Hello everybody, I am quite new to LDAP and I am testing locally before setting up a new server. Unencrypted connections are all right, but I have no success with TLS connections.
My box, a laptop, runs Debian Etch; the OpenLDAP version is 2.3.30 (the packages installed are ldap-utils, libldap-2.3-0, libldap2 and slapd).
If needed, I can give more details, but basically I followed these steps:

1) a. set up a local certification authority (CA)
   b. created a certificate for the LDAP server, signed by my CA; I took care that the Common Name is the server FQDN.

2) a. In /etc/default/slapd, I wrote
         SLAPD_SERVICES="ldap://arwen.grenier.ambre:389/ ldaps://arwen.grenier.ambre:636/"
      (where arwen.grenier.ambre is my laptop FQDN)
   b. In /etc/ldap/slapd.conf, according to where my files are, I wrote:
         TLSCACertificateFile /etc/ldap/certificates/cacert.pem
         TLSCertificateFile /etc/ldap/certificates/servercert.pem
         TLSCertificateKeyFile /etc/ldap/certificates/serverkey.pem
         TLSVerifyClient never
   c. In /etc/ldap/ldap.conf, I wrote:
         TLS_CACERT /etc/ldap/certificates/cacert.pem
         TLS_REQCERT never
I have read in the OpenLDAP admin guide that the TLS_REQCERT default value is "demand", but it isn't compulsory, is it?
The request

   ldapsearch -H ldap://arwen.grenier.ambre -x -D "cn=root,dc=irem,dc=univ-lille1,dc=fr" -w secret -ZZ

seems all right as it returns all the directory entries, but in syslog (I put "loglevel 15" in slapd.conf) I have the following (I added some comments to easily spot the possible errors):
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor
Apr 18 23:15:25 localhost slapd[6727]: >>> slap_listener(ldap://arwen.grenier.ambre:389/)
Apr 18 23:15:25 localhost slapd[6727]: daemon: listen=6, new connection on 11
Apr 18 23:15:25 localhost slapd[6727]: daemon: added 11r (active) listener=(nil)
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6 active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7 active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on:
Apr 18 23:15:25 localhost slapd[6727]: 11r
Apr 18 23:15:25 localhost slapd[6727]:
Apr 18 23:15:25 localhost slapd[6727]: daemon: read activity on 11
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11)
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11): got connid=8
Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): checking for input on id=8
### PROBLEM ???
Apr 18 23:15:25 localhost slapd[6727]: ber_get_next on fd 11 failed errno=11 (Resource temporarily unavailable)
###
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6 active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7 active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: do_extended
Apr 18 23:15:25 localhost slapd[6727]: do_extended: oid=1.3.6.1.4.1.1466.20037
Apr 18 23:15:25 localhost slapd[6727]: send_ldap_extended: err=0 oid= len=0
Apr 18 23:15:25 localhost slapd[6727]: send_ldap_response: msgid=1 tag=120 err=0
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on:
Apr 18 23:15:25 localhost slapd[6727]: 11r
Apr 18 23:15:25 localhost slapd[6727]:
Apr 18 23:15:25 localhost slapd[6727]: daemon: read activity on 11
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11)
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11): got connid=8
Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): checking for input on id=8
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6 active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7 active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on:
Apr 18 23:15:25 localhost slapd[6727]: 11r
Apr 18 23:15:25 localhost slapd[6727]:
Apr 18 23:15:25 localhost slapd[6727]: daemon: read activity on 11
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11)
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11): got connid=8
Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): checking for input on id=8
### PROBLEM ???
Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): unable to get TLS client DN, error=49 id=8
###
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6 active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7 active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on:
Apr 18 23:15:25 localhost slapd[6727]: 11r
Apr 18 23:15:25 localhost slapd[6727]:
Apr 18 23:15:25 localhost slapd[6727]: daemon: read activity on 11
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11)
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11): got connid=8
Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): checking for input on id=8
Apr 18 23:15:25 localhost slapd[6727]: ber_get_next on fd 11 failed errno=11 (Resource temporarily unavailable)
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6 active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7 active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor
Apr 18 23:15:25 localhost slapd[6727]: daemon: waked
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6 active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7 active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: do_bind
Apr 18 23:15:25 localhost slapd[6727]: >>> dnPrettyNormal: <cn=root,dc=irem,dc=univ-lille1,dc=fr>
Apr 18 23:15:25 localhost slapd[6727]: <<< dnPrettyNormal: <cn=root,dc=irem,dc=univ-lille1,dc=fr>, <cn=root,dc=irem,dc=univ-lille1,dc=fr>
Apr 18 23:15:25 localhost slapd[6727]: do_bind: version=3 dn="cn=root,dc=irem,dc=univ-lille1,dc=fr" method=128
Apr 18 23:15:25 localhost slapd[6727]: ==> bdb_bind: dn: cn=root,dc=irem,dc=univ-lille1,dc=fr
Apr 18 23:15:25 localhost slapd[6727]: do_bind: v3 bind: "cn=root,dc=irem,dc=univ-lille1,dc=fr" to "cn=root,dc=irem,dc=univ-lille1,dc=fr"
Apr 18 23:15:25 localhost slapd[6727]: send_ldap_result: conn=8 op=1 p=3
Apr 18 23:15:25 localhost slapd[6727]: send_ldap_result: err=0 matched="" text=""
Apr 18 23:15:25 localhost slapd[6727]: send_ldap_response: msgid=2 tag=97 err=0
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on:
Apr 18 23:15:25 localhost slapd[6727]: 11r
Apr 18 23:15:25 localhost slapd[6727]:
Apr 18 23:15:25 localhost slapd[6727]: daemon: read activity on 11
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11)
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11): got connid=8
Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): checking for input on id=8
### PROBLEM ???
Apr 18 23:15:25 localhost slapd[6727]: ber_get_next on fd 11 failed errno=11 (Resource temporarily unavailable)
###
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6 active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7 active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor
Apr 18 23:15:25 localhost slapd[6727]: daemon: waked
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6 active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7 active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: do_search
Apr 18 23:15:25 localhost slapd[6727]: >>> dnPrettyNormal: <dc=irem,dc=univ-lille1,dc=fr>
Apr 18 23:15:25 localhost slapd[6727]: <<< dnPrettyNormal: <dc=irem,dc=univ-lille1,dc=fr>, <dc=irem,dc=univ-lille1,dc=fr>
Apr 18 23:15:25 localhost slapd[6727]: SRCH "dc=irem,dc=univ-lille1,dc=fr" 2 0
Apr 18 23:15:25 localhost slapd[6727]: 0 0 0
Apr 18 23:15:25 localhost slapd[6727]: filter: (objectClass=*)
Apr 18 23:15:25 localhost slapd[6727]: attrs:
Apr 18 23:15:25 localhost slapd[6727]:
Apr 18 23:15:25 localhost slapd[6727]: => bdb_search
Apr 18 23:15:25 localhost slapd[6727]: bdb_dn2entry("dc=irem,dc=univ-lille1,dc=fr")
Apr 18 23:15:25 localhost slapd[6727]: search_candidates: base="dc=irem,dc=univ-lille1,dc=fr" (0x00000056) scope=2
Apr 18 23:15:25 localhost slapd[6727]: => bdb_dn2idl("dc=irem,dc=univ-lille1,dc=fr")
Apr 18 23:15:25 localhost slapd[6727]: => bdb_presence_candidates (objectClass)
Apr 18 23:15:25 localhost slapd[6727]: bdb_search_candidates: id=-1 first=1 last=171
Apr 18 23:15:25 localhost slapd[6727]: entry_decode: "dc=nodomain"
Apr 18 23:15:25 localhost slapd[6727]: <= entry_decode(dc=nodomain)
Apr 18 23:15:25 localhost slapd[6727]: => bdb_dn2id("")
Apr 18 23:15:25 localhost slapd[6727]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30990)
Apr 18 23:15:25 localhost slapd[6727]: entry_decode: "cn=admin,dc=nodomain"
Apr 18 23:15:25 localhost slapd[6727]: <= entry_decode(cn=admin,dc=nodomain)
Apr 18 23:15:25 localhost slapd[6727]: => bdb_dn2id("domain")
Apr 18 23:15:25 localhost slapd[6727]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30990)
Apr 18 23:15:25 localhost slapd[6727]: => send_search_entry: conn 8 dn="dc=irem,dc=univ-lille1,dc=fr"
Apr 18 23:15:25 localhost slapd[6727]: <= send_search_entry: conn 8 exit.
[ ... more search results ... ]
Apr 18 23:15:25 localhost slapd[6727]: => send_search_entry: conn 8 dn="uid=arlette.lengaigne,ou=personnes,dc=irem,dc=univ-lille1,dc=fr"
Apr 18 23:15:25 localhost slapd[6727]: <= send_search_entry: conn 8 exit.
Apr 18 23:15:25 localhost slapd[6727]: send_ldap_result: conn=8 op=2 p=3
Apr 18 23:15:25 localhost slapd[6727]: send_ldap_result: err=0 matched="" text=""
Apr 18 23:15:25 localhost slapd[6727]: send_ldap_response: msgid=3 tag=101 err=0
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on:
Apr 18 23:15:25 localhost slapd[6727]: 11r
Apr 18 23:15:25 localhost slapd[6727]:
Apr 18 23:15:25 localhost slapd[6727]: daemon: read activity on 11
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11)
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11): got connid=8
Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): checking for input on id=8
Apr 18 23:15:25 localhost slapd[6727]: ber_get_next on fd 11 failed errno=0 (Success)
Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): input error=-2 id=8, closing.
Apr 18 23:15:25 localhost slapd[6727]: connection_closing: readying conn=8 sd=11 for close
Apr 18 23:15:25 localhost slapd[6727]: connection_close: deferring conn=8 sd=-1
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6 active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7 active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor
Apr 18 23:15:25 localhost slapd[6727]: daemon: waked
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6 active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7 active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: do_unbind
Apr 18 23:15:25 localhost slapd[6727]: connection_resched: attempting closing conn=8 sd=11
Apr 18 23:15:25 localhost slapd[6727]: connection_close: conn=8 sd=-1
Apr 18 23:15:25 localhost slapd[6727]: daemon: removing 11
I am quite sure that my setup is not totally correct as, for instance, I successfully connect to the directory from the phpLDAPadmin web interface without TLS, but can't connect with TLS (or ldaps).
And another question :-) What's the story with TLS_CIPHER_SUITE in ldap.conf and TLSCipherSuite in slapd.conf? Do they have to be set to some value? When I read the admin guide, I don't understand whether there is a default value or not, and there is nothing concerning these directives in the Faq-O-Matic TLS entry.
Thanks for your help.

-- 
Fabrice Eudes            -o)
PGP key 88AC3A66         /\
Linux user no. 245401    __V
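An added example, not part of the post above and not OpenLDAP's own code: a small Python linter that reads slapd.conf and ldap.conf fragments reproducing the directives quoted in the post (constructed inline) and reports the TLS settings worth a second look, in particular TLS_REQCERT never (which turns off server certificate verification on the client side) and an unset TLSCipherSuite.

```python
"""Lint the TLS directives of an OpenLDAP slapd.conf / ldap.conf pair."""

# Constructed fragments that reproduce the directives quoted in the post.
SLAPD_CONF = """\
TLSCACertificateFile /etc/ldap/certificates/cacert.pem
TLSCertificateFile /etc/ldap/certificates/servercert.pem
TLSCertificateKeyFile /etc/ldap/certificates/serverkey.pem
TLSVerifyClient never
"""
LDAP_CONF = """\
TLS_CACERT /etc/ldap/certificates/cacert.pem
TLS_REQCERT never
"""


def parse_conf(text):
    """Map 'directive value' lines to {DIRECTIVE: value}; keys are upper-cased
    because both files treat directive names case-insensitively."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def lint_tls(slapd_text, ldap_text):
    """Return a list of findings about the TLS posture of the two files."""
    s, c = parse_conf(slapd_text), parse_conf(ldap_text)
    findings = []
    # Server side: without all three files slapd cannot complete a TLS handshake.
    for d in ("TLSCACERTIFICATEFILE", "TLSCERTIFICATEFILE", "TLSCERTIFICATEKEYFILE"):
        if d not in s:
            findings.append(f"slapd.conf: {d} is missing")
    if "TLSCIPHERSUITE" not in s:
        findings.append("slapd.conf: TLSCipherSuite unset, the TLS library default list applies")
    # Client side: TLS_REQCERT defaults to 'demand' (ldap.conf(5)); 'never' and
    # 'allow' both let the client proceed with an unverified server certificate.
    reqcert = c.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append(f"ldap.conf: TLS_REQCERT {reqcert} disables server certificate verification")
    if "TLS_CACERT" not in c and "TLS_CACERTDIR" not in c:
        findings.append("ldap.conf: no TLS_CACERT/TLS_CACERTDIR, so 'demand' would reject every server")
    return findings


if __name__ == "__main__":
    for finding in lint_tls(SLAPD_CONF, LDAP_CONF):
        print(finding)
```

Run against the post's own fragments it reports the TLS_REQCERT never setting and the unset cipher suite; with TLS_REQCERT demand and a TLS_CACERT that really contains the signing CA, a failing ldapsearch -ZZ then points at the certificate chain rather than at a client that is skipping the check.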