Dieter Kluenter wrote:
Hello Sebastian,
Sebastian Reinhardt <snr(a)lmv-hartmannsdorf.de> writes:
> Dieter Kluenter wrote:
>
>> Sebastian Reinhardt <snr(a)lmv-hartmannsdorf.de> writes:
>>
>>
>>
>>> Hello,
>>>
>>> I have configured an openSUSE 11.0 (x86_64) with openldap server. Also
>>> the TLS is activated. All clients are set to "TLS_REQCERT demand"
>>> and it is working.
>>> Then I created client certificates by using the server's YaST2 CA
>>> management. I copied the client certificates and also the server's
>>> "cacert" into the "/etc/openldap/" directory on the client computer. With
>>> "TLSVerifyClient allow" clients can log in, but if I activate the
>>> "TLSVerifyClient demand" option in the server's slapd.conf no user can
>>> perform a login and it causes errors in /var/log/messages:
>>>
>>>
>> [...]
>>
>>
>>
>>> What is wrong? The client's certificate "common name" is set to the
>>> client's hostname. Is this ok?
>>>
>>>
>> Clients don't read slapd.conf(5), only ldap.conf(5); run slapd with
>> debug level 3 to analyse the TLS session.
>>
>> -Dieter
>>
>>
>>
> Hello Dieter,
>
> Now I have set the loglevel to "3" and I get the following output if I
> try to log in (still fails):
>
loglevel is != debug level; see man slapd(8) and run slapd -d3
>
-------------------/var/log/messages---------------------------------------------------------------------
>
[...]
> Feb 25 16:41:49 lmvserver kdm: :0[11544]: nss_ldap: could not search
> LDAP server - Server is unavailable
>
[...]
> Feb 25 16:41:49 lmvserver kdm: :0[11544]: pam_ldap: ldap_starttls_s:
> Connect error
>
-------------------/var/log/messages---------------------------------------------------------------------
>
> I am not sure if this is a configuration or certificate error. Do you
> understand the output above?
>
The clients are nss_ldap and pam_ldap; check the clients' configuration
for StartTLS parameters.
With debug level 3 you should see something like
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
tls_write: want=1931, written=1931
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL3 alert write:warning:close notify
-Dieter
Sorry. I had not configured the pam_ldap (/etc/ldap.conf) config file
properly. The certificate entries were missing.
Here is my /etc/ldap.conf:
-------------------/etc/ldap.conf-------------------------------------------
host 127.0.0.1
base dc=lmv,dc=lmv
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
#ldap_version 3
#binddn cn=proxyuser,dc=example,dc=com
#bindpw secret
rootbinddn cn=ldaproot,dc=lmv,dc=lmv
port 389
scope sub
scope one
scope base
#timelimit 30
#bind_timelimit 30
bind_policy soft
#nss_connect_policy persist
#idle_timelimit 3600
#nss_paged_results yes
#pagesize 1000
#pam_filter objectclass=account
#pam_login_attribute uid
pam_lookup_policy yes
#pam_check_host_attr yes
#pam_check_service_attr yes
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
#pam_member_attribute uniquemember
#pam_min_uid 0
#pam_max_uid 0
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody
#pam_password clear
#pam_password crypt
#pam_password nds
#pam_password racf
#pam_password ad
pam_password crypt
#pam_password_prohibit_message Please visit http://internal to change your password.
#nss_initgroups backlink
nss_initgroups_ignoreusers root,ldap
#nss_schema rfc2307bis
nss_schema nis
nss_base_passwd ou=users,dc=lmv,dc=lmv
nss_base_shadow ou=users,dc=lmv,dc=lmv
nss_base_group ou=groups,dc=lmv,dc=lmv
nss_base_hosts ou=hosts,dc=lmv,dc=lmv
#nss_base_services ou=Services,dc=example,dc=com?one
#nss_base_networks ou=Networks,dc=example,dc=com?one
#nss_base_protocols ou=Protocols,dc=example,dc=com?one
#nss_base_rpc ou=Rpc,dc=example,dc=com?one
#nss_base_ethers ou=Ethers,dc=example,dc=com?one
#nss_base_netmasks ou=Networks,dc=example,dc=com?ne
#nss_base_bootparams ou=Ethers,dc=example,dc=com?one
#nss_base_aliases ou=Aliases,dc=example,dc=com?one
#nss_base_netgroup ou=Netgroup,dc=example,dc=com?one
#nss_map_attribute rfc2307attribute mapped_attribute
#nss_map_objectclass rfc2307objectclass mapped_objectclass
nss_map_attribute uniqueMember member
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount User
#nss_map_attribute uid msSFU30Name
#nss_map_attribute uniqueMember msSFU30PosixMember
#nss_map_attribute userPassword msSFU30Password
#nss_map_attribute homeDirectory msSFU30HomeDirectory
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFU30Name
#pam_filter objectclass=User
#pam_password ad
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad
#nss_map_objectclass posixAccount user
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup group
#nss_map_attribute uniqueMember member
#pam_login_attribute sAMAccountName
#pam_filter objectclass=User
#pam_password ad
#nss_map_attribute userPassword authPassword
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear
#nss_map_objectclass automountMap nisMap
#nss_map_attribute automountMapName nisMapName
#nss_map_objectclass automount nisObject
#nss_map_attribute automountKey cn
#nss_map_attribute automountInformation nisMapEntry
#ssl on
sslpath /etc/openldap/
ssl start_tls
ldap_version 3
pam_filter objectclass=posixAccount
nss_base_passwd ou=users,dc=lmv,dc=lmv
nss_base_shadow ou=users,dc=lmv,dc=lmv
nss_base_group ou=groups,dc=lmv,dc=lmv
tls_checkpeer yes
#ssl on
tls_cacertfile /etc/openldap/cacert.pem
tls_cacertdir /etc/openldap/
#tls_randfile /var/run/egd-pool
#tls_ciphers TLSv1
tls_cert /etc/openldap/clientcert_201.pem
tls_key /etc/openldap/clientkey_201.pem
#sasl_secprops maxssf=0
#krb5_ccname FILE:/etc/.ldapcache
-------------------/etc/ldap.conf-------------------------------------------
And also my /etc/openldap/ldap.conf:
-------------------/etc/openldap/ldap.conf-----------------------------
TLS_CACERT /etc/openldap/cacert.pem
TLS_CERT /etc/openldap/clientcert_201.pem
TLS_KEY /etc/openldap/clientkey_201.pem
TLS_REQCERT demand
host 127.0.0.1
base dc=lmv,dc=lmv
-------------------/etc/openldap/ldap.conf-----------------------------
-------------------/etc/nsswitch.conf-------------------------------------
passwd: compat
group: files ldap
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files dns
services: files ldap
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files ldap
publickey: files
bootparams: files
automount: files nis
aliases: files ldap
passwd_compat: ldap
-------------------/etc/nsswitch.conf-------------------------------------
Now I have started with "-d 3" and I get some output:
--------------------------------------------------------------------------------------------
slap_listener_activate(8):
>> slap_listener(ldap://)
connection_get(13): got connid=32
connection_read(13): checking for input on id=32
ber_get_next
ldap_read: want=8, got=8
0000: 30 1d 02 01 01 77 18 80 0....w..
ldap_read: want=23, got=23
0000: 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36 .1.3.6.1.4.1.146
0010: 36 2e 32 30 30 33 37 6.20037
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
conn=32 op=0 do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush2: 14 bytes to sd 13
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
slap_listener_activate(8):
connection_get(13): got connid=32
connection_read(13): checking for input on id=32
>> slap_listener(ldap://)
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=7
0000: 30 05 02 01 02 42 00 0....B.
tls_read: want=4, got=0
TLS: can't accept.
connection_read(13): TLS accept failure error=-1 id=32, closing
connection_closing: readying conn=32 sd=13 for close
connection_close: conn=32 sd=13
connection_get(14): got connid=33
connection_read(14): checking for input on id=33
ber_get_next
ldap_read: want=8, got=8
0000: 30 1d 02 01 01 77 18 80 0....w..
ldap_read: want=23, got=23
0000: 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36 .1.3.6.1.4.1.146
0010: 36 2e 32 30 30 33 37 6.20037
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
conn=33 op=0 do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush2: 14 bytes to sd 14
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
connection_get(14): got connid=33
connection_read(14): checking for input on id=33
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=7
0000: 30 05 02 01 02 42 00 0....B.
tls_read: want=4, got=0
TLS: can't accept.
connection_read(14): TLS accept failure error=-1 id=33, closing
connection_closing: readying conn=33 sd=14 for close
connection_close: conn=33 sd=14
slap_listener_activate(8):
>> slap_listener(ldap://)
connection_get(13): got connid=34
connection_read(13): checking for input on id=34
ber_get_next
ldap_read: want=8, got=8
0000: 30 1d 02 01 01 77 18 80 0....w..
ldap_read: want=23, got=23
0000: 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36 .1.3.6.1.4.1.146
0010: 36 2e 32 30 30 33 37 6.20037
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
conn=34 op=0 do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush2: 14 bytes to sd 13
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
connection_get(13): got connid=34
connection_read(13): checking for input on id=34
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=7
0000: 30 05 02 01 02 42 00 0....B.
tls_read: want=4, got=0
TLS: can't accept.
connection_read(13): TLS accept failure error=-1 id=34, closing
connection_closing: readying conn=34 sd=13 for close
connection_close: conn=34 sd=13
--------------------------------------------------------------------------------------------
What is wrong? Is the certificate not accepted? Is the certificate not OK?
--
Kind regards
Sebastian Reinhardt
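Added example for reading the slapd -d 3 trace above; this is not part of the thread and not code from OpenLDAP, pam_ldap or nss_ldap. The hex strings are transcribed from the "0000:" dump lines of conn=32, and the tag values are the LDAP application tags from RFC 4511 (ExtendedRequest [APPLICATION 23] = 0x77, ExtendedResponse [APPLICATION 24] = 0x78, UnbindRequest [APPLICATION 2] = 0x42) plus the StartTLS OID 1.3.6.1.4.1.1466.20037. Decoding the three reads shows what the trace actually records: the server answered the StartTLS request with resultCode 0, and then, at the point where it called SSL_accept and expected a TLS ClientHello (record content type 0x16), it received a clear-text LDAP UnbindRequest (msgid 2) instead. "TLS: can't accept" is slapd failing to treat those seven bytes as a TLS record; no handshake bytes ever arrived, so the server never got as far as evaluating a client certificate. Why libldap on the client gave up between receiving the StartTLS success and starting the handshake (for instance a certificate or key file it could not load, or a key file not readable by the process calling pam_ldap/nss_ldap) is an assumption that only a client-side trace can confirm, e.g. ldapsearch -ZZ -d 1 run as the same user.

```python
"""Decode the hex dumps from a slapd -d 3 trace: LDAP BER PDU or TLS record?

Added example for reading the trace posted above; it is not code from
OpenLDAP, pam_ldap or nss_ldap. The byte strings below are transcribed from
the "0000:" dump lines of the trace (one string per logical read); the tag
values come from RFC 4511.
"""

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"

# LDAP application tags: [APPLICATION n] is 0x40|n (primitive) or 0x60|n (constructed)
TAG_EXTENDED_REQUEST = 0x77   # [APPLICATION 23], constructed
TAG_EXTENDED_RESPONSE = 0x78  # [APPLICATION 24], constructed
TAG_UNBIND_REQUEST = 0x42     # [APPLICATION 2], primitive NULL
TLS_HANDSHAKE = 0x16          # TLS record content type "handshake"

# Hex dumps transcribed from the slapd -d 3 output in the thread (conn=32).
TRACE = [
    ("client->server",
     "30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36"
     " 36 2e 32 30 30 33 37"),
    ("server->client", "30 0c 02 01 01 78 07 0a 01 00 04 00 04 00"),
    ("client->server", "30 05 02 01 02 42 00"),   # read where slapd wanted a TLS record
]


def ber_tlv(buf, pos=0):
    """Parse one BER TLV with definite length at buf[pos] -> (tag, value, end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def classify(hexdump):
    """Describe what the peer sent, from a space-separated hex dump."""
    buf = bytes.fromhex(hexdump)           # bytes.fromhex ignores whitespace
    if len(buf) >= 3 and buf[0] == TLS_HANDSHAKE and buf[1] == 0x03:
        return "TLS handshake record"
    if buf[0] != 0x30:
        return "neither LDAPMessage nor TLS record"
    _, msg, _ = ber_tlv(buf)               # LDAPMessage ::= SEQUENCE { messageID, protocolOp }
    tag, msgid, pos = ber_tlv(msg)
    if tag != 0x02:
        return "malformed LDAPMessage (no INTEGER messageID)"
    msgid = int.from_bytes(msgid, "big")
    op_tag, op, _ = ber_tlv(msg, pos)
    if op_tag == TAG_EXTENDED_REQUEST:
        _, name, _ = ber_tlv(op)           # [0] requestName LDAPOID
        oid = name.decode("ascii")
        label = "StartTLS" if oid == STARTTLS_OID else oid
        return f"LDAP msgid={msgid} ExtendedRequest {label}"
    if op_tag == TAG_EXTENDED_RESPONSE:
        _, code, _ = ber_tlv(op)           # ENUMERATED resultCode comes first
        return f"LDAP msgid={msgid} ExtendedResponse resultCode={code[0]}"
    if op_tag == TAG_UNBIND_REQUEST:
        return f"LDAP msgid={msgid} UnbindRequest"
    return f"LDAP msgid={msgid} protocolOp tag 0x{op_tag:02x}"


def diagnose(trace):
    """Return the classified exchange plus a one-line verdict."""
    steps = [(direction, classify(dump)) for direction, dump in trace]
    last = steps[-1][1]
    if "ExtendedResponse resultCode=0" in steps[1][1] and "UnbindRequest" in last:
        verdict = ("client acknowledged StartTLS success with a clear-text Unbind: "
                   "it aborted before sending a ClientHello, so the server never "
                   "evaluated a client certificate")
    elif last.startswith("TLS handshake"):
        verdict = "handshake started; look for SSL_accept errors after this point"
    else:
        verdict = "unexpected sequence"
    return steps, verdict


if __name__ == "__main__":
    steps, verdict = diagnose(TRACE)
    for direction, what in steps:
        print(f"{direction:15} {what}")
    print("verdict:", verdict)
```

Paste the "0000:" lines of any other connection into TRACE in the same way; when the third read classifies as a TLS handshake record instead, the client did reach the handshake and the later "SSL_accept" / "SSL3 alert" lines in the trace are where a certificate problem would show.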