Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Distribution: Slackware Current, RedHat (RHEL, FC, CentOS), openSuSE, Mac OS X
Posts: 650
Rep:
LDAP can't bind "certificate verify error"
Hello there
The internet is full of these questions and i just can not spot what the issue is.
Firstly, this is not on the master node, but rather the node that is being replicated to. The problem occurs when i query using ldapsearch or an `getent passwd`
and the nss_ldap lookup results in an error in /var/log/messages:
Code:
Apr 15 09:47:40 cakeslave getent: nss_ldap: failed to bind to LDAP server ldaps://cakeslave.example.org/: Can't contact LDAP server
Apr 15 09:47:40 cakeslave getent: nss_ldap: could not search LDAP server - Server is unavailable
my slapd.conf is as follows:
Code:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
## custom includes
include /etc/openldap/custom/solaris.schema
include /etc/openldap/custom/openssh-lpk_openldap.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
access to attrs=userPassword,sshPrivateKey,sshPublicKey
by self write
by dn="cn=admin,dc=example,dc=org" read
by dn="cn=authenticated_LDAP,dc=example,dc=org" read
by anonymous auth
by * none
access to *
by self write
by dn="cn=admin,dc=example,dc=org" read
by dn="cn=unprivuser,dc=example,dc=org" read
by dn="cn=authenticated_LDAP,dc=example,dc=org" read
by users auth
by anonymous auth
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/openldap/certificate/cacert.pem
TLSCertificateFile /etc/openldap/certificate/cakeslavecert.pem
TLSCertificateKeyFile /etc/openldap/certificate/cakeslavekey.pem
TLSVerifyClient never
database bdb
suffix "dc=example,dc=org"
rootdn "cn=replica,dc=example,dc=org"
rootpw {SSHA}WSEae1GsFDN0aOnxHdslw1RaUuWb65gw
directory /var/lib/ldap
loglevel 127
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
syncrepl rid=123
provider=ldaps://cakewalk.example.org:636/
type=refreshOnly
interval=00:00:05:00
searchbase="dc=example,dc=org"
filter="(objectClass=*)"
scope=sub
attrs=""
schemachecking=off
bindmethod=simple
binddn="cn=admin,dc=example,dc=org"
credentials=cakewalk
The `getent passwd` results in a very similar error in the ldap log, which again indicates a TLS failure.
The cacert.pem in /etc/ssl/certs and /etc/openldap/certificate are identical (check using md5sum). I have done an strace and found that it looks at /etc/pki/tls/cert.pem . I don't know why it does that, since i did not reference it anywhere, and i'm guessing it might be a red herring.
I'm hoping it's an obvious n00b error ...
EDIT: oh yeah, if i tell it to use ldap (instead of ldaps) it works fine, but i would prefer to use ssl.
Last edited by chakkerz; 04-14-2010 at 07:17 PM.
Reason: missing the right url somewhere
Distribution: Slackware Current, RedHat (RHEL, FC, CentOS), openSuSE, Mac OS X
Posts: 650
Original Poster
Rep:
but TLS_REQCERT allow doesn't do what i want (see below for the difference).
Also, tcpdump only verifies communication, i'm running the server with debugging so i can see the interaction happening.
Code:
TLS_REQCERT <level>
Specifies what checks to perform on server certificates in a TLS
session, if any. The <level> can be specified as one of the fol-
lowing keywords:
allow The server certificate is requested. If no certificate is
provided, the session proceeds normally. If a bad cer-
tificate is provided, it will be ignored and the session
proceeds normally.
demand | hard
These keywords are equivalent. The server certificate is
requested. If no certificate is provided, or a bad cer-
tificate is provided, the session is immediately termi-
nated. This is the default setting.
Distribution: Slackware Current, RedHat (RHEL, FC, CentOS), openSuSE, Mac OS X
Posts: 650
Original Poster
Rep:
the more things change the more the stay the same
So, today my production LDAP infrastructure face planted... Turns out my CA ran out.
I guess the message to take away from this is: pay attention to when the certificates and ca run out because if you don't you're stuck scratching your head wondering why did it all the ldap clients start having issues... nothing changed.
Also sharing your issues with others can be quite handy, especially when you read the post and go ... "wow that guy is having the exact same problem ... the writing style seems familiar ... oh ... i posted that".
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
