[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: fedora and openldap

To: "harry.jede@arcor.de" <harry.jede@arcor.de>
Subject: Re: fedora and openldap
From: Judith Flo Gaya <jflo@imppc.org>
Date: Tue, 12 Apr 2011 19:10:06 +0200
Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
In-reply-to: <201104111314.34875.harry.jede@arcor.de>
References: <4D9B87A2.8040400@imppc.org> <201104091723.01247.harry.jede@arcor.de> <4DA2CE65.70006@imppc.org> <201104111314.34875.harry.jede@arcor.de>
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20110125 Lightning/1.0b2 Lanikai/3.1.7

I'm posting all the information together in this e-mail, hope you canhelp me out, I'm quite desperate at this point.


Following your advise I tried to set TLS in my server and client.

I generated the certificates for both client and server (self signed)and sent the cacert file from the server to the clients.


I started the server like this:

/usr/local/libexec/slapd -u ldap -h ldaps://curri0.imppc.local:636 -f/usr/local/openldap-2.4.25/etc/openldap/slapd.conf -d 1

( I installed a newer version of openldap in my server as the RH6 usesan old one, I compiled it with tls and openssl)


From the client I do :
 ldapsearch -x -ZZ -d1 -h curri0.imppc.local:636
ldap_create
ldap_url_parse_ext(ldap://curri0.imppc.local:636)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP curri0.imppc.local:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 172.19.5.13:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x1b4c170 msgid 1
wait4msg ld 0x1b4c170 msgid 1 (infinite timeout)
wait4msg continue ld 0x1b4c170 msgid 1 all 1
** ld 0x1b4c170 Connections:
* host: curri0.imppc.local  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Tue Apr 12 18:56:35 2011


** ld 0x1b4c170 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x1b4c170 request count 1 (abandoned 0)
** ld 0x1b4c170 Response Queue:
   Empty
  ld 0x1b4c170 response count 0
ldap_chkResponseList ld 0x1b4c170 msgid 1 all 1
ldap_chkResponseList returns ld 0x1b4c170 NULL
ldap_int_select
read1msg: ld 0x1b4c170 msgid 1 all 1
ber_get_next
ldap_err2string
ldap_start_tls: Can't contact LDAP server (-1)



And the server shows this:

slap_listener_activate(8):
>>> slap_listener(ldaps://curri0.imppc.local:636)
connection_get(12): got connid=1000
connection_read(12): checking for input on id=1000
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:error in SSLv2/v3 read client hello A

TLS: can't accept: error:140760FC:SSLroutines:SSL23_GET_CLIENT_HELLO:unknown protocol.

connection_read(12): TLS accept failure error=-1 id=1000, closing
connection_close: conn=1000 sd=12



If I do this from the client or the server:

# openssl s_client -connect curri0.imppc.local:636 -showcerts
CONNECTED(00000003)
(...)
verify return:1
---
Certificate chain
 0 s:(...)
-----BEGIN CERTIFICATE-----
(...)
-----END CERTIFICATE-----
---
Server certificate
subject=(...)
---
No client certificate CA names sent
---
SSL handshake has read 1254 bytes and written 439 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: (...)
    Session-ID-ctx:
    Master-Key: (...)
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket:
(...)

    Compression: 1 (zlib compression)
    Start Time: 1302627455
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)



I get this on server:

slap_listener_activate(8):
>>> slap_listener(ldaps://curri0.imppc.local:636)
connection_get(12): got connid=1002
connection_read(12): checking for input on id=1002
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(12): got connid=1002
connection_read(12): checking for input on id=1002
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write session ticket A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(12): unable to get TLS client DN, error=49 id=1002


I generated the certificates like this:
# generate CA
openssl genrsa 2048 > ca-key.pem
# create certificate
openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem

openssl req -newkey rsa:2048 -days 1000 -nodes -keyout server-key.pem >server-req.pem

# self sign the cert

openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkeyca-key.pem -set_serial 01 > server-cert.pem


#For the client:
# create cert

openssl req -newkey rsa:2048 -days 1000 -nodes -keyout client-key.pem >client-req.pem

# sign cert

openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem -CAkeyca-key.pem -set_serial 01 > client-cert.pem


Here is my slapd.conf tls related

TLSCACertificateFile/usr/local/openldap-2.4.25/etc/openldap/imppccerts/ca-cert.pemTLSCertificateFile/usr/local/openldap-2.4.25/etc/openldap/imppccerts/server-cert.pemTLSCertificateKeyFile/usr/local/openldap-2.4.25/etc/openldap/imppccerts/server-key.pem


Am I missing something?

Thanks a lot in advance for any help, it is very appreciated.
j

On 04/11/2011 01:14 PM, harry.jede@arcor.de wrote:

Judith Flo Gaya wrote:
...

At least i could see that the password exop option in the
pam_ldap.conf lets the server to apply the security to the password,
so I think I can change it within the slapd.conf file.

Yes, and if you don't specify "password-hash" in slapd.conf, ssha is
used. It is the default.

do you suggest to use salt?

ssha use salt.

Thanks a lot for your help,
j


BTW
have you read rfc-3062 ?
http://www.faqs.org/rfcs/rfc3062.html

If you configure your clients to use "password exop" you should be sure
that the clients use any kind of network protection, TLS or SSL.

TinyCA is a perl based GTK-GUI which may help you to generate certs and
keys.

Until you are ready to use TLS/SSL I sugggest that you let the client
encrypt the passwords local.

Follow-Ups:
- Re: fedora and openldap
  - From: Quanah Gibson-Mount <quanah@zimbra.com>
- Re: fedora and openldap
  - From: Tom Leach <leach@coas.oregonstate.edu>

References:
- fedora and openldap
  - From: Judith Flo Gaya <jflo@imppc.org>
- Re: fedora and openldap
  - From: harry.jede@arcor.de
- Re: fedora and openldap
  - From: Judith Flo Gaya <jflo@imppc.org>
- Re: fedora and openldap
  - From: harry.jede@arcor.de

Prev by Date: Re: clarifications on cachesize, preferred db, et. al. from admin guide
Next by Date: Re: fedora and openldap
Index(es):
- Chronological
- Thread