Hello
On Tue, 2008-07-08 at 10:04 +0200, Buchan Milne wrote:
On Tue, 2008-07-08 at 00:06 -0400, Sambuddho Chakravarty wrote:
Hello, I have an openldap server running slapd on 636 (LDAPS). When I connect from an LDAP browser, I am able to successfully browse the database.
Can you be more specific about the software you are using? Not all graphical LDAP clients have SSL validation features (and if they do, in some cases they aren't enabled by default).
However, when I try to connect from a Linux client machine (Ubuntu Server 8.04) I am not able to connect to the ldaps. However, regular ldap works fine.
So, assuming it is not a firewall problem, the most likely cause is certificate validation.
The /etc/ldap.conf looks like this
ssl start_tls
ssl on
You shouldn't use both of these; only use 'ssl on' if you are using 'host'. In the 'uri' case it won't really make a difference.
tls_checkpeer tes
"tes" ???
tls_cacertdir /etc/ldap/cacerts
tls_cacertfile /etc/ldap/cacert/cacert.pem
#server IP
uri ldaps://30.0.0.2/
What is the subject CN on the certificate the server has?
The subject CN on the certificate is the IP address of the server (30.0.0.2); same as that in the HOST field.
pam_password md5
base dc=example,dc=com
The /etc/ldap/ldap.conf file is like this
URI ldaps://30.0.0.2/
TLS_CACERTDIR /etc/ldap/cacerts
TLS_CACERT /etc/ldap/cacerts/cacert.pem
HOST 30.0.0.2
BASE dc=example,dc=com
The same configuration (with appropriate changes - replacing ldaps with ldap and so on) works fine for regular ldap. But the problem is the ldaps.
So, what do you get if you try something like this:
$ openssl s_client -CAfile /etc/ldap/cacerts/cacert.pem -connect 30.0.0.2:636
Does the CN attribute in the server certificate you get back match the hostname in the URI?
The CN attribute is the server IP address.
When the ldaps client is enabled and I do a getent passwd, the /var/log/auth.log looks like this:
Jul 7 23:57:46 host3 getent: nss_ldap: reconnecting to LDAP server...
Jul 7 23:57:46 host3 getent: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
Jul 7 23:57:47 host3 getent: nss_ldap: could not search LDAP server - Server is unavailable
Jul 7 23:58:18 host3 getent: nss_ldap: reconnecting to LDAP server...
For now, using the OpenLDAP client utilities (ldapsearch) to do the same connection may be an easier way to debug, but once it is working, you need to put the equivalent configuration in /etc/ldap.conf. So, with your current configuration, this would be the way to test with ldapsearch:
$ ldapsearch -x -H ldaps://30.0.0.2 -s base -b dc=example,dc=com namingContexts
This results in the following error:
ldap_result: Can't contact LDAP server (-1)
However, any certificate-related aspects still need to be in the OpenLDAP library configuration file (/etc/ldap/ldap.conf, or ~/.ldaprc).
Please suggest where I could have gone wrong. Any suggestions would be really appreciated.
Hmm, if you were trying to get https working, you would be getting warnings from your browser, this really isn't rocket science, but nss_ldap can't show you warning dialogs, so you need to get the configuration right ...
Thanks,
Sambuddho
Regards,
Buchan
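The thread's debugging advice (check the chain with openssl s_client -CAfile, then check that the certificate name matches the host in the URI) as a small Python diagnostic. This is an added example, not code from the original thread, from OpenLDAP or from nss_ldap. The host, port and CA file path are the ones quoted in the thread; the name-matching rules in hostname_matches() are a simplified approximation of what a validating client does (subjectAltName entries first, with the subject CN used only as a fallback when the certificate carries no SAN at all), so treat a "match" from it as an explanation of the failure, not as a guarantee that a particular client library will accept the certificate:

```python
"""Diagnose why a validating LDAPS client (nss_ldap, ldapsearch) refuses a server.

Added example for the mailing-list thread above; not OpenLDAP or nss_ldap code.
Assumptions: the host/port and CA file path are those from the thread, and the
matching rules below are a simplified approximation of a validating client's
behaviour (SAN first, CN only as a fallback when no SAN is present).
"""
import ipaddress
import socket
import ssl
from typing import List, Optional, Tuple


def hostname_matches(host: str, cn: Optional[str],
                     san_dns: List[str], san_ip: List[str]) -> Tuple[bool, str]:
    """Decide whether a certificate with the given CN / SAN entries is for `host`.

    Returns (ok, reason) so the caller can print an explanation, which is exactly
    what nss_ldap cannot do for you when it logs "Server is unavailable".
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None

    if ip is not None:
        # Host given as an IP literal (as in ldaps://30.0.0.2/): the proper match
        # is an iPAddress SAN entry, not a dNSName and not the CN.
        for entry in san_ip:
            try:
                if ipaddress.ip_address(entry) == ip:
                    return True, f"iPAddress SAN {entry} matches {host}"
            except ValueError:
                continue
        if not san_dns and not san_ip and cn == host:
            # Legacy fallback: no SAN at all, CN spelled exactly like the IP literal.
            return True, f"no SAN present; CN {cn!r} equals IP literal {host} (fallback)"
        return False, f"IP literal {host} is not in SAN iPAddress {san_ip!r}; CN={cn!r}"

    # DNS host: dNSName SANs win; the CN is consulted only if there are no SANs.
    hl = host.lower().rstrip(".")
    if san_dns:
        candidates = [n.lower() for n in san_dns]
    else:
        candidates = [cn.lower()] if cn else []
    for name in candidates:
        if name == hl:
            return True, f"name {name!r} matches host {hl!r}"
        # Single-label wildcard only: *.example.com matches ldap.example.com,
        # not example.com and not a.b.example.com.
        if name.startswith("*.") and "." in hl and hl.split(".", 1)[1] == name[2:]:
            return True, f"wildcard {name!r} matches host {hl!r}"
    return False, f"host {hl!r} not covered by SAN {san_dns!r} / CN {cn!r}"


def parse_peercert(cert: dict) -> Tuple[Optional[str], List[str], List[str]]:
    """Pull CN and SAN entries out of the dict returned by SSLSocket.getpeercert()."""
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    san = cert.get("subjectAltName", ())
    san_dns = [v for k, v in san if k == "DNS"]
    san_ip = [v for k, v in san if k == "IP Address"]
    return cn, san_dns, san_ip


def diagnose(host: str = "30.0.0.2", port: int = 636,
             cafile: str = "/etc/ldap/cacerts/cacert.pem",
             timeout: float = 5.0) -> Tuple[bool, str]:
    """Step 1: chain check against cafile (what `openssl s_client -CAfile` does).
    Step 2: name check, done here so the mismatch can be explained."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False            # we do the name check ourselves below
    ctx.verify_mode = ssl.CERT_REQUIRED   # but the chain must still validate
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as e:
        return False, f"chain does not validate against {cafile}: {e.verify_message}"
    except OSError as e:
        return False, f"cannot connect to {host}:{port}: {e}"
    cn, san_dns, san_ip = parse_peercert(cert)
    return hostname_matches(host, cn, san_dns, san_ip)


if __name__ == "__main__":
    ok, reason = diagnose()
    print(("OK: " if ok else "FAIL: ") + reason)
```

Run it on the client that fails; if diagnose() reports a chain failure, the CA file in /etc/ldap/ldap.conf is not the one that signed the server certificate, and if it reports a name failure, the certificate was issued for a different name than the one in the URI. Either way the fix belongs in the server certificate or in the client's TLS_CACERT setting, not in nss_ldap itself.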