cacert.pem
> > #server IP
> > uri ldaps://30.0.0.2/
> 
> What is the subject CN on the certificate the server has?

The subject CN on the certificate is the IP address of the server
(30.0.0.2); same as that in the HOST field.

> > pam_password md5
> > base dc=example,dc=com
> > 
> > The /etc/ldap/ldap.conf file is like this
> > 
> > URI     ldaps://30.0.0.2/
> > TLS_CACERTDIR /etc/ldap/cacerts
> > TLS_CACERT   /etc/ldap/cacerts/cacert.pem
> > HOST 30.0.0.2
> > BASE dc=example,dc=com
> > 
> > The same configuration (with appropriate changes - replacing ldaps with
> > ldap and so on) works fine for regular ldap. But the problem is the
> > ldaps.
> 
> So, what do you get if you try something like this:
> 
> $ openssl s_client -CAfile /etc/ldap/cacerts/cacert.pem -connect
> 30.0.0.2:636
> 
> Does the CN attribute in the server certificate you get back match the
> hostname in the URI?

The CN attribute is the server IP address.
> 
> 
> > When ldaps client is enabled and I do a getent passwd,
> > the /var/log/auth.log looks like this
> > 
> > Jul  7 23:57:46 host3 getent: nss_ldap: reconnecting to LDAP server...
> > Jul  7 23:57:46 host3 getent: nss_ldap: reconnecting to LDAP server
> > (sleeping 1 seconds)...
> > Jul  7 23:57:47 host3 getent: nss_ldap: could not search LDAP server -
> > Server is unavailable
> > Jul  7 23:58:18 host3 getent: nss_ldap: reconnecting to LDAP server...
> > 
> 
> For now, using the OpenLDAP client utilities (ldapsearch) to do the same
> connection may be an easier way to debug, but once it is working, you
> need to put the equivalent configuration in /etc/ldap.conf. So, with
> your current configuration, this would be the way to test with
> ldapsearch:
> 
> $ ldapsearch -x -H ldaps://30.0.0.2 -s base -b dc=example,dc=com
> namingContexts

This results in the following error : ldap_result: Can't contact LDAP
server (-1)


> 
> However, any certificate-related aspects still need to be in the
> OpenLDAP library configuration file (/etc/ldap/ldap.conf, or ~/.ldaprc).
> 
> > Please suggest where I could have gone wrong. Any suggestions would be
> > really appreciated.
> 
> Hmm, if you were trying to get https working, you would be getting
> warnings from your browser, this really isn't rocket science, but
> nss_ldap can't show you warning dialogs, so you need to get the
> configuration right ...
> 
> 

Thanks
Sambuddho

> Regards,
> Buchan
>
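The two points Buchan raised (the conflicting `ssl` lines and the `tls_checkpeer tes` value) and the CN-versus-URI-host question can be checked mechanically. The script below is an added example, not code from the thread or from the OpenLDAP project. It parses the two config files quoted above (embedded as constructed samples that copy the thread's values), reports the lint findings, and then applies a hostname-matching policy of its own, modelled on RFC 6125, to decide whether a certificate with a given subject CN and SAN entries matches the host in the URI. The `allow_cn_fallback` switch and the rule that a SAN of the relevant type disables the CN fallback are this example's assumptions; they are not a description of what libldap itself does. The certificate fields to feed in come from the `openssl s_client` command in the thread, read off with `openssl x509 -noout -text`.

```python
"""Lint the two client config files quoted in the thread and check a
server certificate's identity against the host in the ldaps:// URI.
Added example; the matching policy is this script's own (see
cert_matches_host), not a description of libldap internals."""
import ipaddress
from urllib.parse import urlsplit

# Constructed samples mirroring the option sets quoted in the thread.
PAM_LDAP_CONF = """\
ssl start_tls
ssl on
tls_checkpeer tes
tls_cacertdir /etc/ldap/cacerts
tls_cacertfile /etc/ldap/cacert/cacert.pem
#server IP
uri ldaps://30.0.0.2/
pam_password md5
base dc=example,dc=com
"""
LIBLDAP_CONF = """\
URI     ldaps://30.0.0.2/
TLS_CACERTDIR /etc/ldap/cacerts
TLS_CACERT   /etc/ldap/cacerts/cacert.pem
HOST 30.0.0.2
BASE dc=example,dc=com
"""


def parse_ldap_conf(text):
    """Map lower-cased option -> list of values; an option such as 'ssl' may repeat."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        opts.setdefault(key, []).append(value)
    return opts


def lint_ldap_conf(pam_opts, libldap_opts):
    """Return human-readable findings for the problems discussed in the thread."""
    findings = []
    ssl_modes = pam_opts.get("ssl", [])
    if "on" in ssl_modes and "start_tls" in ssl_modes:
        findings.append("pam_ldap: both 'ssl on' and 'ssl start_tls' are set; use one")
    for value in pam_opts.get("tls_checkpeer", []):
        if value.lower() not in ("yes", "no"):
            findings.append(f"pam_ldap: tls_checkpeer {value!r} is not yes/no")
    # ldapsearch reads only libldap's TLS_CACERT, so the two files must agree.
    pam_ca = pam_opts.get("tls_cacertfile", [None])[0]
    lib_ca = libldap_opts.get("tls_cacert", [None])[0]
    if pam_ca and lib_ca and pam_ca != lib_ca:
        findings.append(f"CA file differs: pam_ldap {pam_ca} vs libldap {lib_ca}")
    return findings


def host_from_uri(uri):
    """The reference identity the client checks: the host part of the URI."""
    return urlsplit(uri).hostname


def _dns_match(pattern, host):
    """Exact match, or a single leading '*.' wildcard covering exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return pattern == host


def cert_matches_host(host, subject_cn, san_dns=(), san_ip=(), allow_cn_fallback=True):
    """Policy (this example's assumption, modelled on RFC 6125): an IP literal
    must appear as an iPAddress SAN and a DNS name as a dNSName SAN; only when
    the certificate has no SAN of that type may the CN be compared instead."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if any(ipaddress.ip_address(a) == ip for a in san_ip):
            return True
        return allow_cn_fallback and not san_ip and subject_cn.strip() == host
    if any(_dns_match(p, host) for p in san_dns):
        return True
    return allow_cn_fallback and not san_dns and _dns_match(subject_cn, host)


if __name__ == "__main__":
    pam, lib = parse_ldap_conf(PAM_LDAP_CONF), parse_ldap_conf(LIBLDAP_CONF)
    for finding in lint_ldap_conf(pam, lib):
        print("finding:", finding)
    host = host_from_uri(lib["uri"][0])
    # CN as reported in the thread, with no SAN: only the CN fallback can match.
    print(host, "matches CN-only cert:", cert_matches_host(host, "30.0.0.2"))
    print(host, "under strict policy:", cert_matches_host(host, "30.0.0.2", allow_cn_fallback=False))
```

Run it as-is to see the three findings for the quoted configuration; to check a real server, paste the subject CN and any `IP Address:` / `DNS:` SAN values printed by `openssl x509 -noout -text` into the `cert_matches_host` call. The strict policy result shows why a CN-only certificate issued to an IP address is fragile: any client that follows RFC 6125 literally will reject it even though the CN text is identical to the URI host.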