
Problem with OpenLDAP with TLS configuration



Hi, if there isn’t enough information in this email don’t blame me, I tried to do a much longer email and the list server wouldn’t let me.  If you go to the bottom and work your way up you’ll see exactly where I start to talk about my issue.  The rest of the information is my configuration:

I installed Berkeley Database in this directory: /home/d5/berkeleyDB

I installed Cyrus-SASL in this directory: /home/d5/cyrus-sasl

I installed OpenSSL in this directory: /home/d5/openssl

Here is my LD_LIBRARY_PATH: export LD_LIBRARY_PATH=/home/d5/openssl/lib:/home/d5/berkeleyDB/lib:/home/d5/cyrus-sasl/lib

Here is my PATH: export PATH=/home/d5/openldap/bin:/home/d5/openldap/sbin:/home/d5/openssl/bin:/home/d5/openssl/sbin:/home/d5/openldap/bin:${PATH}

 

Here is how I compiled and installed OpenLDAP (this is a script):

export LD_LIBRARY_PATH=/home/d5/openssl/lib:/home/d5/berkeleyDB/lib:/home/d5/cyrus-sasl/lib
export CPPFLAGS="-I/home/d5/openssl/include -I/home/d5/berkeleyDB/include -I/home/d5/cyrus-sasl/include"
export LDFLAGS="-L/home/d5/openssl/lib -L/home/d5/berkeleyDB/lib -L/home/d5/cyrus-sasl/lib"

./configure --prefix=/home/d5/openldap \
            --exec-prefix=/home/d5/openldap \
            --with-tls \
            --enable-slapd \
            --with-cyrus-sasl \
            --enable-crypt \
            --enable-hdb \
            --enable-bdb \
            --enable-ldbm \
            --with-ldbm-api=berkeley
make clean
make depend
make
make install

So I now have OpenLDAP installed in this directory: /home/d5/openldap

Here are the relevant portions of my slapd.conf:

<snip>

access to *
   by self write
   by users read
   by anonymous auth

TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /home/d5/openldap/var/openldap-data/cacert.pem
TLSCertificateFile /home/d5/openldap/var/openldap-data/servercrt.pem
TLSCertificateKeyFile /home/d5/openldap/var/openldap-data/serverkey.pem
TLSVerifyClient try

#######################################################################
# BDB database definitions
#######################################################################
database        bdb
suffix          "dc=evasive,dc=com"
rootdn         "cn=Manager,dc=evasive,dc=com"
rootpw         {SSHA}bvkoCKHo0Qarz6z9xO6Chc4aa+4ARMeu
directory      /home/d5/openldap/var/openldap-data
cachesize       5000
checkpoint      512     720
index objectClass eq

Here is my ldap.conf:

#
# Global LDAP settings
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.
HOST           ldapbkup.evasive.com
PORT           636

TLS_CACERT     /home/d5/openldap/var/openldap-data/cacert.pem
TLS_REQCERT    demand

# The distinguished name of the search base.
# base dc=example,dc=com
BASE           dc=evasive,dc=com

Ok, so after all of this configuration, I created my certificates and put them in the correct places.

I want to test the certificates out so I do the following:

For the server test:

openssl s_server -accept 999 -cert /home/d5/openldap/var/openldap-data/servercrt.pem -key /home/d5/openldap/var/openldap-data/serverkey.pem -CAfile /home/d5/openldap/var/openldap-data/cacert.pem

For the client test:

openssl s_client -port 999 -cert /home/d5/openldap/var/openldap-data/servercrt.pem -key /home/d5/openldap/var/openldap-data/serverkey.pem -CAfile /home/d5/openldap/var/openldap-data/cacert.pem

And I assume they work as I get this:

<clipped a bunch of stuff>
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: F0A560AF1702FE58EA6BC1D2BA9E6DA9166A556766AAB54BB41D9DA9B087CB9B
    Session-ID-ctx:
    Master-Key: DB2F14858628E9311F53B6014BF7870F9E2B56C810986272520A305BBD03F93BCF4D9E707CD594956C388061C07977D7
    Key-Arg   : None
    Start Time: 1101533419
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

So now on to the LDAP client test:

I start the server like so:

export LD_LIBRARY_PATH=/home/d5/openssl/lib:/home/d5/berkeleyDB/lib:/home/d5/cyrus-sasl/lib
export PATH=/home/d5/openldap/bin:/home/d5/openldap/sbin:/home/d5/openssl/bin:/home/d5/openssl/sbin:/home/d5/openldap/bin:${PATH}

/home/d5/openldap/libexec/slapd -d256 -h "ldap:/// ldaps:///"

Then I try the following test:

/home/d5/openssl/bin/openssl s_client -connect localhost:636 -showcerts -state -CAfile /home/d5/openldap/var/openldap-data/cacert.pem

I think I’m still going good as I get this:

---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: DDB11129C23DA26CF249AF1D9C1CB37FD9ED952FEAFB382D33E76E056B11C287
    Session-ID-ctx:
    Master-Key: B98508387884B4FB517199F78054C67DABC8D9C53988F32FB039B9B61CF887AE5EFCD1865F086B5BE2464651348CC116
    Key-Arg   : None
    Start Time: 1101533585
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

So on to the next test:

/home/d5/openssl/bin/openssl s_client -connect localhost:636 -showcerts -state -CAfile /home/d5/openldap/var/openldap-data/cacert.pem -cert /home/d5/certs/ldap.client.pem -key /home/d5/certs/keys/ldap.client.key.pem

And again:

---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA
    Session-ID: 59A82915AD8E006C621BF0513F3D8C8D247190B313A023B2491F881863B047A5
    Session-ID-ctx:
    Master-Key: 5DBAAB63BFEBC9DD541D9522AC8178F25C9943A4D0FED2B2BE20721D6F4EFCEDC8C3C4594FFB617245A2D98B696EBD54
    Key-Arg   : None
    Start Time: 1101533718
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

=================Here is where I start to have issues============================

Then I try this test:

/home/d5/openldap/bin/ldapadd -x -D "cn=Manager,dc=evasive,dc=com" -wmynewldap -f init.ldif

Which works great (don’t worry about what init.ldif is, it’s adding some stuff).

HOWEVER when I try this test:

/home/d5/openldap/bin/ldapsearch -x -b 'dc=evasive,dc=com' -D "cn=Manager,dc=evasive,dc=com" '(objectclass=*)' -H ldaps://ldapbkup.evasive.com -wmynewldap

Forget it, I keep getting this on the client:

ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

and this on the server:

conn=15 fd=13 ACCEPT from IP=192.168.0.2:34837 (IP=0.0.0.0:636)
TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1052
conn=15 fd=13 closed

Oh! I almost forgot the weirdest part.  I have an old version of OpenLDAP on my system as well.  It’s version 2.0.23 and when I execute this line:

/usr/bin/ldapsearch -x -b 'dc=evasive,dc=com' -D "cn=Manager,dc=evasive,dc=com" '(objectclass=*)' -H ldaps://ldapbkup.evasive.com -wmynewldap

It works!

version: 2

#
# filter: (objectclass=*)
# requesting: ALL
#

# evasive, com
dn: dc=evasive,dc=com
objectClass: dcObject
objectClass: organization
o: ExampleOrg
dc: evasive

# my-name, evasive, com
dn: cn=my-name,dc=evasive,dc=com
objectClass: organizationalRole
cn: my-name

# my system, evasive, com
dn: ou=my system,dc=evasive,dc=com
objectClass: organizationalUnit
ou: my system
description: Test organizational unit to hold admin user

# mr admin, my system, evasive, com
dn: cn=mr admin,ou=my system,dc=evasive,dc=com
objectClass: person
userPassword:: dGVzdHBhc3M=
description: mr admin test user
cn: mr admin
sn: admin

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 4

Very confused.  I’m open for ideas, suggestions, things I may have done wrong.

Thanks

Thomas

--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.289 / Virus Database: 265.4.2 - Release Date: 11/24/2004
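Diagnostic helpers for the "certificate verify failed" / "tlsv1 alert unknown ca" pair above, added here as an example (not code from the post or from the OpenLDAP project). The keywords are the ones shown in the post's ldap.conf and slapd.conf and the lookup order follows ldap.conf(5); the labelled assumption is that each OpenLDAP build reads the ldap.conf under its own install prefix, so the packaged 2.0.23 /usr/bin/ldapsearch and the new /home/d5/openldap build may be trusting different CA files.

```shell
#!/bin/sh
# Added diagnostic helpers for the ldaps:// failure above; not part of the original
# post. Assumption (labelled): each OpenLDAP build reads the ldap.conf under its own
# sysconfdir (/etc/openldap for the packaged 2.0.23 client, /home/d5/openldap/etc/openldap
# for the new build), which is why two ldapsearch binaries on one box can trust
# different CA files and only one of them verifies the server certificate.

# Lookup order an OpenLDAP client uses for its configuration, per ldap.conf(5):
# the system-wide file, then $LDAPCONF, ~/ldaprc, ~/.ldaprc, ./ldaprc and $LDAPRC.
# $1 is the install prefix of the client binary being debugged.
client_conf_files() {
    printf '%s\n' "$1/etc/openldap/ldap.conf"
    [ -n "${LDAPCONF:-}" ] && printf '%s\n' "$LDAPCONF"
    printf '%s\n' "$HOME/ldaprc" "$HOME/.ldaprc" "./ldaprc"
    [ -n "${LDAPRC:-}" ] && printf '%s\n' "$LDAPRC"
    return 0
}

# Value of a keyword in an ldap.conf / slapd.conf style file: "KEY value", '#'
# comment lines skipped, keyword matched case-insensitively, first match wins.
conf_value() {
    awk -v k="$2" '/^[ \t]*#/ { next } tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# The client's TLS_CACERT must name the CA that issued the certificate slapd presents.
# Succeeds only when the client's CA file is set and equals the one slapd is configured
# with ($1 = client ldap.conf, $2 = slapd.conf).
same_ca() {
    client_ca=$(conf_value "$1" TLS_CACERT)
    server_ca=$(conf_value "$2" TLSCACertificateFile)
    [ -n "$client_ca" ] && [ "$client_ca" = "$server_ca" ]
}

# Reproduce what the client does before reporting "certificate verify failed": build
# the chain from the server certificate ($2) to the CA ($1), then check the subject CN
# against the host named in the ldaps:// URI ($3). Needs the openssl binary.
check_server_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 \
        || { echo "chain from $2 does not verify against $1"; return 1; }
    openssl x509 -in "$2" -noout -subject | grep -q "CN *= *$3" \
        || { echo "subject CN in $2 does not match $3"; return 1; }
    echo "ok: $2 verifies against $1 and names $3"
}
```

Running `same_ca` against the ldap.conf from each prefix and `check_server_cert` with the slapd CA, server certificate and the ldaps:// host shows which side of the handshake disagrees about the CA before touching slapd itself.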