[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
LDAP TLS/SSL Security problem
I am new to the LDAP sceen. I've looked through most of the postings on
this and other pages and found many of the same questions without answers.
I'm running OpenLDAP 2.1.30, nss_ldap-220, pam_ldap-169, Solaris 2.8 ,
OpenSSL 0.9.7b 10 Apr 2003. I am using LDAP for user authentication on all
UNIX server. I know Solaris has a LDAP client, but I wanted to use the
open source. This may make it easier to do password aging. I have LDAP
without TLS running fine. Only the communication between the client server
and the master server is in clear text. I have been trying to use TLS/SSL
to encrypt it.
I created the openssl keys with
openssl req -new -x509 -nodes -out server.pem -keyout server.pem -days 365
/etc/ldap.conf
HOST <LDAP Server FQDN>
BASE dc=*********,dc=com
URI ldaps://<LDAP Server FQDN>
TLS_CACER /usr/local/etc/server.pem
TLS_CACERTDIR /usr/local/etc/server.pem
TLS_KEY /usr/local/etc/server.pem
SIZELIMIT 12
TIMELIMIT 15
/usr/local/etc/openldap/slapd.conf
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24
23:19:14 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
#include /usr/local/etc/openldap/schema/solaris.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
loglevel 256
pidfile /usr/local/var/slapd.pid
argsfile /usr/local/var/slapd.args
# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
##security ssf=128
#
TLSCertificateFile /etc/ssl/certs/servercrt.pem
TLSCertificateKeyFile /etc/ssl/private/serverkey.pem
TLSCACertificateFile /etc/ssl/certs/cacert.pem
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSVerifyClient never
#sasl-regexp uid=(.*),cn=ldaptest,cn=DIGEST-MD5,cn=auth uid
=$1,ou=people,,dc=focaldata,dc=net
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
access to attr=userPassword
by self write
by anonymous auth
by dn.base="cn=Manager,dc=*******,dc=com" write
# by * auth
# access to dn.base="cn=Subschema" by * read
access to *
by self read
by users read
by anonymous auth
#
# if no access controls are present, the default policy is:
# Allow read by all
#
# rootdn can always write!
#password-hash {SSHA}
#######################################################################
# ldbm database definitions
#######################################################################
database bdb
suffix "dc=*********,dc=comt"
##rootdn "cn=Manager,dc=*********,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
#rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
mode 0600
# Indices to maintain
index objectClass eq
index cn,uid eq
index uidNumber eq
index gidNumber eq
Slapd debug error messages when a client tries to login:
connection_get(10): got connid=6
connection_read(10): checking for input on id=6
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
TLS: can't accept.
TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
s23_srvr.c:585
connection_read(10): TLS accept error error=-1 id=6, closing
connection_closing: readying conn=6 sd=10 for close
connection_close: conn=6 sd=10
openssl s_client -connect localhost:636 -showcerts -debug
CONNECTED(00000003)
write to 00090DB0 [00092D08] (148 bytes => 148 (0x94))
0000 - 80 92 01 03 01 00 69 00-00 00 20 00 00 39 00 00 ......i... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0 8..5............
0020 - 00 00 33 00 00 32 00 00-2f 00 00 07 05 00 80 03 ..3..2../.......
0030 - 00 80 00 00 66 00 00 05-00 00 04 01 00 80 08 00 ....f...........
0040 - 80 00 00 63 00 00 62 00-00 61 00 00 15 00 00 12 ...c..b..a......
0050 - 00 00 09 06 00 40 00 00-65 00 00 64 00 00 60 00 .....@..e..d..`.
0060 - 00 14 00 00 11 00 00 08-00 00 06 04 00 80 00 00 ................
0070 - 03 02 00 80 7f d5 e0 51-9f f9 d8 86 28 f9 ae 99 .......Q....(...
0080 - f9 a6 68 9d 32 dd be 19-d0 94 67 57 90 c2 8f bd ..h.2.....gW....
0090 - 5d 8f d9 6d ]..m
read from 00090DB0 [00098268] (7 bytes => 7 (0x7))
0000 - 16 03 01 00 4a 02 ....J.
0007 - <SPACES/NULS>
read from 00090DB0 [0009826F] (72 bytes => 72 (0x48))
0000 - 00 46 03 01 40 e1 d9 53-d7 2a e2 7c 9a 1e ea e7 .F..@..S.*.|....
0010 - 83 23 db fe e1 4a 32 3f-6a 92 31 2f b4 f7 19 38 .#...J2?j.1/...8
0020 - 97 54 c1 df 20 42 22 d1-de 96 df 91 5f 0b 4b bd .T.. B"....._.K.
