
Re: Authentication failed with ldaps configuration



        -------- Message initial --------
        De: Zdenek Styblik <stybla@turnovfree.net>
        À: smainklh@free.fr
        Cc: openldap-technical@openldap.org
        Sujet: Re: Authentication failed with ldaps configuration
        Date: Thu, 03 Dec 2009 17:03:32 +0100
        
        smainklh@free.fr wrote:
        > ----- Mail Original -----
        > De: "Zdenek Styblik" <stybla@turnovfree.net>
        > À: smainklh@free.fr
        > Cc: openldap-technical@openldap.org
        > Envoyé: Mercredi 2 Décembre 2009 16h37:01 GMT +01:00 Amsterdam / Berlin / Berne / Rome / Stockholm / Vienne
        > Objet: Re: Authentication failed with ldaps configuration
        > 
        > smainklh@free.fr wrote:
        >> Hi everyone,
        >>
        >> I configured my ldap server (debian lenny) to listen on port 636 (ldaps) but it doesn't seem to work when issuing a remote connection.
        >> Perhaps I made a mistake when generating the certificates?
        >>
        >> When I try to browse the ldap server from a remote server I get the following message:
        >> ----------
        >> root@vmtest:~# ldapsearch -d 1 -Wx -H ldaps://ldapserver.domain.tld -D cn=admin,dc=domain,dc=tld
        >> ldap_url_parse_ext(ldaps://ldapserver.domain.tld)
        >> ldap_create
        >> ldap_url_parse_ext(ldaps://ldapserver.domain.tld:636/??base)
        >> Enter LDAP Password:
        >> ldap_sasl_bind
        >> ldap_send_initial_request
        >> ldap_new_connection 1 1 0
        >> ldap_int_open_connection
        >> ldap_connect_to_host: TCP ldapserver.domain.tld:636
        >> ldap_new_socket: 3
        >> ldap_prepare_socket: 3
        >> ldap_connect_to_host: Trying 10.10.48.40:636
        >> ldap_pvt_connect: fd: 3 tm: -1 async: 0
        >> TLS: peer cert untrusted or revoked (0x42)
        >> ldap_err2string
        >> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
        >> -----------
        >>
        >> I generated the certificates with the following command:
        >> # openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 3650
        >>
        >> -----------
        >>
        >> Then I tried the connection:
        >> openssl s_client -connect ldapserver.domain.tld:636 -showcerts
        >> CONNECTED(00000003)
        >> depth=0 /C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
        >> verify error:num=18:self signed certificate
        >> verify return:1
        >> depth=0 /C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
        >> verify return:1
        >> ---
        >> Certificate chain
        >>  0 s:/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
        >>    i:/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
        >> ---
        >> Server certificate
        >> subject=/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
        >> issuer=/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
        >> ---
        >> No client certificate CA names sent
        >> ---
        >> SSL handshake has read 1107 bytes and written 316 bytes
        >> ---
        >> New, TLSv1/SSLv3, Cipher is AES256-SHA
        >> Server public key is 1024 bit
        >> Compression: NONE
        >> Expansion: NONE
        >> SSL-Session:
        >>     Protocol  : TLSv1
        >>     Cipher    : AES256-SHA
        >>     Session-ID: 9EF5F2D4FD72A0D1161C8334537F1ADF60C8B790A3F699B6DC52557E3C95D427
        >>     Session-ID-ctx:
        >>     Master-Key: 015D50D6D93F502E37EDB577691F05D157E80A439A2B129B370EEA24E651E828A172E43B3F6D29174BF33B96193202F0
        >>     Key-Arg   : None
        >>     Start Time: 1259761586
        >>     Timeout   : 300 (sec)
        >>     Verify return code: 18 (self signed certificate)
        >> ---
        >>
        >> ------------------
        >>
        >> My ldap.conf
        >> -----------------
        >> BASE    dc=domain,dc=tld
        >> URI     ldaps://ldapserver.domain.tld/
        >> TLS_REQCERT allow
        >>
        >>
        >> My slapd.conf :
        >> ----------------
        >> ...
        >> TLSCACertificateFile /etc/ldap/ssl/server.pem
        >> TLSCertificateFile /etc/ldap/ssl/server.pem
        >> TLSCertificateKeyFile /etc/ldap/ssl/server.pem
        >> ...
        >>
        >> ------------------
        >> My /etc/default/slapd.conf
        >> ...
        >> SLAPD_SERVICES="ldaps://ldapserver.domain.tld"
        >> ...
        >>
        >> Could you please help me?
        >>
        > 
        > Hello,
        > 
        > Are you sure the server is listening on 636?
        > 
        > --- SNIP ---
        > ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
        > ------------
        > 
        > It seems more like a network problem to me.
        > Please verify it with % netstat -nlp | grep 636; or alternatively with %
        > netstat -nlp | grep 389; on the server.
        > 
        > Regards,
        > Zdenek
        > 
        > Hi Zdenek,
        > 
        > Yes, I am.
        > 
        > netstat -nlp | grep 636
        > tcp        0      0 10.10.48.40:636         0.0.0.0:*               LISTEN 
        > netstat -nlp | grep 389
        > 
        > Logs from the ldap server
        > -----------
        > Dec  3 10:10:04 ldapserver slapd[20754]: slap_listener_activate(8):
        > Dec  3 10:10:04 ldapserver slapd[20754]: >>> slap_listener(ldaps://ldapserver.domain.tld)
        > Dec  3 10:10:04 ldapserver slapd[20754]: connection_get(14): got connid=42
        > Dec  3 10:10:04 ldapserver slapd[20754]: connection_read(14): checking for input on id=42
        > Dec  3 10:10:04 ldapserver slapd[20754]: connection_get(14): got connid=42
        > Dec  3 10:10:04 ldapserver slapd[20754]: connection_read(14): checking for input on id=42
        > Dec  3 10:10:04 ldapserver slapd[20754]: connection_read(14): unable to get TLS client DN, error=49 id=42
        > Dec  3 10:10:04 ldapserver slapd[20754]: connection_get(14): got connid=42
        > Dec  3 10:10:04 ldapserver slapd[20754]: connection_read(14): checking for input on id=42
        > Dec  3 10:10:04 ldapserver slapd[20754]: ber_get_next on fd 14 failed errno=0 (Success)
        > Dec  3 10:10:04 ldapserver slapd[20754]: connection_closing: readying conn=42 sd=14 for close
        > Dec  3 10:10:04 ldapserver slapd[20754]: connection_close: conn=42 sd=14
        > 
        > It seems to be a certificate problem.
        > -----
        > TLS: peer cert untrusted or revoked
        > -----
        > 
        > Do you have any idea ?
        > Grifith
        
        
        Evening Grifith,
        
        I'm sorry I missed that one. I'm no expert, but I can give you my
        config files.
        I've used 'easy-rsa' to generate all certificates. It comes with
        OpenVPN, but it might be available as a standalone package in Debian. It's a set of
        scripts for certificate manipulation, and it surely eases things up.
        One thing that came to my mind: the certificate "has" to bear the same FQDN as the
        IP, e.g. if 192.168.1.1 -eq server1.mydomain.tld then the certificate should
        be generated for, and contain, server1.mydomain.tld.
        Another thing is that .key files should have chmod 400.
        
        --- client side ---
        cat /etc/openldap/ldap.conf
        
        BASE	dc=mydomain,dc=tld
        URI		ldaps://server1.mydomain.tld
        port	636
        ssl		yes
        #ssl             start_tls
        TLS_CACERT  /etc/openldap/ssl/ca.mydomain.crt
        TLS_CERT	/etc/ssl/certs/server2.mydomain.tld.crt
        TLS_KEY	/etc/ssl/private/server2.mydomain.tld.key
        TLS_REQCERT never
        TLS_CIPHER_SUITE  HIGH:MEDIUM:+SSLv3
        ------------------
        
        --- server ---
        cat /etc/openldap/slapd.conf
        ...
        TLSCipherSuite  HIGH:MEDIUM:+SSLv3
        TLSCACertificateFile    /etc/ssl/certs/ca.mydomain.crt
        TLSCertificateFile      /etc/ssl/certs/server1.mydomain.tld.crt
        TLSCertificateKeyFile   /etc/ssl/private/server1.mydomain.tld.key
        TLSVerifyClient never
        ...
        --------------
        
        I hope it helps, at least a bit.
        
        Have a nice evening,
        Zdenek
        
        PS: Thunderbird refused to accept the rest of the text for some reason,
        I had to c&p it inside.
--------------------------------

Hi,

Thanks for your help, Zdenek.
I made it work with the following configuration:


SERVER
-------------
My slapd.conf :
----------------
...
TLSCACertificateFile /etc/ssl/certs/ldap-cert.pem
TLSCertificateFile /etc/ssl/certs/ldap-cert.pem
TLSCertificateKeyFile /etc/ldap/ssl/ldap-key.pem

I created the certificate with this command
# openssl req -config /etc/ssl/openssl.cnf -new -x509 -nodes -out /etc/ssl/certs/ldap-cert.pem -keyout /etc/ldap/ssl/ldap-key.pem -days 999999

My ldap.conf :
----------------
BASE	dc=mydomain,dc=tld
URI	ldaps://ldapserver.mydomain.tld
port	636
ssl	on
ssl             start_tls
TLS_CACERT  /etc/ssl/certs/ldap-cert.pem
TLS_REQCERT allow

CLIENT
------------

The ldap.conf is exactly the same as the server's.

And it works !
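The two checks the thread converged on (the client's TLS_CACERT must validate the self-signed server certificate, and the certificate's CN must match the host in the ldaps:// URI) can be reproduced offline with openssl. This is an added example, not anything posted in the thread; the working directory, the `/C=FR/O=firm` subject and the host names are constructed for the demo.

```shell
#!/bin/sh
# Added demo: reproduce the "peer cert untrusted" diagnosis from the thread.
# A self-signed cert is only trusted by the OpenLDAP client when that very cert
# (or its issuing CA) is the file named in TLS_CACERT, and the CN must equal
# the FQDN used in the ldaps:// URI.
set -eu

WORK="${TMPDIR:-/tmp}/ldaps-demo.$$"     # constructed scratch directory
mkdir -p "$WORK"

# make_selfsigned CN NAME: self-signed cert like the thread's, with a chosen CN.
make_selfsigned() {
    openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
        -subj "/C=FR/O=firm/CN=$1" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.pem" >/dev/null 2>&1
    chmod 400 "$WORK/$2.key"             # key permissions as advised in the thread
}

# verify_against_ca CAFILE CERT: prints "ok" when CAFILE validates CERT,
# i.e. what slapd/ldapsearch would accept with TLS_CACERT=CAFILE.
verify_against_ca() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# cert_cn CERT: the CN from the certificate subject (RFC2253 order is CN first).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# uri_host URI: host part of ldap://host[:port]/ or ldaps://host[:port]/
uri_host() {
    printf '%s\n' "$1" | sed 's#^ldaps*://##; s#[:/].*$##'
}

# cn_matches_uri CERT URI: prints "match" when the CN equals the URI host.
cn_matches_uri() {
    if [ "$(cert_cn "$1")" = "$(uri_host "$2")" ]; then
        echo match
    else
        echo mismatch
    fi
}
```

Run the functions against a freshly generated pair of certificates: the server cert validates against itself as CA file, while a cert issued for a different host (or a CA file that does not contain it) fails just as the client in the thread did.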