/etc/ldap/ldap.conf file is ignored if i use SSL

Hello

I have installed a Debian etch server with OpenLDAP as ldap server.

# slapd -VV @(#) $OpenLDAP: slapd 2.3.30 (Mar 9 2007 06:10:06) $ buildd@excelsior:/build/buildd/openldap2.3-2.3.30/debian/build/servers/slapd

# ldapsearch -VV ldapsearch: @(#) $OpenLDAP: ldapsearch 2.3.30 (Mar 9 2007 06:09:26) $ buildd@excelsior:/build/buildd/openldap2.3-2.3.30/debian/build/clients/tools (LDAP library: OpenLDAP 20330)

I have config my ldap server and client as followed.

# ls -all /etc/default/slapd -rw-r--r-- 1 root root 162 2007-08-16 10:27 /etc/default/slapd

# cat /etc/default/slapd SLAPD_CONF= SLAPD_USER="openldap" SLAPD_GROUP="openldap" SLAPD_PIDFILE= SLURPD_START=auto SLAPD_SERVICES="ldap://0.0.0.0:389/" SLAPD_OPTIONS="" SLURPD_OPTIONS=""

# ls -all /etc/ldap/slapd.conf -rw------- 1 root root 1202 2007-08-16 10:41 /etc/ldap/slapd.conf

# cat /etc/ldap/slapd.conf include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/samba.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args loglevel 256 modulepath /usr/lib/ldap moduleload back_bdb sizelimit 500 tool-threads 1 backend bdb checkpoint 512 30 database bdb suffix "dc=riha,dc=home" rootdn "cn=Manager,dc=riha,dc=home" directory "/var/lib/ldap" dbconfig set_cachesize 0 2097152 0 dbconfig set_lk_max_objects 1500 dbconfig set_lk_max_locks 1500 dbconfig set_lk_max_lockers 1500 index objectClass eq lastmod on access to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=riha,dc=home" write by anonymous auth by self write by * none access to dn.base="" by * read access to * by dn="cn=Manager,dc=riha,dc=home" write by * read access to attrs=userPassword,sambaNTPassword,sambaLMPassword by self write by anonymous auth by * none rootpw {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# ls -all ldap.conf -rw-r--r-- 1 root root 65 2007-08-16 11:00 ldap.conf

# cat ldap.conf BASE dc=riha,dc=home URI ldap://0.0.0.0:389/ HOST 192.168.1.100

Everything work fine.

# ldapsearch -x "(&(objectClass=posixAccount)(uid=stefan))" # extended LDIF # # LDAPv3 # base <> with scope subtree # filter: (&(objectClass=posixAccount)(uid=stefan)) # requesting: ALL #

# stefan, Users, riha.home dn: uid=stefan,ou=Users,dc=riha,dc=home objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount objectClass: sambaSamAccount cn: stefan sn: stefan givenName: stefan uid: stefan uidNumber: 1001 gidNumber: 513 homeDirectory: /home/stefan loginShell: /bin/bash gecos: System User sambaLogonTime: 0 sambaLogoffTime: 2147483647 sambaKickoffTime: 2147483647 sambaPwdCanChange: 0 displayName: System User sambaSID: S-1-5-21-1222799212-533558969-2148455424-3002 sambaPrimaryGroupSID: S-1-5-21-1222799212-533558969-2148455424-513 sambaLogonScript: logon.bat sambaProfilePath: \samba\profiles\stefan sambaHomePath: \samba\stefan sambaHomeDrive: H: sambaLMPassword: 618728E26F93449D613E9293942509F0 sambaAcctFlags: [U] sambaNTPassword: 48503E58AB7D0FC63BB5256C90D4C94C sambaPwdLastSet: 1186529591 sambaPwdMustChange: 1190417591

