On 11-08-09 12:55 PM, Rich Megginson wrote:
On 08/09/2011 10:15 AM, Daniel Qian wrote:
On 11-08-09 11:21 AM, Rich Megginson wrote:
On 08/09/2011 09:07 AM, Daniel Qian wrote:
On 11-08-09 10:49 AM, Rich Megginson wrote:
On 08/09/2011 08:33 AM, Daniel Qian wrote:
Hi,
I have slapd 2.4.24 and everything works without TLS. but if I add a -Z option to the ldapsearch command I get this:
[root@ldaprov1 cacerts]# ldapsearch -x -LLL -b cn=config -D cn=admin,cn=config -wxxxxxxx -Z -H ldap://ldaprov1.prod cn=config ldap_start_tls: Connect error (-11) ldap_result: Can't contact LDAP server (-1)
slapd.log shows something like this : connection_read(16): TLS accept failure error=-1 id=1006, closing
Output from openssl debug:
[root@ldaprov1 cacerts]# openssl s_client -connect hostname:389 -showcerts -state -CAfile cacert.pem CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A 140225133647680:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 113 bytes
New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE
The configurations are as follow (same command as above but without the -Z option):
[root@ldaprov1 cacerts]# ldapsearch -x -LLL -b cn=config -D cn=admin,cn=config -wxxxxxx -H ldap://hostname cn=config dn: cn=config objectClass: olcGlobal cn: config olcConfigFile: /etc/openldap/slapd.conf olcConfigDir: /etc/openldap/slapd.d olcAllows: bind_v2 olcArgsFile: /var/run/openldap/slapd.args olcAttributeOptions: lang- olcAuthzPolicy: none olcConcurrency: 0 olcConnMaxPending: 100 olcConnMaxPendingAuth: 1000 olcGentleHUP: FALSE olcIdleTimeout: 0 olcIndexSubstrIfMaxLen: 4 olcIndexSubstrIfMinLen: 2 olcIndexSubstrAnyLen: 4 olcIndexSubstrAnyStep: 2 olcIndexIntLen: 4 olcLocalSSF: 71 olcLogLevel: 9 olcPidFile: /var/run/openldap/slapd.pid olcReadOnly: FALSE olcReverseLookup: FALSE olcSaslSecProps: noplain,noanonymous olcSockbufMaxIncoming: 262143 olcSockbufMaxIncomingAuth: 16777215 olcThreads: 16 olcTLSCACertificateFile: /etc/openldap/cacerts/cacert.pem olcTLSCertificateFile: /etc/openldap/cacerts/ldaprov1.crt olcTLSCertificateKeyFile: /etc/openldap/cacerts/ldaprov1.key olcTLSVerifyClient: never olcToolThreads: 1 olcWriteTimeout: 0
I verified the ldap user can read all the TLS files and they are setup fine
[root@ldaprov1 cacerts]# openssl verify -purpose sslserver -CAfile cacert.pem ldaprov1.crt ldaprov1.crt: OK
Anyone can tell me what I am missing here?
No, but we're missing
- platform
- tls implementation (openssl, moznss, gnutls)
- output of ldapsearch -x -d 1 -Z ...... rest of arguments .....
Its Fedora 15
ldd /usr/sbin/slapd linux-vdso.so.1 => (0x00007fff76fff000) libltdl.so.7 => /usr/lib64/libltdl.so.7 (0x00007f0f29fcd000) libdb-4.8.so => /lib64/libdb-4.8.so (0x00007f0f29c53000) libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007f0f29a38000) libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f0f29801000) libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f0f295e6000) libssl3.so => /usr/lib64/libssl3.so (0x00007f0f293b0000) libsmime3.so => /usr/lib64/libsmime3.so (0x00007f0f29183000) libnss3.so => /usr/lib64/libnss3.so (0x00007f0f28e4b000) libnssutil3.so => /usr/lib64/libnssutil3.so (0x00007f0f28c2b000) libplds4.so => /lib64/libplds4.so (0x00007f0f28a28000) libplc4.so => /lib64/libplc4.so (0x00007f0f28824000) libnspr4.so => /lib64/libnspr4.so (0x00007f0f285e6000) libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f0f283cb000) libc.so.6 => /lib64/libc.so.6 (0x00007f0f28032000) libdl.so.2 => /lib64/libdl.so.2 (0x00007f0f27e2d000) libfreebl3.so => /lib64/libfreebl3.so (0x00007f0f27bcc000) libz.so.1 => /lib64/libz.so.1 (0x00007f0f279b5000) /lib64/ld-linux-x86-64.so.2 (0x00007f0f2a66a000)
the ldapsearch -d 1 option tells me a lot more: ..... ldap_msgfree TLS: file ldaprov1.crt does not end in [.0] - does not appear to be a CA certificate directory file with a properly hashed file name - skipping. TLS: file cacert.pem does not end in [.0] - does not appear to be a CA certificate directory file with a properly hashed file name - skipping. TLS: file ldaprov1.key does not end in [.0] - does not appear to be a CA certificate directory file with a properly hashed file name - skipping. .....
I tell slapd to look for specific files but how come it is still checking in a directory?
I don't know. What does /etc/openldap/ldap.conf say? Do you have a ~/.ldaprc or ~/ldaprc for the user "ldap"?
So even for slapd the setting TLS_CACERTDIR in /etc/openldap/ldap.conf takes precedence over olcTLSCACertificateFile in cn=config? I set /etc/openldap/ldap.conf for client only and did not mean it for slapd.
I don't know. Can someone confirm that this is how it works when using openssl or gnutls for crypto? That is, I don't think this problem is specific to moznss.
Now after I removed it from /etc/openldap/ldap.conf, ldapsearch -d 1 is indicating the CA certificate not valid:
TLS: certificate [CA certificate details omitted here...] is not valid - error -8172:Unknown code ___f 20. error -8172:Unknown code ___f 20. tls_write: want=7, written=7 0000: 15 03 01 00 02 02 30 ......0 TLS: error: connect - force handshake failure: errno 21 - moznss error -8172 TLS: can't connect: TLS error -8172:Unknown code ___f 20. ldap_err2string ldap_start_tls: Connect error (-11) additional info: TLS error -8172:Unknown code ___f 20
Does this mean all the certificates I created on the same server with openssl can not be used by modnss in slapd? I never delt with modnss before
20 means SEC_ERROR_UNTRUSTED_ISSUER
Can you provide the entire log leading up to this point? you can paste it to fpaste.org if you don't want to spam the list with too much information.
Yes, openldap with moznss should work _exactly_ like openldap with openssl. If this is something that was working before this is a bug that needs to be fixed asap.
I ran the same ldapsearch command from a Centos box which has openssl and the error messages says this :
TLS certificate verification: Error, self signed certificate in certificate chain
which is not true. I have separate CA certificate and server certificate. The server certificate is signed by the CA certificate.
Seems the server certificate defined in olcTLSCertificateFile never gets recognized by the client.
Centos openssl output pasted - http://fpaste.org/7Hju/ Fedora moznss output pasted - http://fpaste.org/aE19/
Thanks for looking into the issue Daniel