LinuxQuestions.org > Forums > Linux Forums > Linux - Server
Old 05-17-2013, 12:00 AM   #1
chrism01
LQ Guru
Centos 6.4 with OpenLDAP+TLS: OpenLDAP ok, add TLS =>not ok


Hi Guys,

Managed to set up basic (unencrypted) OpenLDAP OK (http://www.linuxquestions.org/questi...ow-4175462161/) using the guide http://www.server-world.info/en/note...S_6&p=ldap&f=1.

Cannot add TLS using the associated guide http://www.server-world.info/en/note...S_6&p=ldap&f=3.
Everything appears to go OK, but when I try to log in with the test LDAP user, it only works if I don't close the firewall for port 389.
If I do, so it only listens on 636, I get

Code:
May 17 14:47:11 boole nslcd[2058]: [0c50b3] ldap_start_tls_s() failed: Can't contact LDAP server: Transport endpoint is not connected (uri="ldap://192.168.122.97/")
May 17 14:47:11 boole nslcd[2058]: [0c50b3] failed to bind to LDAP server ldap://192.168.122.97/: Can't contact LDAP server: Transport endpoint is not connected
May 17 14:47:11 boole nslcd[2058]: [0c50b3] no available LDAP server found
multiple times in the client's messages file.

It's probably something simple, but any hints would be appreciated; feel like I'm 'this' close...

nslcd.conf
Code:
# This is the configuration file for the LDAP nameservice
# switch library's nslcd daemon. It configures the mapping
# between NSS names (see /etc/nsswitch.conf) and LDAP
# information in the directory.
# See the manual page nslcd.conf(5) for more information.

# The uri pointing to the LDAP server to use for name lookups.
# Multiple entries may be specified. The address that is used
# here should be resolvable without using LDAP (obviously).
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
# uri ldap://127.0.0.1/

# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3

# The distinguished name of the search base.
# base dc=example,dc=com

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=example,dc=com

# The credentials to bind with.
# Optional: default is no credentials.
# Note that if you set a bindpw you should check the permissions of this file.
#bindpw secret

# The distinguished name to perform password modifications by root by.
#rootpwmoddn cn=admin,dc=example,dc=com

# The default search scope.
#scope sub
#scope one
#scope base

# Customize certain database lookups.
#base   group  ou=Groups,dc=example,dc=com
#base   passwd ou=People,dc=example,dc=com
#base   shadow ou=People,dc=example,dc=com
#scope  group  onelevel
#scope  hosts  sub

# Bind/connect timelimit.
#bind_timelimit 30

# Search timelimit.
#timelimit 30

# Idle timelimit. nslcd will close connections if the
# server has not been contacted for the number of seconds.
#idle_timelimit 3600

# Use StartTLS without verifying the server certificate.
ssl start_tls
tls_reqcert allow

# CA certificates for server certificate verification
tls_cacertdir  /etc/openldap/cacerts
#tls_cacertfile /etc/ssl/ca.cert

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# NDS mappings
#map group uniqueMember member

# Mappings for Services for UNIX 3.5
#filter passwd (objectClass=User)
#map    passwd uid              msSFU30Name
#map    passwd userPassword     msSFU30Password
#map    passwd homeDirectory    msSFU30HomeDirectory
#map    passwd homeDirectory    msSFUHomeDirectory
#filter shadow (objectClass=User)
#map    shadow uid              msSFU30Name
#map    shadow userPassword     msSFU30Password
#filter group  (objectClass=Group)
#map    group  uniqueMember     msSFU30PosixMember

# Mappings for Services for UNIX 2.0
#filter passwd (objectClass=User)
#map    passwd uid              msSFUName
#map    passwd userPassword     msSFUPassword
#map    passwd homeDirectory    msSFUHomeDirectory
#map    passwd gecos            msSFUName
#filter shadow (objectClass=User)
#map    shadow uid              msSFUName
#map    shadow userPassword     msSFUPassword
#map    shadow shadowLastChange pwdLastSet
#filter group  (objectClass=Group)
#map    group  uniqueMember     posixMember

# Mappings for Active Directory
#pagesize 1000
#referrals off
#filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
#map    passwd uid              sAMAccountName
#map    passwd homeDirectory    unixHomeDirectory
#map    passwd gecos            displayName
#filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
#map    shadow uid              sAMAccountName
#map    shadow shadowLastChange pwdLastSet
#filter group  (objectClass=group)
#map    group  uniqueMember     member

# Mappings for AIX SecureWay
#filter passwd (objectClass=aixAccount)
#map    passwd uid              userName
#map    passwd userPassword     passwordChar
#map    passwd uidNumber        uid
#map    passwd gidNumber        gid
#filter group  (objectClass=aixAccessGroup)
#map    group  cn               groupName
#map    group  uniqueMember     member
#map    group  gidNumber        gid
uid nslcd
gid ldap
# This comment prevents repeated auto-migration of settings.
uri ldap://192.168.122.97/
base dc=net,dc=local
#ssl no

Don't know why it wouldn't just attach
 
Old 05-17-2013, 01:27 AM   #2
chrism01
LQ Guru
Original Poster
Solved

After some research and fine-detail reading, apparently the 'start_tls' option (as specified in the above HOWTO) in the various cfg files doesn't always work, so use 'ssl on' instead of it where the guide specifies it.

Hope that helps others
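Added example, not code from the posts above and not part of nslcd: a small POSIX sh linter for the TLS lines of an nslcd.conf. It encodes the two things this thread turns on. First, "ssl start_tls" upgrades a connection made to the plain LDAP port, so with a "ldap://host/" URI port 389 has to stay reachable; closing it is exactly what produced the "Can't contact LDAP server" lines in post #1, and "ssl on" (post #2) connects with TLS from the first byte instead, which only works against an LDAPS listener. Second, "tls_reqcert allow" in the posted config keeps the session even when the server certificate is bad or missing, so the client never authenticates the server; the fix in post #2 changes "ssl", not that line. The first sample file is the relevant lines of the config posted above; the hostname ldap.net.local and the CA file path in the second sample are assumptions, not values from the thread. Option semantics follow nslcd.conf(5).

```shell
#!/bin/sh
# Added example (not code from the original post): lint the TLS-related lines
# of an nslcd.conf. Assumes POSIX sh, awk and find.

# First uncommented value of option $2 in file $1 (comment lines start with '#').
nslcd_opt() { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }

# check_nslcd_conf FILE: print findings; return 0 only if nothing was ERROR/WARN.
check_nslcd_conf() {
  conf=$1 rc=0
  ssl=$(nslcd_opt "$conf" ssl);         [ -n "$ssl" ] || ssl=off     # nslcd default
  req=$(nslcd_opt "$conf" tls_reqcert); [ -n "$req" ] || req=demand  # nslcd default
  cafile=$(nslcd_opt "$conf" tls_cacertfile)
  cadir=$(nslcd_opt "$conf" tls_cacertdir)
  uris=$(awk '$1 == "uri" { print $2 }' "$conf")
  [ -n "$uris" ] || { echo "ERROR no uri configured"; rc=1; }

  for u in $uris; do
    case "$ssl:$u" in
      *:ldapi://*) ;;                               # local socket: no network exposure
      start_tls:ldap://*)
        echo "NOTE  $u with ssl start_tls: StartTLS upgrades a connection to the plain port (389 unless given), so that port must stay reachable" ;;
      start_tls:ldaps://*)
        echo "ERROR $u with ssl start_tls: libldap refuses StartTLS on a connection that is already TLS; use ssl on"; rc=1 ;;
      on:ldaps://*) ;;
      on:*)
        echo "WARN  $u with ssl on: TLS starts immediately, so the target port must be an LDAPS listener (636); use ldaps://host/"; rc=1 ;;
      off:*)
        echo "ERROR $u without TLS: lookups and any bindpw cross the network in clear text"; rc=1 ;;
      *)
        echo "ERROR ssl $ssl is not a valid value"; rc=1 ;;
    esac
  done

  case $req in
    demand|hard) ;;
    try)   echo "WARN  tls_reqcert try: a server that sends no certificate is accepted"; rc=1 ;;
    allow) echo "WARN  tls_reqcert allow: a bad or missing server certificate is accepted, so the server is not authenticated"; rc=1 ;;
    never) echo "WARN  tls_reqcert never: no server certificate is requested at all"; rc=1 ;;
    *)     echo "ERROR tls_reqcert $req is not a valid value"; rc=1 ;;
  esac
  if [ "$ssl" != off ] && [ -z "$cafile" ] && [ -z "$cadir" ]; then
    echo "WARN  no tls_cacertfile/tls_cacertdir here; verification falls back to TLS_CACERT* in ldap.conf"; rc=1
  fi
  if [ -n "$(nslcd_opt "$conf" bindpw)" ] && [ -n "$(find "$conf" -perm -o+r)" ]; then
    echo "WARN  bindpw is set and $conf is world-readable"; rc=1
  fi
  return $rc
}

# Two constructed inputs: the relevant lines of the config posted above, and an
# LDAPS variant that verifies the server certificate. The hostname and CA path
# in the second file are assumptions, not values from the thread.
D=$(mktemp -d); trap 'rm -rf "$D"' EXIT
cat > "$D/nslcd-as-posted.conf" <<'EOF'
ssl start_tls
tls_reqcert allow
tls_cacertdir  /etc/openldap/cacerts
uid nslcd
gid ldap
uri ldap://192.168.122.97/
base dc=net,dc=local
#ssl no
EOF
cat > "$D/nslcd-ldaps.conf" <<'EOF'
ssl on
tls_reqcert demand
tls_cacertfile /etc/openldap/cacerts/net-local-ca.crt
uid nslcd
gid ldap
uri ldaps://ldap.net.local/
base dc=net,dc=local
EOF

for f in "$D"/nslcd-as-posted.conf "$D"/nslcd-ldaps.conf; do
  echo "== $f"
  check_nslcd_conf "$f" && echo "   ok: TLS settings are consistent and verify the server" || echo "   problems found"
done
```

The second file uses a hostname rather than the IP on purpose: with tls_reqcert demand the name in the URI has to match the server certificate, and an IP only matches if the certificate carries it as a subjectAltName.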
 
Old 10-27-2013, 03:15 PM   #3
CharlesMM
LQ Newbie
OK, I cannot for the life of me work out how to get my TLS working on CentOS 6.4.

From what I can see, OpenLDAP is not sending extended props in the TLS negotiation, and so after the compression ... nothing.

Can anybody help?


[root@alty user]# ldapsearch -H ldaps://alty.abc.com:636 -D "cn=manager, dc=abc, dc=com" -wsecret -d7
ldap_url_parse_ext(ldaps://alty.abc.com:636)
ldap_create
ldap_url_parse_ext(ldaps://alty.abc.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP alty.abc.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.0.3:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/openldap/certs prefix .
TLS: loaded CA certificate file /etc/openldap/certs/abc.com.crt.
TLS: certificate 'alty.abc.com' successfully loaded from moznss database.
TLS: no unlocked certificate for certificate 'CN=alty.abc.com,DC=abc,DC=com'.
TLS: certificate [CN=alty.abc.com,DC=abc,DC=com] is valid
tls_write: want=102, written=102
0000: 16 03 01 00 61 01 00 00 5d 03 01 52 6d 6f df eb ....a...]..Rmo..
0010: e0 92 c2 2d 32 25 50 d8 93 94 0a 23 8b ca d0 ea ...-2%P....#....
0020: 57 1b 2c de 38 48 6c 19 bb 58 de 00 00 36 00 ff W.,.8Hl..X...6..
0030: 00 88 00 87 00 39 00 38 00 84 00 35 00 45 00 44 .....9.8...5.E.D
0040: 00 66 00 33 00 32 00 96 00 41 00 05 00 04 00 2f .f.3.2...A...../
0050: 00 16 00 13 00 0a 00 15 00 12 00 09 00 64 00 62 .............d.b
0060: 00 03 00 06 01 00 ......
tls_read: want=5, got=0

TLS: error: tlsm_PR_Recv returned 0 - error 21:Is a directory
TLS: error: connect - force handshake failure: errno 21 - moznss error -5938
TLS: can't connect: TLS error -5938:Encountered end of file.
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
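Added example, not from either poster: a sh/awk reader for the two traces in this thread, the nslcd syslog lines from post #1 and the ldapsearch -d7 output above. It classifies the failure shape and decodes the hex dump of the ClientHello that was written just before the peer hung up. In the trace above, TCP to 192.168.0.3:636 succeeded, 102 bytes went out, and the very next read returned 0 bytes: the server closed the connection without sending a ServerHello. recv() returning 0 is end-of-file, which sets no errno, so the "error 21: Is a directory" text is a leftover from an earlier call and not the cause. Decoding the dump also confirms what the poster saw: 27 cipher suites, one compression method, and no extensions block at all. The sample traces are copied (abbreviated) from the posts; the CentOS 6 SLAPD_LDAPS hint in the advice text is from memory of that release's /etc/sysconfig/ldap, not from the thread.

```shell
#!/bin/sh
# Added example (not code from the original posts). Assumes POSIX sh and awk.

# classify_ldap_trace FILE -> one token on stdout
classify_ldap_trace() {
  if grep -q 'ldap_start_tls_s() failed' "$1"; then
    echo starttls-failed             # StartTLS never began: plain port unreachable (post #1)
  elif grep -q 'tls_write: want=' "$1" && grep -q 'tls_read: want=5, got=0' "$1"; then
    echo closed-after-clienthello    # TCP accepted, ClientHello sent, EOF instead of a ServerHello (post #3)
  elif grep -q "Can't contact LDAP server" "$1"; then
    echo no-connection
  else
    echo no-failure-seen
  fi
}

# explain_ldap_trace FILE -> what to check next
explain_ldap_trace() {
  case $(classify_ldap_trace "$1") in
    starttls-failed)
      echo "StartTLS runs over the plain port; with ssl start_tls and ldap://host/ that port (389) must be open." ;;
    closed-after-clienthello)
      echo "The port accepted TCP but closed without a ServerHello: nothing on it speaks TLS."
      echo "recv() returned 0 (EOF), which sets no errno, so 'Is a directory' is a leftover, not the cause."
      echo "Check the server: is slapd listening with an ldaps:/// URL (CentOS 6: SLAPD_LDAPS=yes in /etc/sysconfig/ldap)"
      echo "and did its TLS certificate/key load? Then: openssl s_client -connect HOST:636 </dev/null" ;;
    no-connection) echo "No TCP connection: check address, port and firewall." ;;
    *) echo "No TLS failure in this trace." ;;
  esac
}

# decode_client_hello FILE: parse the hex dump lines ("0000: 16 03 01 ...") of the
# first TLS record in the trace and summarise the ClientHello.
decode_client_hello() {
  awk '
  function hex(s,  i, v) { v = 0
    for (i = 1; i <= length(s); i++) v = v * 16 + index("0123456789abcdef", substr(s, i, 1)) - 1
    return v }
  /^[0-9a-f][0-9a-f][0-9a-f][0-9a-f]: / {            # only the 16 hex columns, not the ASCII column
    for (i = 2; i <= 17 && i <= NF; i++) if ($i ~ /^[0-9a-f][0-9a-f]$/) b[n++] = hex($i) }
  END {
    if (n < 11 || b[0] != 22 || b[5] != 1) { print "not-a-clienthello"; exit }   # 0x16 handshake, type 1
    rlen = b[3] * 256 + b[4]                         # record length after the 5-byte record header
    ver  = (b[10] == 0) ? "SSL3.0" : sprintf("TLS1.%d", b[10] - 1)   # client_version is 3.x
    p = 9 + 2 + 32                                   # past handshake header, client_version, random
    p += 1 + b[p]                                    # session_id
    cslen = b[p] * 256 + b[p + 1]; p += 2; weak = 0
    for (i = 0; i < cslen; i += 2) {                 # RC4, single DES and 40-bit export suites
      s = b[p + i] * 256 + b[p + i + 1]
      if (s == 3 || s == 4 || s == 5 || s == 6 || s == 9 || s == 18 || s == 21) weak++ }
    p += cslen
    comp = b[p]; p += 1 + comp                       # compression_methods
    ext = 5 + rlen - p                               # whatever is left is the extensions block
    printf "ClientHello %s suites=%d weak=%d compression=%d extension_bytes=%d\n", ver, cslen / 2, weak, comp, ext
  }' "$1"
}

# Constructed inputs: lines copied from the two traces posted in this thread.
T=$(mktemp -d); trap 'rm -rf "$T"' EXIT
cat > "$T/ldapsearch-d7.txt" <<'EOF'
ldap_connect_to_host: Trying 192.168.0.3:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: certificate [CN=alty.abc.com,DC=abc,DC=com] is valid
tls_write: want=102, written=102
0000: 16 03 01 00 61 01 00 00 5d 03 01 52 6d 6f df eb ....a...]..Rmo..
0010: e0 92 c2 2d 32 25 50 d8 93 94 0a 23 8b ca d0 ea ...-2%P....#....
0020: 57 1b 2c de 38 48 6c 19 bb 58 de 00 00 36 00 ff W.,.8Hl..X...6..
0030: 00 88 00 87 00 39 00 38 00 84 00 35 00 45 00 44 .....9.8...5.E.D
0040: 00 66 00 33 00 32 00 96 00 41 00 05 00 04 00 2f .f.3.2...A...../
0050: 00 16 00 13 00 0a 00 15 00 12 00 09 00 64 00 62 .............d.b
0060: 00 03 00 06 01 00 ......
tls_read: want=5, got=0
TLS: error: tlsm_PR_Recv returned 0 - error 21:Is a directory
TLS: can't connect: TLS error -5938:Encountered end of file.
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
EOF
cat > "$T/nslcd-messages.txt" <<'EOF'
May 17 14:47:11 boole nslcd[2058]: [0c50b3] ldap_start_tls_s() failed: Can't contact LDAP server: Transport endpoint is not connected (uri="ldap://192.168.122.97/")
May 17 14:47:11 boole nslcd[2058]: [0c50b3] no available LDAP server found
EOF

for f in "$T"/*.txt; do
  echo "== $f: $(classify_ldap_trace "$f")"; explain_ldap_trace "$f"; decode_client_hello "$f"
done
```

The decoder walks the ClientHello by its fixed layout (record header, handshake header, client_version, 32-byte random, session_id, cipher_suites, compression_methods); whatever bytes remain after compression_methods would be the extensions block, and here none remain. The "weak" count flags the RC4, single-DES and 40-bit export suites this 2013-era client still offered; a server that closes the socket at this point has not even got as far as suite selection, so that is a hardening note rather than the cause of the hang-up.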