smainklh@free.fr wrote:
Hi everyone,
I configured my ldap server (debian lenny) to listen on port 636 (ldaps) but it doesn't seem to work when issuing a remote connection. Perhaps I made a mistake when generating the certificates?
When I try to browse the ldap server from a remote server I get the following message:
root@vmtest:~# ldapsearch -d 1 -Wx -H ldaps://ldapserver.domain.tld -D cn=admin,dc=domain,dc=tld
ldap_url_parse_ext(ldaps://ldapserver.domain.tld)
ldap_create
ldap_url_parse_ext(ldaps://ldapserver.domain.tld:636/??base)
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldapserver.domain.tld:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.10.48.40:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: peer cert untrusted or revoked (0x42)
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
I generated the certificates with the following command:
# openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 3650
Then I tried the connection:
openssl s_client -connect ldapserver.domain.tld:636 -showcerts
CONNECTED(00000003)
depth=0 /C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
verify return:1
Certificate chain
 0 s:/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
   i:/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Server certificate
subject=/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
issuer=/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
No client certificate CA names sent
SSL handshake has read 1107 bytes and written 316 bytes
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 9EF5F2D4FD72A0D1161C8334537F1ADF60C8B790A3F699B6DC52557E3C95D427
    Session-ID-ctx:
    Master-Key: 015D50D6D93F502E37EDB577691F05D157E80A439A2B129B370EEA24E651E828A172E43B3F6D29174BF33B96193202F0
    Key-Arg   : None
    Start Time: 1259761586
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
My ldap.conf:
BASE dc=domain,dc=tld
URI ldaps://ldapserver.domain.tld/
TLS_REQCERT allow

My slapd.conf:
...
TLSCACertificateFile /etc/ldap/ssl/server.pem
TLSCertificateFile /etc/ldap/ssl/server.pem
TLSCertificateKeyFile /etc/ldap/ssl/server.pem
...

My /etc/default/slapd.conf:
...
SLAPD_SERVICES="ldaps://ldapserver.domain.tld"
...

Could you please help me?
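As an added example (not part of the thread), a small Python checker that reads the ldapsearch -d 1 and openssl s_client output above and separates the two diagnoses in play: no TCP listener on 636 versus a TLS trust failure (a self-signed certificate the client does not trust, or a CN that does not match the ldaps:// host). The sample strings are the question's own output lines, trimmed; the diagnose() function and its hint wording are my assumptions, not OpenLDAP's.

```python
import re

# Constructed sample input: the relevant lines of the ldapsearch -d 1 and
# openssl s_client output quoted in the question, trimmed to what is parsed.
LDAPSEARCH_OUT = """\
ldap_connect_to_host: Trying 10.10.48.40:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: peer cert untrusted or revoked (0x42)
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
"""
S_CLIENT_OUT = """\
CONNECTED(00000003)
depth=0 /C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
verify error:num=18:self signed certificate
Server certificate
subject=/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
issuer=/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
Verify return code: 18 (self signed certificate)
"""

def _field(pattern, text):
    """Return the first capture group of a line-anchored regex, or None."""
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None

def diagnose(ldapsearch_out, s_client_out, expected_host):
    """Separate 'no listener' from 'certificate not trusted' on an ldaps:// bind."""
    if "CONNECTED(" not in s_client_out:
        # openssl never got a TCP session: slapd is not listening on the port or a
        # firewall is in the way, which netstat on the server settles.
        return {"problem": "network", "hint": "check the 636 listener (netstat -nlp)"}
    subject = _field(r"^subject=(.*)$", s_client_out)
    issuer = _field(r"^issuer=(.*)$", s_client_out)
    code = _field(r"^Verify return code: (\d+)", s_client_out)
    cn = _field(r"/CN=([^/]+)$", subject or "")
    self_signed = subject is not None and subject == issuer
    host_ok = cn == expected_host
    untrusted = "TLS: peer cert untrusted" in ldapsearch_out or code not in (None, "0")
    result = {"problem": None, "verify_code": int(code) if code else None,
              "self_signed": self_signed, "host_ok": host_ok, "hint": ""}
    if not host_ok:
        result.update(problem="trust", hint="certificate CN %r does not match %s" % (cn, expected_host))
    elif untrusted and self_signed:
        # Verify code 18 (self signed certificate): the client must trust this exact
        # certificate (e.g. TLS_CACERT in ldap.conf) or the server needs a CA-issued one.
        result.update(problem="trust", hint="self-signed certificate not in the client's trust store")
    elif untrusted:
        result.update(problem="trust", hint="issuer CA not in the client's trust store")
    return result
```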
Hello,
Are you sure the server is listening on 636?
--- SNIP ---
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
------------
It seems more like a network problem to me. Please verify it with
% netstat -nlp | grep 636
or else with
% netstat -nlp | grep 389
on the server.
Regards, Zdenek