-------- Message initial -------- De: Zdenek Styblik stybla@turnovfree.net À: smainklh@free.fr Cc: openldap-technical@openldap.org Sujet: Re: Authentication failed with ldaps configuration Date: Thu, 03 Dec 2009 17:03:32 +0100
smainklh@free.fr wrote: > ----- Mail Original ----- > De: "Zdenek Styblik" stybla@turnovfree.net > À: smainklh@free.fr > Cc: openldap-technical@openldap.org > Envoyé: Mercredi 2 Décembre 2009 16h37:01 GMT +01:00 Amsterdam / Berlin / Berne / Rome / Stockholm / Vienne > Objet: Re: Authentication failed with ldaps configuration > > smainklh@free.fr wrote: >> Hi everyone, >> >> I configured my ldap server (debian lenny) to listen on port 636 (ldaps) but it doesn't seems to work when issuing a remote connexion. >> Perhaps i did a mistake when generating the certificates ?.... >> >> When i try to browse the ldap server from a remote server i get the following message : >> ---------- >> root@vmtest:~# ldapsearch -d 1 -Wx -H ldaps://ldapserver.domain.tld -D cn=admin,dc=domain,dc=tld >> ldap_url_parse_ext(ldaps://ldapserver.domain.tld) >> ldap_create >> ldap_url_parse_ext(ldaps://ldapserver.domain.tld:636/??base) >> Enter LDAP Password: >> ldap_sasl_bind >> ldap_send_initial_request >> ldap_new_connection 1 1 0 >> ldap_int_open_connection >> ldap_connect_to_host: TCP ldapserver.domain.tld:636 >> ldap_new_socket: 3 >> ldap_prepare_socket: 3 >> ldap_connect_to_host: Trying 10.10.48.40:636 >> ldap_pvt_connect: fd: 3 tm: -1 async: 0 >> TLS: peer cert untrusted or revoked (0x42) >> ldap_err2string >> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) >> ----------- >> >> I generated the certificates with the following command : >> # openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 3650 >> >> ----------- >> >> Then i tried the connexion : >> openssl s_client -connect ldapserver.domain.tld:636 -showcerts >> CONNECTED(00000003) >> depth=0 /C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld >> verify error:num=18:self signed certificate >> verify return:1 >> depth=0 /C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld >> verify return:1 >> --- >> Certificate chain >> 0 s:/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld >> i:/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld >> -----BEGIN CERTIFICATE----- >> MIIDDTCCAnagAwIBAgIJAM7IwuTIzhwqMA0GCSqGSIb3DQEBBQUAMGMxCzAJBgNV >> BAYTAkZSMRMwEQYDVQQIEwpTb21lLVN0YXRlMQ4wDAYDVQQHEwVQYXJpczELMAkG >> A1UEChMCQlQxIjAgBgNVBAMTGWlwb2MwMS5pcG9jLmJ0c2VydmljZXMuZnIwHhcN >> MDkxMTI0MTUwMTUxWhcNMTkxMTIyMTUwMTUxWjBjMQswCQYDVQQGEwJGUjETMBEG >> A1UECBMKU29tZS1TdGF0ZTEOMAwGA1UEBxMFUGFyaXMxCzAJBgNVBAoTAkJUMSIw >> IAYDVQQDExlpcG9jMDEuaXBvYy5idHNlcnZpY2VzLmZyMIGfMA0GCSqGSIb3DQEB >> AQUAA4GNADCBiQKBgQCm5FrQ3dN1Jkxj2SZsPr+vkYDlwVnvqDCxnAs3O5NJ/1uY >> F9/mwsCVdAnp04Eywo3BCbvP6tlzsF3JbAlqMLTb85ZTHOqRQncXGfVZ7bMnR071 >> tQ70/b3vF/TuMYiOU7vXf2h863aRi11tT9xHD17wFfFaXBtRIIOioc3UpJWWPwID >> AQABo4HIMIHFMB0GA1UdDgQWBBREqX/HQEzU5TCDrBsbttUxa44fnDCBlQYDVR0j >> BIGNMIGKgBREqX/HQEzU5TCDrBsbttUxa44fnKFnpGUwYzELMAkGA1UEBhMCRlIx >> EzARBgNVBAgTClNvbWUtU3RhdGUxDjAMBgNVBAcTBVBhcmlzMQswCQYDVQQKEwJC >> VDEiMCAGA1UEAxMZaXBvYzAxLmlwb2MuYnRzZXJ2aWNlcy5mcoIJAM7IwuTIzhwq >> MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAd0Le1JyJF8zBs0RYvEn7 >> c1nhVbsdD8FDBTa4IaNvkbIt8al6G7bBpfyDxcMVtgFc8zHt/+sYfTxWuHh7m+b1 >> yjJtD9vMjIigbaZq4VJOz11JEWsQHc8wo3So+G+CelTz4HXPoGh5vqRtTkupjedz >> 0DDsA1jd9F4KpYSOkzxosdc= >> -----END CERTIFICATE----- >> --- >> Server certificate >> subject=/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld >> issuer=/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld >> --- >> No client certificate CA names sent >> --- >> SSL handshake has read 1107 bytes and written 316 bytes >> --- >> New, TLSv1/SSLv3, Cipher is AES256-SHA >> Server public key is 1024 bit >> Compression: NONE >> Expansion: NONE >> SSL-Session: >> Protocol : TLSv1 >> Cipher : AES256-SHA >> Session-ID: 9EF5F2D4FD72A0D1161C8334537F1ADF60C8B790A3F699B6DC52557E3C95D427 >> Session-ID-ctx: >> Master-Key: 015D50D6D93F502E37EDB577691F05D157E80A439A2B129B370EEA24E651E828A172E43B3F6D29174BF33B96193202F0 >> Key-Arg : None >> Start Time: 1259761586 >> Timeout : 300 (sec) >> Verify return code: 18 (self signed certificate) >> --- >> >> ------------------ >> >> My