LDAP clients fail to connect with SSL enabled
I am attempting to setup SSL/TLS support on my openLDAP 2.4 server on FreeBSD.
LBSD2# pkg_info | grep openldap openldap-sasl-client-2.4.23 Open source LDAP client implementation with SASL2 support openldap-sasl-server-2.4.23 Open source LDAP server implementation
I put my cert file, key file and CA certfile in a directory called /usr/local/etc/openldap/cacerts
Here's how it looks:
[root@LBSD2:/usr/local/etc/openldap/cacerts]#ls -l total 48 dr--r----- 2 root ldap 512 Nov 21 17:12 bak -r--r----- 1 root ldap 1960 Nov 21 07:05 bsd2.summitnjhome.com.crt -r--r----- 1 root ldap 4604 Nov 21 17:16 gd_bundle.crt -r--r----- 1 root ldap 4689 Nov 21 18:59 sf_bundle.crt -r--r----- 1 root ldap 1537 Nov 21 17:16 sf_issuing.crt -r--r----- 1 root ldap 1090 Nov 21 12:29 slapd.csr -r--r----- 1 root ldap 1743 Nov 21 12:26 slapd.key -r--r----- 1 root ldap 1675 Nov 21 17:25 slapd.pem
My cert flie is a GoDaddy turbo-ssl certfile named bsd2.summitnjhome.com.crt. slapd.key is the key file and slapd.pem is the same thing only with the password removed.
I'm a little unsure of which CA file to use but I think that sf_issuing.crt _should_ work as this is the CA file that I used to setup a similar SSL enabled LDAP server for a client recently. Although I have tried all three CA files in this directory: (gd_bundle.crt, sf_bundle.crt, and sf_issuing.crt).
I put the various cert/key files into my slapd.conf file like this:
LBSD2# cat slapd.conf | grep -i tls ## TLS options for slapd TLSCipherSuite HIGH:MEDIUM:+SSLv2 TLSCertificateFile /usr/local/etc/openldap/cacerts/bsd2.summitnjhome.com.crt TLSCertificateKeyFile /usr/local/etc/openldap/cacerts/slapd.pem TLSCACertificateFile /usr/local/etc/openldap/cacerts/sf_issuing.crt
Slapd restarts cleanly!
LBSD2# /usr/local/etc/rc.d/slapd restart Stopping slapd. Waiting for PIDS: 81924. Starting slapd.
Then I attempt to setup a virtual instance of CentOS 5.5 on the client side and that's where things fall apart...I attempt to ssh to localhost as an LDAP account:
[root@VIRTCENT08:/etc/openldap/cacerts]#ssh bluethundr@localhost
[...tectonic plates drift, careers begin and end, babies learn to walk, talk and grow to adulthood..]
Connection closed by 127.0.0.1
[root@VIRTCENT08:/etc/openldap/cacerts]#getent passwd | grep ldapAccount [same interminable wait as above]
This is what my /etc/ldap.conf file looks like on the client:
[root@VIRTCENT08:/etc/openldap/cacerts]#cat /etc/ldap.conf # Your LDAP server. Must be resolvable without using LDAP. # Multiple hosts may be specified, each separated by a # space. How long nss_ldap takes to failover depends on # whether your LDAP client library supports configurable # network or connect timeouts (see bind_timelimit). #host 127.0.0.1 # The distinguished name of the search base. base dc=summitnjhome,dc=com # stored in /etc/ldap.secret (mode 600) #rootbinddn cn=manager,dc=example,dc=com # The port. # Optional: default is 389. #port 389 # Search timelimit #timelimit 30 timelimit 120 # Bind/connect timelimit #bind_timelimit 30 bind_timelimit 120 # Idle timelimit; client will close connections # (nss_ldap only) if the server has not been contacted # for the number of seconds specified below. #idle_timelimit 3600 idle_timelimit 3600 # Netscape SDK LDAPS #ssl on # Netscape SDK SSL options #sslpath /etc/ssl/certs # OpenLDAP SSL mechanism # start_tls mechanism uses the normal LDAP port, LDAPS typically 636 #ssl start_tls #ssl on # OpenLDAP SSL options # Require and verify server certificate (yes/no) # Default is to use libldap's default behavior, which can be configured in # /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for # OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes". #tls_checkpeer