LinuxQuestions.org
Go Job Hunting at the LQ Job Marketplace
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
LinkBack Search this Thread
Old 11-28-2009, 06:00 PM   #1
tanveer
Member
 
Registered: Feb 2004
Location: e@rth
Distribution: RHEL-3/4/5,Gloria,opensolaris
Posts: 488

Rep: Reputation: 37
problem with TLS connectivity with LDAP


Hi,
I was trying to secure the connectivity to openLDAP server to a client secure using TLS with PHP. Now the problem is it can't bind with the ldap server.
I am following the link:
http://www.linuxhomenetworking.com/w...DAP_and_RADIUS

Created the server certificate as with
Code:
openssl req -newkey rsa:1024  -x509 -nodes -out server.pem -keyout server.pem -days 3650
Then created a client.pem by certificate portion with:
Code:
grep -A 100 CERTIFICATE server.pem > client.pem
and copied that in /etc/openldap/cacerts folder of client machine.

In my slapd.conf file I have changed like this:
PHP Code:
TLSCipherSuite          HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
TLSCACertificateFile    
/etc/openldap/cacerts/server.pem
TLSCertificateFile      
/etc/openldap/cacerts/server.pem
TLSCertificateKeyFile   
/etc/openldap/cacerts/server.pem
TLSVerifyClient         allow 
and the service starts properly also.


Now when give this command it gives me this:
ldapsearch -H ldaps://dc.example.com -x -b 'dc=example,dc=com' '(objectclass=*)'
ldap_bind: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

But the normal connection works and gives the result
ldapsearch -H ldap://dc.example.com -x -b 'dc=example,dc=com' '(objectclass=*)'

I also used this command and it gives output as below:
PHP Code:
# openssl s_client -connect dc.example.com:636   -showcerts 
CONNECTED(00000003)
depth=/C=CA/ST=QC/L=Ontario/O=TEST/OU=TEST/CN=dc.example.com
verify error
:num=18:self signed certificate
verify 
return:1
depth
=/C=CA/ST=QC/L=Ontario/O=TEST/OU=TEST/CN=dc.example.com
verify 
return:1
---
Certificate chain
 0 s
:/C=CA/ST=QC/L=Ontario/O=TEST/OU=TEST/CN=dc.example.com
   i
:/C=CaA/ST=QC/L=Ontario/O=TEST/OU=TEST/CN=dc.example.com
-----BEGIN CERTIFICATE-----
MIIDCjCCAnOgAwIBAgIJAI0cCvZ/yDlyMA0GCSqGSIb3DQEBBQUAMGIxCzAJBgNV
BAYTAkJEMQswCQYDVQQIEwJRQzEOMAwGA1UEBxMFRGhha2ExDTALBgNVBAoTBFRF
U1QxDTALBgNVBAsTBFRFU1QxGDAWBgNVBAMTD2RjLmluc2U2MTIwLmNvbTAeFw0w
OTExMjgxODI3MzBaFw0xOTExMjYxODI3MzBaMGIxCzAJBgNVBAYTAkJEMQswCQYD
VQQIEwJRQzEOMAwGA1UEBxMFRGhha2ExDTALBgNVBAoTBFRFU1QxDTALBgNVBAsT
BFRFU1QxGDAWBgNVBAMTD2RjLmluc2U2MTIwLmNvbTCBnzANBgkqhkiG9w0BAQEF
AAOBjQAwgYkCgYEA24nLxvx7TzhGGZ922YwDv8SLn0p7k51diQVFYTJLmBIW1Pnd
r6L2c0JMAVA
/hlFJ5paSRKa6SZ/5BbhBzi/4ymjZf0yiAsFuj2SUSdRxHLZVQh0n
QWtQxRfw4Ixj5ZLzh4hyto6qm5ngFCrQ9fGrF6HoXzJUlZz
+YESkYJtq0V8CAwEA
AaOBxzCBxDAdBgNVHQ4EFgQUgYW3
/hA3vw30t+ECCxR+LiYz5xowgZQGA1UdIwSB
jDCBiYAUgYW3
/hA3vw30t+ECCxR+LiYz5xqhZqRkMGIxCzAJBgNVBAYTAkJEMQsw
CQYDVQQIEwJRQzEOMAwGA1UEBxMFRGhha2ExDTALBgNVBAoTBFRFU1QxDTALBgNV
BAsTBFRFU1QxGDAWBgNVBAMTD2RjLmluc2U2MTIwLmNvbYIJAI0cCvZ
/yDlyMAwG
A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAs9UOIfue9
/K9+DDcL7gQnTw3
Slxk8a
/9zfDg3f1w3jodP6jLDc/1dKWDAXPr36CEUkcwlkJ/VOogfQP0XxqdpqKq
iQ73gyJtmQv
/nhmHerdulluCdzTb/CkeyxhVruGspcEc1uNVJGmNbLOSKJAW5WAn
cKrrOmIjoJz4aLzN9Mw
=
-----
END CERTIFICATE-----
---
Server certificate
subject
=/C=CA/ST=QC/L=Ontario/O=TEST/OU=TEST/CN=dc.example.com
issuer
=/C=CA/ST=QC/L=Ontario/O=TEST/OU=TEST/CN=dc.example.com
---
Acceptable client certificate CA names
/C=CA/ST=QC/L=Ontaroio/O=TEST/OU=TEST/CN=dc.example.com
---
SSL handshake has read 1055 bytes and written 334 bytes
---
New, 
TLSv1/SSLv3Cipher is AES256-SHA
Server 
public key is 1024 bit
Compression
NONE
Expansion
NONE
SSL
-Session:
    
