Hi.
Seems the previous mail didn't go through (sent 24 hours ago); if it did, sorry for the dupe.
I'm having a problem getting TLS over ldap to work on my setup. Normal LDAP operations work fine, ldaps works fine, but TLS over ldap does not. I've tried following various guides from debian-administration, the gentoo wiki, the openldap.org docs etc., but I could never get this last bit to work.
On my last effort I followed this guide: http://www.bayour.com/LDAPv3-HOWTO.html and created my certificate with:
openssl req -new -x509 -nodes -out server.pem -keyout server.pem -days 365
(and yes, I did make sure the common name matches the host.network.com for the ldapserver)
and in slapd.conf:
TLSCertificateFile /etc/ldap/server.pem
TLSCertificateKeyFile /etc/ldap/server.pem
TLSCACertificateFile /etc/ldap/server.pem
and started the server with:
slapd -h 'ldap:// ldaps://' -g openldap -u openldap -d127
Now to test the encryption on the ldaps port with:
openssl s_client -connect <ldaphost>:636 -showcerts -state -CAfile /etc/ldap/server.pem
which results in the following output:
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 /C=NO/ST=Some-State/L=Oslo/O=company AS/CN=<ldaphost>/emailAddress=mail@company
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
.
.
-----BEGIN CERTIFICATE-----
.
.
.
FeTrw4B8
-----END CERTIFICATE-----
---
Server certificate
subject=/C=NO/ST=Some-State/<certificate info>
issuer=/C=NO/ST=Some-State/<certificate info>
---
No client certificate CA names sent
---
SSL handshake has read 1080 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: CBE0DD206D44248AAC8766578CFEDCD5205ECAF2D466F87827432D870A2A6209
    Session-ID-ctx:
    Master-Key: F4794B77D23C66E40CB80A25B3E270A7B474B4A6F3A1942C9184FFE3948135AA4449F9BC5DAE442ADA4FA9EAC6471D32
    Key-Arg   : None
    Start Time: 1211962435
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
BUT, when I try the same for the ldap port:
openssl s_client -connect <ldaphost>:389 -showcerts -state -CAfile /etc/ldap/server.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
2135:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
According to the various guides I read I thought this should be working with my current setup. Maybe I am missing something?
Regards,
Ingard
--On Friday, May 30, 2008 9:20 AM +0200 Ingard Mevåg ingardm@startsiden.no wrote:
> According to the various guides I read I thought this should be working with my current setup. Maybe I am missing something?
I think you missed reading the documentation that states that OpenSSL does not support StartTLS operations for LDAP. Therefore, you cannot use the openssl tools to do the test you are trying.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
openldap-software@openldap.org
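The point behind the reply is that StartTLS on port 389 is not "TLS from the first byte": the connection begins as cleartext LDAP, the client sends a StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037, RFC 4511 section 4.14), and only after the server answers with resultCode 0 does the TLS handshake begin on the same socket. Pointing openssl s_client straight at 389 sends a ClientHello where slapd expects a BER-encoded LDAPMessage, which is the handshake failure shown above. The script below is an added example written for this page, not code from the thread or from OpenLDAP; it builds the StartTLS request with the standard library only, checks the ExtendedResponse, and then runs a verified TLS handshake against the CA file. The host, port and CA file arguments are placeholders supplied on the command line, and the sample responses in the comments are constructed for illustration.

```python
"""Probe LDAP StartTLS on port 389 using only the Python standard library.

Added example for this thread (not the list's or OpenLDAP's code). Host, port
and CA file are placeholders passed on the command line.
"""
import socket
import ssl
import sys
from typing import Optional

START_TLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation


def _ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _ber(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(content)) + content


def _ber_int(value: int) -> bytes:
    # +8 rather than +7 keeps a leading zero byte when the top bit is set
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ber(0x02, raw)


def build_starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext_req = _ber(0x77, _ber(0x80, START_TLS_OID))  # 0x77 = APPLICATION 23, constructed
    return _ber(0x30, _ber_int(message_id) + ext_req)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(data: bytes) -> dict:
    """Decode an ExtendedResponse [APPLICATION 24]; raise on any other PDU."""
    tag, body, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("messageID missing")
    tag, ext, _ = _read_tlv(body, pos)
    if tag != 0x78:  # 0x78 = APPLICATION 24, constructed
        raise ValueError("expected ExtendedResponse, got tag 0x%02x" % tag)
    tag, rc, pos = _read_tlv(ext, 0)
    if tag != 0x0A:
        raise ValueError("resultCode missing")
    _, matched_dn, pos = _read_tlv(ext, pos)
    _, diagnostic, pos = _read_tlv(ext, pos)
    response_name = None
    while pos < len(ext):  # optional referral / responseName / responseValue
        tag, val, pos = _read_tlv(ext, pos)
        if tag == 0x8A:  # [10] responseName
            response_name = val.decode("ascii")
    return {"message_id": int.from_bytes(mid, "big"),
            "result_code": int.from_bytes(rc, "big"),
            "matched_dn": matched_dn.decode("utf-8"),
            "diagnostic": diagnostic.decode("utf-8", "replace"),
            "response_name": response_name}


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed before answering StartTLS")
        buf += chunk
    return buf


def recv_ldap_message(sock: socket.socket) -> bytes:
    """Read exactly one BER-framed LDAPMessage from the socket."""
    head = _recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        more = _recv_exact(sock, length & 0x7F)
        length, head = int.from_bytes(more, "big"), head + more
    return head + _recv_exact(sock, length)


def starttls_probe(host: str, port: int = 389, cafile: Optional[str] = None, timeout: float = 5.0) -> dict:
    """Cleartext StartTLS request, then a chain- and hostname-verified TLS handshake on the same socket."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request(1))
        resp = parse_extended_response(recv_ldap_message(sock))
        if resp["result_code"] != 0:
            raise RuntimeError("StartTLS refused: resultCode=%d %s" % (resp["result_code"], resp["diagnostic"]))
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return {"protocol": tls.version(), "cipher": tls.cipher()[0],
                    "subject": tls.getpeercert().get("subject")}


if __name__ == "__main__":
    # usage: python starttls_probe.py <ldaphost> [port] [cafile]  (placeholder arguments)
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 389
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    print(starttls_probe(host, port, cafile))
```

Run it as `python starttls_probe.py <ldaphost> 389 /etc/ldap/server.pem` against the setup in the thread: a resultCode other than 0 means slapd refused StartTLS (check TLS directives and that slapd could read the key), while a failure inside `wrap_socket` means the request was accepted but the certificate did not verify against the CA file or the hostname. For routine checks the OpenLDAP client tools do the same exchange natively; `ldapsearch -ZZ -H ldap://<ldaphost>` demands StartTLS and fails if it cannot be negotiated.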