# search result search: 2 result: 0 Success

# numResponses: 2 # numEntries: 1

Aug 16 11:16:44 pluto slapd[18138]: conn=0 fd=10 ACCEPT from IP=192.168.1.100:60615 (IP=0.0.0.0:389) Aug 16 11:16:44 pluto slapd[18138]: conn=0 op=0 BIND dn="" method=128 Aug 16 11:16:44 pluto slapd[18138]: conn=0 op=0 RESULT tag=97 err=0 text= Aug 16 11:16:44 pluto slapd[18138]: conn=0 op=1 SRCH base="dc=riha,dc=home" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=stefan))" Aug 16 11:16:44 pluto slapd[18138]: <= bdb_equality_candidates: (uid) index_param failed (18) Aug 16 11:16:45 pluto slapd[18138]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= Aug 16 11:16:45 pluto slapd[18138]: conn=0 op=2 UNBIND Aug 16 11:16:45 pluto slapd[18138]: conn=0 fd=10 closed

But now i want to use SSL to secure the connection.

First i create a ssl cert.

#openssl req -newkey rsa:2048 -x509 -nodes -out ldap-server.pem -keyout ldap-server.pem -days 730

# ls -all /etc/ldap/ldap-server.pem -rw-r----- 1 root openldap 3025 2007-08-11 21:59 /etc/ldap/ldap-server.pem

I have modified the config for my ldap server and client as followed.

# cat /etc/default/slapd SLAPD_CONF= SLAPD_USER="openldap" SLAPD_GROUP="openldap" SLAPD_PIDFILE= SLURPD_START=auto SLAPD_SERVICES="ldaps://0.0.0.0:636/" SLAPD_OPTIONS="" SLURPD_OPTIONS=""

# cat /etc/ldap/slapd.conf include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/samba.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args loglevel 256 modulepath /usr/lib/ldap moduleload back_bdb sizelimit 500 tool-threads 1 backend bdb checkpoint 512 30 database bdb suffix "dc=riha,dc=home" rootdn "cn=Manager,dc=riha,dc=home" directory "/var/lib/ldap" dbconfig set_cachesize 0 2097152 0 dbconfig set_lk_max_objects 1500 dbconfig set_lk_max_locks 1500 dbconfig set_lk_max_lockers 1500 index objectClass eq lastmod on TLSCertificateFile /etc/ldap/ldap-server.pem TLSCertificateKeyFile /etc/ldap/ldap-server.pem TLSCACertificateFile /etc/ldap/ldap-server.pem TLSVerifyClient allow access to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=riha,dc=home" write by anonymous auth by self write by * none access to dn.base="" by * read access to * by dn="cn=Manager,dc=riha,dc=home" write by * read access to attrs=userPassword,sambaNTPassword,sambaLMPassword by self write by anonymous auth by * none rootpw {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# cat /etc/ldap/ldap.conf BASE dc=riha,dc=home URI ldaps://0.0.0.0:636/ HOST 192.168.1.100 TLS_CACERT /etc/ldap/ldap-server.pem TLS_CERT /etc/ldap/ldap-server.pem TLS_KEY /etc/ldap/ldap-server.pem TLS_REQCERT allow

But now i have the following ploblem

# ldapsearch -x "(&(objectClass=posixAccount)(uid=stefan))" -H ldaps://192.168.1.100:636/ ldap_bind: Can't contact LDAP server (-1) additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

Aug 16 13:43:45 pluto slapd[18235]: conn=0 fd=10 ACCEPT from IP=192.168.1.100:49149 (IP=0.0.0.0:636) Aug 16 13:43:45 pluto slapd[18235]: conn=0 fd=10 closed (TLS negotiation failure)