Protocol  TLSv1
    Cipher    
AES256-SHA
    Session
-IDDA7F2DAA3DD25E1872D641AAA0AA66D41EA6A71C4A9CDA21D6928B2088809D63
    Session
-ID-ctx
    
Master-KeyB972FCC838A2D579AD613B8A6CBF607C8EACF34398923B3685AFC356BB11BEF202C3252BA2DE1853C301EE871B0CC573
    Key
-Arg   None
    Start Time
1259436526
    Timeout   
300 (sec)
    
Verify return code18 (self signed certificate)
--- 
I am using the php code:
<?php

// Ldap bind user credentials
$LDAP_Auth_User = "cn=Manager,dc=example,dc=com";
$LDAP_Auth_PWD = "password";

// Connecting to ldap server
$ldapconnect = ldap_connect ("dc.example.com", 636 ) or die ("Cannot Connect to OpenLDAP Server");

// Checking whether ldap connection is successful
//if ($ldapconnect) {
$bindldap = ldap_bind($ldapconnect,$LDAP_Auth_User, $LDAP_Auth_PWD) or die ("Could not bind to LDAP Database");
//}

?>
It gives me the error:
"Could Not bind to LDAP Database"

Any idea where it's going wrong .
Thanks in advance.

below is the ethereal log when try to connect to ldaps:
Code:
2.019721 192.168.139.134 -> 192.168.139.135 TCP 46181 > ldaps [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=3138808 TSER=0 WS=3
  2.019803 192.168.139.135 -> 192.168.139.134 TCP ldaps > 46181 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=3184416 TSER=3138808 WS=3
  2.020178 192.168.139.134 -> 192.168.139.135 TCP 46181 > ldaps [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=3138808 TSER=3184416
  2.040603 192.168.139.134 -> 192.168.139.135 SSLv2 Client Hello
  2.040644 192.168.139.135 -> 192.168.139.134 TCP ldaps > 46181 [ACK] Seq=1 Ack=119 Win=5792 Len=0 TSV=3184430 TSER=3138827
  2.041009 192.168.139.135 -> 192.168.139.134 TLSv1 Server Hello, Certificate, Certificate Request, Server Hello Done
  2.041300 192.168.139.134 -> 192.168.139.135 TCP 46181 > ldaps [ACK] Seq=119 Ack=997 Win=7832 Len=0 TSV=3138828 TSER=3184430
  2.042116 192.168.139.134 -> 192.168.139.135 TLSv1 Alert (Level: Fatal, Description: Unknown CA)
  2.042283 192.168.139.135 -> 192.168.139.134 TCP ldaps > 46181 [FIN, ACK] Seq=997 Ack=126 Win=5792 Len=0 TSV=3184432 TSER=3138828
  2.042333 192.168.139.134 -> 192.168.139.1 SSH Encrypted response packet len=176
  2.042828 192.168.139.1 -> 192.168.139.134 TCP 52045 > ssh [ACK] Seq=81 Ack=225 Win=16245 Len=0
  2.047914 192.168.139.134 -> 192.168.139.1 SSH Encrypted response packet len=80
  2.047919 192.168.139.134 -> 192.168.139.135 TCP 46181 > ldaps [FIN, ACK] Seq=126 Ack=998 Win=7832 Len=0 TSV=3138829 TSER=3184432
  2.047987 192.168.139.135 -> 192.168.139.134 TCP ldaps > 46181 [ACK] Seq=998 Ack=127 Win=5792 Len=0 TSV=3184433 TSER=3138829
