[Date Prev][Date Next]
Re: problem with openldap ssl client
On Tue, 2008-07-08 at 10:04 +0200, Buchan Milne wrote:
> On Tue, 2008-07-08 at 00:06 -0400, Sambuddho Chakravarty wrote:
> > Hello
> > I have an openldap server running slapd on 636 (LDAPS) . When I connect
> > from a ldap browser , I am able to successfully browse the database.
> Can you be more specific about the software you are using? Not all
> graphical LDAP clients have SSL validation features (and if they do, in
> some cases they aren't enabled by default).
> > However when I try to connect from a linux client machine (Ubuntu Server
> > 8.04) I am not able to connect to the ldaps. However regular ldap works
> > fine.
> So, assuming it is not a firewall problem, the most likely cause is
> certificate validation.
> > The /etc/ldap.conf looks like this
> > ssl start_tls
> > ssl on
> You shouldn't use both of these, only use 'ssl on' if you are using
> 'host', in the 'uri' case it won't really make a difference.
> > tls_checkpeer tes
> "tes" ???
> > tls_cacertdir /etc/ldap/cacerts
> > tls_cacertfile /etc/ldap/cacert/cacert.pem
> > #server IP
> > uri ldaps://188.8.131.52/
> What is the subject CN on the certificate the server has?
The subject CN on the certificate is the IP address of the server
(184.108.40.206); same as that in the HOST field.
> > pam_password md5
> > base dc=example,dc=com
> > The /etc/ldap/ldap.conf file is like this
> > URI ldaps://220.127.116.11/
> > TLS_CACERTDIR /etc/ldap/cacerts
> > TLS_CACERT /etc/ldap/cacerts/cacert.pem
> > HOST 18.104.22.168
> > BASE dc=example,dc=com
> > The same configuration (with approprirate changes - replacing ldaps with
> > ldap and so on) works fine for regular ldap. But the problem is the
> > ldaps.
> So, what do you get if you try something like this:
> $ openssl s_client -CAfile /etc/ldap/cacerts/cacert.pem -connect
> Does the CN attribute in the server certificate you get back match the
> hostname in the URI?
The CN attribute is the server IP address.
> > When ldaps client is enabled and I do a getent passed ,
> > the /var/log/auth.log looks like this
> > Jul 7 23:57:46 host3 getent: nss_ldap: reconnecting to LDAP server...
> > Jul 7 23:57:46 host3 getent: nss_ldap: reconnecting to LDAP server
> > (sleeping 1 seconds)...
> > Jul 7 23:57:47 host3 getent: nss_ldap: could not search LDAP server -
> > Server is unavailable
> > Jul 7 23:58:18 host3 getent: nss_ldap: reconnecting to LDAP server...
> For now, using the OpenLDAP client utilities (ldapsearch) to do the same
> connection may be an easier way to debug, but once it is working, you
> need to put the equivalent configuration in /etc/ldap.conf. So, with
> your current configuration, this would be the way to test with
> $ ldapsearch -x -H ldaps://22.214.171.124 -s base -b dc=example,dc=com
This results the following error : ldap_result: Can't contact LDAP
> However, and certificate-related aspects still need to be in the
> OpenLDAP library configuration file (/etc/ldap/ldap.conf, or ~/.ldaprc).
> > Please suggest where I could have gone wrong. Any suggestions would be
> > really appreciated.
> Hmm, if you were trying to get https working, you would be getting
> warnings from your browser, this really isn't rocket science, but
> nss_ldap can't show you warning dialogs, so you need to get the
> configuration right ...