Try to connect to ldaps://localhost:636 Cn must be localhost if that's configured in the certs, but... Are you sure that localhost should be the fqdn?
Il gio 2 gen 2020, 17:39 Dunne, Kenneth kenneth.dunne@siemens.com ha scritto:
All
I am able to connect to my home-built OpenSSL installation (from Dec-19 sources) on CentOS-7 without the TLS bind.
I am now trying to use OpenTLS with OpenSSL, which is not currently working. From searching the internet I find this,
Which indicates that maybe RH-based-unixes have unique issues with OpenTLS/OpenLdap:
https://serverfault.com/questions/437546/centos-openldap-cert-trust-issues
My slapd.conf now holds (as differs from the default installed slapd.conf)
… snip…
############### TLS
# added per http://www.openldap.org/faq/data/cache/185.html
TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /usr/local/etc/openldap/servercrt.pem
TLSCertificateKeyFile /usr/local/etc/openldap/serverkey.pem
TLSCipherSuite DES-CBC3-SHA
… snip…
And my ldap.conf holds:
… snip…
############### TLS
############### TLS
# added per http://www.openldap.org/faq/data/cache/185.html
TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
### fails:
## TLS_CACERT /usr/local/etc/openldap/ cacert.pem
URI ldaps://localhost:636
############### TLS
… snip…
…. Having added the ‘cacert.pem’ into the file “ /etc/pki/tls/certs/ca-bundle.crt”
I get farther in the authentication than using “/usr/local/etc/openldap/ cacert.pem”:
[root@kdunne-dev openldap]# /usr/local/bin/ldapsearch -Z -D "cn=Manager,dc=my-domain,dc=com" -d -1
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying ::1 636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect errno: 111
ldap_close_socket: 3
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before/connect initialization
tls_write: want=289, written=289
0000: 16 03 01 01 1c 01 00 01 18 03 03 51 03 78 81 fc ...........Q.x..
0010: 66 89 9c 91 10 b6 e9 3d f1 12 66 27 c7 f5 80 e4 f......=..f'....
0020: fb f6 5f 9d f8 bb 37 3b 84 cb 17 00 00 ac c0 30 .._...7;.......0
0030: c0 2c c0 28 c0 24 c0 14 c0 0a 00 a5 00 a3 00 a1 .,.(.$..........
0040: 00 9f 00 6b 00 6a 00 69 00 68 00 39 00 38 00 37 ...k.j.i.h.9.8.7
0050: 00 36 00 88 00 87 00 86 00 85 c0 32 c0 2e c0 2a .6.........2...*
0060: c0 26 c0 0f c0 05 00 9d 00 3d 00 35 00 84 c0 2f .&.......=.5.../
0070: c0 2b c0 27 c0 23 c0 13 c0 09 00 a4 00 a2 00 a0 .+.'.#..........
0080: 00 9e 00 67 00 40 00 3f 00 3e 00 33 00 32 00 31 ...g.@.?.>.3.2.1
0090: 00 30 00 9a 00 99 00 98 00 97 00 45 00 44 00 43 .0.........E.D.C
00a0: 00 42 c0 31 c0 2d c0 29 c0 25 c0 0e c0 04 00 9c .B.1.-.).%......
00b0: 00 3c 00 2f 00 96 00 41 c0 12 c0 08 00 16 00 13 .<./...A........
00c0: 00 10 00 0d c0 0d c0 03 00 0a 00 07 c0 11 c0 07 ................
00d0: c0 0c c0 02 00 05 00 04 00 ff 01 00 00 43 00 0b .............C..
00e0: 00 04 03 00 01 02 00 0a 00 0a 00 08 00 17 00 19 ................
00f0: 00 18 00 16 00 23 00 00 00 0d 00 20 00 1e 06 01 .....#..... ....
0100: 06 02 06 03 05 01 05 02 05 03 04 01 04 02 04 03 ................
0110: 03 01 03 02 03 03 02 01 02 02 02 03 00 0f 00 01 ................
0120: 01 .
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=0
TLS: can't connect: .
ldap_err2string
ldap_start_tls: Can't contact LDAP server (-1)
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Additionally:
I am reading the FAQ http://www.openldap.org/faq/data/cache/185.html to generate the certs
but am wondering if I am correctly understanding the instruction “Remember that the Common Name for this cert should be the fully qualified domain name of the server:”
If I run my ldap server as:
/usr/local/libexec/slapd -F /usr/local/etc/openldap/slapd.d -h
'ldaps://127.0.0.1:636 ldap://127.0.0.1:389' -d -1
Then would the ‘common name’ for use in the certificate be:
cn=localhost:636
Any assistance is greatly appreciated.
Thanks!
Ken Dunne