OK... So I think I made some progress on this issue.
Here is my /etc/ldap.conf file:
cat /etc/ldap.conf
#host 127.0.0.1
base cn=users,dc=testing,dc=com
uri ldaps://localhost
binddn cn=manager,dc=testing,dc=com
bindpw password
scope sub
timelimit 120
bind_policy soft
bind_timelimit 120
idle_timelimit 3600
ssl on
tls_cacert /etc/openldap/cacerts/ca.key
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer no
tls_reqcert allow
nss_base_group cn=groups,dc=testing,dc=com?sub
pam_password md5
When I use "tcpdump" to actually view the packets, everything appears to be encrypted, and I get the results I am looking for when I issue the "getent passwd" command. However, when I change "tls_checkpeer" to "yes" or comment it out of the config, I do not get the expected results from 'getent passwd'. Also, here is the output from the ldapsearch debug:
ldapsearch -d1 -x -H ldaps://localhost:636/
ldap_create
ldap_url_parse_ext(ldaps://localhost:636/)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 18, subject: /C=US/ST=Pennsylvania/L=King of Prussia/O=MavenWire, LLC/OU=Support/CN=testing.com/emailAddress=mw-hosting-sysadmin@testing.com, issuer: /C=US/ST=Pennsylvania/L=King of Prussia/O=MavenWire, LLC/OU=Support/CN=testing.com/emailAddress=mw-hosting-sysadmin@testing.com
TLS certificate verification: Error, self signed certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
When I issue a search using just ldap://localhost it works, but the data is not encrypted. How does it encrypt the data if it can't verify the certificate?
-Lynn
-----Original Message----- From: Howard Chu [mailto:hyc@symas.com] Sent: Monday, April 12, 2010 2:09 PM To: Chris Jacobs Cc: 'lynn.york@mavenwire.com'; 'openldap-technical@openldap.org' Subject: Re: Problem with SSL/TLS
Chris Jacobs wrote:
> /etc/ldap.conf is used by nss tools and the ilk.
> /etc/openldap/ldap.conf would be used by openldap tools - like ldapsearch.
Actually it's used by libldap, which means everything that uses libldap (including nss_ldap). But of course the converse is not true, /etc/ldap.conf only affects nss_ldap and pam_ldap, not anything else.
> I have the same setting there for tls_checkpeer - but in the latter ldap.conf (under openldap).
tls_checkpeer is not a valid OpenLDAP ldap.conf keyword.
> FWIW: there's apparently no real difference in format between the two files; while one would only be set up on ldap servers, mine are identical and things work with a
If they are identical and things work, it's by sheer luck. Read the ldap.conf(5) manpage. Relying on anything not documented there would be a mistake.
To the original poster: use the ldapsearch debug flag. OpenSSL s_client is not a reliable indicator of anything.
> mirror master, both set up behind a VIP (fail over, not load balanced) and a plethora of slaves in different subdomains.
> - chris
> PS: I'd forgotten to 'reply-to-all' earlier. :)
> Chris Jacobs, Systems Administrator
> Apollo Group | Apollo Marketing | Aptimus
> 2001 6th Ave Ste 3200 | Seattle, WA 98121
> phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661
> email: chris.jacobs@apollogrp.edu
*From*: Lynn York *To*: Chris Jacobs *Sent*: Mon Apr 12 10:29:19 2010 *Subject*: RE: Problem with SSL/TLS
Here is my /etc/ldap.conf:
#host 127.0.0.1
base cn=users,dc=testing,dc=com
uri ldap://localhost:636
binddn cn=manager,dc=testing,dc=com
bindpw password
scope sub
timelimit 120
bind_policy soft
bind_timelimit 120
idle_timelimit 3600
ssl on
tls_cacert /etc/openldap/cacerts/servercrt.pem
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer no
nss_base_group cn=groups,dc=testing,dc=com?sub
pam_password md5
I have tried it with and without "tls_checkpeer". I am sort of at a loss as to what it can be. I also tested it using the openssl client, and here is the output:
*From*: openldap-technical-bounces+chris.jacobs=apollogrp.edu@OpenLDAP.org *To*: openldap-technical@openldap.org *Sent*: Mon Apr 12 08:13:39 2010 *Subject*: Problem with SSL/TLS
I have created a cert on the server and openldap starts without any issues; however, when I attempt to connect via ldaps I keep getting the following error:
ldapsearch -x -H ldaps://localhost:636 -D "cn=Manager,dc=testing,dc=com" -W -b "dc=testing,dc=com" "(objectClass=top)"
Enter LDAP Password:
ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I can't quite pinpoint what the problem might be.
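Editor's note: the ldapsearch trace above reports X509 verify error 18 (X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, "self signed certificate"), which is what OpenSSL returns when the peer presents a self-signed certificate that is not itself in the configured trust store. The script below is an added example, not code from the thread or from the OpenLDAP project: it generates throwaway self-signed certificates with placeholder names and runs the same chain check that libldap performs, against three trust anchors: the server certificate itself, a private key file (the shape of the `tls_cacert /etc/openldap/cacerts/ca.key` line in the posted config), and an unrelated self-signed certificate. It assumes only that openssl(1) is on PATH.

```shell
#!/bin/sh
# Added example (not from the thread). Reproduces OpenSSL verify error 18
# ("self signed certificate") from the ldapsearch trace and shows which
# trust-anchor file makes it go away. Requires openssl(1) on PATH.
# All certificates are generated here with placeholder names; nothing below
# is the poster's real key, certificate or configuration.

set -u

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_selfsigned CN KEYFILE CERTFILE: one self-signed certificate, the kind
# slapd serves when no CA signed it (subject == issuer, as in the trace).
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=US/O=Example/CN=$1" -keyout "$2" -out "$3" >/dev/null 2>&1
}

SERVER_KEY="$WORK/ca.key"          # a private key, mirroring the tls_cacert path in the thread
SERVER_CERT="$WORK/servercrt.pem"  # the certificate the server actually presents
OTHER_CERT="$WORK/unrelated.pem"   # a different self-signed cert: a wrong anchor

make_selfsigned testing.com "$SERVER_KEY" "$SERVER_CERT"
make_selfsigned other.example "$WORK/unrelated.key" "$OTHER_CERT"

# verify_with CAFILE: exit 0 if OpenSSL trusts the server certificate with
# CAFILE as the configured trust anchor, non-zero otherwise. This is the
# chain check a TLS client performs before it will complete the handshake.
verify_with() {
    openssl verify -CAfile "$1" "$SERVER_CERT" >/dev/null 2>&1
}

# error_code_for CAFILE: the X509 verify error number OpenSSL reports for
# the depth-0 certificate with CAFILE as anchor; empty on success, and also
# empty when CAFILE could not even be loaded as a certificate file.
error_code_for() {
    openssl verify -CAfile "$1" "$SERVER_CERT" 2>&1 \
        | sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup.*/\1/p' \
        | head -n 1
}

# Stand-alone demo: the three anchors discussed in the thread.
for anchor in "$SERVER_CERT" "$SERVER_KEY" "$OTHER_CERT"; do
    if verify_with "$anchor"; then
        echo "anchor=$(basename "$anchor"): OK"
    else
        code="$(error_code_for "$anchor")"
        echo "anchor=$(basename "$anchor"): FAILED (verify error ${code:-none; file holds no certificate})"
    fi
done
```

Only the first case passes: a self-signed server certificate verifies only when that same certificate is the trust anchor. Pointing the anchor setting at the private key fails outright (the file contains no certificate to trust), and any other certificate fails with error 18, the number in the trace. For the OpenLDAP tools the relevant keywords in /etc/openldap/ldap.conf are TLS_CACERT (or TLS_CACERTDIR) and TLS_REQCERT, per ldap.conf(5); the nss_ldap settings in /etc/ldap.conf, including tls_checkpeer, are not read by ldapsearch, as the reply above states.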