LinuxQuestions.org
Old 09-30-2011, 04:31 PM   #1
LBM
Member
 
Registered: Aug 2010
Location: Denmark
Distribution: Debian
Posts: 87

Issues with OpenLDAP and SSL / TLS


I have configured OpenLDAP on Debian Squeeze, which is working fine, but not as intended with SSL or StartTLS.

It is actually two different issues, but I think they are very related.

The first problem is that, if I do not specify
"TLS_REQCERT allow" in the ldap.conf, I am unable to get a connection from ldapsearch. Unless I use ldapsearch -x, of course.

Code:
The ldap.conf
BASE	dc=example,dc=com
URI	ldap://ldap.example.com:389

TLS_CACERT /etc/ldap/certs/ca.crt
TLS_REQCERT	allow
The TLS entries in the server's cn\=config LDIF file

Code:
olcTLSCACertificateFile: /etc/ldap/certs/ca.crt
olcTLSCertificateFile: /etc/ldap/certs/openldap.crt
olcTLSCertificateKeyFile: /etc/ldap/certs/ca.key
The certificates and keys are created with OpenSSL.
ca.crt is the certificate from the CA server. This should be working, because I use it for other purposes as well, like SMTP, Web etc., to trust these certificates.

openldap.crt is the certificate I have created for use with the openldap server. It uses the common name of: ldap.example.com (which is the same as the URI).

ca.key is the key file from the CA, which is used to create the two above certificates, ca.crt and openldap.crt.

I try with this command, which is working as described above if TLS_REQCERT is set to allow in the ldap.conf.
Code:
ldapsearch -x -H ldaps://ldap.example.com -s base -b dc=example,dc=com
The second issue is with StartTLS.
Testing StartTLS, I get this SASL issue? But I have not configured SASL, so I find this very weird!
Code:
ldapsearch -ZZ
SASL/DIGEST-MD5 authentication started
Please enter your password: 
ldap_sasl_interactive_bind_s: Invalid credentials (49)
	additional info: SASL(-13): user not found: no secret in database
If I set TLS_REQCERT to try or demand, I get this error, using the same command as above.

Code:
ldapsearch -x -H ldaps://ldap.example.com -s base -b dc=example,dc=com
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Testing StartTLS, I now get this error.
Code:
ldapsearch -ZZ
ldap_start_tls: Connect error (-11)
	additional info: (unknown error code)
Any ideas on how I can fix this? It seems to be certificate issues, but testing with openssl, I get this (output cut, but the important thing is that it verifies OK?).
Code:
openssl s_client -connect localhost:636 -showcerts -state -CAfile /etc/ldap/certs/ca.crt
... CUT ...
---
No client certificate CA names sent
---
SSL handshake has read 3426 bytes and written 703 bytes
---
... CUT ...

    Verify return code: 0 (ok)

Last edited by LBM; 09-30-2011 at 04:41 PM.
 
Old 09-30-2011, 04:44 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,398

you are still doing a simple bind in every stage, not SASL, so stick with the -x in all tests.
 
Old 10-01-2011, 04:48 AM   #3
LBM
Member
 
Registered: Aug 2010
Location: Denmark
Distribution: Debian
Posts: 87

Original Poster
Can you clarify this for me? Does the ZZ require SASL?

But the -x parameter is used here, and it is not working unless TLS_REQCERT is set to allow.
But, as you say, it seems that SASL is trying to be used here, but why?

Code:
ldapsearch -x -H ldaps://ldap.example.com -s base -b dc=example,dc=com
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
 
Old 10-01-2011, 05:57 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,398

TLS and SASL have *NOTHING* in common, TLS provides connection security, SASL provides authentication. These two things do not cross paths here, save for possible cert based authentication, which is not relevant here.
 
Old 10-01-2011, 07:38 AM   #5
LBM
Member
 
Registered: Aug 2010
Location: Denmark
Distribution: Debian
Posts: 87

Original Poster
Yes, I know; that is why I am very confused why I get this SASL error when I use certificates. But with no certificates, it is working fine.
 
Old 10-01-2011, 02:18 PM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,398

why? because you've removed the -x. put it back in.
 
Old 10-01-2011, 08:04 PM   #7
LBM
Member
 
Registered: Aug 2010
Location: Denmark
Distribution: Debian
Posts: 87

Original Poster
After quite a long time of researching, googling, and debugging I found out that I signed the ldap certificate using MD5RSA, with openssl!
It seems that GnuTLS, which is used by openldap in Debian, does not like this at all. So I created a new server certificate and signed it with sha1 instead, and now things seem to be ok!

Doing a test with GnuTLS failed with the following command, BUT OpenSSL verified this as OK, again because of the signing method.
I do not have the output this time, but the errors are very clear.
With the sha1 certificate BOTH GnuTLS and openssl verify this as ok! SUCCESS!
Code:
gnutls-cli --x509cafile /etc/ldap/certs/ca.crt -p 636 example.com
The ldap.conf now looks like this, so I am sure that I use SSL!
Code:
BASE	dc=example,dc=com
URI	ldaps://ldap.example.com:636

TLS_CACERT /etc/ldap/certs/ca.crt
TLS_REQCERT	demand
Using the BAD MD5-RSA certificate on the server, I get this error using ldapsearch.
Code:
ldapsearch -x
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
With the exact same setup and ldap.conf client file, just with the sha1 signed certificate, I get this.
Code:
ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
... REST OF OUTPUT CUTTED ...
I am happy, thank god for debugging.

Last edited by LBM; 10-01-2011 at 08:17 PM.
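Added example (not from the thread, and not OpenLDAP or GnuTLS code): a stdlib-only Python check that reads the signatureAlgorithm OID out of a DER or PEM certificate such as /etc/ldap/certs/openldap.crt, the field whose MD5 value made GnuTLS reject the server certificate above. The function names and the sample inputs are constructed for this example; the samples are minimal DER skeletons, not real certificates, but the parser reads real certificates the same way.

```python
import base64

# PKCS#1 RSA signature-algorithm OIDs -> names (the ones this thread is about)
SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
            "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
WEAK = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def _oid_to_str(val):
    """Decode a DER OBJECT IDENTIFIER value into dotted form."""
    parts, acc = [str(val[0] // 40), str(val[0] % 40)], 0
    for b in val[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # last base-128 digit of this arc
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)
def load_cert(data):
    """Accept PEM or DER bytes (e.g. the contents of openldap.crt) and return DER."""
    if b"-----BEGIN" not in data:
        return data
    return base64.b64decode(b"".join(l for l in data.splitlines() if not l.startswith(b"-----")))
def signature_algorithm(der):
    """Return the dotted OID of Certificate.signatureAlgorithm (RFC 5280 outer field)."""
    _, cert, _ = _tlv(der, 0)               # Certificate ::= SEQUENCE
    _, _tbs, pos = _tlv(cert, 0)            # tbsCertificate, skipped
    _, algid, _ = _tlv(cert, pos)           # signatureAlgorithm AlgorithmIdentifier
    tag, oid, _ = _tlv(algid, 0)
    assert tag == 0x06, "signatureAlgorithm does not start with an OID"
    return _oid_to_str(oid)
def check_certificate(data):
    """Return (algorithm name, is_weak); MD5 and SHA-1 RSA signatures count as weak."""
    oid = signature_algorithm(load_cert(data))
    name = SIG_OIDS.get(oid, oid)
    return name, name in WEAK
def _der(tag, payload):                     # short-form DER encoder, only for the samples below
    return bytes([tag, len(payload)]) + payload
def _sample(sig_oid_hex):                   # constructed skeleton, NOT a real certificate
    algid = _der(0x30, _der(0x06, bytes.fromhex(sig_oid_hex)) + b"\x05\x00")
    return _der(0x30, _der(0x30, b"") + algid + _der(0x03, b"\x00"))
MD5_SAMPLE = _sample("2a864886f70d010104")     # md5WithRSAEncryption, the thread's bad cert
SHA256_SAMPLE = _sample("2a864886f70d01010b")  # sha256WithRSAEncryption
PEM_SAMPLE = b"-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(SHA256_SAMPLE)
```

Current GnuTLS and OpenSSL releases reject SHA-1 certificate signatures by default too, so the check flags both MD5 and SHA-1 rather than only MD5.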
 
  

