/etc/ldap/ldap.conf file is ignored if i use SSL - openldap-software

16 Aug 2007


      Hello
I have installed a Debian etch server with OpenLDAP as ldap server.
# slapd -VV
@(#) $OpenLDAP: slapd 2.3.30 (Mar  9 2007 06:10:06) $
        buildd@excelsior:/build/buildd/openldap2.3-2.3.30/debian/build/servers/slapd
# ldapsearch -VV
ldapsearch: @(#) $OpenLDAP: ldapsearch 2.3.30 (Mar  9 2007 06:09:26) $
        buildd@excelsior:/build/buildd/openldap2.3-2.3.30/debian/build/clients/tools
        (LDAP library: OpenLDAP 20330)
I have config my ldap server and client as followed.
# ls -all /etc/default/slapd
-rw-r--r-- 1 root root 162 2007-08-16 10:27 /etc/default/slapd
# cat /etc/default/slapd
SLAPD_CONF=
SLAPD_USER="openldap"
SLAPD_GROUP="openldap"
SLAPD_PIDFILE=
SLURPD_START=auto
SLAPD_SERVICES="ldap://0.0.0.0:389/"
SLAPD_OPTIONS=""
SLURPD_OPTIONS=""
# ls -all /etc/ldap/slapd.conf
-rw------- 1 root root 1202 2007-08-16 10:41 /etc/ldap/slapd.conf
# cat /etc/ldap/slapd.conf
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba.schema
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
loglevel        256
modulepath      /usr/lib/ldap
moduleload      back_bdb
sizelimit 500
tool-threads 1
backend         bdb
checkpoint 512 30
database        bdb
suffix          "dc=riha,dc=home"
rootdn          "cn=Manager,dc=riha,dc=home"
directory       "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index           objectClass eq
lastmod         on
access to attrs=userPassword,shadowLastChange
        by dn="cn=Manager,dc=riha,dc=home" write
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read
access to *
        by dn="cn=Manager,dc=riha,dc=home" write
        by * read
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by self write
        by anonymous auth
        by * none
rootpw  {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# ls -all ldap.conf
-rw-r--r-- 1 root root 65 2007-08-16 11:00 ldap.conf
# cat ldap.conf
BASE    dc=riha,dc=home
URI     ldap://0.0.0.0:389/
HOST    192.168.1.100
Everything work fine.
# ldapsearch -x "(&(objectClass=posixAccount)(uid=stefan))"
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (&(objectClass=posixAccount)(uid=stefan))
# requesting: ALL
#
# stefan, Users, riha.home
dn: uid=stefan,ou=Users,dc=riha,dc=home
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: stefan
sn: stefan
givenName: stefan
uid: stefan
uidNumber: 1001
gidNumber: 513
homeDirectory: /home/stefan
loginShell: /bin/bash
gecos: System User
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: System User
sambaSID: S-1-5-21-1222799212-533558969-2148455424-3002
sambaPrimaryGroupSID: S-1-5-21-1222799212-533558969-2148455424-513
sambaLogonScript: logon.bat
sambaProfilePath: \samba\profiles\stefan
sambaHomePath: \samba\stefan
sambaHomeDrive: H:
sambaLMPassword: 618728E26F93449D613E9293942509F0
sambaAcctFlags: [U]
sambaNTPassword: 48503E58AB7D0FC63BB5256C90D4C94C
sambaPwdLastSet: 1186529591
sambaPwdMustChange: 1190417591
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Aug 16 11:16:44 pluto slapd[18138]: conn=0 fd=10 ACCEPT from
IP=192.168.1.100:60615 (IP=0.0.0.0:389)
Aug 16 11:16:44 pluto slapd[18138]: conn=0 op=0 BIND dn="" method=128
Aug 16 11:16:44 pluto slapd[18138]: conn=0 op=0 RESULT tag=97 err=0 text=
Aug 16 11:16:44 pluto slapd[18138]: conn=0 op=1 SRCH
base="dc=riha,dc=home" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=stefan))"
Aug 16 11:16:44 pluto slapd[18138]: <= bdb_equality_candidates: (uid)
index_param failed (18)
Aug 16 11:16:45 pluto slapd[18138]: conn=0 op=1 SEARCH RESULT tag=101
err=0 nentries=1 text=
Aug 16 11:16:45 pluto slapd[18138]: conn=0 op=2 UNBIND
Aug 16 11:16:45 pluto slapd[18138]: conn=0 fd=10 closed
But now i want to use SSL to secure the connection.
First i create a ssl cert.
#openssl req -newkey rsa:2048 -x509 -nodes -out ldap-server.pem -keyout
ldap-server.pem -days 730
# ls -all /etc/ldap/ldap-server.pem
-rw-r----- 1 root openldap 3025 2007-08-11 21:59 /etc/ldap/ldap-server.pem
I have modified the config for my ldap server and client as followed.
