Hi,
I want to establish a secure LDAP connection. I have tried the following:
1. ldap_init
2. ldap_set_option(pLdapObj, LDAP_OPT_X_TLS_CACERTFILE, "/tmp/certficate.cert")
3. iRetCode = ldap_start_tls_s(pLdapObj, NULL, NULL);
Here step 3, ldap_start_tls_s, failed with the error "Can't contact LDAP server".
What is wrong here? Are there any more steps to make it work? Please help me.
Thanks, Digambar
Run your OpenLDAP server with debugging turned on (-d option) and check the output. Read 'man slapd.conf' for the different values of the -d flag and then see if you can see why your connection is failing. Post those results here if you don't see the obvious root cause.
Sellers
On Jan 16, 2008, at 1:37 AM, Digambar Sawant wrote:
[...]
______________________________________________
Chris G. Sellers | NITLE Technology
734.661.2318 | chris.sellers@nitle.org
AIM: imthewherd | GTalk: cgseller@gmail.com
Problem Definition:
I have the following sets of files on a Linux host where my server is running.
Again, I am trying the ldapsearch command on the same Linux machine.
Certificate files on the server machine:
ls -l /etc/openldap/CERTS/
-rwxrwxrwx 1 root root 1265 Jan 16 18:04 cacert.pem
-rwxrwxrwx 1 root root 3604 Jan 16 18:05 servercrt.pem
-rwxrwxrwx 1 root root 1664 Jan 16 18:05 serverkey.pem
--------------------------------------------------------------
cat /etc/openldap/ldap.conf:
HOST 127.0.0.1
PORT 636
TLS_CACERTDIR /etc/openldap/CERTS/
TLS_CACERT /etc/openldap/CERTS/cacert.pem
TLS_REQCERT demand
BASE dc=example,dc=com
--------------------------------------------------------------
cat /etc/openldap/slapd.conf:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/rfc822-MailMember.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/redhat/kerberosobject.schema
access to *
by self write
by users read
by anonymous auth
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/openldap/CERTS/cacert.pem
TLSCertificateFile /etc/openldap/CERTS/servercrt.pem
TLSCertificateKeyFile /etc/openldap/CERTS/serverkey.pem
database ldbm
suffix "dc=my-domain,dc=com"
rootdn "cn=Manager,dc=my-domain,dc=com"
directory /var/lib/ldap
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
--------------------------------------------------------------
Started the LDAP server with:
1. /usr/sbin/slapd -f /etc/openldap/slapd.conf -d 127 -h ldaps:/// &
2. netstat shows that the server is listening on port 636:
netstat -antp | grep slapd
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 14512/slapd
When I executed the following command on the same server machine (Linux host):
ldapsearch -ZZ "CERTS/cacert.pem" -h 192.168.6.146 -p 636 -b "dc=my-domain,dc=com" -d 127
it gave the error logs below:
# ldapsearch -ZZ "CERTS/cacert.pem" -h 192.168.6.146 -p 636 -b "dc=my-domain,dc=com" -d 127
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: 192.168.6.146
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.6.146:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 31 bytes to sd 3
0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1
0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037
ldap_write: want=31, written=31
0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1
0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: 192.168.6.146 port: 636 (default)
refcnt: 2 status: Connected
last used: Wed Jan 16 22:11:12 2008
** Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** Response Queue:
Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
do_ldap_select
read1msg: msgid 1, all 1
ber_get_next
ldap_read: want=1, got=0
ber_get_next failed.
ldap_perror
ldap_start_tls: Can't contact LDAP server
TRIAL 2
Start server with start_ssl
1. /usr/sbin/slapd -f /etc/openldap/slapd.conf -d 127 start_ssl &
Here netstat shows that the server is listening on 389 and not 636:
# netstat -antp | grep slapd
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 14529/slapd
When I executed the following command on the same Linux host (where the server is running):
2. # ldapsearch -Z "CERTS/cacert.pem" -h 192.168.6.146 -p 389 -b "dc=my-domain,dc=com" -d 5
it gave:
ldap_msgfree
ldap_interactive_sasl_bind_s: server supports: GSSAPI PLAIN LOGIN
ldap_int_sasl_bind: GSSAPI PLAIN LOGIN
ldap_perror
ldap_sasl_interactive_bind_s: Local error
[root@tb01-03-dp02 openldap]# ldaps
Thanks, Digambar
On Jan 16, 2008 7:09 PM, Chris G. Sellers chris.sellers@nitle.org wrote:
[...]
For your Trial 1, it looks like you are trying to start a TLS connection on port 636. I am not sure how that works, as it may expect the old SSL (someone help me here).
Your Trial 2 is a SASL error, I think. What happens if you add -x to your ldapsearch and make your connection simple auth instead of SASL?
Sellers
On Jan 16, 2008, at 9:06 AM, Digambar Sawant wrote:
[...]
On Wednesday 16 January 2008 16:06:38 Digambar Sawant wrote:
Problem Definition:
I have the following sets of files on a Linux host where my server is running. Again, I am trying the ldapsearch command on the same Linux machine.
Certificate files on the server machine:
ls -l /etc/openldap/CERTS/
-rwxrwxrwx 1 root root 1265 Jan 16 18:04 cacert.pem
-rwxrwxrwx 1 root root 3604 Jan 16 18:05 servercrt.pem
-rwxrwxrwx 1 root root 1664 Jan 16 18:05 serverkey.pem
cat /etc/openldap/ldap.conf:
HOST 127.0.0.1
You can save typing by setting this, or URI, correctly.
PORT 636
This isn't going to do much for you ^^^. You may rather want to set URI. Please see the man page ('man ldap.conf').
TLS_CACERTDIR /etc/openldap/CERTS/
TLS_CACERT /etc/openldap/CERTS/cacert.pem
I would recommend you use only one of the above two options, to reduce confusion.
TLS_REQCERT demand
BASE dc=example,dc=com
[...]
TLSCACertificateFile /etc/openldap/CERTS/cacert.pem
TLSCertificateFile /etc/openldap/CERTS/servercrt.pem
TLSCertificateKeyFile /etc/openldap/CERTS/serverkey.pem
[...]
database ldbm
Bad idea ^^^.
suffix "dc=my-domain,dc=com"
rootdn "cn=Manager,dc=my-domain,dc=com"
directory /var/lib/ldap
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
[...]
Started the LDAP server with:
- /usr/sbin/slapd -f /etc/openldap/slapd.conf -d 127 -h ldaps:/// &
- netstat shows that the server is listening on port 636
netstat -antp | grep slapd
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 14512/slapd
When I executed the following command on the same server machine (Linux host):
ldapsearch -ZZ "CERTS/cacert.pem" -h 192.168.6.146 -p 636 -b "dc=my-domain,dc=com" -d 127
1) Under your current configuration, this requires that the server has a certificate with subject CN=192.168.6.146, or that this IP is in the subjectAltName extension of the certificate. If, instead, there is a hostname as the CN, then you should use the hostname wherever you specify a connection, and ensure your name resolution takes care of connecting to the correct IP address.
Please show the output from:
$ openssl x509 -noout -subject -in /etc/openldap/CERTS/servercrt.pem
It should match whatever you use after -h or -H ldaps://
2) You shouldn't use -Z (or -ZZ) on a port already running SSL/TLS. Instead use an ldaps URI (-H ldaps://name.on.cert).
3) "CERTS/cacert.pem" must be removed; you can't specify any certificate filenames via command-line options.
It gave error logs as below:
# ldapsearch -ZZ "CERTS/cacert.pem" -h 192.168.6.146 -p 636 -b "dc=my-domain,dc=com" -d 127
ldap_start_tls: Can't contact LDAP server
This is the correct behaviour ...
TRIAL 2
Start server with start_ssl
- /usr/sbin/slapd -f /etc/openldap/slapd.conf -d 127 start_ssl &
?????
There should be no start_ssl in your command line. If slapd has been configured with SSL certificates correctly, starting it up without any specific options will enable START_TLS.
Here netstat shows that the server is listening on 389 and not 636
# netstat -antp | grep slapd
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 14529/slapd
You can have both in fact ... but listening on 389 does not confirm the START_TLS is configured correctly.
When I executed the following command on the same Linux host (where the server is running):
- # ldapsearch -Z "CERTS/cacert.pem" -h 192.168.6.146 -p 389 -b "dc=my-domain,dc=com" -d 5
1) Same issue as above with the certificate's subjectDN and hostname etc.
2) Same issue regarding "CERTS/cacert.pem".
ldap_interactive_sasl_bind_s: server supports: GSSAPI PLAIN LOGIN
ldap_int_sasl_bind: GSSAPI PLAIN LOGIN
ldap_perror
ldap_sasl_interactive_bind_s: Local error
[root@tb01-03-dp02 openldap]# ldaps
You forgot -x.
Regards, Buchan
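As an added example that is not part of the thread, the following decodes the 31 bytes that ber_flush wrote to the socket in Trial 1 and shows why Buchan calls the failure correct behaviour: the client sent a cleartext StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037) to the ldaps listener on 636, which closed the connection (ldap_read got=0). The bytes and port come from the trace, the tag and OID tables from RFC 4511; nothing else is assumed.

```python
# Bytes copied from the "ber_flush: 31 bytes to sd 3" dump in the Trial 1 trace.
STARTTLS_REQUEST = bytes.fromhex(
    "30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 "
    "2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37"
)

# LDAPMessage protocolOp tags ([APPLICATION n], constructed) handled here.
PROTOCOL_OPS = {0x60: "BindRequest", 0x63: "SearchRequest", 0x77: "ExtendedRequest"}
# Extended-operation OID for StartTLS (RFC 4511 section 4.14).
EXTENDED_OPS = {"1.3.6.1.4.1.1466.20037": "StartTLS"}


def read_tlv(buf, pos):
    """Parse one BER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def decode_ldap_message(buf):
    """Return messageID, protocolOp name and, for an ExtendedRequest, its requestName OID."""
    tag, body, end = read_tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("not a single LDAPMessage SEQUENCE")
    tag, msgid, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("messageID must be an INTEGER")
    op_tag, op_body, _ = read_tlv(body, pos)
    result = {
        "message_id": int.from_bytes(msgid, "big", signed=True),
        "protocol_op": PROTOCOL_OPS.get(op_tag, "unknown tag 0x%02x" % op_tag),
    }
    if op_tag == 0x77:                     # ExtendedRequest ::= { [0] requestName, [1] requestValue OPTIONAL }
        tag, oid, _ = read_tlv(op_body, 0)
        if tag != 0x80:
            raise ValueError("ExtendedRequest must start with [0] requestName")
        result["request_name"] = oid.decode("ascii")
        result["extended_op"] = EXTENDED_OPS.get(result["request_name"], "unknown")
    return result


def explain_trace(buf, port):
    """Name the Trial 1 failure mode: a cleartext StartTLS request on the ldaps port."""
    msg = decode_ldap_message(buf)
    if msg.get("extended_op") == "StartTLS" and port == 636:
        return ("cleartext StartTLS request sent to ldaps port 636: the TLS listener "
                "expects a ClientHello, closes the socket (ldap_read got=0), and the "
                "client reports 'Can't contact LDAP server'; use ldaps:// on 636 or "
                "StartTLS on 389")
    return "%s on port %d: nothing obviously wrong at the LDAP layer" % (msg["protocol_op"], port)


if __name__ == "__main__":
    print(decode_ldap_message(STARTTLS_REQUEST))
    print(explain_trace(STARTTLS_REQUEST, 636))
```

The same reasoning applies to the C program in the thread: ldap_start_tls_s belongs on a plain ldap:// connection (port 389), while the ldaps listener on 636 is reached by passing an ldaps:// URI to ldap_initialize.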
Dear Buchan,
Thanks for helping me.
Here is what I tried, and it worked. During certificate creation, I used the IP address instead of the hostname. That is why the output of the following command shows the IP address, i.e. 192.168.4.146:
$ openssl x509 -noout -subject -in /etc/openldap/CERTS/servercrt.pem
Everything worked properly when I tried the following command:
$ ldapsearch -x -H ldaps://192.168.4.146:636 -b "dc=my-domain, dc=com"
However, this is one option. I don't know why it is failing for the other option, i.e.
1. ldap_init
2. set ldap options
3. start_tls
All this is done in a C program. The error says "Can't contact LDAP server".
Thanks, Digambar
On 1/17/08, Buchan Milne bgmilne@staff.telkomsa.net wrote:
[...]
Digambar Sawant wrote:
[...]
However, this is one option. I don't know why it is failing for the other option, i.e.
- ldap_init
- set ldap options
- start_tls
All this is done in a C program. The error says "Can't contact LDAP server".
Got any code to show us?
openldap-software@openldap.org