Sorry I didn't attach the error that appears when the connection is made from another client:
slap_listener_activate(7):
slap_listener(ldaps:///)
connection_get(12): got connid=1078
connection_read(12): checking for input on id=1078
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(12): got connid=1078
connection_read(12): checking for input on id=1078
TLS trace: SSL3 alert read:fatal:bad certificate
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate.
connection_read(12): TLS accept failure error=-1 id=1078, closing
connection_close: conn=1078 sd=12
The other one was when running an ldapsearch -x within the server itself.
Hope the information is good enough. Thanks, j
On 04/12/2011 05:33 PM, Judith Flo Gaya wrote:
Hello,
On 04/11/2011 01:14 PM, harry.jede@arcor.de wrote:
Judith Flo Gaya wrote: ...
At least I could see that the password exop option in the pam_ldap.conf lets the server apply the security to the password, so I think I can change it within the slapd.conf file.
Yes, and if you don't specify "password-hash" in slapd.conf, ssha is used. It is the default.
do you suggest to use salt?
ssha uses salt.
Thanks a lot for your help, j
BTW have you read RFC 3062? http://www.faqs.org/rfcs/rfc3062.html
If you configure your clients to use "password exop" you should be sure that the clients use any kind of network protection, TLS or SSL.
TinyCA is a perl based GTK-GUI which may help you to generate certs and keys.
Until you are ready to use TLS/SSL I suggest that you let the client encrypt the passwords locally.
As I didn't manage to make both client and server hash passwords in the same way, I started creating certificates for clients and servers, but for some reason they aren't able to communicate. I tested the certificate connection and the server answers properly (using openssl_client) both from client to server and from the server to the server. But when I do ldapsearch -x it says ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
In the logs of the server I can see this:
slap_listener_activate(7):
slap_listener(ldaps:///)
connection_get(12): got connid=1077
connection_read(12): checking for input on id=1077
TLS trace: SSL_accept:before/accept initialization
TLS: can't accept: (unknown).
connection_read(12): TLS accept failure error=-1 id=1077, closing
connection_close: conn=1077 sd=12
Any idea?
I created the certificates like this:
# openssl genrsa 2048 > ca-key.pem
# openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem
# openssl req -newkey rsa:2048 -days 1000 -nodes -keyout server-key.pem > server-req.pem
# openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
This on the server side, then I scp the ca-cert.pem file to the client (and to the /etc/openldap/cacerts in the same server). For the client I created the certificate like this:
# openssl req -newkey rsa:2048 -days 1000 -nodes -keyout client-key.pem > client-req.pem
# openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem
And then copy those 3 files to the client.
I changed the slapd.conf to have the 3 tls variables with the generated files from the beginning and changed the configuration to connect to the ldaps://server and marked the tls option.
Any hint about the error?
Thanks in advance. j
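The "bad certificate" alert in the first log arrives while slapd is reading the client certificate, so the check worth running before blaming slapd is whether each certificate actually chains to the CA the peer trusts. The script below is an added example, not part of the thread: it builds a throwaway CA, server and client certificate the way the commands above do, adds one certificate signed by an unrelated CA, and runs openssl verify against each. It assumes the openssl command-line tool is on PATH; all files go to a temporary directory.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the openssl CLI is installed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# CA key and self-signed CA cert; -subj answers the prompts non-interactively
openssl genrsa -out ca-key.pem 2048 2>/dev/null
openssl req -new -x509 -nodes -days 1000 -key ca-key.pem \
    -subj "/CN=Example CA" -out ca-cert.pem 2>/dev/null

# issue_cert NAME CN SERIAL: request plus CA-signed cert, one serial per cert
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1-key.pem" \
        -subj "/CN=$2" -out "$1-req.pem" 2>/dev/null
    openssl x509 -req -in "$1-req.pem" -days 1000 -CA ca-cert.pem \
        -CAkey ca-key.pem -set_serial "$3" -out "$1-cert.pem" 2>/dev/null
}
issue_cert server ldap.example.test 01
issue_cert client client.example.test 02

# A second, unrelated CA stands in for a client cert that was not issued by
# the CA in the server's TLSCACertificateFile (constructed for the example).
openssl req -new -x509 -nodes -days 1000 -newkey rsa:2048 \
    -keyout other-ca-key.pem -subj "/CN=Other CA" -out other-ca-cert.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout stray-key.pem \
    -subj "/CN=stray" -out stray-req.pem 2>/dev/null
openssl x509 -req -in stray-req.pem -days 1000 -CA other-ca-cert.pem \
    -CAkey other-ca-key.pem -set_serial 01 -out stray-cert.pem 2>/dev/null

# chains_to_ca CERT CAFILE: prints "ok" or "fail", mirroring the trust
# decision a TLS peer makes with CAFILE as its only trust anchor.
chains_to_ca() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

chains_to_ca server-cert.pem ca-cert.pem   # ok
chains_to_ca client-cert.pem ca-cert.pem   # ok
chains_to_ca stray-cert.pem ca-cert.pem    # fail
```

Run the same verify step on the real client-cert.pem with the ca-cert.pem slapd loads; a "fail" there is what the server reports as sslv3 alert bad certificate.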