
Re: SSL/TLS



I have to add one more thing. It appears that with the proper certs specified in slapd.conf, no -h ldaps:/// is needed to make TLS available over port 389. My command line is now:
/usr/libexec/slapd -u ldap -g ldap -f /etc/openldap/slapd.conf


and TLS is available. I don't think the man page or FAQ makes this clear. I've added a note to the FAQ.

\\Greg



Greg Martin wrote:
Sorry for the long post, but I resolved most of this. It was all configuration detail. There were two things happening:

I was using:
TLS_CACertificateFile
TLS_CertificateFile
TLS_CertificateKeyFile
(Note the extra underscore)

not:
TLSCACertificateFile
TLSCertificateFile
TLSCertificateKeyFile

I guess I got ldap.conf & slapd.conf directives confused. When I ran slapd in -d 255 I found that mistake.

Second:
I had the following in slapd.conf & ldap.conf
TLSCipherSuite DHE-RSA-AES256-SHA
(which I cut & pasted from 'openssl ciphers')

replaced it with
TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
It's still not clear to me what the syntax should be. Trying to translate the 'openssl ciphers -v' output into what's mentioned in the man page doesn't help me much. But I can be dense.



So a couple of questions that don't need answers:
- would there be value in making the slapd.conf & ldap.conf TLS directives align?
- Should slaptest report the bad TLS directives?


And one more. In the man page for slapd, there is this explanation for the -h option:
-h URLlist
slapd will by default serve ldap:/// (LDAP over TCP on all interfaces on default LDAP port). That is, it will bind using INADDR_ANY and port 389. The -h option may be used to specify LDAP (and other scheme) URLs to serve. For example, if slapd is given -h "ldap://127.0.0.1:9009/ ldaps:/// ldapi:///", it will listen on 127.0.0.1:9009 for LDAP, 0.0.0.0:636 for LDAP over TLS,


The last part seems inexact. It says -h ldaps:/// will cause slapd to listen on port 636 for LDAP over TLS. Should that say something like:
</grreplace_placeholder_never_used>

"will cause slapd to listen for LDAP over SSL on port 636 and for start_tls on port 389?"

I've dropped all this in my blog at: http://linux2.gmartin.org:82/tiki/tiki-view_blog_post.php?blogId=2&postId=107


BTW, I still can't get phpldapadmin to connect using tls, but that's for another day.


\\Greg




Greg Martin wrote:
I know there are a lot of questions on this topic, and I ask for your patience.

I'm trying to figure out how to discern if slapd is properly configured for SSL/TLS. Reading through the slapd strace output shows that the cacert & certfile are being opened & read.

slapd v2.3.27

When I look at netstat -an ports 389 & 636 are listening:
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN



slapd.conf:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLS_CACertificateFile /var/data/ca/cacert.pem
TLS_CertificateFile /var/data/ca/newcerts/ldap1cert.pem
TLS_CertificateKeyFile /etc/openldap/ldap1keyclear.txt
TLSVerifyClient never

Reading through the strace output shows that the cacert & certfile are being opened.

ldap.conf
BASE    dc=gmartin, dc=org
URI    ldap://linux2.gmartin.org
TLS_CACERT /var/data/ca/cacert.pem

ldaprc:
TLS_CACERT /var/data/ca/cacert.pem

When I try ldapsearch or openssl s_client, I receive:
sslv3 alert handshake failure

And using slapd debug I see:
TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:97


I checked the FAQ and I think I've looked at everything there. Not sure where to look next.

\\Greg
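The root cause in this thread is a slapd.conf that carries the ldap.conf (client) spelling of the TLS directives, which slapd silently ignores, and a cipher-list value whose syntax was unclear. The script below is an added example, not something from the original posts or from the OpenLDAP project: a small lint for the TLS section of a slapd.conf that flags underscore-style names (mapping the real ldap.conf directives to their slapd.conf equivalents and guessing the intent for misspellings such as TLS_CACertificateFile), reports TLS directives slapd.conf does not know, and, when an openssl binary is present, checks a TLSCipherSuite value against `openssl ciphers`. The sample configuration written by write_bad_sample is constructed to mirror the misconfigured file quoted earlier in the thread, with one extra ldap.conf-style line added for illustration; the directive tables are the server-side names from slapd.conf(5) and the client-side names from ldap.conf(5).

```shell
#!/bin/sh
# Lint the TLS directives of a slapd.conf (added example, not OpenLDAP code).
# lint_slapd_tls FILE: prints one line per problem, exit status 1 if any found.
lint_slapd_tls() {
    awk '
    BEGIN {
        # ldap.conf (client) spelling -> slapd.conf (server) spelling
        client["TLS_CACERT"]       = "TLSCACertificateFile"
        client["TLS_CACERTDIR"]    = "TLSCACertificatePath"
        client["TLS_CERT"]         = "TLSCertificateFile"
        client["TLS_KEY"]          = "TLSCertificateKeyFile"
        client["TLS_CIPHER_SUITE"] = "TLSCipherSuite"
        client["TLS_REQCERT"]      = "TLSVerifyClient"
        # TLS directives slapd.conf understands (slapd compares case-insensitively)
        server["TLSCACERTIFICATEFILE"]  = 1
        server["TLSCACERTIFICATEPATH"]  = 1
        server["TLSCERTIFICATEFILE"]    = 1
        server["TLSCERTIFICATEKEYFILE"] = 1
        server["TLSCIPHERSUITE"]        = 1
        server["TLSRANDFILE"]           = 1
        server["TLSVERIFYCLIENT"]       = 1
        server["TLSCRLCHECK"]           = 1
        bad = 0
    }
    NF == 0 || $1 ~ /^#/ { next }            # blank lines and comments
    toupper($1) !~ /^TLS/ { next }            # only TLS directives matter here
    {
        key = toupper($1)
        if (key ~ /^TLS_/) {
            bad++
            if (key in client)
                printf "line %d: %s is an ldap.conf directive; use %s\n", NR, $1, client[key]
            else {
                # misspelling such as TLS_CACertificateFile: drop the underscore
                guess = $1; sub(/^[Tt][Ll][Ss]_/, "TLS", guess)
                printf "line %d: %s is not a slapd.conf directive; did you mean %s?\n", NR, $1, guess
            }
        } else if (!(key in server)) {
            bad++
            printf "line %d: unknown TLS directive %s\n", NR, $1
        }
    }
    END { exit (bad > 0) }
    ' "$1"
}

# check_cipher_suite SPEC: validate a TLSCipherSuite value as an OpenSSL
# cipher list. Skipped (status 0) when no openssl binary is available.
check_cipher_suite() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found; skipping cipher-list check" >&2
        return 0
    fi
    if openssl ciphers "$1" >/dev/null 2>&1; then
        return 0
    fi
    echo "TLSCipherSuite '$1' is not a valid OpenSSL cipher list" >&2
    return 1
}

# Constructed sample: the server file from the thread with client-side
# spellings, plus one genuine ldap.conf directive. Paths are illustrative.
write_bad_sample() {
    cat > "$1" <<'EOF'
# constructed sample slapd.conf TLS section
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLS_CACertificateFile /var/data/ca/cacert.pem
TLS_CertificateFile /var/data/ca/newcerts/ldap1cert.pem
TLS_CertificateKeyFile /etc/openldap/ldap1keyclear.txt
TLS_CACERT /var/data/ca/cacert.pem
TLSVerifyClient never
EOF
}

# Constructed sample: the same section with the correct slapd.conf names.
write_good_sample() {
    cat > "$1" <<'EOF'
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /var/data/ca/cacert.pem
TLSCertificateFile /var/data/ca/newcerts/ldap1cert.pem
TLSCertificateKeyFile /etc/openldap/ldap1keyclear.txt
TLSVerifyClient never
EOF
}

# Stand-alone use: sh slapd-tls-lint.sh /etc/openldap/slapd.conf
if [ "$#" -eq 1 ]; then
    lint_slapd_tls "$1"
fi
```

A syntactically valid cipher list can still produce the "no shared cipher" handshake alert seen in the thread: the server only offers the subset of the list it can actually use with its key and parameters, so a list naming only DHE suites on a server without DH parameters, or only suites the client does not offer, negotiates nothing. Running the lint with `slaptest` before restarting slapd catches the naming mistakes that `-d 255` only reveals after the fact.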