LinuxQuestions.org
Old 05-28-2008, 05:59 AM   #1
one71
ProFTP + LDAP + SSL (LDAPServer 1.2.3.4:636)


Hello,

I have a problem configuring ProFTP to use LDAP over SSL (i.e. ldaps on port 636).

In short:
  • ProFTP without TLS (TLSEngine off) DOES authenticate with LDAP without SSL (LDAPServer 1.2.3.4:389)
  • ProFTP with TLS (TLSEngine on, path to the ftp-ssl certificates) DOES authenticate with LDAP without SSL (LDAPServer 1.2.3.4:389)
  • ProFTP with TLS (TLSEngine on, path to the ftp-ssl certificates) DOES NOT authenticate with LDAP with SSL (LDAPUseTLS on; LDAPServer 1.2.3.4:636)


If I look in the logs I see that the ProFTP Server connects to the LDAP server on the correct port, the LDAP server accepts the connection but the TLS fails!

In principle for me it is obvious, because in the ProFTP configuration I do give the path to the FTP-SSL certificates and keys but I do not input any path for the LDAP-SSL certificates and keys, i.e. in my opinion it cannot work like this.

So my question is how to make it work? As I have said in my opinion the key point is to be able to set the path where the ProFTP server finds the certificates for the LDAP server.

I do not find any hint whatsoever in the net.


The steps I have done:

LDAP Server:
  • The LDAP Server IP (say) 1.2.3.4
  • The LDAP Server listens to port 636 (ldaps) and port (ldap).
  • I have created a certificate for the LDAP server (slapd.pem, slapd.key)
  • The LDAP server itself is fully functioning on both ldap and ldaps (for example ldaps with apache ok)


ProFTP Server:
  • The ProFTP Server IP (say) 5.6.7.8
  • I have created a certificate for the ProFTP server (ftp2.pem, ftp2.key)
  • I have copied locally the certificates of the LDAP server (slapd.pem, slapd.key)

This is the ProFTP configuration (mod_tls and mod_ldap parts)

Code:
<IfModule mod_tls.c>
TLSEngine                       on
TLSLog                          /ftp2/logs/tls.log
TLSProtocol                     SSLv23
TLSOptions                      NoCertRequest
TLSRSACertificateFile           /ftp2/conf/ssl_certs/ftp2.pem
TLSRSACertificateKeyFile        /ftp2/conf/ssl_certs/ftp2.key
TLSCACertificateFile            /ftp2/conf/ssl_certs/ftp2.pem
TLSVerifyClient                 off
TLSRequired                     on
TLSRenegotiate                  required off
</IfModule>

<IfModule mod_ldap.c>
#LDAPServer    1.2.3.4:389

LDAPUseTLS  on
LDAPServer    1.2.3.4:636

LDAPDoAuth     on "ou=bbb,dc=aaa,dc=de" "(&(uid=%v)(objectclass=posixAccount))"

LDAPDNInfo "uid=1234,dc=aaa,dc=de" root

## Require that an incoming user can successfully bind to the LDAPServer.
LDAPAuthBinds     on

LDAPDoUIDLookups   on "ou=bbb,dc=aaa,dc=de"

LDAPSearchScope subtree

</IfModule>
Both LDAP server and ProFTP (proftp-ldap) server are:
Code:
Linux version 2.6.18-6-amd64 (Debian 2.6.18.dfsg.1-18etch1) (waldi@debian.org) (gcc version 4.1.2 20061115 (prerelease) (Debian 4.1.1-21)) #1 SMP Sun Feb 10 17:50:19 UTC 2008
OpenLDAP server (slapd)
Code:
dpkg -l | grep slapd
ii  slapd                             2.3.30-5+etch1
I have used the ProFTP with precompiled LDAP (proftp-ldap)
Code:
dpkg -l | grep proftp
ii  proftpd                           1.3.0-19                             Versatile, virtual-hosting FTP daemon
ii  proftpd-ldap                      1.3.0-19                             Versatile, virtual-hosting FTP daemon
Error in /var/log/syslog from slapd

Code:
May 27 10:54:05 ftp1test slapd[7323]: daemon: activity on 1 descriptor
May 27 10:54:05 ftp1test slapd[7323]: daemon: listen=9, new connection on 19
May 27 10:54:05 ftp1test slapd[7323]: daemon: added 19r (active) listener=(nil)
May 27 10:54:05 ftp1test slapd[7323]: conn=106 fd=19 ACCEPT from IP=5.6.7.8:42564 (IP=0.0.0.0:636)
May 27 10:54:05 ftp1test slapd[7323]: daemon: select: listen=6 active_threads=0 tvp=NULL
May 27 10:54:05 ftp1test slapd[7323]: daemon: select: listen=7 active_threads=0 tvp=NULL
May 27 10:54:05 ftp1test slapd[7323]: daemon: select: listen=8 active_threads=0 tvp=NULL
May 27 10:54:05 ftp1test slapd[7323]: daemon: select: listen=9 active_threads=0 tvp=NULL
May 27 10:54:05 ftp1test slapd[7323]: daemon: activity on 1 descriptor
May 27 10:54:05 ftp1test slapd[7323]: daemon: activity on:
May 27 10:54:05 ftp1test slapd[7323]:  19r
May 27 10:54:05 ftp1test slapd[7323]:
May 27 10:54:05 ftp1test slapd[7323]: daemon: read activity on 19
May 27 10:54:05 ftp1test slapd[7323]: daemon: removing 19
May 27 10:54:05 ftp1test slapd[7323]: conn=106 fd=19 closed (TLS negotiation failure)
Please help, I need to close up a project and this is crucial.

Thanks.
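As an added example (not part of the thread), a short Python script that correlates slapd's ACCEPT and closed lines by connection id, so each TLS negotiation failure in a log like the one above can be tied to the client address and the listener port it hit; the sample lines are constructed from the excerpt in the post plus a made-up clean connection for contrast.

```python
import re

# Constructed sample modelled on the slapd syslog excerpt in the post: conn=106
# reproduces the poster's failing ldaps connection from 5.6.7.8, conn=107 is a
# made-up healthy plain-LDAP bind on port 389 added for contrast.
SAMPLE_LOG = """\
May 27 10:54:05 ftp1test slapd[7323]: conn=106 fd=19 ACCEPT from IP=5.6.7.8:42564 (IP=0.0.0.0:636)
May 27 10:54:05 ftp1test slapd[7323]: daemon: read activity on 19
May 27 10:54:05 ftp1test slapd[7323]: conn=106 fd=19 closed (TLS negotiation failure)
May 27 10:55:12 ftp1test slapd[7323]: conn=107 fd=20 ACCEPT from IP=5.6.7.8:42571 (IP=0.0.0.0:389)
May 27 10:55:12 ftp1test slapd[7323]: conn=107 op=0 BIND dn="uid=1234,dc=aaa,dc=de" method=128
May 27 10:55:12 ftp1test slapd[7323]: conn=107 op=0 RESULT tag=97 err=0 text=
May 27 10:55:13 ftp1test slapd[7323]: conn=107 fd=20 closed
"""

# ACCEPT carries client and listener addresses; "closed" may carry a reason.
ACCEPT_RE = re.compile(r"conn=(?P<conn>\d+) fd=\d+ ACCEPT from IP=(?P<ip>[\d.]+):"
                       r"(?P<cport>\d+) \(IP=[\d.]+:(?P<lport>\d+)\)")
CLOSE_RE = re.compile(r"conn=(?P<conn>\d+) fd=\d+ closed(?: \((?P<reason>[^)]*)\))?\s*$")


def parse_connections(log_text):
    """Correlate ACCEPT and closed lines by conn id; close_reason is None
    when the connection closed cleanly."""
    conns = {}
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            conns[m["conn"]] = {"client": m["ip"], "client_port": int(m["cport"]),
                                "listener_port": int(m["lport"]), "close_reason": None}
            continue
        m = CLOSE_RE.search(line)
        if m and m["conn"] in conns:
            conns[m["conn"]]["close_reason"] = m["reason"]
    return conns


def tls_failures(log_text):
    """(client_ip, listener_port, reason) for every close with a TLS reason,
    so each failure can be tied to the listener the client was talking to."""
    return [(c["client"], c["listener_port"], c["close_reason"])
            for c in parse_connections(log_text).values()
            if c["close_reason"] and "TLS" in c["close_reason"]]


if __name__ == "__main__":
    for ip, port, reason in tls_failures(SAMPLE_LOG):
        print(f"{ip} -> :{port}  {reason}")
```

A TLS negotiation failure on the :636 listener means the handshake never completed, so the next thing to look at is the client side of that handshake (which CA file the LDAP client library on the ProFTPD host trusts, and whether it sends a TLS handshake or a StartTLS request to that port).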
 
Old 05-29-2008, 06:00 PM   #2
pinniped
You seem a bit confused about how certificates work. The simplest situation goes like this:

1. There must be a ROOT certificate - you can issue one yourself by setting up your own 'Certificate Authority' (CA). The client and server both need a copy of the 'root' certificate and this file should only contain the certificate. 'pem' files are the most convenient to use.

2. The client/server must have a certificate that was signed by the CA. These certificates should contain the Private Key and the signed certificate.

Usually the server requests the client to provide credentials (so the server can reject unauthorized requests), but on the internet we find things a bit backwards - the clients are requesting the server to provide credentials so the client can be reasonably confident that they aren't having information and money stolen from them. You can always set up so that both client and server ask each other for credentials.


3. The client and server need to know where to find the root certificate or the directory of root certificates (after all, there are quite a few 'trusted' public CAs).

4. The server needs to know where its server certificate is, and the client needs to know where its client certificate is.



And that's the simplest situation. You can complicate things via a 'certificate chain', but that is probably not your situation. So question #1: Why are you using LDAP +TLS? Is it so the client knows it can trust your server (the case of web browsers), so the server knows it can trust the client, or do you require 2-way credential checks?

2: did you create a CA and provide the client/server with (different) signed certificates as needed?
 
Old 06-02-2008, 04:08 AM   #3
one71
Hi,

I do not think I am confused about how certificates work.

I have a certificate chain as you said.
  • The client (filezilla for example) connects to the ProFTP Server via SSL: it needs to know the certificate of the ProFTP Server (the connection is manual, i.e. I can either copy once and for all the certificate of the ProFTP on the client or I can accept the certificate each time manually)
  • The ProFTP Server needs to have for itself a certificate: this is the certificate the filezilla needs to know. At this point I have secured the connection client -> ProFTP.
  • The ProFTP server sends the credentials for login (authentication/authorisation), which it has received from the filezilla client, to the LDAP Server via SSL: the credentials are NOT on the ProFTP Server but on the LDAP Server. This means the ProFTP server needs to know (this time acting "as client") the certificate of the LDAP Server, and since the connection is automatic, in order for the ProFTP Server to use the LDAP Server certificate the only way is to
    • Copy the LDAP Server certificate on the ProFTP Server
    • Set in the ProFTP Server configuration the path to the LDAP Server certificate copied locally
  • At this point I have secured the connection ProFTP -> LDAP


As you see it is a 2 way SSL with 2 certificates:

filezilla (acting as client for ProFTP) ->SSL(cert_ftp)-> ProFTP (acting as server for filezilla, cert_ftp)
ProFTP (acting as client for LDAP) ->SSL(cert_LDAP)-> LDAP (acting as server for the ProFTP, cert_LDAP).

This is exactly what you do with apache (and it works):
  • Create a certificate for apache on the apache server
  • Create a certificate for LDAP on the LDAP server
  • Copy the LDAP server certificate locally on the apache server
  • configure in the following way the apache virtual host

Code:
SSLMutex default
SSLRandomSeed startup builtin
SSLSessionCache none

#LDAP
LDAPTrustedGlobalCert CA_BASE64 /apache/conf/ssl_certs/slapd.pem

NameVirtualHost 9.10.11.12:443
<VirtualHost 9.10.11.12:443>

        SSLEngine On
        SSLCertificateFile /apache/conf/ssl_certs/apache.pem
        SSLCertificateKeyFile /apache/conf/ssl_certs/apache.key

        ServerAdmin webmaster@localhost

        DocumentRoot /apache/home/
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /apache/home/eps-upload>
                Options Indexes FollowSymLinks MultiViews ExecCGI
                AllowOverride None
                Order allow,deny
                allow from all

      AuthLDAPURL ldaps://1.2.3.4:636/ou=bbb,dc=aaa,dc=de?uid?sub?(objectClass=*)


     AuthType basic
     AuthBasicProvider ldap
     AuthLDAPBindDN "uid=1234,dc=aaa,dc=de"
     AuthLDAPBindPassword "root"
     AuthzLDAPAuthoritative off
     AuthName "Restricted LDAPS Area: 1.2.3.4"
     require valid-user

        </Directory>

        ErrorLog /apache/logs/error.log
        LogLevel warn

        CustomLog /apache/logs/access.log combined
        ServerSignature Off

</VirtualHost>
As you see I give the apache cert path (in green), AND the LDAP cert path (red). I can set in the settings of the ProFTP server the equivalent as the green part, I do not find a way to set the equivalent of the red part.

Any idea?
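As an added example (not the poster's code), a Python check for the two things the thread turns on: pinniped's rule that a trust-store file holds certificates only while an identity file holds certificate plus key, and the "red part" for ProFTPD, which on the assumption that proftpd-ldap's mod_ldap links against the OpenLDAP client library is the TLS_CACERT line in that library's ldap.conf (/etc/ldap/ldap.conf on Debian). The file paths in the usage comment are assumptions taken from the thread.

```python
import re

# Labels of every PEM block in a file, in order (e.g. ["CERTIFICATE"]).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def pem_labels(text):
    return PEM_BLOCK.findall(text)


def trust_store_problems(text):
    """The CA file a client verifies the server against should hold
    certificates only; a private key in it is a leak, not a feature."""
    labels = pem_labels(text)
    problems = []
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    if any(l.endswith("PRIVATE KEY") for l in labels):
        problems.append("private key present in trust store")
    return problems


def identity_problems(cert_text, key_text=""):
    """A server or client identity needs its certificate plus its private key,
    in one file or split (ProFTPD's TLSRSACertificateFile/KeyFile layout)."""
    labels = pem_labels(cert_text) + pem_labels(key_text)
    problems = []
    if "CERTIFICATE" not in labels:
        problems.append("certificate missing")
    if not any(l.endswith("PRIVATE KEY") for l in labels):
        problems.append("private key missing")
    return problems


def tls_cacert_from_ldap_conf(text):
    """TLS_CACERT in the OpenLDAP client ldap.conf names the trust store
    libldap uses for TLS to the LDAP server (assumed: mod_ldap uses libldap)."""
    m = re.search(r"^\s*TLS_CACERT\s+(\S+)", text, re.M)
    return m.group(1) if m else None


if __name__ == "__main__":
    import sys  # usage: audit.py /etc/ldap/ldap.conf ftp2.pem ftp2.key (paths are assumptions)
    conf, cert, key = (open(p).read() for p in sys.argv[1:4])
    ca = tls_cacert_from_ldap_conf(conf)
    print("trust store:", trust_store_problems(open(ca).read()) if ca else "TLS_CACERT unset")
    print("identity:", identity_problems(cert, key))
```

If TLS_CACERT already points at the CA that signed slapd's certificate and the handshake still fails, check whether the client is sending StartTLS (plain LDAP port) or a direct TLS handshake (ldaps port): they are different protocols, and a StartTLS request sent to the ldaps port never completes the handshake.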
 
  