  2.047920 192.168.139.134 -> 192.168.139.135 TCP 46181 > ldaps [RST, ACK] Seq=127 Ack=998 Win=7832 Len=0 TSV=3138829 TSER=3184432
  2.048163 192.168.139.134 -> 192.168.139.135 TCP 46181 > ldaps [RST] Seq=127 Win=0 Len=0
  2.049101 192.168.139.134 -> 192.168.139.1 SSH Encrypted response packet len=64
  2.049883 192.168.139.1 -> 192.168.139.134 TCP 52045 > ssh [ACK] Seq=81 Ack=369 Win=16209 Len=0
 
Old 11-28-2009, 07:19 PM   #2
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 3,995

Rep: Reputation: 261Reputation: 261Reputation: 261
What happens if you bump up the verbosity (with the -v option) of your ldapsearch command? Did you remember to add the correct certificate path in your ldap.conf file on the client (I sewe you have it in slapd.conf on the server, but from my experience you need to have the correct cert on the client as well). Does the CN of the certificate match the host name of the LDAP server in ldap.conf? I've found OpenLDAP is very picky about things matching up exactly right, or it will refuse to bind. I'd suggest bumping up the verbosity level of your ldapsearch command as it might pinpoint the exact problem the client has with the certificate.
 
Old 11-28-2009, 11:19 PM   #3
tanveer
Member
 
Registered: Feb 2004
Location: e@rth
Distribution: RHEL-3/4/5,Gloria,opensolaris
Posts: 488

Original Poster
Rep: Reputation: 37
Hi, Thanks for the reply. Its really pain to get things work in ldap; I also suffered with trailing spaces in ldif files.

Enabling verbose also gives the same output. I generated the certificates again but still doesn't work though.

Server Side:

Code:
[root@dc cacerts]# hostname
dc.example.com

[root@dc cacerts]# openssl req -newkey rsa:1024  -x509 -nodes -out server.pem -keyou
t server.pem -days 365
Generating a 1024 bit RSA private key
........++++++
....++++++
writing new private key to 'server.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:BD    
State or Province Name (full name) [Some-State]:Dhaka
Locality Name (eg, city) []:Dhaka
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Test Company LTd
Organizational Unit Name (eg, section) []:Test
Common Name (eg, YOUR name) []:dc.example.com
Email Address []:admin@dc.example.com
[root@dc cacerts]# 
[root@dc cacerts]# ll
total 8
-rw-r--r-- 1 root root 2225 Nov 28 19:02 server.pem
[root@dc cacerts]# grep -A 100 CERTIFICATE server.pem > client.pem
[root@dc cacerts]# ll
total 16
-rw-r--r-- 1 root root 1338 Nov 28 19:02 client.pem
-rw-r--r-- 1 root root 2225 Nov 28 19:02 server.pem