0030 - 79 3b 80 84 5d 6a 7a 2d-fe 2d 24 4a 3d fb da 13 y;..]jz-.-$J=...
0040 - d1 f0 49 c7 2e 00 35 ..I...5
0048 - <SPACES/NULS>
read from 00090DB0 [00098268] (5 bytes => 5 (0x5))
0000 - 16 03 01 03 3f ....?
read from 00090DB0 [0009826D] (831 bytes => 831 (0x33F))
0000 - 0b 00 03 3b 00 03 38 00-03 35 30 82 03 31 30 82 ...;..8..50..10.
0010 - 02 9a a0 03 02 01 02 02-01 01 30 0d 06 09 2a 86 ..........0...*.
0020 - 48 86 f7 0d 01 01 04 05-00 30 66 31 0b 30 09 06 H........0f1.0..
0030 - 03 55 04 06 13 02 55 53-31 0b 30 09 06 03 55 04 .U....US1.0...U.
0040 - 08 13 02 49 4c 31 0b 30-09 06 03 55 04 07 13 02 ...IL1.0...U....
0050 - 41 48 31 0e 30 0c 06 03-55 04 0a 13 05 46 6f 63 AH1.0...U....Foc
0060 - 61 6c 31 0c 30 0a 06 03-55 04 0b 13 03 4e 4d 53 al1.0...U....NMS
0070 - 31 1f 30 1d 06 03 55 04-03 13 16 6c 64 61 70 74 1.0...U....ldapt
0080 - 65 73 74 2e 66 6f 63 61-6c 64 61 74 61 2e 6e 65 est.focaldata.ne
0090 - 74 30 1e 17 0d 30 34 30-36 32 39 31 36 30 36 32 t0...04062916062
00a0 - 37 5a 17 0d 30 35 30 36-32 39 31 36 30 36 32 37 7Z..050629160627
00b0 - 5a 30 66 31 0b 30 09 06-03 55 04 06 13 02 55 53 Z0f1.0...U....US
00c0 - 31 0b 30 09 06 03 55 04-08 13 02 49 4c 31 0b 30 1.0...U....IL1.0
00d0 - 09 06 03 55 04 07 13 02-41 48 31 0e 30 0c 06 03 ...U....AH1.0...
00e0 - 55 04 0a 13 05 46 6f 63-61 6c 31 0c 30 0a 06 03 U....Focal1.0...
00f0 - 55 04 0b 13 03 4e 4d 53-31 1f 30 1d 06 03 55 04 U....NMS1.0...U.
0100 - 03 13 16 6c 64 61 70 74-65 73 74 2e 66 6f 63 61 ...ldaptest.foca
0110 - 6c 64 61 74 61 2e 6e 65-74 30 81 9f 30 0d 06 09 ldata.net0..0...
0120 - 2a 86 48 86 f7 0d 01 01-01 05 00 03 81 8d 00 30 *.H............0
0130 - 81 89 02 81 81 00 9b f8-3b 87 c0 76 3e 5a f3 17 ........;..v>Z..
0140 - 8b 23 1a 78 b3 69 15 de-09 fa b6 a0 d4 c2 7a 59 .#.x.i........zY
0150 - e4 c6 6c f2 7f 3f 2a 05-72 8e 1a db f7 e4 db b5 ..l..?*.r.......
0160 - ef 11 f2 d6 27 5e b7 6d-44 8f e8 db 3b 58 c0 04 ....'^.mD...;X..
0170 - 44 3d f1 67 29 d7 bb 54-05 fc 8c c1 9d 93 19 d9 D=.g)..T........
0180 - 90 40 8e 23 ec 6c 11 62-ee 61 13 69 27 f2 97 a2 .@.#.l.b.a.i'...
0190 - cd ae 0e 41 3f fc 61 59-d9 b1 24 56 ba 32 84 e1 ...A?.aY..$V.2..
01a0 - 3f 72 ff 10 e7 d5 a8 ce-4a 34 a5 01 79 95 35 75 ?r......J4..y.5u
01b0 - cd f8 ab d8 c0 4f 02 03-01 00 01 a3 81 ee 30 81 .....O........0.
01c0 - eb 30 09 06 03 55 1d 13-04 02 30 00 30 2c 06 09 .0...U....0.0,..
01d0 - 60 86 48 01 86 f8 42 01-0d 04 1f 16 1d 4f 70 65 `.H...B......Ope
01e0 - 6e 53 53 4c 20 47 65 6e-65 72 61 74 65 64 20 43 nSSL Generated C
01f0 - 65 72 74 69 66 69 63 61-74 65 30 1d 06 03 55 1d ertificate0...U.