The cert seems to be ok

# openssl s_client -connect 192.168.1.100:636 -CAfile /etc/ldap/ldap-server.pem -cert /etc/ldap/ldap-server.pem -key /etc/ldap/ldap-server.pem -state CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL_connect:SSLv3 read server hello A depth=0 /C=AT/ST=Austria/O=Home/CN=192.168.1.100 verify return:1 SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server certificate request A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client certificate A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write certificate verify A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL_connect:SSLv3 read finished A --- Certificate chain 0 s:/C=AT/ST=Austria/O=Home/CN=192.168.1.100 i:/C=AT/ST=Austria/O=Home/CN=192.168.1.100 --- Server certificate -----BEGIN CERTIFICATE----- .............................................................. -----END CERTIFICATE----- subject=/C=AT/ST=Austria/O=Home/CN=192.168.1.100 issuer=/C=AT/ST=Austria/O=Home/CN=192.168.1.100 --- Acceptable client certificate CA names /C=AT/ST=Austria/O=Home/CN=192.168.1.100 --- SSL handshake has read 1202 bytes and written 1682 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 2048 bit Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES256-SHA Session-ID: 947C2BE5F94D1DFDF734C037404209BAB417252D2633A73A9F016A38A2DC09D8 Session-ID-ctx: Master-Key: DDD638xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Key-Arg : None Start Time: 1187257722 Timeout : 300 (sec) Verify return code: 0 (ok) ---

Aug 16 11:48:42 pluto slapd[18177]: conn=0 fd=10 ACCEPT from IP=192.168.1.100:39847 (IP=0.0.0.0:636) Aug 16 11:48:42 pluto slapd[18177]: conn=0 fd=10 TLS established tls_ssf=256 ssf=256 Aug 16 11:49:00 pluto slapd[18177]: conn=0 fd=10 closed (connection lost)

My last idea was to copy the ldap client config file to the user ldap client config file.

# cp /etc/ldap/ldap.conf ~/.ldaprc

# ls -all ~/.ldaprc -rw-r--r-- 1 root root 192 2007-08-16 11:51 /root/.ldaprc

# ldapsearch -x "(&(objectClass=posixAccount)(uid=stefan))" -H ldaps://192.168.1.100:636/ # extended LDIF # # LDAPv3 # base <> with scope subtree # filter: (&(objectClass=posixAccount)(uid=stefan)) # requesting: ALL #

# stefan, Users, riha.home dn: uid=stefan,ou=Users,dc=riha,dc=home objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount objectClass: sambaSamAccount cn: stefan sn: stefan givenName: stefan uid: stefan uidNumber: 1001 gidNumber: 513 homeDirectory: /home/stefan loginShell: /bin/bash gecos: System User sambaLogonTime: 0 sambaLogoffTime: 2147483647 sambaKickoffTime: 2147483647 sambaPwdCanChange: 0 displayName: System User sambaSID: S-1-5-21-1222799212-533558969-2148455424-3002 sambaPrimaryGroupSID: S-1-5-21-1222799212-533558969-2148455424-513 sambaLogonScript: logon.bat sambaProfilePath: \samba\profiles\stefan sambaHomePath: \samba\stefan sambaHomeDrive: H: sambaLMPassword: 618728E26F93449D613E9293942509F0 sambaAcctFlags: [U] sambaNTPassword: 48503E58AB7D0FC63BB5256C90D4C94C sambaPwdLastSet: 1186529591 sambaPwdMustChange: 1190417591

# search result search: 2 result: 0 Success

# numResponses: 2 # numEntries: 1

Aug 16 13:44:34 pluto slapd[18247]: conn=0 fd=10 ACCEPT from IP=192.168.1.100:49162 (IP=0.0.0.0:636) Aug 16 13:44:34 pluto slapd[18247]: conn=0 fd=10 TLS established tls_ssf=256 ssf=256 Aug 16 13:44:34 pluto slapd[18247]: conn=0 op=0 BIND dn="" method=128 Aug 16 13:44:34 pluto slapd[18247]: conn=0 op=0 RESULT tag=97 err=0 text= Aug 16 13:44:34 pluto slapd[18247]: conn=0 op=1 SRCH base="dc=riha,dc=home" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=stefan))" Aug 16 13:44:34 pluto slapd[18247]: <= bdb_equality_candidates: (uid) index_param failed (18) Aug 16 13:44:34 pluto slapd[18247]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= Aug 16 13:44:34 pluto slapd[18247]: conn=0 op=2 UNBIND Aug 16 13:44:34 pluto slapd[18247]: conn=0 fd=10 closed

Now it works but i have two questions: 1) Why is my ldap.conf ignored when i use SSL? 2) Why must i use the option "-H ldaps://192.168.1.100:636/" when using SSL?

Stefan Riha