[root@dc cacerts]# cat /etc/openldap/ldap.conf 

#BASE   dc=example, dc=com
URI     ldaps://dc.example.com:636 ldap:/// 
TLS_CACERTDIR   /etc/openldap/cacerts

#TLS_CACERT /etc/openldap/cacerts
#TLS_REQCERT never

[root@dc cacerts]# cat /etc/openldap/slapd.conf 
....
TLSCipherSuite          HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
TLSCACertificateFile    /etc/openldap/cacerts/server.pem
TLSCertificateFile      /etc/openldap/cacerts/server.pem
TLSCertificateKeyFile   /etc/openldap/cacerts/server.pem
TLSVerifyClient         allow
......
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw                secret
rootpw  {SSHA}nGJnmov31rITNW2KPznys+RKFepm9QHy
Client Side:
-------------
Code:
[root@peer1 cacerts]# cat /etc/openldap/ldap.conf 

#URI    ldaps://dc.example.com:636
#BASE   dc=example, dc=com
TLS_CACERTDIR   /etc/openldap/cacerts
#ssl start_tls


[root@peer1 cacerts]# pwd
/etc/openldap/cacerts

[root@peer1 cacerts]# ll
-rw-r--r-- 1 root root   1294 Nov 28 19:41 client.pem

[root@peer1 cacerts]# ldapsearch -H ldaps://dc.example.com -x -b 'dc=example,dc=com' '(objectclass=*)' -v
ldap_initialize( ldaps://dc.example.com )
ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

[root@peer1 cacerts]# openssl s_client -connect dc.example.com:636   -showcerts 
CONNECTED(00000003)
depth=0 /C=CA/ST=QC/L=Montreal/O=Test Ltd/OU=Test/CN=dc.example.com/emailAddress=admin@example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=CA/ST=QC/L=Montreal/O=Test Ltd/OU=Test/CN=dc.example.com/emailAddress=admin@example.com
verify return:1
---
Certificate chain
 0 s:/C=CA/ST=QC/L=Montreal/O=Test Ltd/OU=Test/CN=dc.example.com/emailAddress=admin@example.com
   i:/C=CA/ST=QC/L=Montreal/O=Test Ltd/OU=Test/CN=dc.example.com/emailAddress=admin@example.com
-----BEGIN CERTIFICATE-----
MIIDjTCCAvagAwIBAgIJAMnB66EPNXksMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYD
VQQGEwJDQTELMAkGA1UECBMCUUMxETAPBgNVBAcTCE1vbnRyZWFsMREwDwYDVQQK
EwhUZXN0IEx0ZDENMAsGA1UECxMEVGVzdDEYMBYGA1UEAxMPZGMuaW5zZTYxMjAu
Y29tMSEwHwYJKoZIhvcNAQkBFhJhZG1pbkBpbnNlNjEyMC5jb20wHhcNMDkxMTI4
MjM0NTE0WhcNMTAxMTI4MjM0NTE0WjCBjDELMAkGA1UEBhMCQ0ExCzAJBgNVBAgT
AlFDMREwDwYDVQQHEwhNb250cmVhbDERMA8GA1UEChMIVGVzdCBMdGQxDTALBgNV
BAsTBFRlc3QxGDAWBgNVBAMTD2RjLmluc2U2MTIwLmNvbTEhMB8GCSqGSIb3DQEJ
ARYSYWRtaW5AaW5zZTYxMjAuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
gQDjrE5wzzdB67160Y6ToATDahT68MJTQCTtvJNh9o6de7fi+HL6tYMFCfWJpBEt
WVy7EPmMgpPq0ehUU1g3M+c7I9PTwxa72DJfeQLsevb4XccZPYeq4Kw0pDHXB2wl
YleOkxzeKV8cqmNMei/CZF/TNADig7vVxzzirjnbkoAD6wIDAQABo4H0MIHxMB0G
A1UdDgQWBBSQIe8bU9+QJVXWFrDGLaL4RLxZJTCBwQYDVR0jBIG5MIG2gBSQIe8b
U9+QJVXWFrDGLaL4RLxZJaGBkqSBjzCBjDELMAkGA1UEBhMCQ0ExCzAJBgNVBAgT
AlFDMREwDwYDVQQHEwhNb250cmVhbDERMA8GA1UEChMIVGVzdCBMdGQxDTALBgNV
BAsTBFRlc3QxGDAWBgNVBAMTD2RjLmluc2U2MTIwLmNvbTEhMB8GCSqGSIb3DQEJ
ARYSYWRtaW5AaW5zZTYxMjAuY29tggkAycHroQ81eSwwDAYDVR0TBAUwAwEB/zAN
BgkqhkiG9w0BAQUFAAOBgQABvt6C4Q8UZCWqGcldPf4ZGiNSyH6DLBh2sHO1Q70W
8jtUofBqQkEYujOC3zvZ8lDRfAvZ0qL5rX9ZQKL/yKM7KdoC1en+hLr/wLL2YbUh
9aMTZIV8LcDE58qc7qZk9kU2iPR8s1ULDNRaRpjNbn21K3z6eU54hhqe+7NCeH/p
kw==
-----END CERTIFICATE-----
---
Server certificate
subject=/C=CA/ST=QC/L=Montreal/O=Test Ltd/OU=Test/CN=dc.example.com/emailAddress=admin@example.com
issuer=/C=CA/ST=QC/L=Montreal/O=Test Ltd/OU=Test/CN=dc.example.com/emailAddress=admin@example.com
---
Acceptable client certificate CA names
/C=CA/ST=QC/L=Montreal/O=Test Ltd/OU=Test/CN=dc.example.com/emailAddress=admin@example.com
---
SSL handshake has read 1229 bytes and written 334 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: EC0F64A7EE12B6F6B5B36E466DAC644DCB063F1D904990E072A53EC6F836D396
    Session-ID-ctx: 
    Master-Key: DC3CC8FEB41EC6F4753A5DE7C1603E590899DB31423145210ED7AEACC6DB8301CA9992C18730DEEC7B7ED81AF3004085
    Key-Arg   : None
    Start Time: 1259456596
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
 
