Re: Using Arbitrary X509 certificates for LDAPS authentication
Hi there,
I looked into this and I don't understand :( Would you please clarify
why a DN such as "/C=CA/O=Grid/CN=host/somehost.somedomain.ca" is
broken? You said "somehost.somedomain.ca" is not a valid RDN because
it just has a value and not a type, however the RDN is not just
"somehost.somedomain.ca" but "CN=host/somehost.somedomain.ca" which
has a type of "CN" and a value of "host/somehost.somedomain.ca" does
it not? If this RDN is in fact valid, I still don't understand why DNs
of the form
"/C=CA/O=Grid/CN=host/somehost.somedomain.ca" seem to not work with LDAP.
Thanks,
Stephen
On Wed, Sep 2, 2009 at 7:35 PM, Howard Chu <hyc(a)symas.com> wrote:
Stephen Cartwright wrote:
>
> Hi there,
>
> Are there any restrictions on the DN or other attributes of
> credentials used for LDAP authentication?
>
> We are using grid credentials (X509 format) with DNs like this:
>
> issuer= /C=CA/O=Grid/CN=Grid Canada Certificate Authority
> subject= /C=CA/O=Grid/CN=host/somehost.somedomain.ca
"somehost.somedomain.ca" is not a valid RDN. RDNs require both a type and a
value, but here you have only a value. Whatever CA software you're using is
broken if it's allowing you to create certificates like this.
>
> When I use some grid certs (X509 format) I see this message in the debug
> output from slapd:
>
> connection_read(10): unable to get TLS client DN error=49 id=3
>
> When I try to connect, I get this:
>
> ldap_initialize( ldaps://somehost.somedomain.ca )
> ldap_bind: Can't contact LDAP server
>
> The openssl command to create a connection works OK:
>
> CONNECTED(00000003)
> ---
> Certificate chain
> 0 s:/C=CA/O=Grid/CN=host/somehost.somedomain.ca
> i:/C=CA/O=Grid/CN=Grid Canada Certificate Authority
> 1 s:/C=CA/O=Grid/CN=Grid Canada Certificate Authority
> i:/C=CA/O=Grid/CN=Grid Canada Certificate Authority
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> ...
> -----END CERTIFICATE-----
> subject=/C=CA/O=Grid/CN=host/somehost.somedomain.ca
> issuer=/C=CA/O=Grid/CN=Grid Canada Certificate Authority
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 2083 bytes and written 320 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
> Server public key is 1024 bit
> SSL-Session:
> Protocol : TLSv1
> Cipher : DES-CBC3-SHA
> Session-ID:
> 43B46528E848663E7C8E9CAAEA4E6DB5E4A9675C05C3066DBD826CD1CF59A566
> Session-ID-ctx:
> Master-Key:
>
>
A8245A0731BA98F0D88821346432868C392FEE3F23EAFB9F356A34CB6BB663FC0892374118F280D6284C8E2ACAC3
> Key-Arg : None
> Start Time: 1251330160
> Timeout : 300 (sec)
> Verify return code: 0 (ok)
>
> When I use certs created by us with another DN format such as this:
>
> subject=
>
/C=CA/ST=Province/L=Town/O=Organization/OU=Unit/CN=somehost.somedomain.ca/emailAddress=email(a)somewhere.ca
> issuer= /C=CA/ST=Province/O=Organization/OU=Town/CN=Our
> CA/emailAddress=email(a)somewhere.ca
>
> And then make no other changes to the config other than pointing
> everything to the new commands I can make a connection.
>
> Any suggestions? Please advise.
>
> Steve
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/