0200 - 0e 04 16 04 14 d4 80 9b-fc 69 ed 54 05 c7 88 24 .........i.T...$
0210 - 64 38 c8 94 e9 bf 5b 64-7f 30 81 90 06 03 55 1d d8....[d.0....U.
0220 - 23 04 81 88 30 81 85 80-14 ed 4b 0b 12 65 58 66 #...0.....K..eXf
0230 - 1d 1e ef 01 f5 d9 57 6d-4e d1 cb 43 5c a1 6a a4 ......WmN..C\.j.
0240 - 68 30 66 31 0b 30 09 06-03 55 04 06 13 02 55 53 h0f1.0...U....US
0250 - 31 0b 30 09 06 03 55 04-08 13 02 49 4c 31 0b 30 1.0...U....IL1.0
0260 - 09 06 03 55 04 07 13 02-41 48 31 0e 30 0c 06 03 ...U....AH1.0...
0270 - 55 04 0a 13 05 46 6f 63-61 6c 31 0c 30 0a 06 03 U....Focal1.0...
0280 - 55 04 0b 13 03 4e 4d 53-31 1f 30 1d 06 03 55 04 U....NMS1.0...U.
0290 - 03 13 16 6c 64 61 70 74-65 73 74 2e 66 6f 63 61 ...ldaptest.foca
02a0 - 6c 64 61 74 61 2e 6e 65-74 82 01 00 30 0d 06 09 ldata.net...0...
02b0 - 2a 86 48 86 f7 0d 01 01-04 05 00 03 81 81 00 77 *.H............w
02c0 - c4 86 31 d9 46 c8 f7 2c-de 46 cd 18 80 65 2e 78 ..1.F..,.F...e.x
02d0 - cb 29 b3 f7 c2 dc 06 68-19 15 03 db 43 e3 ad 3b .).....h....C..;
02e0 - 34 4e a4 a3 f4 58 f0 0d-45 7b 53 b8 1d db 89 70 4N...X..E{S....p
02f0 - 12 28 26 c5 26 eb 9f 85-a3 8b 19 dd c1 fe 42 e4 .(&.&.........B.
0300 - fa cd 62 38 4c fc 02 78-5e aa 56 e5 12 50 e7 05 ..b8L..x^.V..P..
0310 - 2b 7a aa 99 f8 e3 28 8b-d3 a3 e6 1d a8 bc ec d4 +z....(.........
0320 - df cf 68 dd 02 0a 59 26-2c 84 3f 13 c9 78 d6 b3 ..h...Y&,.?..x..
0330 - 5a 85 09 58 0b a2 fb ac-ce ab 20 36 e4 80 1f Z..X...... 6...
depth=0 /C=US/ST=IL/L=AH/O=Focal/OU=NMS/CN=ldaptest.*********.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=IL/L=AH/O=Focal/OU=NMS/CN=ldaptest.**********.com
verify error:num=21:unable to verify the first certificate
verify return:1
read from 00090DB0 [00098268] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 04 .....
read from 00090DB0 [0009826D] (4 bytes => 4 (0x4))
0000 - 0e .
0004 - <SPACES/NULS>
write to 00090DB0 [000A2398] (139 bytes => 139 (0x8B))
0000 - 16 03 01 00 86 10 00 00-82 00 80 6a 1b 70 04 50 ...........j.p.P
0010 - 21 f1 c8 8f 68 91 d4 76-5b cf 55 03 53 6c b0 d5 !...h..v[.U.Sl..
0020 - 8d ab 78 cb 2c 15 6b 76-38 18 30 b0 e6 bc 26 65 ..x.,.kv8.0...&e
0030 - 1c de 44 8a d6 da 37 0c-75 2c 3b ce 2f 7b 40 82 ..D...7.u,;./{@.
0040 - 51 f8 f3 25 7c fb f4 7a-54 78 8c 23 8c cf 4b 96 Q..%|..zTx.#..K.
0050 - 0e ef 7c 88 49 67 dc a2-04 85 80 17 31 c7 4b 12 ..|.Ig......1.K.
0060 - c6 95 3b 9f ce 62 14 e2-7b 3d 16 58 e8 48 44 4c ..;..b..{=.X.HDL
0070 - 4c fa c0 2a 01 d5 4c bb-6a 5d 30 2b 25 77 94 4f L..*..L.j]0+%w.O
0080 - a8 f5 4c 7e fa 68 dc 48-78 b9 9c ..L~.h.Hx..
write to 00090DB0 [000A2398] (6 bytes => 6 (0x6))
0000 - 14 03 01 00 01 01 ......
write to 00090DB0 [000A2398] (53 bytes => 53 (0x35))
0000 - 16 03 01 00 30 e4 81 e2-d9 e6 0b 38 9d af bb c3 ....0......8....