Old 11-29-2009, 11:41 PM   #4
tanveer
Member
 
Registered: Feb 2004
Location: e@rth
Distribution: RHEL-3/4/5,Gloria,opensolaris
Posts: 488

Original Poster
Rep: Reputation: 37
OK finally sorted it out.

In server the slapd.conf:
Code:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/cacerts/server-cert.pem
TLSCertificateKeyFile /etc/openldap/cacerts/server-key.pem
TLSVerifyClient      never
In Client side: ldap.conf
Code:
HOST    dc.example.com
PORT    636
TLS_CACERT /etc/openldap/cacerts/cacert.pem
TLS_REQCERT demand
And the PHP code to connect:
PHP Code:
<?
// Ldap bind user credentials
$LDAP_Auth_User "cn=Manager,dc=inse6120,dc=com";
$LDAP_Auth_PWD  "password";

// Connecting to ldap server
$ldapconnect ldap_connect ("ldaps://dc.example.com",636) or die ("Cannot Connect to OpenLDAP Server");

$bindldap ldap_bind($ldapconnect,$LDAP_Auth_User$LDAP_Auth_PWD) or die ("Could not bind to LDAP Database");

?>
This link will be a great help http://http://www.openldap.org/pub/k...nLDAP_TLS.html

Thanks.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Verifying that TLS is used when contacting LDAP server kenneho Linux - Security 5 05-14-2008 08:28 AM
LDAP connection problems after enabling TLS kenneho Linux - Software 3 05-13-2008 06:04 AM
TLS in phpLDAPadmin can not connect to LDAP server. nui Linux - Software 0 12-28-2006 08:22 PM
Ldap replication using TLS/SSL jitender.rajpal Linux - Networking 0 10-18-2006 07:59 AM
LDAP TLS lockups blueplazma Linux - Software 2 04-23-2005 01:48 PM


All times are GMT -5. The time now is 02:29 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration