[Date Prev][Date Next] [Chronological] [Thread] [Top]

Newbie OpenLDAP/SSL/Certificates question (now works)

I managed to get it working (well, I think, future will tell more).

I'd like to point out two things that, IMHO, are quite "hidden" in the natural 
places where one looks for information (how-to's, faq). Could someone be kind 
enough to tell me if those statements are correct ? If so, I'll fill a change 
request so that the documentation gets updated a bit.

- white spaces at the end of a line have special meaning in ldif files. So if 
they are unnecessary, remove them (otherwise say hello to the problems)

- TLS_CERT / TLS_KEY must appear in .ldaprc, NOT in ldap.conf. In the man page 
of ldap.conf, it is said that these options are "user only". The hard part is 
that it translates to "these options can only appear in .ldaprc". 

- If one wants to make a "fully-localhost" test (that is, everything run on 
localhost, without access to the web, a DNS or whatever), then he has to set 
its host name to something that can be recognized as a FQDN (for exmaple, 
localhost.love.com). This is particularly an issue when one wants to use 
SSL/TSL with certificates. The client/server certificates needs to have their 
CN set to the FQDN of the machine they run on. However, "localhost" is not a 
valid FQDN therefore making certificates with CN=localhost won't work. So one 
has to find a way to name its machine with a proper FQDN, for example 
localhost.love.com. To achieve that, the simplest way is to set the hostname 
of the machine to the FQDN (on my debian, I put "localhost.love.com" as the 
sole content of /etc/hostname). And one has to make sure that FQDN can be 
resolved to an IP, for that I used " localhost.love.com" in 
my /etc/hosts.


> Dear you all,
> I'm (desperately :)) trying to get my OpenLDAP up and running with SSL. I
> had some success so far, but I'm stuck now.
> I've installed OpenLDAP,SSL,SASL,BDB successfuly. All work fine. OL
> recognizes SASL as well as SSL (well, I think so, but considering all the
> things I've done, it looks like everything is responding quite well).
> I've been able to "ldapsearch" on "ldaps://localhost", using
> TLSVerifyClient set to "never". I didn't check if the SSL flow is actually
> encrypted, but from what I read in the debug, everything looks fine.
> Now, I want to set TLSVerifyClient to "demand" (so that the server is
> better protected). And, this doesn't work. After reading a (loooong) while,
> I figured out that my certificates are probably broken. Here's what they
> look like :
> The client has :
>         Issuer: C=AU, ST=Some-State, O=CA Company
>         Validity
>             Not Before: Sep  9 13:19:53 2004 GMT
>             Not After : Sep  9 13:19:53 2005 GMT
>         Subject: C=AU, ST=Some-State, O=Client company, CN=localhost
> And the server has :
>         Issuer: C=AU, ST=Some-State, O=CA Company
>         Validity
>             Not Before: Sep  9 13:19:26 2004 GMT
>             Not After : Sep  9 13:19:26 2005 GMT
>         Subject: C=AU, ST=Some-State, O=Server company, CN=localhost
>         Subject Public Key Info:
> They were both signed with the same CA (that CA was created with openssl's
> ca.sh script). As you can see, I use localhost as a CN. And that's what is
> scaring me a bit : most of the places I've read say : "Don't use localhost
> as CN", "use FQDN" (btw, what is the FQDN of an ldapserver running on
> localhost and meant to be available only on the localhost,). Unfortunately,
> my setup is :
> slapd -f /home/stefan/Projects/server/openldap/etc/openldap/slapd.conf
> -d127 -h "ldaps://localhost:8087"
> ldapadd -H "ldaps://localhost:8087" -ZZ -D "cn=Manager,dc=love,dc=com" -f
> ~/ldaptest -x -w Leon -d 1
> So as you can see everything runs in local (I'm just testing, so no IP, no
> DNS, no real CA, no conenction to any intra/internet). So, what is openldap
> requesting that is particular and that I don't know ? (or maybe it can't
> simply work this way ?)
> Oh, by the way, the error I can read on the _server_ log is :
> TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not
> return a certificate s3_srvr.c:1999
> Of course, I understand that using certificates only for local prupose is
> pointless, except that I just want to learn...
> Thank you for your patience,
> Stefan
> (PS: I've read in this ml policy that one shouldn't post about SSL issues,
> but because I think my certificates are right, well, you know...)