On 05/23/2011 08:39 AM, David Dumortier wrote:
Le sam. mai 21 2011 � 12:55:03 -0300, Reinaldo de Carvalho dit :
On Sat, May 21, 2011 at 12:04 PM, David Dumortierd.dumortier@free.fr wrote:
I suspect you are running ldap:// on port 636.
ldapsearch -W -H ldap://myip:636/ ldap_result: Can't contact LDAP server (-1)
No, -H ldaps://myip:636/ (to SSL/ldaps).
Tried it with same result :-(
You're really using a Certificate file (and not a CSR)?
Ldap client will validade the server certificate, you should especify TLS_CACERT /to/file or TLS_REQCERT never on /etc/ldap/ldap.conf
You are right, I modified TLS_REQCERT in slapd conf but not on /etc/ldap/ldap.conf.
I can not believe this. That's absolutely wrong. Why use certificates, when client is setup to ignore them? Correct solution is to add Your certificatin authority to trusted cert store. Since on debian, openldap is compiled with gnutls, this lines from manual apply: man ldap.conf:
TLS_CACERT <filename> Specifies the file that contains certificates for all of the Certificate Authorities the client will recognize. TLS_CACERTDIR <path> Specifies the path of a directory that contains Certifi‐ cate Authority certificates in separate individual files. The TLS_CACERT is always used before TLS_CACERTDIR. This parameter is ignored with GNUtls. On Debian openldap is linked against GNUtls.
So, just put Your authority cert to some file, point TLS_CACERT to it and it should work. One more thing, when using SSL/TLS it is necessary to use FQDN of the server, which must be same as CN of certificate. (or storing server's IP as CN, not too portable). so this is wrong: ldapsearch -W -H ldaps://192.168.0.1:636/ and this is correct: ldapsearch -W -H ldaps://myserver.mydomain.com:636/
I never tried using wildcard certs with LDAP, nor using SubjectAlternativeName field, but I have feeling that not all clients are capable of using it.
Setting TLS_REQCERT to never is only good for debugging, I discourage using it even for testing since You could end up with insecure installation. For production use TLS_REQCERT should be set to demand, otherwise there is no point in using certs - there is always MITM attack possibility (that is especially true, if password in clear text flows thru LDAP connections, which happens often when user changes his password).
Matej Zagiba
It works. Thank you everybody. I don't understand everything, especially the fact that gnutls-cli work so I'll try to reinstall all, and see if I'll find the same error.