At 03:44 PM 1/21/2007, Jean-Yves Avenard wrote:
On 1/22/07, Kurt D. Zeilenga Kurt@openldap.org wrote:
Given other clients seem to work well using ldaps://, it seems more likely that this particular client is not properly configured or is otherwise flawed.
Unfortunately, I have no say in how to configure this client, as it is a major one!
You might ask on a list supporting the particular client you are using how to configure this client to secure LDAP with TLS (SSL).
Actually, two quite common ones do not work with OpenLDAP over SSL :( But they work fine over a non-encrypted link.
I guess that the client is configured to use ldap://server:636 not ldaps://server:636.
That was my guess also. Is there anything I can do on the server side to get around the flaw of broken clients?
If the client doesn't support securing LDAP with TLS (SSL), either by using ldaps:// or by using ldap:// with Start TLS, there is nothing the server can do to change that. You can configure the server to support ldap:// on port 636 instead of ldaps:// if you want, but I don't recommend doing so.
Kurt
Hi
On 1/22/07, Kurt D. Zeilenga Kurt@openldap.org wrote:
You might ask on a list supporting the particular client you are using how to configure this client to secure LDAP with TLS (SSL).
Your previous post actually helped me identify the issue with this client, and I can get it to work now. The problem was (as you suggested) that even though it was using port 636, it would issue a Start TLS call, which on an SSL connection isn't going to work. I've raised a bug with the supplier on this matter.
If the client doesn't support securing LDAP with TLS (SSL), either by using ldaps:// or by using ldap:// with Start TLS, there is nothing the server can do to change that. You can configure the server to support ldap:// on port 636 instead of ldaps:// if you want, but I don't recommend doing so.
Can you configure the server to accept both SSL and Start TLS on port 636? Now that would be a good alternative... What problems would this create, given that you don't recommend it?
Jean-Yves
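What the broken client described above does on the wire, and how to tell an ldaps:// port from a cleartext ldap:// port, as an added example (Python, not code from the thread or from OpenLDAP). The StartTLS OID is the one from RFC 4511; the BER encoding is the standard LDAPMessage layout. The sample responses are constructed, and probe_port() is this example's own diagnostic, intended for checking your own directory server; how a given server reacts to a cleartext PDU on its ldaps port (TLS alert or simply closing the connection) is an assumption.

```python
"""
Added example: the StartTLS request a client sends in the clear, and a
classifier for what a port answers with. A StartTLS request is a BER
SEQUENCE (first byte 0x30); a port that expects TLS from the first byte
(an ldaps:// port) will never answer it with LDAP, which is exactly the
failure the client in the thread runs into when it sends StartTLS to 636.
"""
import socket

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation


def ber_len(n):
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def starttls_request(message_id=1):
    """The cleartext LDAPMessage a client sends to ask for StartTLS."""
    assert 0 < message_id < 128           # keep the INTEGER to one byte
    # ExtendedRequest ::= [APPLICATION 23] SEQUENCE { requestName [0] LDAPOID }
    name = b"\x80" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID
    ext = b"\x77" + ber_len(len(name)) + name          # 0x60 | 23 == 0x77
    body = b"\x02\x01" + bytes([message_id]) + ext     # messageID INTEGER
    return b"\x30" + ber_len(len(body)) + body         # LDAPMessage SEQUENCE


def extended_response(message_id, result_code):
    """Constructed minimal ExtendedResponse (resultCode, empty DN and message)."""
    assert 0 < message_id < 128 and 0 <= result_code < 128
    inner = b"\x0a\x01" + bytes([result_code]) + b"\x04\x00\x04\x00"
    ext = b"\x78" + ber_len(len(inner)) + inner        # [APPLICATION 24] == 0x78
    body = b"\x02\x01" + bytes([message_id]) + ext
    return b"\x30" + ber_len(len(body)) + body


def result_code(data):
    """resultCode of an ExtendedResponse, or None if data is not one.

    Only short-form lengths are handled, which covers StartTLS responses."""
    if len(data) < 10 or data[0] != 0x30 or data[2:4] != b"\x02\x01":
        return None
    if data[5] != 0x78 or data[7:9] != b"\x0a\x01":
        return None
    return data[9]


def classify_first_bytes(data):
    """Judge what a peer speaks from the first bytes it sends back."""
    if not data:
        return "closed"            # peer hung up without answering
    if data[0] == 0x30:
        return "ldap"              # BER SEQUENCE: a cleartext LDAPMessage
    if data[0] in (0x15, 0x16) and len(data) >= 2 and data[1] == 0x03:
        return "tls"               # TLS alert (0x15) or handshake (0x16) record
    return "unknown"


def probe_port(host, port, timeout=5.0):
    """Send a cleartext StartTLS request and classify the reply.

    'ldap' means the port speaks LDAP in the clear, so StartTLS is the right
    tool there. 'tls' or 'closed' means the port wants TLS from the very
    first byte (an ldaps:// port), where a StartTLS PDU is just garbage.
    Assumption: servers either answer, send a TLS alert, or drop the link."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(starttls_request())
        try:
            reply = s.recv(64)
        except (socket.timeout, ConnectionResetError):
            reply = b""
    kind = classify_first_bytes(reply)
    code = result_code(reply) if kind == "ldap" else None
    return kind, code


if __name__ == "__main__":
    # Offline demonstration with constructed data; no server is contacted.
    print("StartTLS request:", starttls_request().hex())
    print("cleartext port answers:", classify_first_bytes(extended_response(1, 0)))
    print("ldaps port answers:", classify_first_bytes(bytes.fromhex("150302")))
```

Run against a server you administer, probe_port(host, 389) should come back ("ldap", 0) when StartTLS is available, while probe_port(host, 636) on an ldaps listener comes back ("tls", None) or ("closed", None): the same request that succeeds on 389 cannot be understood on 636, which is why no server-side setting can rescue a client that insists on sending it there.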
--On Monday, January 22, 2007 4:42 PM +1100 Jean-Yves Avenard jyavenard@gmail.com wrote:
Hi
On 1/22/07, Kurt D. Zeilenga Kurt@openldap.org wrote:
You might ask on a list supporting the particular client you are using how to configure this client to secure LDAP with TLS (SSL).
Your previous post actually helped me identify the issue with this client, and I can get it to work now. The problem was (as you suggested) that even though it was using port 636, it would issue a Start TLS call, which on an SSL connection isn't going to work. I've raised a bug with the supplier on this matter.
Using port 636 (SSL) was an LDAP V2 hack, and was never an officially supported operation. TLS over port 389 is part of the LDAP v3 specifications, and is supported. Vendors doing start TLS are actually being LDAP v3 compliant. Vendors doing SSL over 636 are using an old non-standardized way of doing SSL.
As noted by Kurt, you can force connections to use encryption, using the "security" statement. I'm not quite sure why you aren't figuring this out via the slapd.conf man page, it is pretty clear:
security <factors>
    Specify a set of security strength factors (separated by white space) to require (see sasl-secprops's minssf option for a description of security strength factors). The directive may be specified globally and/or per-database.
    ssf=<n> specifies the overall security strength factor.
    transport=<n> specifies the transport security strength factor.
    tls=<n> specifies the TLS security strength factor.
    sasl=<n> specifies the SASL security strength factor.
    update_ssf=<n> specifies the overall security strength factor to require for directory updates.
    update_transport=<n> specifies the transport security strength factor to require for directory updates.
    update_tls=<n> specifies the TLS security strength factor to require for directory updates.
    update_sasl=<n> specifies the SASL security strength factor to require for directory updates.
    simple_bind=<n> specifies the security strength factor required for simple username/password authentication.
    Note that the transport factor is a measure of security provided by the underlying transport, e.g. ldapi:// (and eventually IPSEC). It is not normally used.
--Quanah
-- Quanah Gibson-Mount Principal Software Developer ITS/Shared Application Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
Hi
On 1/22/07, Quanah Gibson-Mount quanah@stanford.edu wrote:
Using port 636 (SSL) was an LDAP V2 hack, and was never an officially supported operation. TLS over port 389 is part of the LDAP v3 specifications, and is supported. Vendors doing start TLS are actually being LDAP v3 compliant. Vendors doing SSL over 636 are using an old non-standardized way of doing SSL.
The problem here is that as soon as the SSL box is checked, it uses port 636, but will issue a StartTLS command. This is why it fails.
As noted by Kurt, you can force connections to use encryption, using the "security" statement. I'm not quite sure why you aren't figuring this out via the slapd.conf man page, it is pretty clear:
It may very well be clear to you, but for some reason I couldn't find it. I did though, as posted earlier. None of the OpenLDAP web pages actually describing TLS/SSL mention this security option; it is referred to in another part of the documentation, which has nothing to do with SSL :(
I wish I had talked to you earlier; you would have saved me several hours.
Regards
Jean-Yves
Hi, I am trying to do authentication with OpenLDAP using TLS. The following program works fine if the ldap_port is 389. But if I specify 636 it gives me the error "can't contact the LDAP server". I use slapd 2.3.19 and SLES. Does OpenLDAP listen on 636 by default? Or do I need to pass the certificate? (If so, can you please point out some link?) What am I missing here? Anybody please help me on this.
Thanks for all your help.
#include <ldap.h>
#include <stdio.h>

int main()
{
    static LDAP *ld = NULL;
    static char ldap_server[30]   = "My.Ip.Add.ress",
                ldap_username[30] = "cn=admin,o=domain",
                ldap_password[30] = "pwd",
                ldap_base_dn[30]  = "o=domain";
    static int ldap_port = 636;
    int version, ret;
    LDAPMessage *hostres, *hostent;
    char hfilter[100] = "(&(objectClass=User)(cn=kalyan))";
    char *hostdn;

    /* Open a cleartext LDAP session to server:port (no TLS yet). */
    if ((ld = ldap_init(ldap_server, ldap_port)) == NULL) {
        fprintf(stderr, "Error: Cannot init ldap session to %s\n", ldap_server);
        return -1;
    }
    version = LDAP_VERSION3;
    if ((ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version)) != LDAP_OPT_SUCCESS) {
        fprintf(stderr, "Cannot set LDAP version to %d: %s\n", version, ldap_err2string(ret));
    }

    /* Upgrade the cleartext session to TLS with the Start TLS extended operation. */
    if ((ret = ldap_start_tls_s(ld, NULL, NULL)) != LDAP_SUCCESS) {
        fprintf(stderr, "Cannot start TLS, err value is %s\n", ldap_err2string(ret));
        return 1;
    }

    /* Simple bind; the password travels over the TLS-protected session. */
    if ((ret = ldap_simple_bind_s(ld, ldap_username, ldap_password)) != LDAP_SUCCESS) {
        fprintf(stderr, "ERROR: can't log in to ldap server: %s\n", ldap_err2string(ret));
        return -1;
    }

    if ((ret = ldap_search_s(ld, ldap_base_dn, LDAP_SCOPE_SUBTREE, hfilter, NULL, 0, &hostres)) != LDAP_SUCCESS) {
        fprintf(stderr, "Cannot find entry: %s\n", ldap_err2string(ret));
        return -1;
    }

    if ((hostent = ldap_first_entry(ld, hostres)) == NULL) {
        fprintf(stderr, "No matching entry found\n");
        ldap_msgfree(hostres);
        return -1;
    }

    hostdn = ldap_get_dn(ld, hostent);
    printf("\nResult is out successfully: %s\n", hostdn);

    ldap_memfree(hostdn);
    ldap_msgfree(hostres);
    ldap_unbind_s(ld);
    return 0;
}
-Kalyan
On Monday 22 January 2007 11:17, S Kalyanasundaram wrote:
Hi, I am trying to do authentication with OpenLDAP using TLS. The following program works fine if the ldap_port is 389. But if I specify 636 it gives me the error "can't contact the LDAP server". I use slapd 2.3.19 and SLES. Does OpenLDAP listen on 636 by default?
No. You need to tell it what interfaces/ports it should listen on. (Hint: the -h option of the slapd binary; see the slapd(8) man page for details.)
Note: On SUSE you can also set OPENLDAP_START_LDAPS="yes" in the file /etc/sysconfig/openldap; the init script will then start the server so that it listens for ldaps connections on port 636. For ldaps to work you of course need a server certificate in place and configured. For details on how to do that you might want to look here:
http://www.openldap.org/doc/admin23/tls.html
and here:
http://www.openldap.org/faq/data/cache/185.html
Or do I need to pass the certificate? (If so, can you please point out some link?) What am I missing here? Anybody please help me on this.
Thanks for all your help.
#include <ldap.h>
#include <stdio.h>

int main()
{
    static LDAP *ld = NULL;
    static char ldap_server[30]   = "My.Ip.Add.ress",
                ldap_username[30] = "cn=admin,o=domain",
                ldap_password[30] = "pwd",
                ldap_base_dn[30]  = "o=domain";
    static int ldap_port = 636;
    int version, ret;
    LDAPMessage *hostres, *hostent;
    char hfilter[100] = "(&(objectClass=User)(cn=kalyan))";
    char *hostdn;

    /* Open a cleartext LDAP session to server:port (no TLS yet). */
    if ((ld = ldap_init(ldap_server, ldap_port)) == NULL) {
        fprintf(stderr, "Error: Cannot init ldap session to %s\n", ldap_server);
        return -1;
    }
    version = LDAP_VERSION3;
    if ((ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version)) != LDAP_OPT_SUCCESS) {
        fprintf(stderr, "Cannot set LDAP version to %d: %s\n", version, ldap_err2string(ret));
    }

    /* Upgrade the cleartext session to TLS with the Start TLS extended operation. */
    if ((ret = ldap_start_tls_s(ld, NULL, NULL)) != LDAP_SUCCESS) {
Note, you are trying to connect to port 636, which is normally used for ldaps connections. If your server is configured to listen for ldaps on port 636, then you should not call ldap_start_tls_s() for that connection, as an SSL/TLS session is already established before the START_TLS operation is processed.
        fprintf(stderr, "Cannot start TLS, err value is %s\n", ldap_err2string(ret));
        return 1;
    }
    /* Simple bind; the password travels over the TLS-protected session. */
    if ((ret = ldap_simple_bind_s(ld, ldap_username, ldap_password)) != LDAP_SUCCESS) {
        fprintf(stderr, "ERROR: can't log in to ldap server: %s\n", ldap_err2string(ret));
        return -1;
    }

    if ((ret = ldap_search_s(ld, ldap_base_dn, LDAP_SCOPE_SUBTREE, hfilter, NULL, 0, &hostres)) != LDAP_SUCCESS) {
        fprintf(stderr, "Cannot find entry: %s\n", ldap_err2string(ret));
        return -1;
    }

    if ((hostent = ldap_first_entry(ld, hostres)) == NULL) {
        fprintf(stderr, "No matching entry found\n");
        ldap_msgfree(hostres);
        return -1;
    }

    hostdn = ldap_get_dn(ld, hostent);
    printf("\nResult is out successfully: %s\n", hostdn);

    ldap_memfree(hostdn);
    ldap_msgfree(hostres);
    ldap_unbind_s(ld);
    return 0;
}
-Kalyan
You might ask on a list supporting the particular client you are using how to configure this client to secure LDAP with TLS (SSL).
I am about to ask this one. I am googling for help to configure OpenLDAP with TLS. And my client program should use ldap_start_tls_s for the connection, but with no certificate. Any help is appreciated. Thanks a lot.
kalyan
Hi
On 1/22/07, S Kalyanasundaram skalyanasundaram@novell.com wrote:
I am about to ask this one. I am googling for help to configure OpenLDAP with TLS. And my client program should use ldap_start_tls_s for the connection, but with no certificate. Any help is appreciated.
From what I've been able to gather...
First, to establish an SSL/TLS connection you must have a certificate; you can't do without one. You may very well not check the validity of the certificate, though. If you want your LDAP client to not check the validity of the certificate, use the following option in ldap.conf:
TLS_REQCERT never
The default for the client is demand. The default for the OpenLDAP server is to NOT check the client certificate. You can change this behaviour with TLSVerifyClient in slapd.conf. It's all explained there:
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html
To force a specific level of encryption you use the following option in slapd.conf:
security ssf=n update_ssf=n
Where n is the number of bits used in the encryption. ssf is for accessing the LDAP directory (a value of 0 is no protection at all); update_ssf is used for updating the database (add, delete, modify etc.). I found some explanation there: http://www.openldap.org/doc/admin23/security.html (the stuff there needs to be checked; I found that many options aren't valid with my version of OpenLDAP, 2.3.33).
Jean-Yves
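A small model of the "security" directive from the slapd.conf(5) text Quanah quoted and the ssf/update_ssf explanation above, as an added example (Python, not code from the thread or from OpenLDAP) for seeing which connections a given setting turns away before you put it on a server. The factor names and the update_*/simple_bind split follow the man page text; deriving the overall factor as the largest of the transport, TLS and SASL factors, and the per-operation checks, are this example's assumptions about slapd's behaviour and should be confirmed against your own server. The connection values are constructed samples (key bits of a TLS cipher, and 71 for ldapi://, which is the localSSF default this author believes slapd uses).

```python
"""
Added example: parse a slapd "security <factors>" line and evaluate
constructed connections against it. Model assumptions (not from the
thread): the overall factor is the largest of the per-layer factors;
update_* factors apply to add/delete/modify/modrdn; simple_bind applies
to a simple bind that carries a password.
"""
from dataclasses import dataclass

FACTOR_KEYS = ("ssf", "transport", "tls", "sasl",
               "update_ssf", "update_transport", "update_tls", "update_sasl",
               "simple_bind")
UPDATE_OPS = ("add", "delete", "modify", "modrdn")


def parse_security(directive):
    """Turn 'security ssf=128 update_ssf=256' into {'ssf': 128, ...}."""
    parts = directive.split()
    if not parts or parts[0] != "security":
        raise ValueError("not a security directive: %r" % directive)
    required = {}
    for item in parts[1:]:
        key, _, value = item.partition("=")
        if key not in FACTOR_KEYS or not value.isdigit():
            raise ValueError("bad security factor: %r" % item)
        required[key] = int(value)
    return required


@dataclass
class Conn:
    """Security strength factors of one client connection (sample values)."""
    transport_ssf: int = 0   # 0 for TCP; ldapi:// gets the server's localSSF
    tls_ssf: int = 0         # key bits of the negotiated cipher, 0 without TLS
    sasl_ssf: int = 0        # strength of a SASL security layer, 0 without one

    @property
    def ssf(self):
        # Assumption: the overall factor is the strongest layer in use.
        return max(self.transport_ssf, self.tls_ssf, self.sasl_ssf)


def check(required, conn, op="search", simple_bind_with_password=False):
    """None if the operation is allowed, else the name of the violated factor."""
    layers = {"ssf": conn.ssf, "transport": conn.transport_ssf,
              "tls": conn.tls_ssf, "sasl": conn.sasl_ssf}
    for name, have in layers.items():
        if have < required.get(name, 0):
            return name
    if op in UPDATE_OPS:
        for name, have in layers.items():
            key = "update_" + name
            if have < required.get(key, 0):
                return key
    if op == "bind" and simple_bind_with_password:
        if conn.ssf < required.get("simple_bind", 0):
            return "simple_bind"
    return None


def demo():
    """Evaluate a few constructed connections against one directive."""
    required = parse_security("security ssf=128 update_ssf=256 simple_bind=128")
    cases = {
        "cleartext search":      (Conn(), "search", False),
        "ldaps AES-128 search":  (Conn(tls_ssf=128), "search", False),
        "ldaps AES-128 modify":  (Conn(tls_ssf=128), "modify", False),
        "ldaps AES-256 modify":  (Conn(tls_ssf=256), "modify", False),
        "ldapi simple bind":     (Conn(transport_ssf=71), "bind", True),
    }
    return {label: check(required, c, op, pw) for label, (c, op, pw) in cases.items()}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print("%-22s -> %s" % (label, "allowed" if verdict is None else "refused (%s)" % verdict))
```

The first refusal is the one slapd's error would name, so the order of the checks matters when you read the output: a cleartext connection with ssf=128 configured is refused for "ssf" before any update or bind factor is considered, and the example returns the same. Change the directive string in demo() to the one you intend to deploy and the table tells you which of your clients (cleartext, ldaps, StartTLS, ldapi) would stop working.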
openldap-software@openldap.org