All

 

  I am able to connect to my home-built OpenSSL installation (from Dec-19 sources) on CentOS-7 without the TLS bind.

I am now trying to use OpenTLS with OpenSSL, which is not currently working.  From searching the internet I find this,

Which indicates that maybe RH-based-unixes have unique issues with OpenTLS/OpenLdap:

       https://serverfault.com/questions/437546/centos-openldap-cert-trust-issues

 

My slapd.conf now holds (as differs from the default installed slapd.conf)

               … snip…

############### TLS

# added per http://www.openldap.org/faq/data/cache/185.html

TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

TLSCertificateFile /usr/local/etc/openldap/servercrt.pem

TLSCertificateKeyFile /usr/local/etc/openldap/serverkey.pem

TLSCipherSuite DES-CBC3-SHA

               … snip…

 

And my ldap.conf holds:

               … snip…

############### TLS

############### TLS

# added per http://www.openldap.org/faq/data/cache/185.html

TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt

### fails:

## TLS_CACERT /usr/local/etc/openldap/ cacert.pem

 

URI ldaps://localhost:636

############### TLS

               … snip…

 

…. Having added the ‘cacert.pem’ into the file “ /etc/pki/tls/certs/ca-bundle.crt”

I get farther in the authentication than using “/usr/local/etc/openldap/ cacert.pem”:

 

[root@kdunne-dev openldap]# /usr/local/bin/ldapsearch -Z -D "cn=Manager,dc=my-domain,dc=com" -d -1

ldap_create

ldap_extended_operation_s

ldap_extended_operation

ldap_send_initial_request

ldap_new_connection 1 1 0

ldap_int_open_connection

ldap_connect_to_host: TCP localhost:636

ldap_new_socket: 3

ldap_prepare_socket: 3

ldap_connect_to_host: Trying ::1 636

ldap_pvt_connect: fd: 3 tm: -1 async: 0

attempting to connect:

connect errno: 111

ldap_close_socket: 3

ldap_new_socket: 3

ldap_prepare_socket: 3

ldap_connect_to_host: Trying 127.0.0.1:636

ldap_pvt_connect: fd: 3 tm: -1 async: 0

attempting to connect:

connect success

TLS trace: SSL_connect:before/connect initialization

tls_write: want=289, written=289

  0000:  16 03 01 01 1c 01 00 01  18 03 03 51 03 78 81 fc   ...........Q.x.. 

  0010:  66 89 9c 91 10 b6 e9 3d  f1 12 66 27 c7 f5 80 e4   f......=..f'.... 

  0020:  fb f6 5f 9d f8 bb 37 3b  84 cb 17 00 00 ac c0 30   .._...7;.......0 

  0030:  c0 2c c0 28 c0 24 c0 14  c0 0a 00 a5 00 a3 00 a1   .,.(.$.......... 

  0040:  00 9f 00 6b 00 6a 00 69  00 68 00 39 00 38 00 37   ...k.j.i.h.9.8.7 

  0050:  00 36 00 88 00 87 00 86  00 85 c0 32 c0 2e c0 2a   .6.........2...* 

  0060:  c0 26 c0 0f c0 05 00 9d  00 3d 00 35 00 84 c0 2f   .&.......=.5.../ 

  0070:  c0 2b c0 27 c0 23 c0 13  c0 09 00 a4 00 a2 00 a0   .+.'.#.......... 

  0080:  00 9e 00 67 00 40 00 3f  00 3e 00 33 00 32 00 31   ...g.@.?.>.3.2.1 

  0090:  00 30 00 9a 00 99 00 98  00 97 00 45 00 44 00 43   .0.........E.D.C 

  00a0:  00 42 c0 31 c0 2d c0 29  c0 25 c0 0e c0 04 00 9c   .B.1.-.).%...... 

  00b0:  00 3c 00 2f 00 96 00 41  c0 12 c0 08 00 16 00 13   .<./...A........ 

  00c0:  00 10 00 0d c0 0d c0 03  00 0a 00 07 c0 11 c0 07   ................ 

  00d0:  c0 0c c0 02 00 05 00 04  00 ff 01 00 00 43 00 0b   .............C.. 

  00e0:  00 04 03 00 01 02 00 0a  00 0a 00 08 00 17 00 19   ................ 

  00f0:  00 18 00 16 00 23 00 00  00 0d 00 20 00 1e 06 01   .....#..... .... 

  0100:  06 02 06 03 05 01 05 02  05 03 04 01 04 02 04 03   ................ 

  0110:  03 01 03 02 03 03 02 01  02 02 02 03 00 0f 00 01   ................ 

  0120:  01                                                 .                 

TLS trace: SSL_connect:SSLv2/v3 write client hello A

tls_read: want=7, got=0

 

TLS: can't connect: .

ldap_err2string

ldap_start_tls: Can't contact LDAP server (-1)

ldap_sasl_bind

ldap_send_initial_request

ldap_send_server_request

ldap_err2string

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

 

 

 

Additionally:

 

I am reading the FAQ http://www.openldap.org/faq/data/cache/185.html to generate the certs

but am wondering if I am correctly understanding the instruction “Remember that the Common Name for this cert should be the fully qualified domain name of the server:

If I run my ldap server as:

        /usr/local/libexec/slapd -F /usr/local/etc/openldap/slapd.d -h 'ldaps://127.0.0.1:636 ldap://127.0.0.1:389' -d -1

Then would the ‘common name’ for use in the certificate be:

        cn=localhost:636

 

Any assistance is greatly appreciated.

Thanks!

Ken Dunne