LinuxQuestions.org

Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 09-16-2011, 03:55 AM   #1
sheelavantar
Member
 
Registered: Aug 2010
Posts: 69

Rep: Reputation: 1
open LDAP + TLS/SSL bind Failed.


Hi,
I am trying to configure an LDAP client/server on two Fedora 10 Linux machines.

I have installed and configured the openldap-2.4.26 server on one machine and pam_ldap-186, nss_ldap-265 on the other machine.

I have created the TLS certificates using the following command on the server.

openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 3650

and I have created the client.pem by copying the CERTIFICATE portion of the server.pem.

When my client tries to connect to the server I get the following errors.

TLS trace: SSL3 alert read:fatal:unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
connection_read(12): TLS accept failure error=-1 id=1012, closing
connection_closing: readying conn=1012 sd=12 for close
connection_close: conn=1012 sd=12
daemon: removing 12
conn=1012 fd=12 closed (TLS negotiation failure)

My configurations are as follows.

slapd.conf

access to attrs=userPassword
by self write
by anonymous auth
by * none

access to *
by * read

#TLS Certificate section
TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
TLSCACertificateFile /etc/openldap/cacerts/server.pem
TLSCertificateFile /etc/openldap/cacerts/server.pem
TLSCertificateKeyFile /etc/openldap/cacerts/server.pem
TLSVerifyClient allow

and client side ldap.conf

base dc=samsung,dc=com
uri ldaps://10.254.204.181/
TLS_CACERT /etc/openldap/cacerts/client.pem
pam_password md5

nsswitch.conf

passwd: files ldap
shadow: files ldap
group: files ldap

netgroup: files ldap
automount: files ldap

I am not getting why it is saying unknown CA, even though the certificate was created on the server machine itself.

Kindly help me to solve this problem.
 
Old 09-16-2011, 06:39 AM   #2
GlenOgilvie
LQ Newbie
 
Registered: Dec 2010
Location: Auckland, New Zealand
Distribution: Mandriva
Posts: 3

Rep: Reputation: 0
SSL Cert

Hi,

Your SSL cert is not a signed cert. What you've done with that openssl command
is just step 1 in creating valid certs.

"openssl req" creates a signing request, but does not actually sign it. Also,
the request and the key should be different files.

I.e.:
openssl req -newkey rsa:1024 -x509 -nodes -out server.req -keyout server.pem -days 3650

You also need to have an openssl ca, and then sign the server.req file using
openssl x509.

OpenSSL usually ships with a program called CA.pl or CA.sh. On my system, it's in:
/etc/pki/tls/misc/CA.pl

If you learn how to use this, it will make it easier for you to create a CA, then sign the certificate.

Regards
Glen Ogilvie

Quote:
Originally Posted by sheelavantar
Hi,
I am trying to configure an LDAP client/server on two Fedora 10 Linux machines.
I have created the TLS certificates using the following command on the server.

openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 3650
and I have created the client.pem by copying the CERTIFICATE portion of the server.pem.
 
Old 09-18-2011, 10:03 PM   #3
sheelavantar
Member
 
Registered: Aug 2010
Posts: 69

Original Poster
Rep: Reputation: 1
Hi Glen Ogilvie, thank you very much for your reply.

I followed the steps given in the link below for certificate creation and LDAP TLS/SSL configuration.
http://www.linuxhomenetworking.com/w...he_LDAP_Client

I have the CA.sh file in /etc/pki/tls/misc. Please let me know how I can use this to create/sign the certificate.

Please let me know the steps for creating/signing a certificate; if there is any proper document for this, please let me know.

Thanks and Regards,
Vijay S.

Last edited by sheelavantar; 09-18-2011 at 10:43 PM.
 
Old 09-19-2011, 12:45 AM   #4
GlenOgilvie
LQ Newbie
 
Registered: Dec 2010
Location: Auckland, New Zealand
Distribution: Mandriva
Posts: 3

Rep: Reputation: 0
Quote:
Originally Posted by sheelavantar
I have the CA.sh file in /etc/pki/tls/misc. Please let me know how I can use this to create/sign the certificate.

Please let me know the steps for creating/signing a certificate; if there is any proper document for this, please let me know.
Hi Vijay S,

Try http://octaldream.com/~scottm/talks/ssl/opensslca.html for some documentation for CA.sh

Official doc: http://www.openssl.org/docs/apps/ca.html

CA.sh is a shell script you run, with specific options to create a CA and to sign certs.

Regards
Glen Ogilvie
 
Old 09-19-2011, 01:58 AM   #5
sheelavantar
Member
 
Registered: Aug 2010
Posts: 69

Original Poster
Rep: Reputation: 1
Hi Glen Ogilvie,
I have created the server-side certificate properly.
But I couldn't create the client-side one. I am not able to understand the step for client-side certificate creation.

Code:
Creating client-side certificates

openssl pkcs12 -export -in certs.pem -inkey certs.key -out file.p12 -name "Client Certificate"

Can I repeat the same steps which I performed on the server side at the client side also, to create the client certificate?

Or can I copy the certificate files created at the server side to the client side?
 
Old 09-19-2011, 03:12 AM   #6
sheelavantar
Member
 
Registered: Aug 2010
Posts: 69

Original Poster
Rep: Reputation: 1
Thank you very much Glen Ogilvie.

Now my client is able to communicate with the LDAP server using TLS/SSL. I followed the steps given in the link below which you suggested, copied the cacert.pem file created on the server side to the client, and specified the path in ldap.conf.
http://octaldream.com/~scottm/talks/ssl/opensslca.html

One more step I was doing wrong: I was giving the IP address in the URI.
I changed "uri ldaps://10.254.204.181/" to "uri ldaps://localhost.localdomain/"

and added the entry for localhost.localdomain in /etc/hosts at both server and client side as follows.

10.254.204.181 localhost.localdomain

Thank you very much.

Warm Regards,
Vijay S.
 
Old 09-19-2011, 03:59 AM   #7
sheelavantar
Member
 
Registered: Aug 2010
Posts: 69

Original Poster
Rep: Reputation: 1
Hi Glen Ogilvie,

At the server side if I use "TLSVerifyClient demand" then I am not able to authenticate with server.
I tried copying the server certificate to the client side also. But didn't work.

Kindly suggest a solution.
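The thread resolves into three pieces: a CA that signs the server certificate (posts #2 and #4), the CA certificate copied to the client as TLS_CACERT (post #6), and, for "TLSVerifyClient demand" (post #7), a client certificate that the server can chain to a CA it trusts. The script below is an added example, not code from the thread or from the pages it links to. It builds a small private CA with plain openssl commands instead of CA.sh, issues a server and a client certificate, and then runs the two checks an LDAP client applies to the server certificate: does it chain to the CA file it trusts, and does it name the host in the URI. The "unknown CA" alert in the first post is the client's side of a failed chain check, which the self-signed certificate in the script reproduces offline. All hostnames, subject names and directories are constructed for the demonstration; 10.254.204.181 is the address quoted in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or the pages it links to.
# Builds a private CA, signs one server and one client certificate with it,
# then runs the checks an LDAP client performs on a server certificate.
# Every hostname, subject and path here is constructed for the demonstration.
set -eu

LDAP_HOST="ldap.example.test"          # constructed; the name the client's URI must use
CLIENT_NAME="ldap-client.example.test" # constructed; identity for TLSVerifyClient demand

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
write_req_config() {
    cat > "$1/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
EOF
}

# The CA: a key and a self-signed certificate explicitly marked CA:TRUE.
make_ca() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" \
        -subj "/CN=Example LDAP CA" -keyout "$1/ca.key" -out "$1/ca.csr" 2>/dev/null
    printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' \
        > "$1/ca.ext"
    openssl x509 -req -in "$1/ca.csr" -signkey "$1/ca.key" -days 3650 \
        -extfile "$1/ca.ext" -out "$1/ca.pem" 2>/dev/null
}

# A leaf certificate issued by the CA: $2 file stem, $3 CN,
# $4 extendedKeyUsage (serverAuth or clientAuth), $5 subjectAltName list.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" \
        -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature,keyEncipherment\nextendedKeyUsage = %s\nsubjectAltName = %s\n' \
        "$4" "$5" > "$1/$2.ext"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -days 825 -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
}

# The thread's starting point: a one-step self-signed certificate with no CA behind it.
make_selfsigned() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -config "$1/req.cnf" \
        -subj "/CN=$LDAP_HOST" -keyout "$1/selfsigned.key" -out "$1/selfsigned.pem" \
        -days 365 2>/dev/null
}

# Chain check: does certificate $2 verify against the trust file $1?
verifies_against_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# Name checks: does certificate $2 cover DNS name $3 / IP address $3?
matches_hostname()    { openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; }
matches_ip()          { openssl verify -CAfile "$1" -verify_ip "$3" "$2" >/dev/null 2>&1; }

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
write_req_config "$DEMO_DIR"
make_ca "$DEMO_DIR"
issue_cert "$DEMO_DIR" server "$LDAP_HOST" serverAuth "DNS:$LDAP_HOST"
issue_cert "$DEMO_DIR" client "$CLIENT_NAME" clientAuth "DNS:$CLIENT_NAME"
make_selfsigned "$DEMO_DIR"

# Print yes/no for a check without aborting under set -e.
report() { if "$@"; then echo yes; else echo no; fi; }

echo "server.pem chains to ca.pem:     $(report verifies_against_ca "$DEMO_DIR/ca.pem" "$DEMO_DIR/server.pem")"
echo "client.pem chains to ca.pem:     $(report verifies_against_ca "$DEMO_DIR/ca.pem" "$DEMO_DIR/client.pem")"
echo "selfsigned.pem chains to ca.pem: $(report verifies_against_ca "$DEMO_DIR/ca.pem" "$DEMO_DIR/selfsigned.pem")"
echo "server.pem valid for $LDAP_HOST: $(report matches_hostname "$DEMO_DIR/ca.pem" "$DEMO_DIR/server.pem" "$LDAP_HOST")"
echo "server.pem valid for bare IP 10.254.204.181 (no IP SAN): $(report matches_ip "$DEMO_DIR/ca.pem" "$DEMO_DIR/server.pem" 10.254.204.181)"
```

The files map onto the directives in the thread as follows: on the server, ca.pem is TLSCACertificateFile, server.pem is TLSCertificateFile and server.key is TLSCertificateKeyFile (the thread's configuration points all three at one file, which only works while that file is its own CA). On the client, ca.pem is what TLS_CACERT should point to; for "TLSVerifyClient demand" the client additionally needs client.pem and client.key, configured as TLS_CERT and TLS_KEY in OpenLDAP's ldap.conf (nss_ldap and pam_ldap read tls_cert and tls_key from their own ldap.conf). The last two checks are why the URI matters: a certificate that carries only a DNS name cannot be validated against a URI that names the server by bare IP, so the name in "uri ldaps://.../" has to be one the certificate was issued for.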
 