ldap.conf >> ----------------- >> BASE dc=domain,dc=tld >> URI ldaps://ldapserver.domain.tld/ >> TLS_REQCERT allow >> >> >> My slapd.conf : >> ---------------- >> ... >> TLSCACertificateFile /etc/ldap/ssl/server.pem >> TLSCertificateFile /etc/ldap/ssl/server.pem >> TLSCertificateKeyFile /etc/ldap/ssl/server.pem >> ... >> >> ------------------ >> My /etc/default/slapd.conf >> ... >> SLAPD_SERVICES="ldaps://ldapserver.domain.tld" >> ... >> >> Could you please help me ? >> > > Hello, > > are you sure the server is listetning at 636? > > --- SNIP --- > ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) > ------------ > > It seems more like a network problem to me. > Please, verify it by % netstat -nlp | grep 636; or eventually by % > netstat -nlp | grep 389; at the server. > > Regards, > Zdenek > > Hi Zdenek, > > Yes i'm. > > netstat -nlp | grep 636 > tcp 0 0 10.10.48.40:636 0.0.0.0:* LISTEN > netstat -nlp | grep 389 > > Logs from the ldap server > ----------- > Dec 3 10:10:04 ldapserver slapd[20754]: slap_listener_activate(8): > Dec 3 10:10:04 ldapserver slapd[20754]: >>> slap_listener(ldaps://ldapserver.domain.tld) > Dec 3 10:10:04 ldapserver slapd[20754]: connection_get(14): got connid=42 > Dec 3 10:10:04 ldapserver slapd[20754]: connection_read(14): checking for input on id=42 > Dec 3 10:10:04 ldapserver slapd[20754]: connection_get(14): got connid=42 > Dec 3 10:10:04 ldapserver slapd[20754]: connection_read(14): checking for input on id=42 > Dec 3 10:10:04 ldapserver slapd[20754]: connection_read(14): unable to get TLS client DN, error=49 id=42 > Dec 3 10:10:04 ldapserver slapd[20754]: connection_get(14): got connid=42 > Dec 3 10:10:04 ldapserver slapd[20754]: connection_read(14): checking for input on id=42 > Dec 3 10:10:04 ldapserver slapd[20754]: ber_get_next on fd 14 failed errno=0 (Success) > Dec 3 10:10:04 ldapserver slapd[20754]: connection_closing: readying conn=42 sd=14 for close > Dec 3 10:10:04 ldapserver slapd[20754]: connection_close: conn=42 sd=14 > > It seems to be a certificate problem. > ----- > TLS: peer cert untrusted or revoked > ----- > > Do you have any idea ? > Grifith
Evening Grifith,
I'm sorry I've missed that one. I'm no expert, but I can give you my config-files. I've used 'easy-rsa' to generate all certificates. It comes with OpenVPN, but it might be as standalone package in Debian. It's set of scripts for certificate manipulation, and it surely eases up things. One thing that came to my mind, certificate "has" to bear same FQDN as IP eg. if 192.168.1.1 -eq server1.mydomain.tld then certificate should be generated and contain server1.mydomain.tld. Another thing is .key files should have chmod 400.
--- client side --- cat /etc/openldap/ldap.conf
BASE dc=mydomain,dc=tld URI ldaps://server1.mydomain.tld port 636 ssl yes #ssl start_tls TLS_CACERT /etc/openldap/ssl/ca.mydomain.crt TLS_CERT /etc/ssl/certs/server2.mydomain.tld.crt TLS_KEY /etc/ssl/private/server2.mydomain.tld.key TLS_REQCERT never TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3 ------------------
--- server --- cat /etc/openldap/slapd.conf ... TLSCipherSuite HIGH:MEDIUM:+SSLv3 TLSCACertificateFile /etc/ssl/certs/ca.mydomain.crt TLSCertificateFile /etc/ssl/certs/server1.mydomain.tld.crt TLSCertificateKeyFile /etc/ssl/private/server1.mydomain.tld.key TLSVerifyClient never ... --------------
I hope it helps, at least a bit.
Have a nice evening, Zdenek
PS: Thunderbird refused to accept the rest of the text for some reason, I had to c&p it inside. --------------------------------
Hi,
Thanks for your help Zdenek I made it work with the following configuration :
SERVER ------------- My slapd.conf : ---------------- ... TLSCACertificateFile /etc/ssl/certs/ldap-cert.pem TLSCertificateFile /etc/ssl/certs/ldap-cert.pem TLSCertificateKeyFile /etc/ldap/ssl/ldap-key.pem
I created the certificate with this command # openssl req -config /etc/ssl/openssl.cnf -new -x509 nodes -out /etc/ssl/certs/ldap-cert.pem -keyout /etc/ldap/ssl/ldap-key.pem -days 999999
My ldap.conf : ---------------- BASE dc=mydomain,dc=tld URI ldaps://ldapserver.mydomain.tld port 636 ssl on ssl start_tls TLS_CACERT /etc/ssl/certs/ldap-cert.pem TLS_REQCERT allow
CLIENT ------------
The ldap.conf is exactly the same as the server's.
And it works !