[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Authentication failed with ldaps configuration



smainklh@free.fr wrote:
> Hi everyone,
> 
> I configured my ldap server (debian lenny) to listen on port 636 (ldaps) but it doesn't seems to work when issuing a remote connexion.
> Perhaps i did a mistake when generating the certificates ?....
> 
> When i try to browse the ldap server from a remote server i get the following message :
> ----------
> root@vmtest:~# ldapsearch -d 1 -Wx -H ldaps://ldapserver.domain.tld -D cn=admin,dc=domain,dc=tld
> ldap_url_parse_ext(ldaps://ldapserver.domain.tld)
> ldap_create
> ldap_url_parse_ext(ldaps://ldapserver.domain.tld:636/??base)
> Enter LDAP Password:
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP ldapserver.domain.tld:636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 10.10.48.40:636
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> TLS: peer cert untrusted or revoked (0x42)
> ldap_err2string
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> -----------
> 
> I generated the certificates with the following command :
> # openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 3650
> 
> -----------
> 
> Then i tried the connexion :
> openssl s_client -connect ldapserver.domain.tld:636 -showcerts
> CONNECTED(00000003)
> depth=0 /C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 /C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
> verify return:1
> ---
> Certificate chain
>  0 s:/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
>    i:/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
> -----BEGIN CERTIFICATE-----
> MIIDDTCCAnagAwIBAgIJAM7IwuTIzhwqMA0GCSqGSIb3DQEBBQUAMGMxCzAJBgNV
> BAYTAkZSMRMwEQYDVQQIEwpTb21lLVN0YXRlMQ4wDAYDVQQHEwVQYXJpczELMAkG
> A1UEChMCQlQxIjAgBgNVBAMTGWlwb2MwMS5pcG9jLmJ0c2VydmljZXMuZnIwHhcN
> MDkxMTI0MTUwMTUxWhcNMTkxMTIyMTUwMTUxWjBjMQswCQYDVQQGEwJGUjETMBEG
> A1UECBMKU29tZS1TdGF0ZTEOMAwGA1UEBxMFUGFyaXMxCzAJBgNVBAoTAkJUMSIw
> IAYDVQQDExlpcG9jMDEuaXBvYy5idHNlcnZpY2VzLmZyMIGfMA0GCSqGSIb3DQEB
> AQUAA4GNADCBiQKBgQCm5FrQ3dN1Jkxj2SZsPr+vkYDlwVnvqDCxnAs3O5NJ/1uY
> F9/mwsCVdAnp04Eywo3BCbvP6tlzsF3JbAlqMLTb85ZTHOqRQncXGfVZ7bMnR071
> tQ70/b3vF/TuMYiOU7vXf2h863aRi11tT9xHD17wFfFaXBtRIIOioc3UpJWWPwID
> AQABo4HIMIHFMB0GA1UdDgQWBBREqX/HQEzU5TCDrBsbttUxa44fnDCBlQYDVR0j
> BIGNMIGKgBREqX/HQEzU5TCDrBsbttUxa44fnKFnpGUwYzELMAkGA1UEBhMCRlIx
> EzARBgNVBAgTClNvbWUtU3RhdGUxDjAMBgNVBAcTBVBhcmlzMQswCQYDVQQKEwJC
> VDEiMCAGA1UEAxMZaXBvYzAxLmlwb2MuYnRzZXJ2aWNlcy5mcoIJAM7IwuTIzhwq
> MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAd0Le1JyJF8zBs0RYvEn7
> c1nhVbsdD8FDBTa4IaNvkbIt8al6G7bBpfyDxcMVtgFc8zHt/+sYfTxWuHh7m+b1
> yjJtD9vMjIigbaZq4VJOz11JEWsQHc8wo3So+G+CelTz4HXPoGh5vqRtTkupjedz
> 0DDsA1jd9F4KpYSOkzxosdc=
> -----END CERTIFICATE-----
> ---
> Server certificate
> subject=/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
> issuer=/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1107 bytes and written 316 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 1024 bit
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : AES256-SHA
>     Session-ID: 9EF5F2D4FD72A0D1161C8334537F1ADF60C8B790A3F699B6DC52557E3C95D427
>     Session-ID-ctx:
>     Master-Key: 015D50D6D93F502E37EDB577691F05D157E80A439A2B129B370EEA24E651E828A172E43B3F6D29174BF33B96193202F0
>     Key-Arg   : None
>     Start Time: 1259761586
>     Timeout   : 300 (sec)
>     Verify return code: 18 (self signed certificate)
> ---
> 
> ------------------
> 
> My ldap.conf
> -----------------
> BASE    dc=domain,dc=tld
> URI     ldaps://ldapserver.domain.tld/
> TLS_REQCERT allow
> 
> 
> My slapd.conf :
> ----------------
> ...
> TLSCACertificateFile /etc/ldap/ssl/server.pem
> TLSCertificateFile /etc/ldap/ssl/server.pem
> TLSCertificateKeyFile /etc/ldap/ssl/server.pem
> ...
> 
> ------------------
> My /etc/default/slapd.conf
> ...
> SLAPD_SERVICES="ldaps://ldapserver.domain.tld"
> ...
> 
> Could you please help me ? 
> 

Hello,

are you sure the server is listetning at 636?

--- SNIP ---
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
------------

It seems more like a network problem to me.
Please, verify it by % netstat -nlp | grep 636; or eventually by %
netstat -nlp | grep 389; at the server.

Regards,
Zdenek

-- 
Zdenek Styblik
Net/Linux admin
OS TurnovFree.net
email: stybla@turnovfree.net
jabber: stybla@jabber.turnovfree.net