yes # CA certificates for server certificate verification # At least one of these are required if tls_checkpeer is "yes" #tls_cacertfile /etc/ssl/ca.cert #tls_cacertdir /etc/ssl/certs # SSL cipher suite # See man ciphers for syntax #tls_ciphers TLSv1 # Client certificate and key # Use these, if your server requires client authentication. #tls_cert #tls_key # SASL mechanism for PAM authentication - use is experimental # at present and does not support password policy control uri ldap://ldap.summitnjhome.com/ ssl start_tls tls_cacertdir /etc/openldap/cacerts pam_password crypt
This is how my nsswitch on the client side is setup:
passwd: files ldap shadow: files ldap group: files ldap
And here is the cert dir on my CentOS client:
[root@VIRTCENT08:/etc/openldap/cacerts]#ls -l total 72 lrwxrwxrwx 1 root root 13 Nov 21 09:44 97552d04.0 -> gd_bundle.crt lrwxrwxrwx 1 root root 14 Nov 21 09:44 b737b221.0 -> sf_issuing.crt dr--r--r-- 2 root root 4096 Nov 21 2010 bak -r--r--r-- 1 root root 1960 Nov 21 07:05 bsd2.summitnjhome.com.crt lrwxrwxrwx 1 root root 25 Nov 21 09:44 c75be861.0 -> bsd2.summitnjhome.com.crt -r--r--r-- 1 root root 4604 Nov 21 2010 gd_bundle.crt -r--r--r-- 1 root root 1537 Nov 21 2010 sf_issuing.crt -r--r--r-- 1 root root 1090 Nov 21 12:29 slapd.csr -r--r--r-- 1 root root 1743 Nov 21 12:26 slapd.key -r--r--r-- 1 root root 1675 Nov 21 2010 slapd.pem
Back on the server side there is a lot of activity in the ldap logs (here is an excerpt)
Nov 21 20:21:38 LBSD2 slapd[81972]: daemon: read activity on 11 Nov 21 20:21:38 LBSD2 slapd[81972]: daemon: select: listen=6 active_threads=0 tvp=NULL Nov 21 20:21:38 LBSD2 slapd[81972]: daemon: select: listen=7 active_threads=0 tvp=NULL Nov 21 20:21:38 LBSD2 slapd[81972]: connection_read(11): input error=-2 id=1017, closing. Nov 21 20:21:38 LBSD2 slapd[81972]: connection_closing: readying conn=1017 sd=11 for close Nov 21 20:21:38 LBSD2 slapd[81972]: daemon: activity on 1 descriptor
I've encloses a more complete log file as an attachment.
I then try to show the CA files with an openssl command.
First with sf_issuing.crt -
slapd.conf:
TLSCACertificateFile /usr/local/etc/openldap/cacerts/sf_issuing.crt
On the client:
[root@VIRTCENT08:/etc/openldap/cacerts]#openssl s_client -connect ldap.summitnjhome.com:389 -showcerts -CAfile sf_issuing.crt CONNECTED(00000003) 3143:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188
Next with sf_bundle.crt -
slapd.conf:
TLSCACertificateFile /usr/local/etc/openldap/cacerts/sf_bundle.crt
[root@VIRTCENT08:/etc/openldap/cacerts]#openssl s_client -connect ldap.summitnjhome.com:389 -showcerts -CAfile sf_bundle.crt 3149:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('sf_bundle.crt','r') 3149:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125: 3149:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:279: CONNECTED(00000003) 3149:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
Next with gd_bundle.crt -
TLSCACertificateFile /usr/local/etc/openldap/cacerts/gd_bundle.crt
[root@VIRTCENT08:/etc/openldap/cacerts]#openssl s_client -connect ldap.summitnjhome.com:389 -showcerts -CAfile gd_bundle.crt CONNECTED(00000003) 3156:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
Disabling TLS on the client side authentication works again!
[root@VIRTCENT08:/etc/openldap/cacerts]#ssh bluethundr@localhost bluethundr@localhost's password: Last login: Sun Nov 21 09:41:34 2010 from 192.168.1.50 ######################################################### # SUMMITNJHOME.COM # # TITLE: VIRTCENT08 BOX # # LOCATION: SUMMIT BASEMENT # # # #########################################################
Any thought on how to resolve the current situation would be most appreciated! ;)