LinuxQuestions.org

Linux - Server: open LDAP + TLS/SSL bind Failed. (https://www.linuxquestions.org/questions/linux-server-73/open-ldap-tls-ssl-bind-failed-903306/)

sheelavantar 09-16-2011 02:55 AM

open LDAP + TLS/SSL bind Failed.
 
Hi,
I am trying to configure an LDAP client/server on two Fedora 10 Linux machines.

I have installed and configured openldap-2.4.26 server on one machine and pam_ldap-186, nss_ldap-265 on the other machine.

I have created the TLS certificates using the following command on the server.

openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 3650

and I have created the client.pem by copying the CERTIFICATE portion of the server.pem.

When my client tries to connect to the server I get the following errors.

TLS trace: SSL3 alert read:fatal:unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
connection_read(12): TLS accept failure error=-1 id=1012, closing
connection_closing: readying conn=1012 sd=12 for close
connection_close: conn=1012 sd=12
daemon: removing 12
conn=1012 fd=12 closed (TLS negotiation failure)

My Configurations are as follows.

slapd.conf

access to attrs=userPassword
by self write
by anonymous auth
by * none

access to *
by * read

#TLS Certificate section
TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
TLSCACertificateFile /etc/openldap/cacerts/server.pem
TLSCertificateFile /etc/openldap/cacerts/server.pem
TLSCertificateKeyFile /etc/openldap/cacerts/server.pem
TLSVerifyClient allow

and the client-side ldap.conf

base dc=samsung,dc=com
uri ldaps://10.254.204.181/
TLS_CACERT /etc/openldap/cacerts/client.pem
pam_password md5

nsswitch.conf

passwd: files ldap
shadow: files ldap
group: files ldap

netgroup: files ldap
automount: files ldap

I do not understand why it is saying unknown CA, even though the certificate was created on the server machine itself.

Kindly help me to solve this problem.

GlenOgilvie 09-16-2011 05:39 AM

SSL Cert
 
Hi,

Your SSL cert is not a signed cert. What you've done with that openssl command
is just step 1 in creating valid certs.

"openssl req" creates a signing request, but does not actually sign it. Also,
the request and the key should be different files.

i.e.:
openssl req -newkey rsa:1024 -x509 -nodes -out server.req -keyout server.pem -days 3650

You also need to have an openssl ca, and then sign the server.req file using
openssl x509.

Openssl usually ships with a program called CA.pl, or CA.sh. On my system, it's in:
/etc/pki/tls/misc/CA.pl

If you learn how to use this, it will make it easier for you to create a CA, then sign the certificate.

Regards
Glen Ogilvie

Quote:

Originally Posted by sheelavantar (Post 4473319)
Hi,
I am trying to configure LDAP Client/server on 2 Fedora-10 linux machines.
I have created the TLS certificates using following command on the server.

openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 3650
and I have created the client.pem by copying CERTIFICATE portion of the server.pem.


sheelavantar 09-18-2011 09:03 PM

Hi Glen Ogilvie, thank you very much for your reply.

I followed the steps given at the link below for certificate creation and LDAP TLS/SSL configuration.
http://www.linuxhomenetworking.com/w...he_LDAP_Client

I have CA.sh file in /etc/pki/tls/misc. Please let me know how I can use this to create/sign the certificate.

Please let me know the steps for creating/signing a certificate, if there is any proper document for this please let me know.

Thanks and regards,
Vijay S.

GlenOgilvie 09-18-2011 11:45 PM

Quote:

Originally Posted by sheelavantar (Post 4475602)
I have CA.sh file in /etc/pki/tls/misc. Please let me know how I can use this to create/sign the certificate.

Please let me know the steps for creating/signing a certificate, if there is any proper document for this please let me know.

Hi Vijay S,

Try http://octaldream.com/~scottm/talks/ssl/opensslca.html for some documentation for CA.sh

Official doc: http://www.openssl.org/docs/apps/ca.html

CA.sh is a shell script you run, with specific options to create a CA and to sign certs.

Regards
Glen Ogilvie

sheelavantar 09-19-2011 12:58 AM

Hi Glen Ogilvie,
I have created the Server side certificate properly.
But I couldn't create the client side one. I am not able to understand the step for client side certification creation.

Creating client-side certificates

openssl pkcs12 -export -in certs.pem -inkey certs.key -out file.p12 -name "Client Certificate"

Can I repeat the same steps that I performed on the server side on the client side as well to create the client certificate?

Or can I copy the certificate files created on the server side to the client side?

sheelavantar 09-19-2011 02:12 AM

Thank you very much Glen Ogilvie.

Now my client is able to communicate with the LDAP server using TLS/SSL. I followed the steps given at the link below, which you suggested, copied the server-side created cacert.pem file to the client and specified its path in ldap.conf.
http://octaldream.com/~scottm/talks/ssl/opensslca.html

One more step I was doing wrong: I was giving the IP address in the URI.
I changed "uri ldaps://10.254.204.181/" to "uri ldaps://localhost.localdomain/"

and added the entry for localhost.localdomain in /etc/hosts on both the server and client sides as follows.

10.254.204.181 localhost.localdomain

Thank you very much.

Warm Regards,
Vijay S.

sheelavantar 09-19-2011 02:59 AM

Hi Glen Ogilvie,

On the server side, if I use "TLSVerifyClient demand" then I am not able to authenticate with the server.
I tried copying the server certificate to the client side as well, but that didn't work.

Kindly suggest a solution.

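The thread never shows the certificate workflow end to end, so here is one, as an added example that is not code from the thread or from any of its posters. It does with plain openssl what Glen's CA.sh advice amounts to: a private CA, a server certificate signed by it, and a client certificate signed by it (the piece that "TLSVerifyClient demand" in the last post needs), and then checks each file the way libldap will: chain to the CA, and hostname or IP against the certificate, which is what was really behind the IP-versus-hostname fix in the URI. The hostname ldap.example.com, the working directory, the subjects and the validity periods are assumptions; the IP address is the one from the thread and is only used as a subjectAltName. The hostname and IP checks use `openssl verify -verify_hostname` / `-verify_ip`, which assume OpenSSL 1.1 or newer.

```shell
#!/bin/sh
# Added example, not code from the thread: build a private CA, sign a server and a
# client certificate for OpenLDAP TLS, then verify chain, hostname and IP the way
# libldap does. Hostname, paths and subjects below are assumptions for the example.
set -eu

WORK="${WORK:-$(mktemp -d)}"
LDAP_HOST="${LDAP_HOST:-ldap.example.com}"   # assumed name clients will use in ldaps://
LDAP_IP="${LDAP_IP:-10.254.204.181}"         # IP from the thread, added to the SAN too

# Minimal OpenSSL config so the result does not depend on the distro's openssl.cnf.
write_conf() {
    cat > "$WORK/openssl.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$LDAP_HOST, IP:$LDAP_IP
[client_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# The self-signed CA: the only certificate clients (TLS_CACERT) and slapd
# (TLSCACertificateFile) should trust. Its key never leaves the signing host.
make_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example LDAP CA" -config "$WORK/openssl.cnf" -extensions ca_ext \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Key + CSR for an end entity, then a CA-signed certificate. Key and cert stay in
# separate files; the CSR is never what gets installed.
issue_cert() {   # issue_cert <name> <subject> <extension-section>
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
        -config "$WORK/openssl.cnf" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$WORK/openssl.cnf" -extensions "$3" \
        -out "$WORK/$1.pem" 2>/dev/null
}

# True if the certificate carries basicConstraints CA:TRUE, i.e. may act as a trust anchor.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Chain check: what the client does with TLS_REQCERT demand, and slapd with TLSVerifyClient demand.
verify_chain() {
    openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
}

# Name checks: libldap also matches the host in the ldaps:// URI against the server cert.
verify_server_hostname() {
    openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" "$WORK/server.pem" >/dev/null 2>&1
}
verify_server_ip() {
    openssl verify -CAfile "$WORK/ca.pem" -verify_ip "$1" "$WORK/server.pem" >/dev/null 2>&1
}

main() {
    write_conf
    make_ca
    issue_cert server "/CN=$LDAP_HOST" server_ext
    issue_cert client "/CN=ldap-client-1" client_ext
    is_ca_cert "$WORK/ca.pem"     && echo "ca.pem is a CA certificate: use it as TLS_CACERT"
    is_ca_cert "$WORK/server.pem" || echo "server.pem is an end-entity cert, not a CA"
    verify_chain "$WORK/server.pem" && echo "server.pem chains to ca.pem"
    verify_chain "$WORK/client.pem" && echo "client.pem chains to ca.pem (TLSVerifyClient demand)"
    verify_server_hostname "$LDAP_HOST" && echo "ldaps://$LDAP_HOST/ will match server.pem"
    verify_server_ip "$LDAP_IP"         && echo "ldaps://$LDAP_IP/ will match too (IP SAN)"
    verify_server_hostname localhost.localdomain || echo "localhost.localdomain is not in the cert"
    echo "files written to $WORK"
}

main
```

Where the files go: ca.pem is TLSCACertificateFile in slapd.conf and TLS_CACERT in the client's ldap.conf (not a copy of server.pem); server.pem and server.key are TLSCertificateFile and TLSCertificateKeyFile; client.pem and client.key are what "TLSVerifyClient demand" requires the client to present, configured as TLS_CERT and TLS_KEY, which libldap only honours in a per-user ~/.ldaprc, while nss_ldap and pam_ldap take tls_cert and tls_key in their own ldap.conf. Two caveats on the thread's configuration: putting the real hostname (or IP) in the certificate's subjectAltName removes the need for the /etc/hosts mapping to localhost.localdomain, and a TLSCipherSuite containing +SSLv2:+SSLv3 re-enables protocol versions that should stay disabled.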
