I would like to set up TLS on our server. Looking through the Administration guide, I am unsure if I need both server AND client certificates. As I understand it, I am supposed to first see if I can use the command line tools to establish the TLS connection, then attempt to set up a client. So I have created a server certificate. I would like to do this with a test system. The test server is running 2.0.27-22 and our actual server runs 2.2.13-6.4E. How can I be sure that I am getting an encrypted connection? I am also unsure of how to use ldapsearch, since whenever I do use it I get errors, but when I verify the contents of our directory with other software I can see the things I'm looking for. Again, this is a question about ldapsearch, not the other software. I have a user called tester in my dc=test,dc=com test server (is it a problem that I use test.com when the machine is not on that domain?). What would be the command to get the LDAP information about tester?
Jon West
--On June 5, 2007 3:08:17 PM -0400 "West, Jon (NIH/NIMH) [C]" wjon@mail.nih.gov wrote:
I think you need to seriously examine running modern, supported versions of OpenLDAP (2.3.35 is the current release). But no, you don't need a client cert to establish TLS. The client must have access to the CA that signed the server cert, however. Have you read the man page on ldapsearch? Do you have any example of how you are using ldapsearch?
--Quanah
-- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration
OK, so I've learned a little bit more about ldapsearch. On the server running TLS I can use the -ZZ directive and connect. The next thing I did was to try and connect from a different machine using -ZZ with this command:

ldapsearch -ZZ -x -h serveraddress -v -b 'uid=tester,ou=People,dc=test,dc=com'

This results in the following output:

ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

OK, fine, that is correct: it does not have the CA cert to use. I tried to copy the CA cert from the LDAP server, but I still get the same error.
-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@zimbra.com]
Sent: Tue 6/5/2007 4:51 PM
To: West, Jon (NIH/NIMH) [C]; openldap-software@openldap.org
Subject: Re: TLS bare minimum
--On June 5, 2007 6:02:21 PM -0400 "West, Jon (NIH/NIMH) [C]" wjon@mail.nih.gov wrote:
Did you tell ldapsearch where to find the CA cert? (hint: .ldaprc or ldap.conf)
--Quanah
You can use the "openssl s_client" command to test SSL/TLS and view the certificates. Once you know that's working, you can then use "tcpdump" to examine the packets on the wire to make sure your LDAP session is encrypted.
On Jun 5, 2007, at 12:08 PM, West, Jon (NIH/NIMH) [C] wrote:
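An added example, not from the thread or from the OpenLDAP project, pulling together the client-side pieces the replies point at: Quanah's hint that ldap.conf must name the CA cert, and the openssl s_client / tcpdump checks for confirming the session is really encrypted. It assumes the CA certificate that signed the slapd cert has been copied to the client as /etc/openldap/cacert.pem and that the client ldap.conf is /etc/openldap/ldap.conf (both paths are assumptions; set CACERT and LDAPCONF to override them).

```shell
#!/bin/sh
# Added example, not from the thread. CACERT/CONF paths are assumptions;
# override them in the environment for a Debian-style /etc/ldap layout.
CACERT=${CACERT:-/etc/openldap/cacert.pem}
CONF=${LDAPCONF:-/etc/openldap/ldap.conf}

# Minimal client ldap.conf. TLS_CACERT is what the failing client lacks;
# TLS_REQCERT demand (the default) keeps a failed verification fatal.
write_client_conf() {   # write_client_conf CONF CAFILE BASE
    printf 'BASE\t%s\nTLS_CACERT\t%s\nTLS_REQCERT\tdemand\n' "$3" "$2" > "$1"
}

# Offline check, run before going near the network. Returns 1 if the CA
# file is unreadable, 2 if ldap.conf does not point at it, 3 if someone
# "fixed" the error with TLS_REQCERT never, which hides the message by
# turning off the server verification StartTLS was meant to provide.
check_tls_client() {    # check_tls_client CONF CAFILE
    [ -r "$2" ] || { echo "CA file $2 not readable" >&2; return 1; }
    awk -v ca="$2" '$1=="TLS_CACERT" && $2==ca {ok=1} END {exit !ok}' "$1" \
        || { echo "no TLS_CACERT $2 line in $1" >&2; return 2; }
    awk '$1=="TLS_REQCERT" && $2=="never" {bad=1} END {exit bad+0}' "$1" \
        || { echo "TLS_REQCERT never disables verification" >&2; return 3; }
    return 0
}

# The search from the thread. -ZZ makes StartTLS mandatory, so a handshake
# problem fails closed instead of quietly continuing in cleartext.
tls_search() {          # tls_search SERVER BASE UID
    LDAPCONF=$CONF ldapsearch -ZZ -x -h "$1" -b "$2" "(uid=$3)"
}

# Independent view of the server's certificate chain and verify result.
# -starttls ldap needs OpenSSL 1.1.1 or later; older releases can only
# probe an ldaps:// listener, i.e. -connect SERVER:636 without -starttls.
show_server_cert() {    # show_server_cert SERVER
    openssl s_client -connect "$1:389" -starttls ldap -CAfile "$CACERT" </dev/null
}

# On the wire an encrypted session never shows DNs or attribute values:
#   tcpdump -i eth0 -A port 389 | grep uid=tester
# should print nothing once the -ZZ search succeeds.

if [ "${1:-}" = check ]; then
    check_tls_client "$CONF" "$CACERT" && echo "client TLS config looks sane"
fi
```

Run it as `sh script.sh check` on the client first; only once that passes is a remaining "certificate verify failed" a server-side problem (wrong CA, or a server cert whose subject does not match the host name given with -h).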