
Re: fedora and openldap



Sorry, I didn't attach the error that appears when the connection is made from another client:
slap_listener_activate(7):
>>> slap_listener(ldaps:///)
connection_get(12): got connid=1078
connection_read(12): checking for input on id=1078
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(12): got connid=1078
connection_read(12): checking for input on id=1078
TLS trace: SSL3 alert read:fatal:bad certificate
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate.
connection_read(12): TLS accept failure error=-1 id=1078, closing
connection_close: conn=1078 sd=12


The other one was when running an ldapsearch -x within the server itself.

Hope the information is good enough.
Thanks,
j

On 04/12/2011 05:33 PM, Judith Flo Gaya wrote:
Hello,

On 04/11/2011 01:14 PM, harry.jede@arcor.de wrote:
Judith Flo Gaya wrote:
...
At least I could see that the password exop option in the
pam_ldap.conf lets the server apply the security to the password,
so I think I can change it within the slapd.conf file.
Yes, and if you don't specify "password-hash" in slapd.conf, ssha is
used. It is the default.

Do you suggest using salt?
ssha uses salt.

Thanks a lot for your help,
j

BTW
have you read rfc-3062 ?
http://www.faqs.org/rfcs/rfc3062.html

If you configure your clients to use "password exop" you should be sure
that the clients use any kind of network protection, TLS or SSL.

TinyCA is a perl based GTK-GUI which may help you to generate certs and
keys.

Until you are ready to use TLS/SSL I suggest that you let the client
encrypt the passwords locally.
As I didn't manage to make both client and server hash passwords in the
same way, I started creating certificates for clients and servers, but for
some reason they aren't able to communicate.
I test the certificate connection and the server answers properly (using
openssl_client) both from client to server and from the server to the
server.
But when I do ldapsearch -x it says
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

In the logs of the server I can see this:
slap_listener_activate(7):
  >>>  slap_listener(ldaps:///)
connection_get(12): got connid=1077
connection_read(12): checking for input on id=1077
TLS trace: SSL_accept:before/accept initialization
TLS: can't accept: (unknown).
connection_read(12): TLS accept failure error=-1 id=1077, closing
connection_close: conn=1077 sd=12


Any idea?

I created the certificates like this:
# openssl genrsa 2048 > ca-key.pem
# openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem
# openssl req -newkey rsa:2048 -days 1000 -nodes -keyout server-key.pem > server-req.pem
# openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem

This on the server side, then I scp the ca-cert.pem file to the client
(and to the /etc/openldap/cacerts in the same server).
For the client I created the certificate like this:
# openssl req -newkey rsa:2048 -days 1000 -nodes -keyout client-key.pem > client-req.pem
# openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem

And then copy those 3 files to the client.

I changed the slapd.conf to have the 3 TLS variables with the generated
files from the beginning, and changed the client configuration to connect to
ldaps://server and marked the tls option.

Any hint about the error?

Thanks in advance.
j

--
Judith Flo Gaya
Systems Administrator IMPPC
e-mail: jflo@imppc.org
Tel (+34) 93 554-3079
Fax (+34) 93 465-1472

Institut de Medicina Predictiva i Personalitzada del Càncer
Crta Can Ruti, Camí de les Escoles s/n
08916 Badalona, Barcelona,
Spain
http://www.imppc.org
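As an added example, not code from this thread: the certificate generation quoted above, redone with a CN on the server certificate and distinct serials, followed by the checks worth running before pointing slapd and the clients at the files (each leaf verifies against ca-cert.pem, the server CN matches the name clients use in ldaps://, and the two serials differ). A client sends a "bad certificate" alert when it cannot validate the server's certificate, so these are the first things to confirm. The hostname ldap.example.org and the scratch directory are assumptions.

```shell
#!/bin/sh
# Added example: build a CA, server cert and client cert, then verify them.
set -eu

WORK="${TMPDIR:-/tmp}/ldap-tls-example"   # assumed scratch directory
LDAP_HOST="ldap.example.org"             # assumed; must match the ldaps:// name clients use
mkdir -p "$WORK"

# Generate the same three pairs as the original commands. The CA is self-signed,
# each leaf is signed with the CA key. Serials 01 and 02 are distinct on purpose:
# the original used -set_serial 01 for both leaves, and two certificates from one
# issuer with the same serial can be rejected by a verifier.
make_certs() {
  cd "$WORK"
  openssl genrsa -out ca-key.pem 2048 2>/dev/null
  openssl req -new -x509 -nodes -days 1000 -key ca-key.pem \
    -subj "/CN=Example LDAP CA" -out ca-cert.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout server-key.pem \
    -subj "/CN=$LDAP_HOST" -out server-req.pem 2>/dev/null
  openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem \
    -CAkey ca-key.pem -set_serial 01 -out server-cert.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout client-key.pem \
    -subj "/CN=ldap-client" -out client-req.pem 2>/dev/null
  openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem \
    -CAkey ca-key.pem -set_serial 02 -out client-cert.pem 2>/dev/null
}

# Returns 0 only if both leaves chain to the CA, the server CN matches the
# hostname clients connect to, and the two leaf serials differ.
check_certs() {
  cd "$WORK"
  openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem >/dev/null || return 1
  openssl x509 -in server-cert.pem -noout -subject | grep -q "CN *= *$LDAP_HOST" || return 1
  s1=$(openssl x509 -in server-cert.pem -noout -serial)
  s2=$(openssl x509 -in client-cert.pem -noout -serial)
  [ "$s1" != "$s2" ]
}

make_certs
if check_certs; then echo "certificates OK for $LDAP_HOST"; else echo "certificate check FAILED"; fi
```

After the files pass these checks, copy ca-cert.pem to the client's /etc/openldap/cacerts (as in the thread) so the client can validate the server certificate instead of sending the alert.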