Re: Authentication failed with ldaps configuration
On Fri, 2009-12-04 at 14:27 +0100, Smaïne Kahlouch wrote:
> -------- Original Message --------
> From: Zdenek Styblik <stybla@turnovfree.net>
> To: smainklh@free.fr
> Cc: openldap-technical@openldap.org
> Subject: Re: Authentication failed with ldaps configuration
> Date: Thu, 03 Dec 2009 17:03:32 +0100
>
> smainklh@free.fr wrote:
> > ----- Original Mail -----
> > From: "Zdenek Styblik" <stybla@turnovfree.net>
> > To: smainklh@free.fr
> > Cc: openldap-technical@openldap.org
> > Sent: Wednesday 2 December 2009 16:37:01 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
> > Subject: Re: Authentication failed with ldaps configuration
> >
> > smainklh@free.fr wrote:
> >> Hi everyone,
> >>
> >> I configured my ldap server (debian lenny) to listen on port 636 (ldaps) but it doesn't seem to work when issuing a remote connection.
> >> Perhaps I made a mistake when generating the certificates?
> >>
> >> When I try to browse the ldap server from a remote server I get the following message:
> >> ----------
> >> root@vmtest:~# ldapsearch -d 1 -Wx -H ldaps://ldapserver.domain.tld -D cn=admin,dc=domain,dc=tld
> >> ldap_url_parse_ext(ldaps://ldapserver.domain.tld)
> >> ldap_create
> >> ldap_url_parse_ext(ldaps://ldapserver.domain.tld:636/??base)
> >> Enter LDAP Password:
> >> ldap_sasl_bind
> >> ldap_send_initial_request
> >> ldap_new_connection 1 1 0
> >> ldap_int_open_connection
> >> ldap_connect_to_host: TCP ldapserver.domain.tld:636
> >> ldap_new_socket: 3
> >> ldap_prepare_socket: 3
> >> ldap_connect_to_host: Trying 10.10.48.40:636
> >> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> >> TLS: peer cert untrusted or revoked (0x42)
> >> ldap_err2string
> >> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> >> -----------
> >>
> >> I generated the certificates with the following command:
> >> # openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 3650
> >>
> >> -----------
> >>
> >> Then I tried the connection:
> >> openssl s_client -connect ldapserver.domain.tld:636 -showcerts
> >> CONNECTED(00000003)
> >> depth=0 /C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
> >> verify error:num=18:self signed certificate
> >> verify return:1
> >> depth=0 /C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
> >> verify return:1
> >> ---
> >> Certificate chain
> >> 0 s:/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
> >> i:/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
> >> ---
> >> Server certificate
> >> subject=/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
> >> issuer=/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
> >> ---
> >> No client certificate CA names sent
> >> ---
> >> SSL handshake has read 1107 bytes and written 316 bytes
> >> ---
> >> New, TLSv1/SSLv3, Cipher is AES256-SHA
> >> Server public key is 1024 bit
> >> Compression: NONE
> >> Expansion: NONE
> >> SSL-Session:
> >> Protocol : TLSv1
> >> Cipher : AES256-SHA
> >> Session-ID: 9EF5F2D4FD72A0D1161C8334537F1ADF60C8B790A3F699B6DC52557E3C95D427
> >> Session-ID-ctx:
> >> Master-Key: 015D50D6D93F502E37EDB577691F05D157E80A439A2B129B370EEA24E651E828A172E43B3F6D29174BF33B96193202F0
> >> Key-Arg : None
> >> Start Time: 1259761586
> >> Timeout : 300 (sec)
> >> Verify return code: 18 (self signed certificate)
> >> ---
> >>
> >> ------------------
> >>
> >> My ldap.conf
> >> -----------------
> >> BASE dc=domain,dc=tld
> >> URI ldaps://ldapserver.domain.tld/
> >> TLS_REQCERT allow
> >>
> >>
> >> My slapd.conf :
> >> ----------------
> >> ...
> >> TLSCACertificateFile /etc/ldap/ssl/server.pem
> >> TLSCertificateFile /etc/ldap/ssl/server.pem
> >> TLSCertificateKeyFile /etc/ldap/ssl/server.pem
> >> ...
> >>
> >> ------------------
> >> My /etc/default/slapd.conf
> >> ...
> >> SLAPD_SERVICES="ldaps://ldapserver.domain.tld"
> >> ...
> >>
> >> Could you please help me?
> >>
> >
> > Hello,
> >
> > are you sure the server is listening at 636?
> >
> > --- SNIP ---
> > ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> > ------------
> >
> > It seems more like a network problem to me.
> > Please, verify it by % netstat -nlp | grep 636; or eventually by %
> > netstat -nlp | grep 389; at the server.
> >
> > Regards,
> > Zdenek
> >
> > Hi Zdenek,
> >
> > Yes I am.
> >
> > netstat -nlp | grep 636
> > tcp 0 0 10.10.48.40:636 0.0.0.0:* LISTEN
> > netstat -nlp | grep 389
> >
> > Logs from the ldap server
> > -----------
> > Dec 3 10:10:04 ldapserver slapd[20754]: slap_listener_activate(8):
> > Dec 3 10:10:04 ldapserver slapd[20754]: >>> slap_listener(ldaps://ldapserver.domain.tld)
> > Dec 3 10:10:04 ldapserver slapd[20754]: connection_get(14): got connid=42
> > Dec 3 10:10:04 ldapserver slapd[20754]: connection_read(14): checking for input on id=42
> > Dec 3 10:10:04 ldapserver slapd[20754]: connection_get(14): got connid=42
> > Dec 3 10:10:04 ldapserver slapd[20754]: connection_read(14): checking for input on id=42
> > Dec 3 10:10:04 ldapserver slapd[20754]: connection_read(14): unable to get TLS client DN, error=49 id=42
> > Dec 3 10:10:04 ldapserver slapd[20754]: connection_get(14): got connid=42
> > Dec 3 10:10:04 ldapserver slapd[20754]: connection_read(14): checking for input on id=42
> > Dec 3 10:10:04 ldapserver slapd[20754]: ber_get_next on fd 14 failed errno=0 (Success)
> > Dec 3 10:10:04 ldapserver slapd[20754]: connection_closing: readying conn=42 sd=14 for close
> > Dec 3 10:10:04 ldapserver slapd[20754]: connection_close: conn=42 sd=14
> >
> > It seems to be a certificate problem.
> > -----
> > TLS: peer cert untrusted or revoked
> > -----
> >
> > Do you have any idea?
> > Grifith
>
>
> Evening Grifith,
>
> I'm sorry I've missed that one. I'm no expert, but I can give you my
> config files.
> I've used 'easy-rsa' to generate all certificates. It comes with
> OpenVPN, but it might be available as a standalone package in Debian. It's a set of
> scripts for certificate manipulation, and it surely eases things up.
> One thing that came to my mind: the certificate "has" to bear the same FQDN as
> the IP, e.g. if 192.168.1.1 -eq server1.mydomain.tld then the certificate should
> be generated for and contain server1.mydomain.tld.
> Another thing is that .key files should have chmod 400.
>
> --- client side ---
> cat /etc/openldap/ldap.conf
>
> BASE dc=mydomain,dc=tld
> URI ldaps://server1.mydomain.tld
> port 636
> ssl yes
> #ssl start_tls
> TLS_CACERT /etc/openldap/ssl/ca.mydomain.crt
> TLS_CERT /etc/ssl/certs/server2.mydomain.tld.crt
> TLS_KEY /etc/ssl/private/server2.mydomain.tld.key
> TLS_REQCERT never
> TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3
> ------------------
>
> --- server ---
> cat /etc/openldap/slapd.conf
> ...
> TLSCipherSuite HIGH:MEDIUM:+SSLv3
> TLSCACertificateFile /etc/ssl/certs/ca.mydomain.crt
> TLSCertificateFile /etc/ssl/certs/server1.mydomain.tld.crt
> TLSCertificateKeyFile /etc/ssl/private/server1.mydomain.tld.key
> TLSVerifyClient never
> ...
> --------------
>
> I hope it helps, at least a bit.
>
> Have a nice evening,
> Zdenek
>
> PS: Thunderbird refused to accept the rest of the text for some reason,
> I had to c&p it inside.
> --------------------------------
>
> Hi,
>
> Thanks for your help Zdenek
> I made it work with the following configuration:
>
>
> SERVER
> -------------
> My slapd.conf :
> ----------------
> ...
> TLSCACertificateFile /etc/ssl/certs/ldap-cert.pem
> TLSCertificateFile /etc/ssl/certs/ldap-cert.pem
> TLSCertificateKeyFile /etc/ldap/ssl/ldap-key.pem
>
> I created the certificate with this command
> # openssl req -config /etc/ssl/openssl.cnf -new -x509 -nodes -out /etc/ssl/certs/ldap-cert.pem -keyout /etc/ldap/ssl/ldap-key.pem -days 999999
>
> My ldap.conf :
> ----------------
> BASE dc=mydomain,dc=tld
> URI ldaps://ldapserver.mydomain.tld
> port 636
> ssl on
> ssl start_tls
> TLS_CACERT /etc/ssl/certs/ldap-cert.pem
> TLS_REQCERT allow
>
> CLIENT
> ------------
>
> The ldap.conf is exactly the same as the server's.
>
> And it works !
Hi - I tried the exact same thing but ended up with no luck. I'm on
Ubuntu 9.04 (slapd 2.4.15). Though I can see my ldapssl service gets
started, I cannot perform any ldap operations from the client machine. I
think this is because of an SSL issue. When I tried to verify my cert
using:
openssl s_client -connect my_ip:636 -showcerts, I'm getting the
following error.
13761:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:188:
Any help is appreciated.
Thanks,
~Chamith
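The two checks behind the "TLS: peer cert untrusted or revoked" failure discussed in this thread, reproduced offline with the openssl CLI as an added example (not code from any poster): the server certificate must chain to the CA the client has in TLS_CACERT (for a self-signed certificate, the certificate itself), and its CN or SAN must match the host name in the ldaps:// URI. Host names, the subject fields and file locations are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce offline the two checks an
# ldaps client makes on the server certificate (what TLS_REQCERT demand
# enforces, and what allow/never skip):
#   1. the certificate chains to a certificate in the TLS_CACERT file
#   2. the subject CN (or a SAN) matches the host in the ldaps:// URI
# Host names and the subject are constructed assumptions.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

# Make a self-signed certificate the way the original poster did (-nodes:
# unencrypted key), non-interactively.  $1 = common name, $2 = output prefix.
make_cert() {
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
        -subj "/C=FR/ST=Some-State/L=Paris/O=firm/CN=$1" \
        -keyout "$2.key" -out "$2.pem" >/dev/null 2>&1
    chmod 400 "$2.key"   # key files must not be readable by other users
}

# Return 0 when $2 chains to a certificate in CA file $1 and, if $3 is given,
# its CN/SAN matches that host name.  With a self-signed server certificate
# the "CA file" is the certificate itself, which is why the working config in
# the thread points TLS_CACERT at the same ldap-cert.pem the server uses.
check_server_cert() {
    ca=$1; cert=$2; host=$3
    if [ -n "$host" ]; then
        openssl verify -CAfile "$ca" -verify_hostname "$host" "$cert" >/dev/null 2>&1
    else
        openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1
    fi
}

# One-word verdict for a check, for the demo below.
verdict() { "$@" && echo trusted || echo UNTRUSTED; }

# Demo: the right anchor plus a matching name passes; an unrelated CA fails
# the way the poster's s_client run did ("verify error:num=18:self signed
# certificate"); a name mismatch fails even with the right CA.
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
make_cert ldapserver.domain.tld "$work/ldap"
make_cert other.domain.tld "$work/other"
verdict check_server_cert "$work/ldap.pem"  "$work/ldap.pem" ldapserver.domain.tld
verdict check_server_cert "$work/other.pem" "$work/ldap.pem" ldapserver.domain.tld
verdict check_server_cert "$work/ldap.pem"  "$work/ldap.pem" wrong.domain.tld
```

The same checks apply to a real server: fetch its certificate with `openssl s_client -connect host:636 -showcerts`, save the PEM block, and pass it as `$2` with your TLS_CACERT file as `$1`.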