RE: Openldap server with TLS not working

[Christian Kratzer <ck-lists@cksoft.de>]

Hi,

On Thu, 3 Oct 2013, Axel Grosse wrote:

> Hi Ben, Dieter
> can we focus on LDAPS because TLS1 is not an option and even if LDAPS is deprecated I should be able to configure it ..
>
> TLSCACertificateFile /etc/openldap/ssl/VordelCA.crt
> TLSCertificateFile /etc/openldap/ssl/VordelDev.crt
> TLSCertificateKeyFile /etc/openldap/ssl/VordelDev.key
> TLSVerifyClient never
>
>
> are this entries in the slapd.conf sutable for LDAPS ?
> if not whats missing ?
>
> start the server with
> /usr/sbin/slapd -h ldap://192.168.30.169:636 -u ldap

in that case you need ldaps:// and not ldap:/ in the url. Now you are starting plaintext ldap on port 636.

Please just start slapd without any host specification and test using openssl s_client connect target:636

After that works start trimming down the ports slapd binds to.


Greetings
Christian

> thanks a lot
> Axel
>
>
> AXEL GROSSE
> Principal Solution Architect, Sales Solution Center, Axway
> P: +61-405-995-768
> 828 Pacific Highway
> Gordon, 2072 NSW
> agrosse@axway.com
> http://www.axway.com
>
>
> -----Original Message-----
> From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Dieter KlÃnter
> Sent: Thursday, 3 October 2013 6:46 PM
> To: openldap-technical@openldap.org
> Subject: Re: Openldap server with TLS not working
>
> Am Thu, 3 Oct 2013 00:16:28 +0000
> schrieb Axel Grosse <agrosse@axway.com>:
>
> > Hi ben,
> > thanks for the comment.
> > agree with you on TLS usage should be perferred
> > but the client that is connecting is only capable of LDAPS ... he has
> > not implemented TLS Client jet .
> >
> > But can you please take a look to the error I am facing
> >
> > openssl s_client -connect 192.168.30.169:389 -showcerts
> > -CAfile ./ssl/VordelCA.crt CONNECTED(00000003)
> > 710:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> > failure:s23_lib.c:188:
> >
> > any idea what can cause this ?
> >
> >
> > AXEL GROSSE
> > Principal Solution Architect, Sales Solution Center, Axway
> > P: +61-405-995-768
> > 828 Pacific Highway
> > Gordon, 2072 NSW
> > agrosse@axway.com
> > http://www.axway.com
> >
> > -----Original Message-----
> > From: openldap-technical-bounces@OpenLDAP.org
> > [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of btb
> > Sent: Wednesday, 2 October 2013 10:57 PM To:
> > openldap-technical@openldap.org Subject: Re: Openldap server with TLS
> > not working
> >
> > On 2013.10.02 07.29, Axel Grosse wrote:
> >
> > > when I test on the server itself ..
> > > openssl s_client -connect 192.168.30.169:389 -showcerts -CAfile
> > > ./ssl/VordelCA.crt
> > > CONNECTED(00000003)
> > > 710:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> > > failure:s23_lib.c:188:
> >
> > ldaps [port 636] is deprecated.  use starttls with the standard port
> > [389].  to test, just use ldapsearch [see the reference to -Z in the
> > man page]
>
> You are connnecting to port 389, but s_client is not able to initiate a
> LDAP startTLS  session (only SMTP and IMAP), so you have to connect
> ldaps and port 636.
>
> -Dieter

--
Christian Kratzer                      CK Software GmbH
Email:   ck@cksoft.de                  Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0          D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9          HRB 245288, Amtsgericht Stuttgart
Web:     http://www.cksoft.de/         Geschaeftsfuehrer: Christian Kratzer