
Re: Openldap 2.4.40-13.el7 on CentOS 7 and SSL/TLS

Two things I notice from below:

olcTLSCACertificateFile: /etc/openldap/certs/ca_cert.pem
  -rw-r--r--. 1 root root  1696 Sep 22 14:18 ca-cert.pem

Underscore in the first, dash in the second.

Per netstat you're running ldaps on 636 so you can start your TLS diagnostics with openssl and work your way down to ldapsearch.

openssl s_client -CApath /etc/openldap/certs -connect host:636
(if I recall correctly)

ldapsearch -H ldaps://host:636 -x -D binddn -W filter=what
(or something)

On Fri, Sep 22, 2017 at 04:16:43PM -0400, Robert Heller wrote:
> What is the *correct* way to set up Openldap to use SSL/TLS?  The 
> documentation is somewhat confusing.
> 
> My cn=config.ldif file looks like this:
> 
> dn: cn=config
> objectClass: olcGlobal
> cn: config
> olcArgsFile: /var/run/openldap/slapd.args
> olcPidFile: /var/run/openldap/slapd.pid
> olcTLSCACertificatePath: /etc/openldap/certs
> olcTLSCACertificateFile: /etc/openldap/certs/ca_cert.pem
> olcTLSCertificateFile: /etc/openldap/certs/c764guest.cert
> olcTLSCertificateKeyFile: /etc/openldap/certs/privkey.pem
> structuralObjectClass: olcGlobal
> entryUUID: 7e6a3298-30da-1037-9c4f-458bcc6c0ce0
> creatorsName: cn=config
> createTimestamp: 20170918163057Z
> entryCSN: 20170918163057.597791Z#000000#000#000000
> modifiersName: cn=config
> modifyTimestamp: 20170918163057Z
> 
> in /etc/openldap/certs are these files:
> 
> [root@c764guest heller]# ls -l /etc/openldap/certs
> total 104
> -rw-r--r--. 1 root root  5137 Sep 22 14:42 c764guest.cert
> -rw-r--r--. 1 root root  1074 Sep 22 14:37 c764guest.csr
> -rw-r--r--. 1 root root  1696 Sep 22 14:18 ca-cert.pem
> -rw-r--r--. 1 root root 65536 Sep 18 12:30 cert8.db
> -rw-r--r--. 1 root root 16384 Sep 18 12:30 key3.db
> -r--r-----. 1 root ldap    45 Jan 10  2016 password
> -rw-r--r--. 1 root root  1834 Sep 22 14:37 privkey.pem
> -rw-r--r--. 1 root root 16384 Jan 10  2016 secmod.db
> 
> /etc/sysconfig/slapd contains:
> 
> # OpenLDAP server configuration
> # see 'man slapd' for additional information
> 
> # Where the server will run (-h option)
> # - ldapi:/// is required for on-the-fly configuration using client tools
> #   (use SASL with EXTERNAL mechanism for authentication)
> # - default: ldapi:/// ldap:///
> # - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:///
> SLAPD_URLS="ldapi:/// ldap://127.0.0.1/ ldap://192.168.250.98/ ldaps:///"
> 
> # Any custom options
> #SLAPD_OPTIONS="-s 128"
> 
> # Keytab location for GSSAPI Kerberos authentication
> #KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
> 
> /etc/openldap/ldap.conf contains:
> 
> #
> # LDAP Defaults
> #
> 
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
> 
> BASE dc=deepsoft,dc=com
> URI ldaps://192.168.250.98/
> TLS_CACERT /etc/openldap/certs/ca-cert.pem
> TLS_CACERTDIR /etc/openldap/certs
> TLS_REQCERT demand
> 
> #SIZELIMIT      12
> #TIMELIMIT      15
> #DEREF          never
> 
> TLS_CACERTDIR /etc/openldap/cacerts
> 
> # Turning this off breaks GSSAPI used with krb5 when rdns = false
> SASL_NOCANON    on
> 
> 
> But now when I try to do a ldapsearch I get:
> 
> [heller@c764guest ~]$ ldapsearch -x
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> 
> even though:
> [root@c764guest heller]# netstat -a|grep ldap
> tcp        0      0 0.0.0.0:ldaps           0.0.0.0:*               LISTEN     
> tcp        0      0 c764guest.deepsoft:ldap 0.0.0.0:*               LISTEN     
> tcp        0      0 localhost:ldap          0.0.0.0:*               LISTEN     
> tcp        0      0 c764guest.deepsof:33302 c764guest.deepsoft:ldap ESTABLISHED
> tcp        0      0 c764guest.deepsoft:ldap c764guest.deepsof:33302 ESTABLISHED
> tcp6       0      0 [::]:ldaps              [::]:*                  LISTEN     
> 
> Is this correct?  I am not sure if I should be using ldaps:/// or not.  And I 
> am not sure what the proper "magic" to get TLS working is.
> 
> 
> -- 
> Robert Heller             -- 978-544-6933
> Deepwoods Software        -- Custom Software Services
> http://www.deepsoft.com/  -- Linux Administration Services
> heller@deepsoft.com       -- Webhosting Services
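
The first thing the reply points at is a path mismatch (ca_cert.pem in cn=config, ca-cert.pem on disk), which is worth checking mechanically before spending time on openssl s_client. The following POSIX sh script is an added example, not code from the thread: it reads the olcTLS* attributes from a cn=config LDIF and verifies each one points at an existing file or directory, using a constructed fixture that reproduces the mismatch from the original post (the temp directory and its empty placeholder files are assumptions, not real certificates).

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the olcTLS* paths in a
# cn=config LDIF before reaching for openssl s_client. A typo such as
# ca_cert.pem vs ca-cert.pem leaves slapd unable to complete a TLS handshake.

# check_tls_paths LDIF -> returns 0 if every olcTLS* path exists, 1 otherwise.
# Each bad attribute is reported on stderr.
check_tls_paths() {
    ldif="$1"; bad=0
    for attr in olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile; do
        path=$(sed -n "s/^$attr: *//p" "$ldif" | head -n 1)
        [ -n "$path" ] || continue           # attribute not set; nothing to check
        if [ ! -f "$path" ]; then
            echo "$attr: no such file: $path" >&2; bad=1
        fi
    done
    # olcTLSCACertificatePath names a directory of hashed CA certs, not a file
    cadir=$(sed -n 's/^olcTLSCACertificatePath: *//p' "$ldif" | head -n 1)
    if [ -n "$cadir" ] && [ ! -d "$cadir" ]; then
        echo "olcTLSCACertificatePath: not a directory: $cadir" >&2; bad=1
    fi
    return "$bad"
}

# Constructed fixture reproducing the thread: the certs directory holds
# ca-cert.pem (dash) while cn=config points at ca_cert.pem (underscore).
# Prints the fixture directory; the files are empty placeholders, not real keys.
make_fixture() {
    fx=$(mktemp -d)
    mkdir "$fx/certs"
    for f in ca-cert.pem c764guest.cert privkey.pem; do : > "$fx/certs/$f"; done
    cat > "$fx/config.ldif" <<EOF
dn: cn=config
objectClass: olcGlobal
olcTLSCACertificatePath: $fx/certs
olcTLSCACertificateFile: $fx/certs/ca_cert.pem
olcTLSCertificateFile: $fx/certs/c764guest.cert
olcTLSCertificateKeyFile: $fx/certs/privkey.pem
EOF
    echo "$fx"
}

fixture=$(make_fixture)
if check_tls_paths "$fixture/config.ldif"; then
    echo "all TLS paths resolve; continue with openssl s_client"
else
    echo "fix cn=config before probing the listener"
fi
```

Run against the real /etc/openldap/slapd.d/cn=config.ldif (or the output of slapcat -n 0) instead of the fixture to check a live server; only the ca_cert.pem line should fail for the configuration shown in the thread.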