Re: TLSVerifyClient => no login possible
Dieter Kluenter wrote:
> Hello Sebastian,
>
> Sebastian Reinhardt <snr@lmv-hartmannsdorf.de> writes:
>
>
>> Dieter Kluenter wrote:
>>
>>> Sebastian Reinhardt <snr@lmv-hartmannsdorf.de> writes:
>>>
>>>
>>>
>>>> Hello,
>>>>
>>>> I have configured an openSUSE 11.0 (x86_64) with openldap- server. Also
>>>> the TLS is activated. All clients are set to "TLS_REQCERT demand"
>>>> and is working.
>>>> Then I created client certificates by using the servers Yast2 CA-
>>>> management. I copied the client certificates and also the servers
>>>> "cacert" into the "/etc/openldap/" directory on client computer. With
>>>> "TLSVerifyClient allow" clients can login, but if I activate the
>>>> "TLSVerifyClient demand" option in servers slapd.conf no user can
>>>> perform a login and it causes errors in /var/log/messages:
>>>>
>>>>
>>> [...]
>>>
>>>
>>>
>>>> What is wrong? The clients certificate "common name" is set to the
>>>> clients hostname. Is this ok?
>>>>
>>>>
>>> Clients don't read slapd.conf(5) but only ldap.conf(5), run slapd with
>>> debug level 3 to analyse the tls session.
>>>
>>> -Dieter
>>>
>>>
>>>
>> Hello Dieter,
>>
>> Now I have set the loglevel to "3" and I get the following output if I
>> try to login (still fails):
>>
>
> loglevel is != debug level, man slapd(8), run slapd -d3
>
>> -------------------/var/log/messages---------------------------------------------------------------------
>>
>
> [...]
>
>> Feb 25 16:41:49 lmvserver kdm: :0[11544]: nss_ldap: could not search
>> LDAP server - Server is unavailable
>>
> [...]
>
>
>> Feb 25 16:41:49 lmvserver kdm: :0[11544]: pam_ldap: ldap_starttls_s:
>> Connect error
>> -------------------/var/log/messages---------------------------------------------------------------------
>>
>> I am not sure if this is a configuration or certificate error. Do you
>> understand this output above?
>>
>
> The clients are nss_ldap and pam_ldap, check the clients
> configuration for starttls parameters.
> With debug level 3 you should see something like
>
> TLS trace: SSL_accept:before/accept initialization
> tls_read: want=11, got=11
> TLS trace: SSL_accept:SSLv3 read client hello A
> TLS trace: SSL_accept:SSLv3 write server hello A
> TLS trace: SSL_accept:SSLv3 write certificate A
> TLS trace: SSL_accept:SSLv3 write certificate request A
> tls_write: want=1931, written=1931
> TLS trace: SSL_accept:SSLv3 flush data
> TLS trace: SSL3 alert write:warning:close notify
>
> -Dieter
>
>
Sorry. I had not configured the pam_ldap (/etc/ldap.conf) config file
properly. The certificate entries were missing.
Here is my /etc/ldap.conf:
-------------------/etc/ldap.conf-------------------------------------------
host 127.0.0.1
base dc=lmv,dc=lmv
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
#ldap_version 3
#binddn cn=proxyuser,dc=example,dc=com
#bindpw secret
rootbinddn cn=ldaproot,dc=lmv,dc=lmv
port 389
scope sub
scope one
scope base
#timelimit 30
#bind_timelimit 30
bind_policy soft
#nss_connect_policy persist
#idle_timelimit 3600
#nss_paged_results yes
#pagesize 1000
#pam_filter objectclass=account
#pam_login_attribute uid
pam_lookup_policy yes
#pam_check_host_attr yes
#pam_check_service_attr yes
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
#pam_member_attribute uniquemember
#pam_min_uid 0
#pam_max_uid 0
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody
#pam_password clear
#pam_password crypt
#pam_password nds
#pam_password racf
#pam_password ad
pam_password crypt
#pam_password_prohibit_message Please visit http://internal to change your password.
#nss_initgroups backlink
nss_initgroups_ignoreusers root,ldap
#nss_schema rfc2307bis
nss_schema nis
nss_base_passwd ou=users,dc=lmv,dc=lmv
nss_base_shadow ou=users,dc=lmv,dc=lmv
nss_base_group ou=groups,dc=lmv,dc=lmv
nss_base_hosts ou=hosts,dc=lmv,dc=lmv
#nss_base_services ou=Services,dc=example,dc=com?one
#nss_base_networks ou=Networks,dc=example,dc=com?one
#nss_base_protocols ou=Protocols,dc=example,dc=com?one
#nss_base_rpc ou=Rpc,dc=example,dc=com?one
#nss_base_ethers ou=Ethers,dc=example,dc=com?one
#nss_base_netmasks ou=Networks,dc=example,dc=com?ne
#nss_base_bootparams ou=Ethers,dc=example,dc=com?one
#nss_base_aliases ou=Aliases,dc=example,dc=com?one
#nss_base_netgroup ou=Netgroup,dc=example,dc=com?one
#nss_map_attribute rfc2307attribute mapped_attribute
#nss_map_objectclass rfc2307objectclass mapped_objectclass
nss_map_attribute uniqueMember member
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount User
#nss_map_attribute uid msSFU30Name
#nss_map_attribute uniqueMember msSFU30PosixMember
#nss_map_attribute userPassword msSFU30Password
#nss_map_attribute homeDirectory msSFU30HomeDirectory
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFU30Name
#pam_filter objectclass=User
#pam_password ad
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad
#nss_map_objectclass posixAccount user
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup group
#nss_map_attribute uniqueMember member
#pam_login_attribute sAMAccountName
#pam_filter objectclass=User
#pam_password ad
#nss_map_attribute userPassword authPassword
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear
#nss_map_objectclass automountMap nisMap
#nss_map_attribute automountMapName nisMapName
#nss_map_objectclass automount nisObject
#nss_map_attribute automountKey cn
#nss_map_attribute automountInformation nisMapEntry
#ssl on
sslpath /etc/openldap/
ssl start_tls
ldap_version 3
pam_filter objectclass=posixAccount
nss_base_passwd ou=users,dc=lmv,dc=lmv
nss_base_shadow ou=users,dc=lmv,dc=lmv
nss_base_group ou=groups,dc=lmv,dc=lmv
tls_checkpeer yes
#ssl on
tls_cacertfile /etc/openldap/cacert.pem
tls_cacertdir /etc/openldap/
#tls_randfile /var/run/egd-pool
#tls_ciphers TLSv1
tls_cert /etc/openldap/clientcert_201.pem
tls_key /etc/openldap/clientkey_201.pem
#sasl_secprops maxssf=0
#krb5_ccname FILE:/etc/.ldapcache
-------------------/etc/ldap.conf-------------------------------------------
And also my /etc/openldap/ldap.conf:
-------------------/etc/openldap/ldap.conf-----------------------------
TLS_CACERT /etc/openldap/cacert.pem
TLS_CERT /etc/openldap/clientcert_201.pem
TLS_KEY /etc/openldap/clientkey_201.pem
TLS_REQCERT demand
host 127.0.0.1
base dc=lmv,dc=lmv
-------------------/etc/openldap/ldap.conf-----------------------------
-------------------/etc/nsswitch.conf-------------------------------------
passwd: compat
group: files ldap
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files dns
services: files ldap
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files ldap
publickey: files
bootparams: files
automount: files nis
aliases: files ldap
passwd_compat: ldap
-------------------/etc/nsswitch.conf-------------------------------------
Now I have started with "-d 3" and I get some output:
--------------------------------------------------------------------------------------------
slap_listener_activate(8):
>>> slap_listener(ldap://)
connection_get(13): got connid=32
connection_read(13): checking for input on id=32
ber_get_next
ldap_read: want=8, got=8
0000: 30 1d 02 01 01 77 18 80 0....w..
ldap_read: want=23, got=23
0000: 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36 .1.3.6.1.4.1.146
0010: 36 2e 32 30 30 33 37 6.20037
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
conn=32 op=0 do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush2: 14 bytes to sd 13
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
slap_listener_activate(8):
connection_get(13): got connid=32
connection_read(13): checking for input on id=32
>>> slap_listener(ldap://)
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=7
0000: 30 05 02 01 02 42 00 0....B.
tls_read: want=4, got=0
TLS: can't accept.
connection_read(13): TLS accept failure error=-1 id=32, closing
connection_closing: readying conn=32 sd=13 for close
connection_close: conn=32 sd=13
connection_get(14): got connid=33
connection_read(14): checking for input on id=33
ber_get_next
ldap_read: want=8, got=8
0000: 30 1d 02 01 01 77 18 80 0....w..
ldap_read: want=23, got=23
0000: 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36 .1.3.6.1.4.1.146
0010: 36 2e 32 30 30 33 37 6.20037
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
conn=33 op=0 do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush2: 14 bytes to sd 14
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
connection_get(14): got connid=33
connection_read(14): checking for input on id=33
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=7
0000: 30 05 02 01 02 42 00 0....B.
tls_read: want=4, got=0
TLS: can't accept.
connection_read(14): TLS accept failure error=-1 id=33, closing
connection_closing: readying conn=33 sd=14 for close
connection_close: conn=33 sd=14
slap_listener_activate(8):
>>> slap_listener(ldap://)
connection_get(13): got connid=34
connection_read(13): checking for input on id=34
ber_get_next
ldap_read: want=8, got=8
0000: 30 1d 02 01 01 77 18 80 0....w..
ldap_read: want=23, got=23
0000: 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36 .1.3.6.1.4.1.146
0010: 36 2e 32 30 30 33 37 6.20037
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
conn=34 op=0 do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush2: 14 bytes to sd 13
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
connection_get(13): got connid=34
connection_read(13): checking for input on id=34
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=7
0000: 30 05 02 01 02 42 00 0....B.
tls_read: want=4, got=0
TLS: can't accept.
connection_read(13): TLS accept failure error=-1 id=34, closing
connection_closing: readying conn=34 sd=13 for close
connection_close: conn=34 sd=13
--------------------------------------------------------------------------------------------
What is wrong? Is the certificate not accepted? Is the certificate not ok?
--
Kind regards
Sebastian Reinhardt
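The hex dumps in the slapd trace above can be decoded by hand. The following is an added example (not part of the thread) that parses the three frames slapd logged for every connection: the client's StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037), the server's ExtendedResponse with resultCode 0, and the bytes slapd then tried to read as a TLS ClientHello, `30 05 02 01 02 42 00`, which are in fact a plaintext LDAP UnbindRequest. So slapd never received a TLS handshake at all; the client gave up before the handshake started, which matches the `ldap_starttls_s: Connect error` from pam_ldap earlier in the thread. The decoder only handles short-form BER lengths and the message types present in this log.

```python
# Minimal LDAP/BER decoder for the slapd -d3 hex dumps in this thread.
# Added example; it is not slapd or nss_ldap code. Only short-form lengths
# and the three protocol ops seen in the trace are supported.

# LDAP protocol-op tags ([APPLICATION n] per RFC 4511)
OPS = {0x42: "UnbindRequest", 0x77: "ExtendedRequest", 0x78: "ExtendedResponse"}
START_TLS_OID = "1.3.6.1.4.1.1466.20037"

def _tlv(buf, pos):
    """Return (tag, value bytes, position after the value) for a short-form TLV."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form BER length not needed for these dumps")
    start = pos + 2
    return tag, buf[start:start + length], start + length

def decode_ldap_message(hexdump):
    """Decode one LDAPMessage (SEQUENCE { messageID, protocolOp })."""
    buf = bytes.fromhex(hexdump)
    tag, body, end = _tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("not a single complete LDAPMessage SEQUENCE")
    mid_tag, mid, pos = _tlv(body, 0)
    if mid_tag != 0x02:
        raise ValueError("messageID must be an INTEGER")
    op_tag, op_body, _ = _tlv(body, pos)
    msg = {"messageID": int.from_bytes(mid, "big"), "op": OPS.get(op_tag, hex(op_tag))}
    if op_tag == 0x77:                       # ExtendedRequest: [0] requestName LDAPOID
        _, oid, _ = _tlv(op_body, 0)
        msg["requestName"] = oid.decode()
        msg["startTLS"] = msg["requestName"] == START_TLS_OID
    elif op_tag == 0x78:                     # ExtendedResponse: resultCode, matchedDN, diag
        _, code, p = _tlv(op_body, 0)
        msg["resultCode"] = int.from_bytes(code, "big")
        _, _matched, p = _tlv(op_body, p)
        _, diag, _ = _tlv(op_body, p)
        msg["diagnosticMessage"] = diag.decode()
    return msg

def classify_after_starttls(hexdump):
    """After a successful StartTLS, slapd expects a TLS handshake record (0x16).
    A leading 0x30 means the client is still speaking plaintext LDAP."""
    first = bytes.fromhex(hexdump)[0]
    if first == 0x16:
        return "TLS handshake record"
    if first == 0x30:
        return "plaintext LDAP " + decode_ldap_message(hexdump)["op"]
    return "unknown"

# The three frames copied from the trace above (ldap_read / ldap_write / tls_read):
CLIENT_REQUEST = "301d020101771880" + "16312e332e362e312e342e312e313436362e3230303337"
SERVER_RESPONSE = "300c02010178070a010004000400"
NEXT_FROM_CLIENT = "30050201024200"
```

Running `classify_after_starttls(NEXT_FROM_CLIENT)` returns `plaintext LDAP UnbindRequest`, which is what slapd reported as "TLS: can't accept."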