LinuxQuestions.org
Linux - Desktop This forum is for the discussion of all Linux Software used in a desktop context.

Old 09-19-2011, 05:29 AM   #1
allinduke
OpenLDAP Client 2.4.23: TLS negotiation failure


Hi all,

I have OpenLDAP 2.4.19 Server installed on a CentOS 6 machine. When I use it without TLS, the client has no problem connecting to the LDAP server.

Now when I try to enable TLS and log in at the client (OpenSUSE 11.4 with OpenLDAP 2.4.23 client), the server log shows me:

Code:
Sep 19 12:11:45 centos6 slapd[16620]: conn=226 fd=14 ACCEPT from IP=client-IP:client-Port (IP=0.0.0.0:636)
Sep 19 12:11:45 centos6 slapd[16620]: conn=226 fd=14 closed (TLS negotiation failure)
When I run the following (on the client):

Code:
ldapsearch -x -H ldaps://serverip/ -b 'dc=mydomain,dc=com' 'uid=b*'
I get a list of all users starting with a "b", as expected.

The server ldap log says:

Code:
Sep 19 12:16:40 centos6 slapd[16620]: conn=228 fd=14 ACCEPT from IP=client-IP:client-Port (IP=0.0.0.0:636)
Sep 19 12:16:40 centos6 slapd[16620]: conn=228 fd=14 TLS established tls_ssf=256 ssf=256
Sep 19 12:16:40 centos6 slapd[16620]: conn=228 op=0 BIND dn="" method=128
Sep 19 12:16:40 centos6 slapd[16620]: conn=228 op=0 RESULT tag=97 err=0 text=
Sep 19 12:16:40 centos6 slapd[16620]: conn=228 op=1 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(uid=bg*)"
Sep 19 12:16:40 centos6 slapd[16620]: conn=228 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 19 12:16:40 centos6 slapd[16620]: conn=228 op=2 UNBIND
Sep 19 12:16:40 centos6 slapd[16620]: conn=228 fd=14 closed
So from this I conclude that the LDAP Server is TLS ready and works.

Here's my client conf (/etc/ldap.conf):

Code:
base    dc=mydomain,dc=com
binddn cn=Manager,dc=mydomain,dc=com
bindpw *somesecret*
bind_policy     soft
pam_lookup_policy       yes
pam_password    exop
nss_initgroups_ignoreusers      root,ldap
nss_schema      rfc2307bis
nss_map_attribute       uniqueMember member
uri     ldaps://*server-IP*
ldap_version    3
pam_filter      objectClass=posixAccount
tls_cacertfile /etc/ssl/ca.crt
and here is my /etc/openldap/ldap.conf:

Code:
uri     ldaps://*server-IP*
base    dc=mydomain,dc=com
TLS_REQCERT allow
Slapd runs on both ports (389 without TLS and 636 for TLS), I tested that with netstat. I can also telnet to both ports. User/PW is all fine.

Just TLS settings for the client seem to be wrong.

Any suggestions are welcome.

Thanks

allinduke
 
Old 09-19-2011, 07:01 AM   #2
cendryon
Hi

TLS is only used when you connect to the base ldap:// (port 389), to "bump up" the bare connection to a TLS encrypted one. When you connect to ldaps:// on port 636, you are already connected by the LDAP protocol through an SSL tunnel.

Try using ldap:// instead of ldaps:// in the server URI.

See the TLS chapter in the OpenLDAP Administrator's Guide for more information.

Cheers
 
Old 09-19-2011, 07:12 AM   #3
allinduke
Original Poster
I don't really get what you mean.

The docs say that when you connect to port 636 using an LDAPS:// URI you don't need a directive like Start_tls, which I do not use. They also say that when you connect to port 389 using an LDAP:// URI and use Start_tls, the protocol then switches to TLS.

I've tried both of these; neither one worked.

So could you please be a little more precise about what you mean, so I can benefit from your knowledge.

Thanks for the help.

allinduke

P.S. Using no TLS or SSL and port 389 already works in our environment, but I do have to make TLS/SSL work, so LDAP:// is not an option; we want LDAPS://. The reason for using TLS/SSL is that we don't want the passwords to go over the internal network without encryption, and that we want to apply ppolicy.schema on the LDAP server.

Last edited by allinduke; 09-19-2011 at 07:45 AM.
 
Old 09-19-2011, 09:43 AM   #4
allinduke
Original Poster
Some more details from my side:

I played around again with the settings and put "ssl start_tls" in /etc/ldap.conf and "TLS_CACERT /path_to_crt/ca.crt" into /etc/openldap/ldap.conf.

Entering

Code:
ldapsearch -x -h server-IP -D "cn=Manager,dc=mydomain,dc=com" -w *secretPW*  -b "dc=mydomain,dc=com" 'uid=*' -ZZ
gives the following in the server log:

Code:
Sep 19 16:33:00 centos6 slapd[29915]: conn=52 fd=14 ACCEPT from IP=client-IP:38818 (IP=0.0.0.0:389)
Sep 19 16:33:00 centos6 slapd[29915]: conn=52 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Sep 19 16:33:00 centos6 slapd[29915]: conn=52 op=0 STARTTLS
Sep 19 16:33:00 centos6 slapd[29915]: conn=52 op=0 RESULT oid= err=0 text=
Sep 19 16:33:00 centos6 slapd[29915]: conn=52 fd=14 TLS established tls_ssf=256 ssf=256
Sep 19 16:33:00 centos6 slapd[29915]: conn=52 op=1 BIND dn="cn=Manager,dc=mydomain,dc=com" method=128
Sep 19 16:33:00 centos6 slapd[29915]: conn=52 op=1 BIND dn="cn=Manager,dc=mydomain,dc=com" mech=SIMPLE ssf=0
Sep 19 16:33:00 centos6 slapd[29915]: conn=52 op=1 RESULT tag=97 err=0 text=
Sep 19 16:33:00 centos6 slapd[29915]: conn=52 op=2 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(uid=bg*)"
Sep 19 16:33:00 centos6 slapd[29915]: conn=52 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 19 16:33:00 centos6 slapd[29915]: conn=52 op=3 UNBIND
Sep 19 16:33:00 centos6 slapd[29915]: conn=52 fd=14 closed
Entering

Code:
ldapsearch -x -H ldaps://server-IP:636 -D "cn=Manager,dc=mydomain,dc=com" -w *secretPW*  -b "dc=mydomain,dc=com" 'uid=*'
results in

Code:
Sep 19 16:34:28 centos6 slapd[29915]: conn=53 fd=14 ACCEPT from IP=client-IP:53899 (IP=0.0.0.0:636)
Sep 19 16:34:28 centos6 slapd[29915]: conn=53 fd=14 TLS established tls_ssf=256 ssf=256
Sep 19 16:34:28 centos6 slapd[29915]: conn=53 op=0 BIND dn="cn=Manager,dc=mydomain,dc=com" method=128
Sep 19 16:34:28 centos6 slapd[29915]: conn=53 op=0 BIND dn="cn=Manager,dc=mydomain,dc=com" mech=SIMPLE ssf=0
Sep 19 16:34:28 centos6 slapd[29915]: conn=53 op=0 RESULT tag=97 err=0 text=
Sep 19 16:34:28 centos6 slapd[29915]: conn=53 op=1 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(uid=bg*)"
Sep 19 16:34:28 centos6 slapd[29915]: conn=53 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 19 16:34:28 centos6 slapd[29915]: conn=53 op=2 UNBIND
Sep 19 16:34:28 centos6 slapd[29915]: conn=53 fd=14 closed
So I'm pretty sure the server side is OK, as both ldapsearches succeeded.

But still, when I try to log in to the client system, the server logs show me:

Code:
Sep 19 16:41:54 centos6 slapd[29915]: conn=58 fd=14 ACCEPT from IP=client-IP:33840 (IP=0.0.0.0:389)
Sep 19 16:41:54 centos6 slapd[29915]: conn=58 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Sep 19 16:41:54 centos6 slapd[29915]: conn=58 op=0 STARTTLS
Sep 19 16:41:54 centos6 slapd[29915]: conn=58 op=0 RESULT oid= err=0 text=
Sep 19 16:41:54 centos6 slapd[29915]: conn=58 fd=14 closed (TLS negotiation failure)
Sep 19 16:41:54 centos6 slapd[29915]: conn=59 fd=14 ACCEPT from IP=client-IP:33841 (IP=0.0.0.0:389)
Sep 19 16:41:54 centos6 slapd[29915]: conn=59 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Sep 19 16:41:54 centos6 slapd[29915]: conn=59 op=0 STARTTLS
Sep 19 16:41:54 centos6 slapd[29915]: conn=59 op=0 RESULT oid= err=0 text=
Sep 19 16:41:54 centos6 slapd[29915]: conn=59 fd=14 closed (TLS negotiation failure)
Sep 19 16:41:56 centos6 slapd[29915]: conn=60 fd=14 ACCEPT from IP=client-IP:33842 (IP=0.0.0.0:389)
Sep 19 16:41:56 centos6 slapd[29915]: conn=60 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Sep 19 16:41:56 centos6 slapd[29915]: conn=60 op=0 STARTTLS
Sep 19 16:41:56 centos6 slapd[29915]: conn=60 op=0 RESULT oid= err=0 text=
Sep 19 16:41:59 centos6 slapd[29915]: conn=60 fd=14 closed (TLS negotiation failure)
Help appreciated.

Thanks in advance.

allinduke

Last edited by allinduke; 09-19-2011 at 09:46 AM.
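The two slapd traces above differ in one detail: on 636 the line "TLS established" appears right after ACCEPT, while on 389 the client asks for STARTTLS and the connection is then closed with "TLS negotiation failure" before any BIND is attempted. The following triage helper is an added example, not code from this thread; it groups slapd log lines per connection and reports, for each, whether it was ldaps, STARTTLS or plaintext and whether the handshake completed. The sample log lines are constructed from the ones quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the slapd lines quoted in this thread: one
# STARTTLS attempt on 389 that fails, one ldaps:// session on 636 that succeeds.
SAMPLE_LOG = """\
Sep 19 16:41:54 centos6 slapd[29915]: conn=58 fd=14 ACCEPT from IP=client-IP:33840 (IP=0.0.0.0:389)
Sep 19 16:41:54 centos6 slapd[29915]: conn=58 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Sep 19 16:41:54 centos6 slapd[29915]: conn=58 op=0 STARTTLS
Sep 19 16:41:54 centos6 slapd[29915]: conn=58 op=0 RESULT oid= err=0 text=
Sep 19 16:41:54 centos6 slapd[29915]: conn=58 fd=14 closed (TLS negotiation failure)
Sep 19 16:34:28 centos6 slapd[29915]: conn=53 fd=14 ACCEPT from IP=client-IP:53899 (IP=0.0.0.0:636)
Sep 19 16:34:28 centos6 slapd[29915]: conn=53 fd=14 TLS established tls_ssf=256 ssf=256
Sep 19 16:34:28 centos6 slapd[29915]: conn=53 op=0 BIND dn="cn=Manager,dc=mydomain,dc=com" mech=SIMPLE ssf=0
Sep 19 16:34:28 centos6 slapd[29915]: conn=53 fd=14 closed
"""

LINE_RE = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
ACCEPT_RE = re.compile(r"ACCEPT from IP=\S+ \(IP=[\d.]+:(?P<port>\d+)\)")

def triage(log_text):
    """Group slapd lines per connection and record how TLS went on each."""
    conns = defaultdict(lambda: {"port": None, "starttls": False, "tls": False, "failure": False, "bind_dn": None})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        c, rest = conns[int(m.group("conn"))], m.group("rest")
        a = ACCEPT_RE.search(rest)
        if a:
            c["port"] = int(a.group("port"))        # 636 = ldaps, 389 = plain or STARTTLS
        elif rest.endswith(" STARTTLS"):            # the EXT oid=1.3.6.1.4.1.1466.20037 op
            c["starttls"] = True
        elif "TLS established" in rest:             # tls_ssf is the TLS strength; ssf=0 on a
            c["tls"] = True                         # later SIMPLE bind is the SASL layer only
        elif "TLS negotiation failure" in rest:
            c["failure"] = True
        elif "BIND dn=" in rest and "mech=" in rest:
            c["bind_dn"] = rest.split('dn="')[1].split('"')[0]
    return dict(conns)

def explain(c):
    mode = ("ldaps (implicit TLS)" if c["port"] == 636
            else "STARTTLS on 389" if c["starttls"] else "plaintext")
    if c["failure"]:
        return f"{mode}: handshake failed before any bind; check the client's CA file and TLS_REQCERT"
    if c["tls"]:
        return f"{mode}: TLS established" + (f", bound as {c['bind_dn']}" if c["bind_dn"] else "")
    return f"{mode}: no TLS on this connection"
```

Run `triage()` over a real slapd log (loglevel stats) to get one record per conn= number; a "handshake failed" verdict means the problem is on the TLS layer, so bind DN and password are not yet involved.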
 
Old 09-20-2011, 07:05 AM   #5
cendryon
Hi

To achieve a TLS connection from a second host, I had to complete ldap.conf and .ldaprc on that host.

In /etc/openldap/ldap.conf, I added:
Code:
# start TLS
SSL ON

# Acceptable client CA
TLS_CACERT /etc/ssl/certs/ca_clients.crt
#TLS_CACERTDIR /etc/ssl/certs
TLS_REQCERT allow
and in the user's .ldaprc:
Code:
#
# User specific LDAP settings
#

HOST server-dns-name
BINDDN dc=example,dc=com

# Override global directive (if set)
TLS_REQCERT demand

# client authentication
TLS_CERT /home/ldap-user/.ssl/certs/client_ldap.crt
TLS_KEY /home/ldap-user/.ssl/private/client_ldap.key
Then an ldapsearch TLS connection to the base port (389) succeeds, with my client certificate authenticated:
Code:
$ ldapsearch -x -D "cn=Manager,dc=tigres,dc=ls" '(objectclass=*)' -W -ZZ
Enter PEM pass phrase:
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 3
result: 32 No such object

# numResponses: 1
Even if it's considered obsolete, I used the following howto, as that part of the LDAP client and server configuration for TLS is in accordance with the OpenLDAP FAQ-O-Matic:
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html
http://www.openldap.org/faq/data/cache/185.html

Last but not least, I use different CAs, with the same root CA, for the server and the client certificates:
Code:
CA_root -> CA_servers -> ldap server certificate
        -> CA_clients -> ldap client certificate
Cheers
 
Old 09-20-2011, 09:38 AM   #6
allinduke
Original Poster
Thx for the help so far.

Can you please show me what your /etc/ldap.conf looks like? I'm on OpenSUSE, so this is probably nss_ldap.conf and pam_ldap.conf on your system.

I hope I will finally manage to get it to work tomorrow, when I have some more time to do some testing on LDAP with TLS.

allinduke
 
Old 09-21-2011, 01:23 AM   #7
cendryon
Hi

I'm on Slackware, so ldap.conf is the standard /etc/openldap/ldap.conf, and I don't have PAM in my way.

Here's the content:
Code:
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

# directory root
BASE dc=example,dc=com
# Space separated list of server(s) FQDN or IP
URI ldap://server-dns-name.example.lan

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# start TLS
SSL ON

# Acceptable client CA
TLS_CACERT /etc/ssl/certs/ca_clients.crt
#TLS_CACERTDIR /etc/ssl/certs
# Ask for server certificate
#TLS_REQCERT ([demand],never,allow,try)
TLS_REQCERT demand
Cheers
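The client configs in this thread move from ldaps:// with "TLS_REQCERT allow" (and, at one point, "ssl start_tls" on top of it) to TLS_CACERT plus "TLS_REQCERT demand". The checker below is an added example, not code from the thread or from OpenLDAP; it parses ldap.conf / pam_ldap-style key-value lines (handling both the TLS_CACERT and tls_cacertfile spellings seen above) and flags the combinations the thread ran into: STARTTLS requested on an ldaps:// URI, a reqcert level that skips server verification, and verification enabled without a CA file. The sample configs and hostname are constructed placeholders.

```python
import re

# Constructed samples, modelled on the client configs quoted in this thread:
# the starting point (ldaps:// + "ssl start_tls" + TLS_REQCERT allow) and the later fix.
WEAK_CONF = """\
uri     ldaps://ldap-server.example.lan
base    dc=mydomain,dc=com
ssl     start_tls
TLS_REQCERT allow
"""
FIXED_CONF = """\
URI ldaps://ldap-server.example.lan
BASE dc=mydomain,dc=com
TLS_CACERT /etc/ssl/certs/ca.crt
TLS_REQCERT demand
"""

def parse_ldap_conf(text):
    """ldap.conf / pam_ldap style 'KEY value' lines; keys are case-insensitive."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        conf[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return conf

def check_tls(conf):
    """Return (severity, message) findings for the TLS-related settings."""
    findings = []
    schemes = {u.split("://", 1)[0].lower() for u in conf.get("uri", "").split()}
    ssl = conf.get("ssl", "").lower()                      # pam_ldap/nss_ldap: on | off | start_tls
    reqcert = conf.get("tls_reqcert", "demand").lower()    # ldap.conf(5) default is demand
    cacert = conf.get("tls_cacert") or conf.get("tls_cacertfile") or conf.get("tls_cacertdir")
    if "ldaps" in schemes and ssl == "start_tls":
        findings.append(("error", "ssl start_tls with an ldaps:// URI: STARTTLS is the port-389 "
                                  "upgrade, ldaps:// already wraps the whole session in TLS"))
    if "ldap" in schemes and ssl != "start_tls":
        findings.append(("warn", "ldap:// URI without ssl start_tls: unless the client requests "
                                 "STARTTLS itself (ldapsearch -ZZ), simple binds send the password in clear"))
    if reqcert in ("never", "allow"):
        findings.append(("error", f"TLS_REQCERT {reqcert}: the server certificate is not "
                                  "verified, so an impostor server is not detected"))
    elif reqcert == "try":
        findings.append(("warn", "TLS_REQCERT try: a server presenting no certificate is accepted"))
    if reqcert in ("try", "demand", "hard") and not cacert:
        findings.append(("error", "certificate verification is on but no TLS_CACERT/tls_cacertfile "
                                  "is set; a private CA like the one in this thread will not verify"))
    return findings
```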
 
Old 09-21-2011, 09:35 AM   #8
allinduke
Original Poster
Thx for your help, I appreciate it.

Finally got TLS working.


allinduke
 
Old 09-21-2011, 02:13 PM   #9
cendryon
You're welcome

As they say, don't forget to mark this thread [SOLVED] (under "Thread tools" at the top)

Cheers
 
Old 02-21-2012, 01:08 PM   #10
sd_davis
What did you do to SOLVE it!!!


Help, same deal here...
 
  

