Re: Turning off clear text - how 2 get tls only communications?
Jim C. wrote:
| Given this starting point, I wanted to turn off clear text and ensure
| that ldap would not talk to clients in anything other than a tls
| encrypted means.
The only way to ensure this is to limit access on the server to clients
with a high enough ssf via ACLs.
| It would be fine for the client on the server to use
| clear text however, since that is fairly safe.
|
| This is what is puzzling me:
|
| I made the following changes:
|
| I set SLAPDURLLIST="ldap://127.0.0.1/ ldaps:///"
Note with this configuration, tls will only work from the localhost, it
will not work from any remote clients.
|
| Given this setting I would assume that ldap would be turned off on
| remote clients and tls would still work.
No, tls will not.
| Now my ldap user which I am
| using for test is called "njim"
|
| Before the change, I got:
|
| [root@kaliklak root]# getent passwd njim
| njim:x:1000:100:System User:/mnt/home/njim:/bin/bash
| [root@kaliklak root]#
|
| After the change, I restarted the server:
|
| [root@enigma sysconfig]# service ldap restart
| Stopping slapd: [ OK ]
| Starting slapd (ldap + ldaps): [ OK ]
| [root@enigma sysconfig]#
|
| ...and then made sure nscd wasn't running for the first test:
|
| [root@kaliklak root]# service nscd stop;ssh enigma service nscd stop
|
| Stopping nscd: [FAILED]
| Stopping nscd: [FAILED]
| [root@kaliklak root]#
|
| Note: enigma is the server, kaliklak is the client. Also the failure
| mentioned above is because nscd wasn't running in the first place.
|
| Then I restarted the server...
|
| [root@enigma sysconfig]# service ldap restart
| Stopping slapd: [ OK ]
| Starting slapd (ldap + ldaps): [ OK ]
|
| ...and on the client I got:
|
| [root@kaliklak root]# getent passwd njim
| [root@kaliklak root]#
|
| i.e. nada. Hmmm... is it an nscd issue? Let's find out:
Well, it can't be, since nscd wasn't running.
| ...anyway I've tried a whole host of combinations to try and get
| SLAPDURLLIST="ldap://127.0.0.1/ ldaps:///" to work with my clients but
| no dice.
|
| Client side settings I've tried:
|
| host ldap.j9starr.net
| ssl start_tls
|
| host ldap.j9starr.net:389
| ssl start_tls
|
| host ldap.j9starr.net:636
| ssl start_tls
Can't work.
|
| uri ldaps://ldap.j9starr.net/
| ssl start_tls
Can't work.
| uri ldaps://ldap.j9starr.net:389/
| ssl start_tls
|
Can't work.
| uri ldaps://ldap.j9starr.net:636/
| ssl start_tls
You can't use both ldaps and tls. Also note that the use of URIs is
currently broken in our pam_ldap package (due to a patch allowing LDAP
server location via SRV records - I haven't had time to look into
pam_ldap yet though ...).
|
| ...round about here I reached the point of maximal frustration and tried
| something different. Namely searches from the server:
|
Best to test this *first* after making any changes.
|
| [root@enigma sysconfig]# ldapsearch -LL -H ldap://localhost
| -b"dc=j9starr,dc=net" -x "(cn=njim)"
|
| version: 1
|
| dn: uid=njim,ou=People,dc=j9starr,dc=net
| objectClass: top
| objectClass: inetOrgPerson
| objectClass: posixAccount
| cn: njim
| sn: njim
| uid: njim
| uidNumber: 1000
| gidNumber: 100
| homeDirectory: /mnt/home/njim
| loginShell: /bin/bash
| gecos: System User
| description: System User
|
| [root@enigma sysconfig]# ldapsearch -LL -Z -H ldap://localhost
| -b"dc=j9starr,dc=net" -x "(cn=njim)"
|
| ldap_start_tls: Connect error (91)
| ~~ additional info: error:14090086:SSL
| routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
| ldap_bind: Can't contact LDAP server (81)
| ~~ additional info: error:14090086:SSL
| routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
| [root@enigma sysconfig]# ldapsearch -LL -Z -H ldaps://localhost
| -b"dc=j9starr,dc=net" -x "(cn=njim)"
|
| ldap_start_tls: Can't contact LDAP server (81)
| ~~ additional info: error:14090086:SSL
| routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
| ldap_bind: Can't contact LDAP server (81)
| ~~ additional info: error:14090086:SSL
| routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
| [root@enigma sysconfig]# ldapsearch -LL -Z -H ldaps://localhost:389
| -b"dc=j9starr,dc=net" -x "(cn=njim)"
| ldap_start_tls: Can't contact LDAP server (81)
| ldap_bind: Can't contact LDAP server (81)
| [root@enigma sysconfig]# ldapsearch -LL -Z -H ldaps://localhost:636
| -b"dc=j9starr,dc=net" -x "(cn=njim)"
| ldap_start_tls: Can't contact LDAP server (81)
| ~~ additional info: error:14090086:SSL
| routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
| ldap_bind: Can't contact LDAP server (81)
| ~~ additional info: error:14090086:SSL
| routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
|
| [root@enigma sysconfig]# ldapsearch -LL -Z -H ldap://localhost
| -b"dc=j9starr,dc=net" -x "(cn=njim)"
|
| ldap_start_tls: Connect error (91)
| ~~ additional info: error:14090086:SSL
| routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
| ldap_bind: Can't contact LDAP server (81)
| ~~ additional info: error:14090086:SSL
| routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Please, first note the difference between /etc/openldap/ldap.conf (used
by openldap tools and the default config file for libldap-based clients)
and /etc/ldap.conf (used by pam_ldap, nss_ldap and some other clients).
Secondly, you are requiring SSL cert verification on your clients,
without a certificate on your server that can be validated against any
CA certificate the client could find. Either turn off cert verification,
or generate certs signed by a CA cert which is available and configured
on the client.
After that, you may still have to do the equivalent for nss_ldap/pam_ldap.
Regards,
Buchan
--
Buchan Milne Senior Support Technician
Obsidian Systems http://www.obsidian.co.za
B.Eng RHCE (803004789010797)
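As an added example (not part of Buchan's reply or of any distribution's packaging), here is how the advice in this thread fits together in configuration: slapd keeps a cleartext listener on all interfaces so remote clients can issue StartTLS, ACLs refuse any operation that is neither from the local host nor protected by an ssf of at least 128, and each of the two client-side ldap.conf files points at a CA certificate that really signed the server certificate. The certificate and key paths are assumed, and the `peername.ip=` ACL style is OpenLDAP 2.2 or later.

```conf
# --- /etc/sysconfig/ldap (server) ---
# Weak (from the thread): StartTLS is only reachable on 127.0.0.1, so
# remote clients cannot negotiate TLS at all.
#SLAPDURLLIST="ldap://127.0.0.1/ ldaps:///"
# Corrected: listen everywhere; cleartext is refused by ACL, not by
# hiding the listener.
SLAPDURLLIST="ldap:/// ldaps:///"

# --- /etc/openldap/slapd.conf (server) ---
# Assumed paths: a CA cert the clients also have, plus server cert/key.
TLSCACertificateFile   /etc/openldap/cacerts/ca.pem
TLSCertificateFile     /etc/openldap/server.pem
TLSCertificateKeyFile  /etc/openldap/server.key

# Passwords: only over a protected session (StartTLS or ldaps), or from
# the local host, which the thread says may stay in clear text.
access to attrs=userPassword
    by self ssf=128 write
    by anonymous ssf=128 auth
    by peername.ip=127.0.0.1 anonymous auth
    by * none

# Everything else: same rule, read-only for ordinary clients.
access to *
    by peername.ip=127.0.0.1 read
    by ssf=128 read
    by * none

# --- /etc/openldap/ldap.conf (client: ldapsearch and other libldap tools) ---
BASE        dc=j9starr,dc=net
URI         ldap://ldap.j9starr.net/
# "demand" is what produced "certificate verify failed" above; it only
# works once the CA below actually signed the server certificate.
TLS_CACERT  /etc/openldap/cacerts/ca.pem
TLS_REQCERT demand

# --- /etc/ldap.conf (client: nss_ldap and pam_ldap) ---
# "host" rather than "uri", since URIs are broken in this pam_ldap build.
host            ldap.j9starr.net
base            dc=j9starr,dc=net
ssl             start_tls
tls_checkpeer   yes
tls_cacertfile  /etc/openldap/cacerts/ca.pem
```

With the ACLs in place, a cleartext `ldapsearch -x` from a remote host returns no entries while `ldapsearch -x -Z` succeeds, which is the check Buchan suggests running before touching nss_ldap or pam_ldap.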