Old 11-28-2009, 06:00 PM   #1
tanveer
Member
 
Registered: Feb 2004
Location: e@rth
Distribution: RHEL-3/4/5,Gloria,opensolaris
Posts: 525

problem with TLS connectivity with LDAP


Hi,
I was trying to secure the connectivity from a PHP client to the OpenLDAP server using TLS. Now the problem is it can't bind with the LDAP server.
I am following the link:
http://www.linuxhomenetworking.com/w...DAP_and_RADIUS

Created the server certificate as with
Code:
openssl req -newkey rsa:1024  -x509 -nodes -out server.pem -keyout server.pem -days 3650
Then created a client.pem from the certificate portion with:
Code:
grep -A 100 CERTIFICATE server.pem > client.pem
and copied that in /etc/openldap/cacerts folder of client machine.

In my slapd.conf file I have changed it like this:
PHP Code:
TLSCipherSuite          HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
TLSCACertificateFile    /etc/openldap/cacerts/server.pem
TLSCertificateFile      /etc/openldap/cacerts/server.pem
TLSCertificateKeyFile   /etc/openldap/cacerts/server.pem
TLSVerifyClient         allow
and the service starts properly also.


Now when I give this command it gives me this:
ldapsearch -H ldaps://dc.example.com -x -b 'dc=example,dc=com' '(objectclass=*)'
ldap_bind: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

But the normal connection works and gives the result
ldapsearch -H ldap://dc.example.com -x -b 'dc=example,dc=com' '(objectclass=*)'

I also used this command and it gives output as below:
PHP Code:
# openssl s_client -connect dc.example.com:636   -showcerts 
CONNECTED(00000003)
depth=0 /C=CA/ST=QC/L=Ontario/O=TEST/OU=TEST/CN=dc.example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=CA/ST=QC/L=Ontario/O=TEST/OU=TEST/CN=dc.example.com
verify return:1
---
Certificate chain
 0 s:/C=CA/ST=QC/L=Ontario/O=TEST/OU=TEST/CN=dc.example.com
   i:/C=CA/ST=QC/L=Ontario/O=TEST/OU=TEST/CN=dc.example.com
-----BEGIN CERTIFICATE-----
MIIDCjCCAnOgAwIBAgIJAI0cCvZ/yDlyMA0GCSqGSIb3DQEBBQUAMGIxCzAJBgNV
BAYTAkJEMQswCQYDVQQIEwJRQzEOMAwGA1UEBxMFRGhha2ExDTALBgNVBAoTBFRF
U1QxDTALBgNVBAsTBFRFU1QxGDAWBgNVBAMTD2RjLmluc2U2MTIwLmNvbTAeFw0w
OTExMjgxODI3MzBaFw0xOTExMjYxODI3MzBaMGIxCzAJBgNVBAYTAkJEMQswCQYD
VQQIEwJRQzEOMAwGA1UEBxMFRGhha2ExDTALBgNVBAoTBFRFU1QxDTALBgNVBAsT
BFRFU1QxGDAWBgNVBAMTD2RjLmluc2U2MTIwLmNvbTCBnzANBgkqhkiG9w0BAQEF
AAOBjQAwgYkCgYEA24nLxvx7TzhGGZ922YwDv8SLn0p7k51diQVFYTJLmBIW1Pnd
r6L2c0JMAVA/hlFJ5paSRKa6SZ/5BbhBzi/4ymjZf0yiAsFuj2SUSdRxHLZVQh0n
QWtQxRfw4Ixj5ZLzh4hyto6qm5ngFCrQ9fGrF6HoXzJUlZz+YESkYJtq0V8CAwEA
AaOBxzCBxDAdBgNVHQ4EFgQUgYW3/hA3vw30t+ECCxR+LiYz5xowgZQGA1UdIwSB
jDCBiYAUgYW3/hA3vw30t+ECCxR+LiYz5xqhZqRkMGIxCzAJBgNVBAYTAkJEMQsw
CQYDVQQIEwJRQzEOMAwGA1UEBxMFRGhha2ExDTALBgNVBAoTBFRFU1QxDTALBgNV
BAsTBFRFU1QxGDAWBgNVBAMTD2RjLmluc2U2MTIwLmNvbYIJAI0cCvZ/yDlyMAwG
A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAs9UOIfue9/K9+DDcL7gQnTw3
Slxk8a/9zfDg3f1w3jodP6jLDc/1dKWDAXPr36CEUkcwlkJ/VOogfQP0XxqdpqKq
iQ73gyJtmQv/nhmHerdulluCdzTb/CkeyxhVruGspcEc1uNVJGmNbLOSKJAW5WAn
cKrrOmIjoJz4aLzN9Mw=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=CA/ST=QC/L=Ontario/O=TEST/OU=TEST/CN=dc.example.com
issuer=/C=CA/ST=QC/L=Ontario/O=TEST/OU=TEST/CN=dc.example.com
---
Acceptable client certificate CA names
/C=CA/ST=QC/L=Ontario/O=TEST/OU=TEST/CN=dc.example.com
---
SSL handshake has read 1055 bytes and written 334 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: DA7F2DAA3DD25E1872D641AAA0AA66D41EA6A71C4A9CDA21D6928B2088809D63
    Session-ID-ctx: 
    Master-Key: B972FCC838A2D579AD613B8A6CBF607C8EACF34398923B3685AFC356BB11BEF202C3252BA2DE1853C301EE871B0CC573
    Key-Arg   : None
    Start Time: 1259436526
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
I am using the php code:
<?php

// Ldap bind user credentials
$LDAP_Auth_User = "cn=Manager,dc=example,dc=com";
$LDAP_Auth_PWD = "password";

// Connecting to ldap server
$ldapconnect = ldap_connect ("dc.example.com", 636 ) or die ("Cannot Connect to OpenLDAP Server");

// Checking whether ldap connection is successful
//if ($ldapconnect) {
$bindldap = ldap_bind($ldapconnect,$LDAP_Auth_User, $LDAP_Auth_PWD) or die ("Could not bind to LDAP Database");
//}

?>
It gives me the error:
"Could Not bind to LDAP Database"

Any idea where it's going wrong?
Thanks in advance.

Below is the ethereal log when I try to connect to ldaps:
Code:
2.019721 192.168.139.134 -> 192.168.139.135 TCP 46181 > ldaps [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=3138808 TSER=0 WS=3
  2.019803 192.168.139.135 -> 192.168.139.134 TCP ldaps > 46181 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=3184416 TSER=3138808 WS=3
  2.020178 192.168.139.134 -> 192.168.139.135 TCP 46181 > ldaps [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=3138808 TSER=3184416
  2.040603 192.168.139.134 -> 192.168.139.135 SSLv2 Client Hello
  2.040644 192.168.139.135 -> 192.168.139.134 TCP ldaps > 46181 [ACK] Seq=1 Ack=119 Win=5792 Len=0 TSV=3184430 TSER=3138827
  2.041009 192.168.139.135 -> 192.168.139.134 TLSv1 Server Hello, Certificate, Certificate Request, Server Hello Done
  2.041300 192.168.139.134 -> 192.168.139.135 TCP 46181 > ldaps [ACK] Seq=119 Ack=997 Win=7832 Len=0 TSV=3138828 TSER=3184430
  2.042116 192.168.139.134 -> 192.168.139.135 TLSv1 Alert (Level: Fatal, Description: Unknown CA)
  2.042283 192.168.139.135 -> 192.168.139.134 TCP ldaps > 46181 [FIN, ACK] Seq=997 Ack=126 Win=5792 Len=0 TSV=3184432 TSER=3138828
  2.042333 192.168.139.134 -> 192.168.139.1 SSH Encrypted response packet len=176
  2.042828 192.168.139.1 -> 192.168.139.134 TCP 52045 > ssh [ACK] Seq=81 Ack=225 Win=16245 Len=0
  2.047914 192.168.139.134 -> 192.168.139.1 SSH Encrypted response packet len=80
  2.047919 192.168.139.134 -> 192.168.139.135 TCP 46181 > ldaps [FIN, ACK] Seq=126 Ack=998 Win=7832 Len=0 TSV=3138829 TSER=3184432
  2.047987 192.168.139.135 -> 192.168.139.134 TCP ldaps > 46181 [ACK] Seq=998 Ack=127 Win=5792 Len=0 TSV=3184433 TSER=3138829
  2.047920 192.168.139.134 -> 192.168.139.135 TCP 46181 > ldaps [RST, ACK] Seq=127 Ack=998 Win=7832 Len=0 TSV=3138829 TSER=3184432
  2.048163 192.168.139.134 -> 192.168.139.135 TCP 46181 > ldaps [RST] Seq=127 Win=0 Len=0
  2.049101 192.168.139.134 -> 192.168.139.1 SSH Encrypted response packet len=64
  2.049883 192.168.139.1 -> 192.168.139.134 TCP 52045 > ssh [ACK] Seq=81 Ack=369 Win=16209 Len=0
 
Old 11-28-2009, 07:19 PM   #2
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290

What happens if you bump up the verbosity (with the -v option) of your ldapsearch command? Did you remember to add the correct certificate path in your ldap.conf file on the client (I see you have it in slapd.conf on the server, but from my experience you need to have the correct cert on the client as well)? Does the CN of the certificate match the host name of the LDAP server in ldap.conf? I've found OpenLDAP is very picky about things matching up exactly right, or it will refuse to bind. I'd suggest bumping up the verbosity level of your ldapsearch command as it might pinpoint the exact problem the client has with the certificate.
 
Old 11-28-2009, 11:19 PM   #3
tanveer
Member
 
Registered: Feb 2004
Location: e@rth
Distribution: RHEL-3/4/5,Gloria,opensolaris
Posts: 525

Original Poster
Hi, thanks for the reply. It's really a pain to get things working in LDAP; I also suffered with trailing spaces in LDIF files.

Enabling verbose output also gives the same result. I generated the certificates again, but it still doesn't work.

Server Side:

Code:
[root@dc cacerts]# hostname
dc.example.com

[root@dc cacerts]# openssl req -newkey rsa:1024  -x509 -nodes -out server.pem -keyout server.pem -days 365
Generating a 1024 bit RSA private key
........++++++
....++++++
writing new private key to 'server.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:BD    
State or Province Name (full name) [Some-State]:Dhaka
Locality Name (eg, city) []:Dhaka
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Test Company LTd
Organizational Unit Name (eg, section) []:Test
Common Name (eg, YOUR name) []:dc.example.com
Email Address []:admin@dc.example.com
[root@dc cacerts]# 
[root@dc cacerts]# ll
total 8
-rw-r--r-- 1 root root 2225 Nov 28 19:02 server.pem
[root@dc cacerts]# grep -A 100 CERTIFICATE server.pem > client.pem
[root@dc cacerts]# ll
total 16
-rw-r--r-- 1 root root 1338 Nov 28 19:02 client.pem
-rw-r--r-- 1 root root 2225 Nov 28 19:02 server.pem

[root@dc cacerts]# cat /etc/openldap/ldap.conf 

#BASE   dc=example, dc=com
URI     ldaps://dc.example.com:636 ldap:/// 
TLS_CACERTDIR   /etc/openldap/cacerts

#TLS_CACERT /etc/openldap/cacerts
#TLS_REQCERT never

[root@dc cacerts]# cat /etc/openldap/slapd.conf 
....
TLSCipherSuite          HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
TLSCACertificateFile    /etc/openldap/cacerts/server.pem
TLSCertificateFile      /etc/openldap/cacerts/server.pem
TLSCertificateKeyFile   /etc/openldap/cacerts/server.pem
TLSVerifyClient         allow
......
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw                secret
rootpw  {SSHA}nGJnmov31rITNW2KPznys+RKFepm9QHy
Client Side:
-------------
Code:
[root@peer1 cacerts]# cat /etc/openldap/ldap.conf 

#URI    ldaps://dc.example.com:636
#BASE   dc=example, dc=com
TLS_CACERTDIR   /etc/openldap/cacerts
#ssl start_tls


[root@peer1 cacerts]# pwd
/etc/openldap/cacerts

[root@peer1 cacerts]# ll
-rw-r--r-- 1 root root   1294 Nov 28 19:41 client.pem

[root@peer1 cacerts]# ldapsearch -H ldaps://dc.example.com -x -b 'dc=example,dc=com' '(objectclass=*)' -v
ldap_initialize( ldaps://dc.example.com )
ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

[root@peer1 cacerts]# openssl s_client -connect dc.example.com:636   -showcerts 
CONNECTED(00000003)
depth=0 /C=CA/ST=QC/L=Montreal/O=Test Ltd/OU=Test/CN=dc.example.com/emailAddress=admin@example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=CA/ST=QC/L=Montreal/O=Test Ltd/OU=Test/CN=dc.example.com/emailAddress=admin@example.com
verify return:1
---
Certificate chain
 0 s:/C=CA/ST=QC/L=Montreal/O=Test Ltd/OU=Test/CN=dc.example.com/emailAddress=admin@example.com
   i:/C=CA/ST=QC/L=Montreal/O=Test Ltd/OU=Test/CN=dc.example.com/emailAddress=admin@example.com
-----BEGIN CERTIFICATE-----
[certificate body not preserved in the archived post]
-----END CERTIFICATE-----
---
Server certificate
subject=/C=CA/ST=QC/L=Montreal/O=Test Ltd/OU=Test/CN=dc.example.com/emailAddress=admin@example.com
issuer=/C=CA/ST=QC/L=Montreal/O=Test Ltd/OU=Test/CN=dc.example.com/emailAddress=admin@example.com
---
Acceptable client certificate CA names
/C=CA/ST=QC/L=Montreal/O=Test Ltd/OU=Test/CN=dc.example.com/emailAddress=admin@example.com
---
SSL handshake has read 1229 bytes and written 334 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: EC0F64A7EE12B6F6B5B36E466DAC644DCB063F1D904990E072A53EC6F836D396
    Session-ID-ctx: 
    Master-Key: DC3CC8FEB41EC6F4753A5DE7C1603E590899DB31423145210ED7AEACC6DB8301CA9992C18730DEEC7B7ED81AF3004085
    Key-Arg   : None
    Start Time: 1259456596
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
 
Old 11-29-2009, 11:41 PM   #4
tanveer
Member
 
Registered: Feb 2004
Location: e@rth
Distribution: RHEL-3/4/5,Gloria,opensolaris
Posts: 525

Original Poster
OK, finally sorted it out.

On the server, slapd.conf:
Code:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/cacerts/server-cert.pem
TLSCertificateKeyFile /etc/openldap/cacerts/server-key.pem
TLSVerifyClient      never
On the client side, ldap.conf:
Code:
HOST    dc.example.com
PORT    636
TLS_CACERT /etc/openldap/cacerts/cacert.pem
TLS_REQCERT demand
And the PHP code to connect:
PHP Code:
<?php
// LDAP bind user credentials
$LDAP_Auth_User = "cn=Manager,dc=inse6120,dc=com";
$LDAP_Auth_PWD  = "password";

// Connecting to the LDAP server over ldaps:// (the port argument is ignored
// by ldap_connect() when a URI is given; the port lives in the URI)
$ldapconnect = ldap_connect("ldaps://dc.example.com:636") or die("Cannot Connect to OpenLDAP Server");

// Bind with the credentials above
$bindldap = ldap_bind($ldapconnect, $LDAP_Auth_User, $LDAP_Auth_PWD) or die("Could not bind to LDAP Database");

?>
This link will be a great help: http://www.openldap.org/pub/k...nLDAP_TLS.html

Thanks.
 
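Taken together, the failure in post #1 (the client sends the fatal alert "Unknown CA" and ldapsearch reports `certificate verify failed`) and the configuration that worked in post #4 come down to what the client holds as its trust anchor and how it finds it. The script below is an added example, not code from the thread: it builds the three files the working slapd.conf names (cacert.pem, server-cert.pem, server-key.pem), then uses `openssl verify` to reproduce offline the outcome of each client setting discussed: a `TLS_CACERT` file, no CA at all, and a `TLS_CACERTDIR` directory both with and without the hash-named file that OpenSSL's directory lookup requires (the file `c_rehash` would create). It also checks btmiller's point from post #2 that the host name used by the client must match the certificate. Subjects, lifetimes and the temporary working directory are assumptions; the only dependency is the openssl command line.

```shell
#!/bin/sh
# Added example (not from the thread): build a CA plus a CA-signed server
# certificate and test the client trust configurations with openssl verify.
# Subjects, lifetimes and the temp directory are assumptions for the demo.
set -u

make_ca_and_server_cert() {   # $1 = working directory
    dir=$1
    # Self-signed CA certificate; its private key never goes on the LDAP server.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/O=Example Test/CN=Example Test CA" \
        -keyout "$dir/ca-key.pem" -out "$dir/cacert.pem" >/dev/null 2>&1 || return 1
    # Server key and CSR; the CN is the host name clients put in ldaps://
    openssl req -newkey rsa:2048 -nodes \
        -subj "/O=Example Test/CN=dc.example.com" \
        -keyout "$dir/server-key.pem" -out "$dir/server.csr" >/dev/null 2>&1 || return 1
    printf 'subjectAltName=DNS:dc.example.com\n' > "$dir/san.ext"
    # Sign the CSR with the CA: server-cert.pem is issued by cacert.pem rather
    # than self-signed, so a client trusting cacert.pem can build the chain.
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
        -extfile "$dir/san.ext" -out "$dir/server-cert.pem" >/dev/null 2>&1
}

# Equivalent of a client with TLS_CACERT <file>: prints OK or FAIL.
verify_with_cafile() {
    if openssl verify -CAfile "$1/cacert.pem" "$1/server-cert.pem" >/dev/null 2>&1
    then echo OK; else echo FAIL; fi
}

# No trust anchor configured: the "certificate verify failed" / "Unknown CA" case.
verify_without_ca() {
    if openssl verify -no-CAfile -no-CApath "$1/server-cert.pem" >/dev/null 2>&1
    then echo OK; else echo FAIL; fi
}

# Equivalent of TLS_CACERTDIR <dir>: OpenSSL looks the issuer up by the file
# name <subject-hash>.0, so a CA cert merely copied into the directory under
# another name (client.pem in the thread) is never found.
verify_with_cadir() {         # $1 = working directory, $2 = hashed | unhashed
    cadir=$1/cadir-$2
    mkdir -p "$cadir"
    if [ "$2" = hashed ]; then
        hash=$(openssl x509 -subject_hash -noout -in "$1/cacert.pem")
        cp "$1/cacert.pem" "$cadir/$hash.0"     # what c_rehash would create
    else
        cp "$1/cacert.pem" "$cadir/client.pem"  # the thread's layout
    fi
    if openssl verify -no-CAfile -CApath "$cadir" "$1/server-cert.pem" >/dev/null 2>&1
    then echo OK; else echo FAIL; fi
}

# The client also checks that the name it connected to matches the certificate
# (CN or subjectAltName). $2 = host name to test; prints OK or FAIL.
verify_hostname() {
    if openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$2" \
        "$1/server-cert.pem" >/dev/null 2>&1
    then echo OK; else echo FAIL; fi
}

WORK=$(mktemp -d)
make_ca_and_server_cert "$WORK"
echo "TLS_CACERT file:              $(verify_with_cafile "$WORK")"
echo "no CA configured:             $(verify_without_ca "$WORK")"
echo "TLS_CACERTDIR, hashed name:   $(verify_with_cadir "$WORK" hashed)"
echo "TLS_CACERTDIR, unhashed copy: $(verify_with_cadir "$WORK" unhashed)"
echo "host dc.example.com:          $(verify_hostname "$WORK" dc.example.com)"
echo "host other.example.com:       $(verify_hostname "$WORK" other.example.com)"
```

The two FAIL lines are the thread's two failure modes: nothing to chain to, and a CA file the directory lookup cannot locate. Either one makes the client send the "Unknown CA" alert seen in the packet capture, while `openssl s_client` still completes the handshake because it only warns about verification by default, which is why the OP's s_client output looked healthier than ldapsearch did.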