Judith, you are starting the LDAP server as LDAPS (port 636), which doesn't accept START_TLS connections. What is in your /etc/ldap.conf and/or /etc/openldap/ldap.conf files? (You may want to run 'find /etc /usr -name ldap.conf -print' in case your system has the ldap.conf file(s) somewhere else.) In one (or more) of those files, you most likely have 'ssl start_tls', and this should be just 'ssl on'.

Tom Leach
leach@coas.oregonstate.edu
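The mismatch Tom describes, shown on the wire as an added example (this is not code from the thread or from OpenLDAP). A client told to StartTLS (ldapsearch -ZZ, or 'ssl start_tls' in ldap.conf) opens a plain TCP connection and sends the StartTLS ExtendedRequest as a BER-encoded LDAPMessage; an ldaps:// listener hands the socket straight to OpenSSL, which expects a TLS record and reports "unknown protocol" when the first byte is the BER SEQUENCE tag 0x30 instead of the handshake record type 0x16. The block encodes that request (the OID and structure are from RFC 4511), classifies the first bytes a listener would read, and diagnoses the four client/listener combinations. The TLS ClientHello prefix is a constructed sample; the hostnames and the `explain`/`classify_first_bytes` helpers are this example's own names, not libldap or slapd APIs.

```python
# Added example for this thread (not code from the original posts or from OpenLDAP):
# what an ldaps:// listener receives when a client issues StartTLS instead of
# negotiating TLS from the first byte.

CLIENT_HELLO_PREFIX = bytes.fromhex("160301 00c5 0100 00c1 0301")  # constructed TLS 1.0 handshake record
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS extended operation (RFC 4511, section 4.14.1)


def ber_len(n):
    """Definite-form BER length: one byte below 128, else 0x80|count followed by the big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, value):
    """Tag, length, value."""
    return bytes([tag]) + ber_len(len(value)) + value


def starttls_request(msgid=1):
    """Encode LDAPMessage { messageID INTEGER, ExtendedRequest [APPLICATION 23] { requestName [0] LDAPOID } }.
    This is the plaintext PDU libldap sends for 'ldapsearch -ZZ' or 'ssl start_tls'."""
    if not 0 < msgid < 0x80:
        raise ValueError("single-byte message IDs only in this example")
    message_id = ber_tlv(0x02, bytes([msgid]))       # INTEGER
    request_name = ber_tlv(0x80, STARTTLS_OID)       # [0] IMPLICIT OCTET STRING
    extended_req = ber_tlv(0x77, request_name)       # [APPLICATION 23] CONSTRUCTED
    return ber_tlv(0x30, message_id + extended_req)  # SEQUENCE


def classify_first_bytes(data):
    """Name the protocol from the first bytes a listener reads."""
    if len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"          # TLS record: content type handshake, version 3.x
    if data[:1] == b"\x30":
        return "plaintext-ldap"         # BER SEQUENCE: an LDAPMessage
    return "unknown"


def listener_expects(url):
    """ldaps:// must see a TLS ClientHello first; ldap:// sees LDAP and may be upgraded by StartTLS."""
    return "tls-handshake" if url.lower().startswith("ldaps://") else "plaintext-ldap"


def explain(url, first_bytes):
    """Return 'ok' or a one-line diagnosis of a client/listener TLS-mode mismatch."""
    got, want = classify_first_bytes(first_bytes), listener_expects(url)
    if got == want:
        return "ok"
    if want == "tls-handshake" and got == "plaintext-ldap":
        return ("StartTLS sent to an LDAPS port: drop -ZZ / 'ssl start_tls' and use "
                "ldaps:// ('ssl on'), or make slapd listen on ldap:// for StartTLS")
    if want == "plaintext-ldap" and got == "tls-handshake":
        return "TLS ClientHello sent to a plain LDAP port: use ldap:// with -ZZ / 'ssl start_tls'"
    return "unrecognised first bytes: %s" % first_bytes[:4].hex()


if __name__ == "__main__":
    pdu = starttls_request(1)
    print(len(pdu), pdu.hex())                      # 31 301d020101771880...
    print(explain("ldaps://curri0.imppc.local:636", pdu))
    print(explain("ldaps://curri0.imppc.local:636", CLIENT_HELLO_PREFIX))
```

`starttls_request(1)` is exactly 31 bytes, which is the `ber_flush2: 31 bytes to sd 3` in Judith's client trace, and its first byte is 0x30; that is the byte slapd's `SSL23_GET_CLIENT_HELLO` rejected as "unknown protocol". The fix is to pick one mode on both ends: either `ldaps://host:636` on the client with 'ssl on' and no -ZZ, or an `ldap://` listener (port 389) with -ZZ / 'ssl start_tls'.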
On 04/12/2011 10:10 AM, Judith Flo Gaya wrote:
I'm posting all the information together in this e-mail; I hope you can help me out, I'm quite desperate at this point.
Following your advice, I tried to set up TLS on my server and client. I generated the certificates for both client and server (self-signed) and sent the cacert file from the server to the clients.
I started the server like this:
/usr/local/libexec/slapd -u ldap -h ldaps://curri0.imppc.local:636 -f /usr/local/openldap-2.4.25/etc/openldap/slapd.conf -d 1
(I installed a newer version of OpenLDAP on my server, as the one in RH6 is old; I compiled it with TLS and OpenSSL.)
From the client I do:
ldapsearch -x -ZZ -d1 -h curri0.imppc.local:636
ldap_create
ldap_url_parse_ext(ldap://curri0.imppc.local:636)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP curri0.imppc.local:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 172.19.5.13:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x1b4c170 msgid 1
wait4msg ld 0x1b4c170 msgid 1 (infinite timeout)
wait4msg continue ld 0x1b4c170 msgid 1 all 1
** ld 0x1b4c170 Connections:
- host: curri0.imppc.local  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Tue Apr 12 18:56:35 2011
** ld 0x1b4c170 Outstanding Requests:
- msgid 1,  origid 1, status InProgress
  outstanding referrals 0, parent count 0
  ld 0x1b4c170 request count 1 (abandoned 0)
** ld 0x1b4c170 Response Queue:
  Empty
  ld 0x1b4c170 response count 0
ldap_chkResponseList ld 0x1b4c170 msgid 1 all 1
ldap_chkResponseList returns ld 0x1b4c170 NULL
ldap_int_select
read1msg: ld 0x1b4c170 msgid 1 all 1
ber_get_next
ldap_err2string
ldap_start_tls: Can't contact LDAP server (-1)
And the server shows this:
slap_listener_activate(8):
slap_listener(ldaps://curri0.imppc.local:636)
connection_get(12): got connid=1000
connection_read(12): checking for input on id=1000
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
TLS: can't accept: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol.
connection_read(12): TLS accept failure error=-1 id=1000, closing
connection_close: conn=1000 sd=12
If I do this from the client or the server:
# openssl s_client -connect curri0.imppc.local:636 -showcerts
CONNECTED(00000003)
(...)
verify return:1
Certificate chain
 0 s:(...)
-----BEGIN CERTIFICATE-----
(...)
-----END CERTIFICATE-----
Server certificate
subject=(...)
No client certificate CA names sent
SSL handshake has read 1254 bytes and written 439 bytes
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: (...)
    Session-ID-ctx:
    Master-Key: (...)
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket: (...)
    Compression: 1 (zlib compression)
    Start Time: 1302627455
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
I get this on server:
slap_listener_activate(8):
slap_listener(ldaps://curri0.imppc.local:636)
connection_get(12): got connid=1002
connection_read(12): checking for input on id=1002
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(12): got connid=1002
connection_read(12): checking for input on id=1002
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write session ticket A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(12): unable to get TLS client DN, error=49 id=1002
I generated the certificates like this:

# generate the CA key
openssl genrsa 2048 > ca-key.pem
# create the (self-signed) CA certificate
openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem
# server key and certificate request
openssl req -newkey rsa:2048 -days 1000 -nodes -keyout server-key.pem > server-req.pem
# sign the server cert with the CA (this is CA-signed, not self-signed)
openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem

# For the client:
# client key and certificate request
openssl req -newkey rsa:2048 -days 1000 -nodes -keyout client-key.pem > client-req.pem
# sign the client cert with the CA; the serial must differ from the server cert's (01),
# since two certificates from one CA may not share a serial number
openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 > client-cert.pem
Here is my slapd.conf tls related
TLSCACertificateFile /usr/local/openldap-2.4.25/etc/openldap/imppccerts/ca-cert.pem
TLSCertificateFile /usr/local/openldap-2.4.25/etc/openldap/imppccerts/server-cert.pem
TLSCertificateKeyFile /usr/local/openldap-2.4.25/etc/openldap/imppccerts/server-key.pem
Am I missing something?
Thanks a lot in advance for any help; it is very much appreciated.
j
On 04/11/2011 01:14 PM, harry.jede@arcor.de wrote:
Judith Flo Gaya wrote: ...
At least I could see that the password exop option in pam_ldap.conf lets the server apply the security to the password, so I think I can change it within the slapd.conf file.
Yes, and if you don't specify "password-hash" in slapd.conf, ssha is used. It is the default.
do you suggest to use salt?
SSHA uses a salt.
Thanks a lot for your help, j
BTW, have you read RFC 3062? http://www.faqs.org/rfcs/rfc3062.html
If you configure your clients to use "password exop", you should be sure that the clients use some kind of network protection, TLS or SSL.
TinyCA is a Perl-based GTK GUI which may help you to generate certs and keys.
Until you are ready to use TLS/SSL, I suggest that you let the client encrypt the passwords locally.
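The two password paths discussed above, as an added example (not code from the thread or from OpenLDAP): with the Password Modify extended operation (RFC 3062) the cleartext password crosses the network and slapd hashes it with its `password-hash` default, {SSHA}; with local hashing the client computes the same {SSHA} string itself and writes it into userPassword, so only the hash crosses the wire. The block implements the {SSHA} and {SHA} userPassword formats as slapd stores them (base64 of SHA-1 over password plus salt, salt appended; slappasswd uses a 4-byte salt), a constant-time verifier, and a comparison showing why the salt matters: unsalted {SHA} makes two users with the same password visibly identical in the directory. The function names and the sample passwords are this example's own.

```python
# Added example (not from the thread or from OpenLDAP): the {SSHA} userPassword
# format slapd produces by default, and why its salt matters.
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20


def ssha_hash(password, salt=None):
    """{SSHA} = base64( SHA1(password || salt) || salt ). A 4-byte random salt, as slappasswd uses."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def sha_hash(password):
    """{SHA} = base64( SHA1(password) ): unsalted, so equal passwords give equal stored values."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def salt_of(stored):
    """Recover the salt appended inside a {SSHA} value (the verifier needs it)."""
    return base64.b64decode(stored[len("{SSHA}"):])[SHA1_LEN:]


def verify(password, stored):
    """Check a cleartext password against a {SSHA} or {SHA} value; digest comparison is constant-time."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    elif stored.startswith("{SHA}"):
        digest = base64.b64decode(stored[len("{SHA}"):])
        candidate = hashlib.sha1(password.encode("utf-8")).digest()
    else:
        raise ValueError("unsupported userPassword scheme: %r" % stored[:stored.find("}") + 1])
    return hmac.compare_digest(candidate, digest)


def duplicate_groups(entries):
    """Group users whose stored userPassword values are byte-identical.
    With {SHA} this leaks who shares a password; with {SSHA} it should return nothing."""
    by_value = {}
    for uid, stored in entries:
        by_value.setdefault(stored, []).append(uid)
    return [uids for uids in by_value.values() if len(uids) > 1]


if __name__ == "__main__":
    # Constructed sample directory: two users chose the same password.
    users = [("alice", "hunter2"), ("bob", "hunter2"), ("carol", "correct horse")]
    unsalted = [(u, sha_hash(p)) for u, p in users]
    salted = [(u, ssha_hash(p)) for u, p in users]
    print("{SHA} duplicates :", duplicate_groups(unsalted))   # [['alice', 'bob']]
    print("{SSHA} duplicates:", duplicate_groups(salted))     # []
    for uid, stored in salted:
        print(uid, stored, verify("hunter2", stored))
```

Either way the stored value is the same format, so slapd can verify a simple bind against a client-written {SSHA} exactly as it does against one it hashed itself; the difference is only what travels over an unprotected port 389 in the meantime.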