
TLS over ldap not working properly on debian etch - slapd 2.3.30


Seems the previous mail didn't go through (sent 24 hours ago); if it did, sorry for the dupe.

I'm having a problem getting TLS over ldap to work on my setup. Normal LDAP operations work fine, ldaps works fine, but TLS over ldap does not.
I've tried following various guides from debian-administration, gentoo wiki, openldap.org docs etc but I could never get this last bit to work.

On my last effort I followed this guide:
http://www.bayour.com/LDAPv3-HOWTO.html and created my certificate with:

openssl req -new -x509 -nodes -out server.pem -keyout server.pem -days 365
(and yes, I did make sure the common name matches the host.network.com for the ldapserver)

and in slapd.conf:

TLSCertificateFile      /etc/ldap/server.pem
TLSCertificateKeyFile   /etc/ldap/server.pem
TLSCACertificateFile    /etc/ldap/server.pem

and started the server with:

slapd -h 'ldap:// ldaps://' -g openldap -u openldap -d127

Now to test the encryption on the ldaps port with:
openssl s_client -connect <ldaphost>:636 -showcerts -state -CAfile /etc/ldap/server.pem

which results in the following output:

SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 /C=NO/ST=Some-State/L=Oslo/O=company AS/CN=<ldaphost>/emailAddress=mail@company
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
Certificate chain
Server certificate
subject=/C=NO/ST=Some-State/<certificate info>
issuer=/C=NO/ST=Some-State/<certificate info>
No client certificate CA names sent
SSL handshake has read 1080 bytes and written 316 bytes
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: CBE0DD206D44248AAC8766578CFEDCD5205ECAF2D466F87827432D870A2A6209
Session-ID-ctx: Master-Key: F4794B77D23C66E40CB80A25B3E270A7B474B4A6F3A1942C9184FFE3948135AA4449F9BC5DAE442ADA4FA9EAC6471D32
Key-Arg : None
Start Time: 1211962435
Timeout : 300 (sec)
Verify return code: 0 (ok)

BUT, when I try the same for the ldap port:

openssl s_client -connect <ldaphost>:389 -showcerts -state -CAfile /etc/ldap/server.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
2135:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

According to the various guides I read I thought this should be working with my current setup. Maybe I am missing something?
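The ldap:// port speaks plain LDAP until the client asks for TLS: "TLS over ldap" means the StartTLS extended operation (RFC 4511, OID 1.3.6.1.4.1.1466.20037), where the client sends an LDAP ExtendedRequest on port 389, waits for a success ExtendedResponse, and only then starts the TLS handshake on the same socket. A bare TLS ClientHello, which is what openssl s_client sends to port 389 when it is not told to do StartTLS, is not a valid LDAP message, so no handshake can happen there; ldaps:// on 636, by contrast, begins with TLS immediately. The script below is an added example written for this thread, not code from the original post or from OpenLDAP. It encodes the StartTLS request in BER, decodes the server's ExtendedResponse, and wraps the socket in TLS with chain and hostname verification only after the server has agreed; the host name and CA file passed on the command line are placeholders for your own values.

```python
"""Minimal LDAP StartTLS client (added example, not from the original post).

The plain LDAP port expects an LDAP PDU first; a client asks for TLS by sending
the StartTLS ExtendedRequest and begins the TLS handshake only after the server
answers with resultCode success (0).
"""
import socket
import ssl
import sys

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # StartTLS extended operation OID


def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one BER TLV with a definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _read_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def build_starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    if not 0 < message_id < 0x80:
        raise ValueError("this example only encodes single-byte message IDs")
    request_name = _tlv(0x80, STARTTLS_OID.encode("ascii"))  # [0] context-specific, primitive
    extended_req = _tlv(0x77, request_name)                   # [APPLICATION 23], constructed
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + extended_req)


def parse_extended_response(data: bytes) -> dict:
    """Decode LDAPMessage { messageID, ExtendedResponse [APPLICATION 24] }."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")  # e.g. a TLS record arrived instead
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, body, _ = _read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError(f"expected ExtendedResponse, got tag 0x{tag:02x}")
    _, rc, pos = _read_tlv(body, 0)            # resultCode ENUMERATED
    _, matched_dn, pos = _read_tlv(body, pos)  # matchedDN LDAPDN
    _, diag, pos = _read_tlv(body, pos)        # diagnosticMessage LDAPString
    response_name = None
    while pos < len(body):                     # optional referral / responseName / responseValue
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0x8A:                        # responseName [10]
            response_name = val.decode("ascii")
    return {
        "message_id": int.from_bytes(mid, "big"),
        "result_code": int.from_bytes(rc, "big"),
        "matched_dn": matched_dn.decode("utf-8"),
        "diagnostic": diag.decode("utf-8"),
        "response_name": response_name,
    }


def starttls(host: str, port: int = 389, cafile: str = None, timeout: float = 10.0) -> ssl.SSLSocket:
    """Connect in the clear, negotiate StartTLS, return the TLS-wrapped socket."""
    sock = socket.create_connection((host, port), timeout=timeout)
    sock.sendall(build_starttls_request(1))
    resp = parse_extended_response(sock.recv(4096))
    if resp["result_code"] != 0:
        sock.close()
        raise RuntimeError(f"StartTLS refused: resultCode={resp['result_code']} {resp['diagnostic']!r}")
    # create_default_context() enforces CERT_REQUIRED and hostname checking,
    # so a self-signed server.pem must be passed as the CA file to be trusted.
    ctx = ssl.create_default_context(cafile=cafile)
    return ctx.wrap_socket(sock, server_hostname=host)


if __name__ == "__main__":
    # Usage: python starttls_check.py <ldaphost> /etc/ldap/server.pem   (placeholder values)
    tls = starttls(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None)
    print("negotiated", tls.version(), "cipher", tls.cipher()[0])
    print("server cert subject:", tls.getpeercert()["subject"])
    tls.close()
```

The same request/response exchange is what ldapsearch -ZZ performs before binding, and what openssl s_client does when given -starttls ldap (available in OpenSSL 1.1.1 and later); without that option s_client on port 389 sends a TLS record where slapd expects a BER-encoded LDAPMessage, which is the mismatch the parser above rejects.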