LinuxQuestions.org

openldap SSL problem (https://www.linuxquestions.org/questions/linux-newbie-8/openldap-ssl-problem-4175495766/)

bluethundr 02-21-2014 08:17 AM

openldap SSL problem
 
3 Attachment(s)
Hello,

I am attempting to set up openldap using SSL connections. I've used the following tutorial, which seemed pretty straightforward.


http://easylinuxtutorials.blogspot.c...ap-server.html

But when I go to use client side tools (on the same host as the ldap server) I get the following error:

Code:

[root@puppet:/etc/puppet] #ldapsearch -x -h ldap -b "dc=mydomain,dc=com" sub "objectclass=*"
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

My slapd.conf and my /etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif file both have the following entries:

Code:

TLSCACertificateFile /etc/pki/CA/certs/ca.crt
TLSCertificateFile /etc/pki/tls/certs/ldap.crt
TLSCertificateKeyFile /etc/pki/tls/private/ldap.key

In my /etc/openldap/ldap.conf file I have the following:

Code:

#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE  dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

#TLS_CACERTDIR  /etc/openldap/certs
TLS_CACERT      /etc/pki/CA/certs
ssl            start_tls
TLS_REQCERT    allow
BASE            dc=mydomain,dc=com
URI            ldaps://puppet.mydomain.com
HOST            xx.xx.xx.xx

I'm not sure where the problem lies exactly, but I would really love for this to be solved. I've been banging my head against this for days at this point.

Also, I don't see a problem with the CA cert or the ldap.crt in the config. I've included text file versions of my slapd.conf and olcDatabase file, and the output of openssl x509 -in $certfile -noout -text for both certs, as text files.
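
The client configuration in this post, run through a small checker. This is an added example, not part of bluethundr's post and not OpenLDAP's own tooling. The posted ldap.conf it writes is constructed from the directives shown above; the hardened version beside it uses an empty placeholder CA file so the script runs stand-alone (in real use that file holds the PEM CA certificate), and the temp-directory paths are assumptions. The four things it flags are the ones a strict client would trip over: TLS_CACERT must name a PEM file (a hashed directory belongs in TLS_CACERTDIR), TLS_REQCERT allow means a bad or missing server certificate is silently accepted, `ssl` is a pam_ldap/nss_ldap keyword rather than an ldap.conf(5) one, and HOST is deprecated in favour of URI.

```shell
#!/bin/sh
# Added example: a POSIX-sh checker for the TLS directives in an OpenLDAP
# client ldap.conf. Not from the original post or from OpenLDAP.

work="${TMPDIR:-/tmp}/ldapconf-check.$$"
mkdir -p "$work"

# Sample 1: the directives as posted (constructed for this example).
POSTED_LDAP_CONF="$work/ldap.conf.posted"
cat > "$POSTED_LDAP_CONF" <<'EOF'
#TLS_CACERTDIR  /etc/openldap/certs
TLS_CACERT      /etc/pki/CA/certs
ssl            start_tls
TLS_REQCERT    allow
BASE            dc=mydomain,dc=com
URI            ldaps://puppet.mydomain.com
HOST            xx.xx.xx.xx
EOF

# Sample 2: the same client, hardened. The CA file is an empty placeholder so
# the script runs anywhere; in real use it holds the PEM CA certificate.
: > "$work/ca.crt"
HARDENED_LDAP_CONF="$work/ldap.conf.hardened"
cat > "$HARDENED_LDAP_CONF" <<EOF
TLS_CACERT      $work/ca.crt
TLS_REQCERT     demand
BASE            dc=mydomain,dc=com
URI             ldaps://puppet.mydomain.com
EOF

# conf_get FILE DIRECTIVE: value of the first uncommented occurrence
# (directive names are case-insensitive); empty if absent.
conf_get() {
    awk -v d="$2" 'toupper($1) == toupper(d) { print $2; exit }' "$1"
}

# check_ldap_conf FILE: prints one finding per line; exit 0 if clean, 1 otherwise.
check_ldap_conf() {
    conf="$1"; findings=0
    cacert=$(conf_get "$conf" TLS_CACERT)
    if [ -n "$cacert" ] && [ ! -f "$cacert" ]; then
        echo "TLS_CACERT '$cacert' is not a regular file: it must be the PEM CA certificate (a hashed directory goes in TLS_CACERTDIR)"
        findings=$((findings + 1))
    fi
    reqcert=$(conf_get "$conf" TLS_REQCERT | tr 'A-Z' 'a-z')
    case $reqcert in
        allow|never)
            echo "TLS_REQCERT $reqcert: a bad or missing server certificate is accepted, so the CA check never protects the bind; use 'demand'"
            findings=$((findings + 1)) ;;
    esac
    if [ -n "$(conf_get "$conf" ssl)" ]; then
        echo "'ssl' is a pam_ldap/nss_ldap keyword, not an ldap.conf(5) one (and with an ldaps:// URI the session is TLS from the first byte); drop it"
        findings=$((findings + 1))
    fi
    uri=$(conf_get "$conf" URI); host=$(conf_get "$conf" HOST)
    if [ -n "$uri" ] && [ -n "$host" ]; then
        echo "HOST '$host' is deprecated in favour of URI '$uri'; keep only the URI so the name checked against the certificate is unambiguous"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# count_findings FILE: number of findings; always exits 0.
count_findings() {
    check_ldap_conf "$1" | grep -c . || true
}

echo "== posted ==";   check_ldap_conf "$POSTED_LDAP_CONF" || echo "(not clean)"
echo "== hardened =="; check_ldap_conf "$HARDENED_LDAP_CONF" && echo "clean"
```

The checker only looks at the file; it says nothing about whether the server actually speaks TLS on port 636, which is a separate question.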

sag47 02-22-2014 03:11 AM

I'm not an expert on LDAP but have you tried testing the connectivity to the LDAP server using telnet or openssl? You can use openssl to verify the certificates as well.

Code:

telnet puppet.mydomain.com 636
timeout 3 openssl s_client -CApath /etc/ssl/certs -servername puppet.mydomain.com -connect puppet.mydomain.com:636

The -CApath will allow openssl to validate the certificates. -servername is for Server Name Indication (SNI), which is usually associated with using Apache virtual hosts with SSL, but I included it for the sake of being thorough. To learn more about the arguments see "man s_client". That is to say, can you connect to the port? When you connect to the port do you get a validated certificate?

View the certificate information on that port as well....

Code:

timeout 3 openssl s_client -connect puppet.mydomain.com:636 < /dev/null | openssl x509 -text | less

That will convert the remote certificate information into a human readable format. Is the certificate what you expect? Is the common name of the certificate puppet.mydomain.com? To learn more about the arguments see "man x509".

Also, by providing your certificate you have provided the name of your server. Perhaps you'll want to edit that (the same could be said about your other attachments)? Assuming your host is what is in your certificate you have many ports open but the ldapssl port 636 is not one of them.

If you're using your LDAP command as you describe, perhaps try the following command:

Code:

ldapsearch -x -H 'ldaps://puppet.mydomain.com' -b "dc=mydomain,dc=com" sub "objectclass=*"

bluethundr 02-22-2014 06:43 AM

openldap ssl problem
 
Quote:

Originally Posted by sag47 (Post 5122694)
I'm not an expert on LDAP but have you tried testing the connectivity to the LDAP server using telnet or openssl? You can use openssl to verify the certificates as well.

Code:

telnet puppet.mydomain.com 636
timeout 3 openssl s_client -CApath /etc/ssl/certs -servername puppet.mydomain.com -connect puppet.mydomain.com:636

The -CApath will allow openssl to validate the certificates. -servername is for Server Name Indication (SNI) which is usually associated with using Apache virtual hosts with SSL but I included it for the sake of being thorough. To learn more about the arguments see "man s_client". That is to say can you connect to the port? When you connect to the port do you get a validated certificate?

View the certificate information on that port as well....

Thanks for your reply! Telnet can connect to port 636:

Code:

[bluethundr@vbox:~] #telnet puppet.mydomain.com 636
Trying xxx.xxx.xx.xxx...
Connected to puppet.mydomain.com.
Escape character is '^]'.
^]

telnet> quit
Connection closed.

However, I can't seem to feed this command the correct path. Either that or the cert I'm trying to give it is invalid.

First I tried pointing it at the directory where the cert is located:

Code:

[bluethundr@vbox:~] #timeout 3 openssl s_client -CApath /etc/pki/CA/certs -servername puppet.mydomain.com -connect puppet.mydomain.com:636
CONNECTED(00000003)
3073743112:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 253 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---


And it fails as above. The command also fails when I give it the full path to the cert:

Code:

[bluethundr@vbox:~] #timeout 3 openssl s_client -CApath /etc/pki/CA/certs/ca.crt  -servername puppet.mydomain.com -connect puppet.mydomain.com:636
CONNECTED(00000003)
3073378568:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 253 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Quote:

Originally Posted by sag47 (Post 5122694)
Code:

timeout 3 openssl s_client -connect puppet.mydomain.com:636 < /dev/null | openssl x509 -text | less

That will convert the remote certificate information into a human readable format. Is the certificate what you expect? Is the common name of the certificate puppet.mydomain.com? To learn more about the arguments see "man x509".

Hmmm.. it seems that the certificate may in fact be invalid according to what I see here:

Code:

[bluethundr@vbox:~] #timeout 3 openssl s_client -connect puppet.mydomain.com:636 < /dev/null | openssl x509 -text | less
3073956104:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
unable to load certificate
3073603848:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE

Quote:

Originally Posted by sag47 (Post 5122694)
Also, by providing your certificate you have provided the name of your server. Perhaps you'll want to edit that (the same could be said about your other attachments)? Assuming your host is what is in your certificate you have many ports open but the ldapssl port 636 is not one of them.

WHOOPS!!! I'll try not to make that mistake again! :)

Quote:

Originally Posted by sag47 (Post 5122694)
If you're using your LDAP command as you describe perhaps doing the following command.

Code:

ldapsearch -x -H 'ldaps://puppet.mydomain.com' -b "dc=mydomain,dc=com" sub "objectclass=*"

And as you might expect, given the nature of the cert, this command also fails:

Code:

[root@puppet:/etc/puppet] #ldapsearch -x -H 'ldaps://puppet.mydomain.com' -b "dc=mydomain,dc=com" sub "objectclass=*"
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

But the fact that the cert would be bad is a little troubling. This is the method I used to generate both the ca and the ldap server certs:

Code:

Create CA key
1) openssl genrsa -des3 -out ca.key 4096

Create CA cert
2) openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

Create director1 key and certificate signing request
3) openssl genrsa -des3 -out director1key.key 4096
4) openssl req -new -key director1key.key -out director1.csr
   (step 3 wrote the passphrase-protected key as director1key.key; the unprotected director1.key only exists after step 8)

Sign the director1 certificate
5) openssl x509 -req -days 3650 -in director1.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out director1.crt

Don't know if it is necessary, but converted .crt to .pem
(both files are already PEM, so these two steps just make copies)
6) openssl x509 -in director1.crt -out director1.pem
7) openssl x509 -in ca.crt -out ca.pem

Really important! Remove the password from the director1 private key
8) openssl rsa -in director1key.key -out director1.key

Where the term 'director' substitutes for the name of your cert (in my case ldap.crt).

This is puzzling also in light of the fact that other apache related certs I have created this way work just fine. But I suppose one thing I need to try is to recreate the cert. I'll give that a shot and let the thread know how it goes.

bluethundr 02-22-2014 06:56 AM

Ok, so I gave recreating the cert pair a shot, without any luck. As mentioned, the CA cert pair is one I've used successfully before with Apache certs. Here are the steps I took:

Code:

openssl genrsa -des3 -out ldap.key 4096
openssl req -new -key ldap.key -out ldap.csr
openssl x509 -req -days 3650 -in ldap.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out ldap.crt
openssl rsa -in ldap.key -out ldap.key

Here's the permissions on the cert pair:

Code:

[root@puppet:~/ldap-cert] #ls -l /etc/pki/*/* | grep ldap
-r-------- 1 ldap root  1911 Feb 22 07:50 ldap.crt
-r-------- 1 ldap root 3243 Feb 22 07:50 ldap.key


Still getting no joy at all:

Code:

[root@puppet:~/ldap-cert] #ldapsearch -x -b "dc=mydomain,dc=com" -H ldaps://puppet.mydomain.com
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I'd really appreciate any advice anyone may have.

Thanks
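
The certificate procedure from the two posts above and the s_client checks sag47 suggested, carried through end to end. This is an added example, not code from the thread, from the tutorial or from OpenLDAP. It builds a CA and a server certificate the way the posted steps intend, but without the passphrase on the server key (slapd cannot prompt for one), with a subjectAltName for the host in the ldaps:// URI, and with -CAcreateserial instead of the posted -set_serial 01, which gives every certificate the CA signs the same serial number. It then verifies chain and host name from the files, starts a throwaway `openssl s_server` on a local port and probes it the way sag47's s_client command does. The host name puppet.mydomain.com, the temp directory, port 44636 and an openssl of 1.0.2 or newer (for -verify_hostname) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread, the tutorial or OpenLDAP): build a CA
# and a slapd server certificate correctly, verify them from the files, then
# probe a live TLS port the way `openssl s_client` diagnostics do.
# Assumed: host name puppet.mydomain.com, port 44636, openssl >= 1.0.2.

# make_test_pki HOST: writes ca.key/ca.crt and ldap.key/ldap.csr/ldap.crt into
# a fresh temp directory and prints that directory.
make_test_pki() {
    host="$1"
    dir=$(mktemp -d "${TMPDIR:-/tmp}/ldap-pki.XXXXXX")
    (
        cd "$dir" || exit 1
        # CA key + self-signed CA certificate in one step (no passphrase here
        # so the script runs unattended; a real CA key should be encrypted
        # and kept off the LDAP host).
        openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
            -subj "/CN=mydomain.com internal CA" -keyout ca.key -out ca.crt
        # Server key WITHOUT -des3: slapd cannot prompt for a passphrase, which
        # is why the posted procedure strips it again in its last step.
        openssl genrsa -out ldap.key 2048
        openssl req -new -key ldap.key -subj "/CN=$host" -out ldap.csr
        # Clients match the URI host against the SAN, not only the CN.
        printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > ldap.ext
        # -CAcreateserial keeps a per-CA serial file; the posted -set_serial 01
        # gives every certificate this CA signs the same serial number.
        openssl x509 -req -days 825 -in ldap.csr -CA ca.crt -CAkey ca.key \
            -CAcreateserial -extfile ldap.ext -out ldap.crt
        # Only slapd's runtime user (ldap on RHEL/CentOS) should read the key.
        chmod 0600 ldap.key
    ) >/dev/null 2>&1
    echo "$dir"
}

# verify_cert_for_host CAFILE CERT HOST: exit 0 only if CERT chains to CAFILE
# and carries HOST, i.e. what a client with TLS_REQCERT demand will require.
verify_cert_for_host() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# start_tls_server CERT KEY PORT: background openssl s_server, prints its PID.
start_tls_server() {
    openssl s_server -accept "$3" -cert "$1" -key "$2" -www </dev/null >/dev/null 2>&1 &
    echo $!
}

# tls_probe HOST PORT [CAFILE] [SNI]: prints s_client's "Verify return code"
# text, e.g. "0 (ok)", or "no-handshake" when the peer accepted the TCP
# connection but never answered the ClientHello (no ServerHello, 0 bytes read),
# which is what the transcript in the thread shows.
tls_probe() {
    host="$1"; port="$2"; cafile="$3"; sni="${4:-$1}"
    if [ -n "$cafile" ]; then
        out=$(openssl s_client -connect "$host:$port" -servername "$sni" \
                  -CAfile "$cafile" </dev/null 2>&1 || true)
    else   # no CA file: only the system trust store, which a private CA is not in
        out=$(openssl s_client -connect "$host:$port" -servername "$sni" \
                  </dev/null 2>&1 || true)
    fi
    case $out in
        *"Verify return code:"*)
            printf '%s\n' "$out" | sed -n 's/^ *Verify return code: //p' | head -n 1 ;;
        *) echo "no-handshake" ;;
    esac
}

# demo: the whole flow against 127.0.0.1. Run with: LDAP_TLS_DEMO=1 sh thisfile.sh
demo() {
    d=$(make_test_pki puppet.mydomain.com)
    verify_cert_for_host "$d/ca.crt" "$d/ldap.crt" puppet.mydomain.com && echo "files: chain and host name OK"
    pid=$(start_tls_server "$d/ldap.crt" "$d/ldap.key" 44636); sleep 2
    echo "probe with our CA:       $(tls_probe 127.0.0.1 44636 "$d/ca.crt" puppet.mydomain.com)"
    echo "probe with system store: $(tls_probe 127.0.0.1 44636 '' puppet.mydomain.com)"
    kill "$pid"
}
if [ "${LDAP_TLS_DEMO:-0}" = 1 ]; then demo; fi
```

Against a real slapd the probe is `tls_probe puppet.mydomain.com 636 /etc/pki/CA/certs/ca.crt`. A "0 (ok)" there, followed by the same ldapsearch still failing, points at the client configuration; "no-handshake" means the verification never started because nothing on that port answered the ClientHello, so the certificate files are not yet the thing to look at.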

sag47 02-22-2014 07:39 PM

telnet can't negotiate SSL. I gave you that command to test connectivity only. If you wish to speak raw protocol then you can think of openssl s_client as telnet for SSL. In any case, are you sure your client has the certificate authority cert installed on the client? The -CApath arg of s_client can be pointed anywhere so if you have a directory for the cert you can point it there instead. In any case, can't contact LDAP server is not a very descriptive error.

I doubt your current problem is related to SSL. You would see error messages like those described in this thread. It still sounds like a connectivity problem. Try using strace or turning up the verbosity of the client. Use tail -f on the server logs while you're connecting to see if the server is logging a connection at all.

