Dieter Kluenter wrote:
Hello Sebastian,
Sebastian Reinhardt snr@lmv-hartmannsdorf.de writes:
Dieter Kluenter wrote:
Sebastian Reinhardt snr@lmv-hartmannsdorf.de writes:
Hello,
I have configured an openSUSE 11.0 (x86_64) with openldap server. Also the TLS is activated. All clients are set to "TLS_REQCERT demand" and it is working. Then I created client certificates by using the server's YaST2 CA management. I copied the client certificates and also the server's "cacert" into the "/etc/openldap/" directory on the client computer. With "TLSVerifyClient allow" clients can login, but if I activate the "TLSVerifyClient demand" option in the server's slapd.conf no user can perform a login and it causes errors in /var/log/messages:
[...]
What is wrong? The client's certificate "common name" is set to the client's hostname. Is this ok?
Clients don't read slapd.conf(5) but only ldap.conf(5), run slapd with debug level 3 to analyse the tls session.
-Dieter
Hello Dieter,
Now I have set the loglevel to "3" and I get the following output if I try to login (still fails):
loglevel is != debug level, man slapd(8), run slapd -d3
-------------------/var/log/messages---------------------------------------------------------------------
[...]
Feb 25 16:41:49 lmvserver kdm: :0[11544]: nss_ldap: could not search LDAP server - Server is unavailable
[...]
Feb 25 16:41:49 lmvserver kdm: :0[11544]: pam_ldap: ldap_starttls_s: Connect error
-------------------/var/log/messages---------------------------------------------------------------------
I am not sure if this is a configuration or certificate error. Do you understand this output above?
The clients are nss_ldap and pam_ldap, check the clients configuration for starttls parameters. With debug level 3 you should see something like
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
tls_write: want=1931, written=1931
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL3 alert write:warning:close notify
-Dieter
Sorry. I had not configured the pam_ldap (/etc/ldap.conf) config file properly. The certificate entries were missing.
Here is my /etc/ldap.conf:
-------------------/etc/ldap.conf-------------------------------------------
host 127.0.0.1
base dc=lmv,dc=lmv
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
#ldap_version 3
#binddn cn=proxyuser,dc=example,dc=com
#bindpw secret
rootbinddn cn=ldaproot,dc=lmv,dc=lmv
port 389
scope sub
scope one
scope base
#timelimit 30
#bind_timelimit 30
bind_policy soft
#nss_connect_policy persist
#idle_timelimit 3600
#nss_paged_results yes
#pagesize 1000
#pam_filter objectclass=account
#pam_login_attribute uid
pam_lookup_policy yes
#pam_check_host_attr yes
#pam_check_service_attr yes
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
#pam_member_attribute uniquemember
#pam_min_uid 0
#pam_max_uid 0
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody
#pam_password clear
#pam_password crypt
#pam_password nds
#pam_password racf
#pam_password ad
pam_password crypt
#pam_password_prohibit_message Please visit http://internal to change your password.
#nss_initgroups backlink
nss_initgroups_ignoreusers root,ldap
#nss_schema rfc2307bis
nss_schema nis
nss_base_passwd ou=users,dc=lmv,dc=lmv
nss_base_shadow ou=users,dc=lmv,dc=lmv
nss_base_group ou=groups,dc=lmv,dc=lmv
nss_base_hosts ou=hosts,dc=lmv,dc=lmv
#nss_base_services ou=Services,dc=example,dc=com?one
#nss_base_networks ou=Networks,dc=example,dc=com?one
#nss_base_protocols ou=Protocols,dc=example,dc=com?one
#nss_base_rpc ou=Rpc,dc=example,dc=com?one
#nss_base_ethers ou=Ethers,dc=example,dc=com?one
#nss_base_netmasks ou=Networks,dc=example,dc=com?ne
#nss_base_bootparams ou=Ethers,dc=example,dc=com?one
#nss_base_aliases ou=Aliases,dc=example,dc=com?one
#nss_base_netgroup ou=Netgroup,dc=example,dc=com?one
#nss_map_attribute rfc2307attribute mapped_attribute
#nss_map_objectclass rfc2307objectclass mapped_objectclass
nss_map_attribute uniqueMember member
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount User
#nss_map_attribute uid msSFU30Name
#nss_map_attribute uniqueMember msSFU30PosixMember
#nss_map_attribute userPassword msSFU30Password
#nss_map_attribute homeDirectory msSFU30HomeDirectory
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFU30Name
#pam_filter objectclass=User
#pam_password ad
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad
#nss_map_objectclass posixAccount user
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup group
#nss_map_attribute uniqueMember member
#pam_login_attribute sAMAccountName
#pam_filter objectclass=User
#pam_password ad
#nss_map_attribute userPassword authPassword
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear
#nss_map_objectclass automountMap nisMap
#nss_map_attribute automountMapName nisMapName
#nss_map_objectclass automount nisObject
#nss_map_attribute automountKey cn
#nss_map_attribute automountInformation nisMapEntry
#ssl on
sslpath /etc/openldap/
ssl start_tls
ldap_version 3
pam_filter objectclass=posixAccount
nss_base_passwd ou=users,dc=lmv,dc=lmv
nss_base_shadow ou=users,dc=lmv,dc=lmv
nss_base_group ou=groups,dc=lmv,dc=lmv
tls_checkpeer yes
#ssl on
tls_cacertfile /etc/openldap/cacert.pem
tls_cacertdir /etc/openldap/
#tls_randfile /var/run/egd-pool
#tls_ciphers TLSv1
tls_cert /etc/openldap/clientcert_201.pem
tls_key /etc/openldap/clientkey_201.pem
#sasl_secprops maxssf=0
#krb5_ccname FILE:/etc/.ldapcache
-------------------/etc/ldap.conf-------------------------------------------
And also my /etc/openldap/ldap.conf:
-------------------/etc/openldap/ldap.conf-----------------------------
TLS_CACERT /etc/openldap/cacert.pem
TLS_CERT /etc/openldap/clientcert_201.pem
TLS_KEY /etc/openldap/clientkey_201.pem
TLS_REQCERT demand
host 127.0.0.1
base dc=lmv,dc=lmv
-------------------/etc/openldap/ldap.conf-----------------------------
-------------------/etc/nsswitch.conf-------------------------------------
passwd: compat
group: files ldap
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files dns
services: files ldap
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files ldap
publickey: files
bootparams: files
automount: files nis
aliases: files ldap
passwd_compat: ldap
-------------------/etc/nsswitch.conf-------------------------------------
Now I have started with "-d 3" and I get some output:
--------------------------------------------------------------------------------------------
slap_listener_activate(8):
slap_listener(ldap://)
connection_get(13): got connid=32
connection_read(13): checking for input on id=32
ber_get_next
ldap_read: want=8, got=8
  0000:  30 1d 02 01 01 77 18 80                            0....w..
ldap_read: want=23, got=23
  0000:  16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36   .1.3.6.1.4.1.146
  0010:  36 2e 32 30 30 33 37                               6.20037
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
conn=32 op=0 do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush2: 14 bytes to sd 13
  0000:  30 0c 02 01 01 78 07 0a 01 00 04 00 04 00         0....x........
ldap_write: want=14, written=14
  0000:  30 0c 02 01 01 78 07 0a 01 00 04 00 04 00         0....x........
slap_listener_activate(8):
connection_get(13): got connid=32
connection_read(13): checking for input on id=32
slap_listener(ldap://)
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=7
  0000:  30 05 02 01 02 42 00                               0....B.
tls_read: want=4, got=0
TLS: can't accept.
connection_read(13): TLS accept failure error=-1 id=32, closing
connection_closing: readying conn=32 sd=13 for close
connection_close: conn=32 sd=13
connection_get(14): got connid=33
connection_read(14): checking for input on id=33
ber_get_next
ldap_read: want=8, got=8
  0000:  30 1d 02 01 01 77 18 80                            0....w..
ldap_read: want=23, got=23
  0000:  16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36   .1.3.6.1.4.1.146
  0010:  36 2e 32 30 30 33 37                               6.20037
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
conn=33 op=0 do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush2: 14 bytes to sd 14
  0000:  30 0c 02 01 01 78 07 0a 01 00 04 00 04 00         0....x........
ldap_write: want=14, written=14
  0000:  30 0c 02 01 01 78 07 0a 01 00 04 00 04 00         0....x........
connection_get(14): got connid=33
connection_read(14): checking for input on id=33
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=7
  0000:  30 05 02 01 02 42 00                               0....B.
tls_read: want=4, got=0
TLS: can't accept.
connection_read(14): TLS accept failure error=-1 id=33, closing
connection_closing: readying conn=33 sd=14 for close
connection_close: conn=33 sd=14
slap_listener_activate(8):
slap_listener(ldap://)
connection_get(13): got connid=34
connection_read(13): checking for input on id=34
ber_get_next
ldap_read: want=8, got=8
  0000:  30 1d 02 01 01 77 18 80                            0....w..
ldap_read: want=23, got=23
  0000:  16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36   .1.3.6.1.4.1.146
  0010:  36 2e 32 30 30 33 37                               6.20037
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
conn=34 op=0 do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush2: 14 bytes to sd 13
  0000:  30 0c 02 01 01 78 07 0a 01 00 04 00 04 00         0....x........
ldap_write: want=14, written=14
  0000:  30 0c 02 01 01 78 07 0a 01 00 04 00 04 00         0....x........
connection_get(13): got connid=34
connection_read(13): checking for input on id=34
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=7
  0000:  30 05 02 01 02 42 00                               0....B.
tls_read: want=4, got=0
TLS: can't accept.
connection_read(13): TLS accept failure error=-1 id=34, closing
connection_closing: readying conn=34 sd=13 for close
connection_close: conn=34 sd=13
--------------------------------------------------------------------------------------------
What is wrong? The certificate is not accepted? Is the certificate not ok?
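The three byte strings in the -d 3 trace above answer the question once they are decoded. What follows is an added example, not code from the thread or from OpenLDAP: a minimal BER decoder for the LDAPMessage envelope, fed the hex exactly as slapd printed it (the client's request, the server's reply, and the 7 bytes slapd read where it expected the start of a TLS handshake).

```python
LDAP_OPS = {2: "UnbindRequest", 23: "ExtendedRequest", 24: "ExtendedResponse"}
START_TLS_OID = "1.3.6.1.4.1.1466.20037"  # requestName the client sent in the trace


def _tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the BER TLV at pos; short-form lengths only."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not handled")
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length


def decode_ldap_message(raw):
    """Describe one LDAPMessage as a dict with msgid, op and op-specific fields."""
    tag, body, _ = _tlv(raw)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, msgid, pos = _tlv(body)
    if tag != 0x02:
        raise ValueError("messageID INTEGER missing")
    op_tag, op_body, _ = _tlv(body, pos)
    op_num = op_tag & 0x1F  # APPLICATION class tag: operation number in the low 5 bits
    info = {"msgid": int.from_bytes(msgid, "big"), "op": LDAP_OPS.get(op_num, f"op{op_num}")}
    if op_num == 23:  # ExtendedRequest: first element is [0] requestName (an OID string)
        info["oid"] = _tlv(op_body)[1].decode("ascii")
        info["starttls"] = info["oid"] == START_TLS_OID
    elif op_num == 24:  # ExtendedResponse: first element is ENUMERATED resultCode
        info["result_code"] = int.from_bytes(_tlv(op_body)[1], "big")
    return info


def looks_like_tls_record(raw):
    """True if raw starts with a TLS record header: content type 20..23, major version 3."""
    return len(raw) >= 3 and 20 <= raw[0] <= 23 and raw[1] == 0x03


def diagnose(request, reply, next_bytes):
    """Explain what the client sent after slapd answered the StartTLS request."""
    req, rep = decode_ldap_message(request), decode_ldap_message(reply)
    if not (req.get("starttls") and rep.get("result_code") == 0):
        return "not a successful StartTLS exchange"
    if looks_like_tls_record(next_bytes):
        return "client started the TLS handshake as expected"
    nxt = decode_ldap_message(next_bytes)
    return f"client sent LDAP {nxt['op']} (msgid {nxt['msgid']}) instead of a TLS ClientHello"


# Hex copied from the -d 3 trace: what slapd read, what it wrote, and what it read next.
CLIENT_REQUEST = bytes.fromhex("301d020101771880" "16312e332e362e312e342e312e313436" "362e3230303337")
SERVER_REPLY = bytes.fromhex("300c02010178070a010004000400")
NEXT_FROM_CLIENT = bytes.fromhex("30050201024200")

if __name__ == "__main__":
    print(diagnose(CLIENT_REQUEST, SERVER_REPLY, NEXT_FROM_CLIENT))
```

The 7 bytes slapd read after answering StartTLS with success decode as an LDAP UnbindRequest (messageID 2), not a TLS record, so the client library gave up before ever sending a ClientHello. slapd therefore never saw a client certificate to accept or reject; the failure is on the client side of the StartTLS setup, which is where the pam_ldap "ldap_starttls_s: Connect error" in /var/log/messages also points.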