# cat /etc/default/slapd
SLAPD_CONF=
SLAPD_USER="openldap"
SLAPD_GROUP="openldap"
SLAPD_PIDFILE=
SLURPD_START=auto
SLAPD_SERVICES="ldaps://0.0.0.0:636/"
SLAPD_OPTIONS=""
SLURPD_OPTIONS=""
# cat /etc/ldap/slapd.conf
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba.schema
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
loglevel        256
modulepath      /usr/lib/ldap
moduleload      back_bdb
sizelimit 500
tool-threads 1
backend         bdb
checkpoint 512 30
database        bdb
suffix          "dc=riha,dc=home"
rootdn          "cn=Manager,dc=riha,dc=home"
directory       "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index           objectClass eq
lastmod         on
TLSCertificateFile      /etc/ldap/ldap-server.pem
TLSCertificateKeyFile   /etc/ldap/ldap-server.pem
TLSCACertificateFile    /etc/ldap/ldap-server.pem
TLSVerifyClient allow
access to attrs=userPassword,shadowLastChange
        by dn="cn=Manager,dc=riha,dc=home" write
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read
access to *
        by dn="cn=Manager,dc=riha,dc=home" write
        by * read
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by self write
        by anonymous auth
        by * none
rootpw  {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# cat /etc/ldap/ldap.conf
BASE            dc=riha,dc=home
URI             ldaps://0.0.0.0:636/
HOST            192.168.1.100
TLS_CACERT      /etc/ldap/ldap-server.pem
TLS_CERT        /etc/ldap/ldap-server.pem
TLS_KEY         /etc/ldap/ldap-server.pem
TLS_REQCERT     allow
But now i have the following ploblem
# ldapsearch -x "(&(objectClass=posixAccount)(uid=stefan))" -H
ldaps://192.168.1.100:636/
ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14094410:SSL
routines:SSL3_READ_BYTES:sslv3 alert handshake failure
Aug 16 13:43:45 pluto slapd[18235]: conn=0 fd=10 ACCEPT from
IP=192.168.1.100:49149 (IP=0.0.0.0:636)
Aug 16 13:43:45 pluto slapd[18235]: conn=0 fd=10 closed (TLS
negotiation failure)
The cert seems to be ok
# openssl s_client -connect 192.168.1.100:636 -CAfile
/etc/ldap/ldap-server.pem -cert /etc/ldap/ldap-server.pem -key
/etc/ldap/ldap-server.pem -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 /C=AT/ST=Austria/O=Home/CN=192.168.1.100
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=AT/ST=Austria/O=Home/CN=192.168.1.100
   i:/C=AT/ST=Austria/O=Home/CN=192.168.1.100
---
Server certificate
-----BEGIN CERTIFICATE-----
..............................................................
-----END CERTIFICATE-----
subject=/C=AT/ST=Austria/O=Home/CN=192.168.1.100
issuer=/C=AT/ST=Austria/O=Home/CN=192.168.1.100
---
Acceptable client certificate CA names
/C=AT/ST=Austria/O=Home/CN=192.168.1.100
---
SSL handshake has read 1202 bytes and written 1682 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 947C2BE5F94D1DFDF734C037404209BAB417252D2633A73A9F016A38A2DC09D8
    Session-ID-ctx:
    Master-Key: DDD638xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Key-Arg   : None
    Start Time: 1187257722
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
Aug 16 11:48:42 pluto slapd[18177]: conn=0 fd=10 ACCEPT from
IP=192.168.1.100:39847 (IP=0.0.0.0:636)
Aug 16 11:48:42 pluto slapd[18177]: conn=0 fd=10 TLS established
tls_ssf=256 ssf=256
Aug 16 11:49:00 pluto slapd[18177]: conn=0 fd=10 closed (connection lost)
My last idea was to copy the ldap client config file to the user ldap
client config file.
# cp /etc/ldap/ldap.conf ~/.ldaprc
# ls -all ~/.ldaprc
-rw-r--r-- 1 root root 192 2007-08-16 11:51 /root/.ldaprc
# ldapsearch -x "(&(objectClass=posixAccount)(uid=stefan))" -H
ldaps://192.168.1.100:636/
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (&(objectClass=posixAccount)(uid=stefan))
# requesting: ALL
#
# stefan, Users, riha.home
dn: uid=stefan,ou=Users,dc=riha,dc=home
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: stefan
sn: stefan
givenName: stefan
uid: stefan
uidNumber: 1001
gidNumber: 513
homeDirectory: /home/stefan
loginShell: /bin/bash
gecos: System User
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: System User
sambaSID: S-1-5-21-1222799212-533558969-2148455424-3002
sambaPrimaryGroupSID: S-1-5-21-1222799212-533558969-2148455424-513
sambaLogonScript: logon.bat
sambaProfilePath: \samba\profiles\stefan
sambaHomePath: \samba\stefan
sambaHomeDrive: H:
sambaLMPassword: 618728E26F93449D613E9293942509F0
sambaAcctFlags: [U]
sambaNTPassword: 48503E58AB7D0FC63BB5256C90D4C94C
sambaPwdLastSet: 1186529591
sambaPwdMustChange: 1190417591
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Aug 16 13:44:34 pluto slapd[18247]: conn=0 fd=10 ACCEPT from
IP=192.168.1.100:49162 (IP=0.0.0.0:636)
Aug 16 13:44:34 pluto slapd[18247]: conn=0 fd=10 TLS established
tls_ssf=256 ssf=256
Aug 16 13:44:34 pluto slapd[18247]: conn=0 op=0 BIND dn="" method=128
Aug 16 13:44:34 pluto slapd[18247]: conn=0 op=0 RESULT tag=97 err=0 text=
Aug 16 13:44:34 pluto slapd[18247]: conn=0 op=1 SRCH
base="dc=riha,dc=home" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=stefan))"
Aug 16 13:44:34 pluto slapd[18247]: <= bdb_equality_candidates: (uid)
index_param failed (18)
Aug 16 13:44:34 pluto slapd[18247]: conn=0 op=1 SEARCH RESULT tag=101
err=0 nentries=1 text=
Aug 16 13:44:34 pluto slapd[18247]: conn=0 op=2 UNBIND
Aug 16 13:44:34 pluto slapd[18247]: conn=0 fd=10 closed
Now it works but i have two questions:
1) Why is my ldap.conf ignored when i use SSL?
2) Why must i use the option "-H ldaps://192.168.1.100:636/" when using SSL?
Stefan Riha