LinuxQuestions.org
Old 02-21-2014, 08:17 AM   #1
bluethundr
Member
 
Registered: Jun 2003
Location: Summit, NJ
Distribution: CentOS 5.4
Posts: 144

openldap SSL problem


Hello,

I am attempting to set up openldap using SSL connections. I've used the following tutorial, which seemed pretty straightforward.


http://easylinuxtutorials.blogspot.c...ap-server.html

But when I go to use client side tools (on the same host as the ldap server) I get the following error:

Code:
[root@puppet:/etc/puppet] #ldapsearch -x -h ldap -b "dc=mydomain,dc=com" sub "objectclass=*"
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
In my slapd.conf and in my /etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif files I have the following entry:

Code:
TLSCACertificateFile /etc/pki/CA/certs/ca.crt
TLSCertificateFile /etc/pki/tls/certs/ldap.crt
TLSCertificateKeyFile /etc/pki/tls/private/ldap.key
In my /etc/openldap/ldap.conf file I have the following:

Code:
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

#TLS_CACERTDIR  /etc/openldap/certs
TLS_CACERT      /etc/pki/CA/certs
ssl             start_tls
TLS_REQCERT     allow
BASE            dc=mydomain,dc=com
URI             ldaps://puppet.mydomain.com
HOST            xx.xx.xx.xx
I'm not sure where the problem lies exactly. But I would really love for this to be solved. Been banging my head against this for days at this point.

Also I don't see a problem with the ca cert or the ldap.crt in the config. I've included text file versions of my slapd.conf olcDatabase, and output of openssl x509 -in $certfile -noout -text commands for both certs as text files.
Attached Files
File Type: txt olcDatabase.txt (821 Bytes, 30 views)
File Type: txt slapd.txt (4.7 KB, 31 views)
File Type: txt cert.txt (5.1 KB, 42 views)

Last edited by bluethundr; 02-21-2014 at 09:26 PM.
 
Old 02-22-2014, 03:11 AM   #2
sag47
Senior Member
 
Registered: Sep 2009
Location: Raleigh, NC
Distribution: Ubuntu, PopOS, Raspbian
Posts: 1,899
Blog Entries: 36

I'm not an expert on LDAP but have you tried testing the connectivity to the LDAP server using telnet or openssl? You can use openssl to verify the certificates as well.

Code:
telnet puppet.mydomain.com 636
timeout 3 openssl s_client -CApath /etc/ssl/certs -servername puppet.mydomain.com -connect puppet.mydomain.com:636
The -CApath will allow openssl to validate the certificates. -servername is for Server Name Indication (SNI) which is usually associated with using Apache virtual hosts with SSL but I included it for the sake of being thorough. To learn more about the arguments see "man s_client". That is to say can you connect to the port? When you connect to the port do you get a validated certificate?

View the certificate information on that port as well....

Code:
timeout 3 openssl s_client -connect puppet.mydomain.com:636 < /dev/null | openssl x509 -text | less
That will convert the remote certificate information into a human readable format. Is the certificate what you expect? Is the common name of the certificate puppet.mydomain.com? To learn more about the arguments see "man x509".

Also, by providing your certificate you have provided the name of your server. Perhaps you'll want to edit that (the same could be said about your other attachments)? Assuming your host is what is in your certificate you have many ports open but the ldapssl port 636 is not one of them.

If you're using your LDAP command as you describe, perhaps try the following command.

Code:
ldapsearch -x -H 'ldaps://puppet.mydomain.com' -b "dc=mydomain,dc=com" -s sub "objectclass=*"

Last edited by sag47; 02-22-2014 at 03:17 AM.
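A scripted version of the connectivity and certificate check sag47 describes, added here as an example and not code from the thread: it reports which layer fails (TCP connect, TLS handshake, or CA/hostname verification), the distinction that raw s_client output blurs. Host, port and CA path are constructed defaults taken from the thread, and note that the CA must be a PEM file, not a directory.

```python
import socket
import ssl

# Constructed defaults taken from the thread; adjust to your own deployment.
# The CA must be a PEM *file* (the ldap.conf above points TLS_CACERT at a directory).
DEFAULT_HOST = "puppet.mydomain.com"
DEFAULT_PORT = 636
DEFAULT_CAFILE = "/etc/pki/CA/certs/ca.crt"


def classify_error(exc):
    """Map the exception from a failed probe to the layer that broke."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "cert_verify_failed"      # TLS answered, but CA chain or hostname check failed
    if isinstance(exc, (ssl.SSLError, ConnectionResetError)):
        return "tls_handshake_failed"    # TCP connected, no usable TLS handshake came back
    if isinstance(exc, ConnectionRefusedError):
        return "tcp_refused"             # nothing listening on the port
    if isinstance(exc, (TimeoutError, socket.timeout)):
        return "tcp_timeout"             # filtered by a firewall, or host not answering
    if isinstance(exc, socket.gaierror):
        return "dns_failed"              # hostname does not resolve
    return "other_error"


def check_ldaps(host=DEFAULT_HOST, port=DEFAULT_PORT, cafile=DEFAULT_CAFILE, timeout=3.0):
    """Open a TCP connection, complete a TLS handshake and verify the server's
    certificate against cafile (chain and hostname). Returns a result dict."""
    try:
        ctx = ssl.create_default_context(cafile=cafile)   # trusts only this CA
    except OSError as exc:                                # missing, unreadable or not a PEM file
        return {"status": "ca_file_unreadable", "detail": str(exc)}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"status": "ok", "protocol": tls.version(),
                        "subject": dict(rdn[0] for rdn in cert["subject"])}
    except Exception as exc:
        return {"status": classify_error(exc), "detail": str(exc)}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_HOST
    print(check_ldaps(target))
```

A result of tls_handshake_failed with the TCP connect succeeding matches the "read 0 bytes" s_client output later in this thread: the port answers, but nothing completes a TLS handshake on it.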
 
Old 02-22-2014, 06:43 AM   #3
bluethundr
Member
 
Registered: Jun 2003
Location: Summit, NJ
Distribution: CentOS 5.4
Posts: 144

Original Poster
openldap ssl problem

Quote:
Originally Posted by sag47
I'm not an expert on LDAP but have you tried testing the connectivity to the LDAP server using telnet or openssl? You can use openssl to verify the certificates as well.

Code:
telnet puppet.mydomain.com 636
timeout 3 openssl s_client -CApath /etc/ssl/certs -servername puppet.mydomain.com -connect puppet.mydomain.com:636


The -CApath will allow openssl to validate the certificates. -servername is for Server Name Indication (SNI) which is usually associated with using Apache virtual hosts with SSL but I included it for the sake of being thorough. To learn more about the arguments see "man s_client". That is to say can you connect to the port? When you connect to the port do you get a validated certificate?

View the certificate information on that port as well....
Thanks for your reply! Telnet can connect to port 636:

Code:
[bluethundr@vbox:~] #telnet puppet.mydomain.com 636
Trying xxx.xxx.xx.xxx...
Connected to puppet.mydomain.com.
Escape character is '^]'.
^]

telnet> quit
Connection closed.
However, I can't seem to feed this command the correct path. Either that or the cert I'm trying to give it is invalid.

First I tried pointing it at the directory where the cert is located:

Code:
[bluethundr@vbox:~] #timeout 3 openssl s_client -CApath /etc/pki/CA/certs -servername puppet.mydomain.com -connect puppet.mydomain.com:636
CONNECTED(00000003)
3073743112:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 253 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

And it fails as above. The command also fails when I give it the full path to the cert:

Code:
[bluethundr@vbox:~] #timeout 3 openssl s_client -CApath /etc/pki/CA/certs/ca.crt  -servername puppet.jokefire.com -connect puppet.mydomain.com:636
CONNECTED(00000003)
3073378568:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 253 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
Quote:
Originally Posted by sag47
Code:
timeout 3 openssl s_client -connect puppet.mydomain.com:636 < /dev/null | openssl x509 -text | less
That will convert the remote certificate information into a human readable format. Is the certificate what you expect? Is the common name of the certificate puppet.mydomain.com? To learn more about the arguments see "man x509".
Hmmm... it seems that the certificate may in fact be invalid according to what I see here:

Code:
[bluethundr@vbox:~] #timeout 3 openssl s_client -connect puppet.mydomain.com:636 < /dev/null | openssl x509 -text | less
3073956104:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
unable to load certificate
3073603848:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
Quote:
Originally Posted by sag47
Also, by providing your certificate you have provided the name of your server. Perhaps you'll want to edit that (the same could be said about your other attachments)? Assuming your host is what is in your certificate you have many ports open but the ldapssl port 636 is not one of them.
WHOOPS!!! I'll try not to make that mistake again!

Quote:
Originally Posted by sag47
If you're using your LDAP command as you describe, perhaps try the following command.

Code:
ldapsearch -x -H 'ldaps://puppet.mydomain.com' -b "dc=mydomain,dc=com" -s sub "objectclass=*"
And as you might expect, given the nature of the cert, this command also fails:

Code:
[root@puppet:/etc/puppet] #ldapsearch -x -H 'ldaps://puppet.mydomain.com' -b "dc=mydomain,dc=com" sub "objectclass=*"
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
But the fact that the cert would be bad is a little troubling. This is the method I used to generate both the ca and the ldap server certs:

Code:
Create CA key
1) openssl genrsa -des3 -out ca.key 4096

Create CA cert
2) openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

Create director1 key and certificate signing request
3) openssl genrsa -des3 -out director1key.key 4096
4) openssl req -new -key director1key.key -out director1.csr   (the key written in step 3; director1.key only exists after step 8)

Sign the director1 certificate
5) openssl x509 -req -days 3650 -in director1.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out director1.crt

Don't know if it is necessary, but converted .crt to .pem
6) openssl x509 -in director1.crt -out director1.pem
7) openssl x509 -in ca.crt -out ca.pem

Really important! Remove the password from the director1 private key
8) openssl rsa -in director1key.key -out director1.key
Where the term 'director' substitutes for the name of your cert (in my case ldap.crt).

This is puzzling also in light of the fact that other apache related certs I have created this way work just fine. But I suppose one thing I need to try is to recreate the cert. I'll give that a shot and let the thread know how it goes.
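An offline check of the cert/key/CA triple that steps 1-8 produce, added as an example rather than anything from the tutorial or the thread: it serves the cert on a loopback socket and connects to it as a client that trusts only ca.crt and expects the URI hostname, so a key that still has its passphrase, a cert not signed by that CA, and a CN/SAN that does not match the host each fail with a distinct message. The file paths and hostname are assumptions taken from the slapd.conf and ldap.conf quoted earlier; run it as a user that can read the key.

```python
import socket
import ssl
import threading

# Assumed paths and hostname, taken from the slapd.conf and ldap.conf quoted above.
CAFILE = "/etc/pki/CA/certs/ca.crt"
CERTFILE = "/etc/pki/tls/certs/ldap.crt"
KEYFILE = "/etc/pki/tls/private/ldap.key"
HOSTNAME = "puppet.mydomain.com"


def loopback_tls_check(cafile=CAFILE, certfile=CERTFILE, keyfile=KEYFILE, hostname=HOSTNAME):
    """Serve certfile/keyfile on 127.0.0.1 and connect to it as a client that trusts
    only cafile and expects `hostname`. Returns a status string for the outcome."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        # An empty password callback makes a still-encrypted key fail instead of
        # prompting: the same problem slapd hits if step 8 above was skipped.
        server_ctx.load_cert_chain(certfile, keyfile, password=lambda: b"")
    except OSError as exc:                     # includes ssl.SSLError (key/cert mismatch)
        return "server_cert_or_key_unusable: %s" % exc
    try:
        client_ctx = ssl.create_default_context(cafile=cafile)   # chain + hostname checks
    except OSError as exc:
        return "ca_file_unreadable: %s" % exc
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))            # loopback only, ephemeral port
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve_once():
        try:
            conn, _ = listener.accept()
            with server_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1)                    # hold the session until the client closes
        except Exception:
            pass                               # the client side reports the failure

    worker = threading.Thread(target=serve_once, daemon=True)
    worker.start()
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=3) as raw:
            with client_ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return "ok: %s, subject %s" % (tls.version(), tls.getpeercert()["subject"])
    except ssl.SSLCertVerificationError as exc:
        return "client_rejected_cert: %s" % exc.verify_message  # wrong CA or name mismatch
    except ssl.SSLError as exc:
        return "handshake_failed: %s" % exc
    finally:
        listener.close()
        worker.join(3)
```

An "ok" result means the three files are consistent with each other and with the hostname in the ldaps:// URI; it says nothing about whether slapd is actually listening with them, which is what the s_client probe covers.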
 
Old 02-22-2014, 06:56 AM   #4
bluethundr
Member
 
Registered: Jun 2003
Location: Summit, NJ
Distribution: CentOS 5.4
Posts: 144

Original Poster
Ok, so I gave recreating the cert pair a shot, and without any luck. As mentioned the ca cert pair is one I've used successfully before with apache certs. Here are the steps I took:

Code:
openssl genrsa -des3 -out ldap.key 4096
openssl req -new -key ldap.key -out ldap.csr
# -set_serial 01 was already used for the earlier cert from this CA; each cert a CA signs should get a unique serial
openssl x509 -req -days 3650 -in ldap.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out ldap.crt
# remove the passphrase in place so slapd can load the key without prompting
openssl rsa -in ldap.key -out ldap.key
Here are the permissions on the cert pair:

Code:
[root@puppet:~/ldap-cert] #ls -l /etc/pki/*/* | grep ldap 
-r-------- 1 ldap root   1911 Feb 22 07:50 ldap.crt
-r-------- 1 ldap root 3243 Feb 22 07:50 ldap.key

Still getting no joy at all:

Code:
[root@puppet:~/ldap-cert] #ldapsearch -x -b "dc=mydomain,dc=com" -H ldaps://puppet.mydomain.com
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
I'd really appreciate any advice anyone may have.

Thanks
 
Old 02-22-2014, 07:39 PM   #5
sag47
Senior Member
 
Registered: Sep 2009
Location: Raleigh, NC
Distribution: Ubuntu, PopOS, Raspbian
Posts: 1,899
Blog Entries: 36

telnet can't negotiate SSL. I gave you that command to test connectivity only. If you wish to speak raw protocol then you can think of openssl s_client as telnet for SSL. In any case, are you sure your client has the certificate authority cert installed on the client? The -CApath arg of s_client can be pointed anywhere so if you have a directory for the cert you can point it there instead. In any case, can't contact LDAP server is not a very descriptive error.

I doubt your current problem is related to SSL. You would see error messages like described in this thread. It still sounds like a connectivity problem. Try using strace or turning up the verbosity of the client. Use tail -f on the server logs while you're connecting to see if the server is logging a connection at all.
 
  