0010 - 69 09 56 df 7a af cf ad-cf f6 67 85 47 1e fd dc i.V.z.....g.G...
0020 - 10 a3 44 3c 59 07 78 4e-11 8d 6e ae 1a bc 74 ba ..D<Y.xN..n...t.
0030 - d8 54 4c d9 d9 .TL..
read from 00090DB0 [00098268] (5 bytes => 5 (0x5))
0000 - 14 03 01 00 01 .....
read from 00090DB0 [0009826D] (1 bytes => 1 (0x1))
0000 - 01 .
read from 00090DB0 [00098268] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 30 ....0
read from 00090DB0 [0009826D] (48 bytes => 48 (0x30))
0000 - 1b b8 19 d2 58 a1 59 e2-23 9d b2 0d bd 99 d1 d4 ....X.Y.#.......
0010 - 17 a3 8d f9 74 4a e1 d8-75 60 45 6d c0 15 5b d2 ....tJ..u`Em..[.
0020 - 6d dd 92 c0 44 75 50 ce-52 1a ea d3 4c 59 fd 0f m...DuP.R...LY..
---
Certificate chain
0 s:/C=US/ST=IL/L=AH/O=Focal/OU=NMS/CN=ldaptest.********.com
i:/C=US/ST=IL/L=AH/O=Focal/OU=NMS/CN=ldaptest.*******.com
-----BEGIN CERTIFICATE-----
MIIDMTCCApqgAwIBAgIBATANBgkqhkiG9w0BAQQFADBmMQswCQYDVQQGEwJVUzEL
MAkGA1UECBMCSUwxCzAJBgNVBAcTAkFIMQ4wDAYDVQQKEwVGb2NhbDEMMAoGA1UE
CxMDTk1TMR8wHQYDVQQDExZsZGFwdGVzdC5mb2NhbGRhdGEubmV0MB4XDTA0MDYy
OTE2MDYyN1oXDTA1MDYyOTE2MDYyN1owZjELMAkGA1UEBhMCVVMxCzAJBgNVBAgT
AklMMQswCQYDVQQHEwJBSDEOMAwGA1UEChMFRm9jYWwxDDAKBgNVBAsTA05NUzEf
MB0GA1UEAxMWbGRhcHRlc3QuZm9jYWxkYXRhLm5ldDCBnzANBgkqhkiG9w0BAQEF
AAOBjQAwgYkCgYEAm/g7h8B2PlrzF4sjGnizaRXeCfq2oNTCelnkxmzyfz8qBXKO
Gtv35Nu17xHy1idet21Ej+jbO1jABEQ98Wcp17tUBfyMwZ2TGdmQQI4j7GwRYu5h
E2kn8peiza4OQT/8YVnZsSRWujKE4T9y/xDn1ajOSjSlAXmVNXXN+KvYwE8CAwEA
AaOB7jCB6zAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVy
YXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQU1ICb/GntVAXHiCRkOMiU6b9bZH8w
gZAGA1UdIwSBiDCBhYAU7UsLEmVYZh0e7wH12VdtTtHLQ1yhaqRoMGYxCzAJBgNV
BAYTAlVTMQswCQYDVQQIEwJJTDELMAkGA1UEBxMCQUgxDjAMBgNVBAoTBUZvY2Fs
MQwwCgYDVQQLEwNOTVMxHzAdBgNVBAMTFmxkYXB0ZXN0LmZvY2FsZGF0YS5uZXSC
AQAwDQYJKoZIhvcNAQEEBQADgYEAd8SGMdlGyPcs3kbNGIBlLnjLKbP3wtwGaBkV
A9tD4607NE6ko/RY8A1Fe1O4HduJcBIoJsUm65+Fo4sZ3cH+QuT6zWI4TPwCeF6q
VuUSUOcFK3qqmfjjKIvTo+YdqLzs1N/PaN0CClkmLIQ/E8l41rNahQlYC6L7rM6r
IDbkgB8=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=IL/L=AH/O=Focal/OU=NMS/CN=ldaptest.*********.com
issuer=/C=US/ST=IL/L=AH/O=Focal/OU=NMS/CN=ldaptest.*********.com
---
No client certificate CA names sent
---
SSL handshake has read 983 bytes and written 346 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID:
4222D1DE96DF915F0B4BBD793B80845D6A7A2DFE2D244A3DFBDA13D1F049C72E
Session-ID-ctx:
Master-Key:
ECE722A9BC1A3D0194E70C62E59AAC35C7DF19CD476BEE06E802ECD090F391227B9A3BD4B281139F1E33A7082BDFB6A5
Key-Arg : None
Start Time: 1088543059
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
I really don't know where to go or whatt to do. Can someone please put me
in the correct direction.