Re: problem with openldap ssl client

On Tue, 2008-07-08 at 00:06 -0400, Sambuddho Chakravarty wrote:
> Hello
>  I have an openldap server running slapd on 636 (LDAPS). When I connect
> from an LDAP browser, I am able to successfully browse the database.

Can you be more specific about the software you are using? Not all
graphical LDAP clients have SSL validation features (and if they do, in
some cases they aren't enabled by default).

> However when I try to connect from a linux client machine (Ubuntu Server
> 8.04) I am not able to connect to the ldaps. However regular ldap works
> fine.

So, assuming it is not a firewall problem, the most likely cause is
certificate validation.

> The /etc/ldap.conf looks like this
> ssl start_tls
> ssl on

You shouldn't use both of these; only use 'ssl on' if you are using
'host'. In the 'uri' case it won't really make a difference.

> tls_checkpeer tes

"tes" ???

> tls_cacertdir /etc/ldap/cacerts
> tls_cacertfile /etc/ldap/cacert/cacert.pem
> #server IP
> uri ldaps://

What is the subject CN on the certificate the server has?

> pam_password md5
> base dc=example,dc=com
> The /etc/ldap/ldap.conf file is like this
> URI     ldaps://
> TLS_CACERTDIR /etc/ldap/cacerts
> TLS_CACERT   /etc/ldap/cacerts/cacert.pem
> BASE dc=example,dc=com
> The same configuration (with appropriate changes - replacing ldaps with
> ldap and so on) works fine for regular ldap. But the problem is the
> ldaps.

So, what do you get if you try something like this:

$ openssl s_client -CAfile /etc/ldap/cacerts/cacert.pem -connect

Does the CN attribute in the server certificate you get back match the
hostname in the URI?

> When ldaps client is enabled and I do a getent passwd,
> the /var/log/auth.log looks like this
> Jul  7 23:57:46 host3 getent: nss_ldap: reconnecting to LDAP server...
> Jul  7 23:57:46 host3 getent: nss_ldap: reconnecting to LDAP server
> (sleeping 1 seconds)...
> Jul  7 23:57:47 host3 getent: nss_ldap: could not search LDAP server -
> Server is unavailable
> Jul  7 23:58:18 host3 getent: nss_ldap: reconnecting to LDAP server...

For now, using the OpenLDAP client utilities (ldapsearch) to do the same
connection may be an easier way to debug, but once it is working, you
need to put the equivalent configuration in /etc/ldap.conf. So, with
your current configuration, this would be the way to test with

$ ldapsearch -x -H ldaps:// -s base -b dc=example,dc=com

However, any certificate-related aspects still need to be in the
OpenLDAP library configuration file (/etc/ldap/ldap.conf, or ~/.ldaprc).

> Please suggest where I could have gone wrong. Any suggestions would be
> really appreciated.

Hmm, if you were trying to get https working, you would be getting
warnings from your browser, this really isn't rocket science, but
nss_ldap can't show you warning dialogs, so you need to get the
configuration right ...
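The two checks the reply asks for (does the server certificate chain to the CA file the client trusts, and does its name match the host in the ldaps:// URI) can be rehearsed offline. The script below is an added example, not code from the thread or from OpenLDAP; it generates throwaway certificates with the openssl command-line tool and then runs the same validation libldap does silently. The hostname ldap.example.com, the address 192.0.2.10 and the file names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original thread. It reproduces, offline,
# the two checks the reply asks for: does the server certificate chain to the
# CA file the client trusts, and does its name match the host in the URI.
# Assumptions (all placeholders): the LDAP host is ldap.example.com, its
# address is 192.0.2.10, and the openssl command-line tool is installed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

LDAP_HOST=ldap.example.com   # name the client would put in uri ldaps://...
LDAP_IP=192.0.2.10           # what the original poster put there instead

# Throwaway self-signed CA; $1 is the basename, e.g. "ca" -> $WORK/ca.pem.
# Stands in for the file named by tls_cacertfile / TLS_CACERT.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Server certificate signed by $WORK/ca.pem.
# $1 = basename, $2 = subject CN, $3 = subjectAltName entry (DNS:... or IP:...)
make_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'subjectAltName=%s\n' "$3" > "$WORK/$1.ext"
  openssl x509 -req -days 1 -in "$WORK/$1.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/$1.ext" \
    -out "$WORK/$1.pem" 2>/dev/null
}

# check_ldaps_cert CERT.pem CAFILE HOST
# Returns 0 only if CERT chains to CAFILE and is issued to HOST. These are
# the two things libldap verifies before nss_ldap reports "Server is
# unavailable"; this prints which one failed instead.
check_ldaps_cert() {
  cert=$1 cafile=$2 host=$3
  if ! openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert does not chain to $cafile (wrong tls_cacertfile?)"
    return 1
  fi
  # A dotted-quad needs the iPAddress check; anything else is a DNS name.
  case $host in
    *[!0-9.]*) flag=-checkhost ;;
    *)         flag=-checkip ;;
  esac
  if ! openssl x509 -noout -in "$cert" "$flag" "$host" | grep -q 'does match'; then
    echo "FAIL: $cert is not issued to $host; it is issued to:"
    openssl x509 -noout -in "$cert" -subject -ext subjectAltName 2>/dev/null || true
    return 1
  fi
  echo "OK: $cert chains to $cafile and matches $host"
}

make_ca ca
make_ca other-ca
make_server_cert good "$LDAP_HOST" "DNS:$LDAP_HOST"   # what the server should serve
make_server_cert byip "$LDAP_IP" "IP:$LDAP_IP"        # if the URI must carry an IP

# Correct setup: CA matches, name matches.
check_ldaps_cert "$WORK/good.pem" "$WORK/ca.pem" "$LDAP_HOST"
# The thread's likely problem: certificate names the host, URI uses the IP.
check_ldaps_cert "$WORK/good.pem" "$WORK/ca.pem" "$LDAP_IP" || true
# Wrong CA file on the client.
check_ldaps_cert "$WORK/good.pem" "$WORK/other-ca.pem" "$LDAP_HOST" || true
# An IP in the URI only works if the certificate carries an IP SAN.
check_ldaps_cert "$WORK/byip.pem" "$WORK/ca.pem" "$LDAP_IP"

# Against the real server, save its certificate with the reply's command and
# feed it to the same function:
#   openssl s_client -CAfile /etc/ldap/cacerts/cacert.pem \
#       -connect "$LDAP_HOST:636" </dev/null | openssl x509 -out server.pem
#   check_ldaps_cert server.pem /etc/ldap/cacerts/cacert.pem "$LDAP_HOST"
```

Whichever of the two checks fails for the live certificate is the line to fix in /etc/ldap.conf and /etc/ldap/ldap.conf: either point tls_cacertfile / TLS_CACERT at the CA that actually issued the server certificate, or make the host in uri / URI the same name the certificate was issued to (reissue the certificate with an IP subjectAltName if the URI has to use an address).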