Hi everyone,

I configured my LDAP server (Debian lenny) to listen on port 636 (ldaps) but it doesn't seem to work when issuing a remote connection. Perhaps I made a mistake when generating the certificates?

When I try to browse the LDAP server from a remote server I get the following message:
----------
root@vmtest:~# ldapsearch -d 1 -Wx -H ldaps://ldapserver.domain.tld -D cn=admin,dc=domain,dc=tld
ldap_url_parse_ext(ldaps://ldapserver.domain.tld)
ldap_create
ldap_url_parse_ext(ldaps://ldapserver.domain.tld:636/??base)
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldapserver.domain.tld:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.10.48.40:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: peer cert untrusted or revoked (0x42)
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
-----------

I generated the certificates with the following command:
# openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 3650
-----------

Then I tried the connection:
openssl s_client -connect ldapserver.domain.tld:636 -showcerts
CONNECTED(00000003)
depth=0 /C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
verify return:1
---
Certificate chain
 0 s:/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
   i:/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
-----BEGIN CERTIFICATE-----
MIIDDTCCAnagAwIBAgIJAM7IwuTIzhwqMA0GCSqGSIb3DQEBBQUAMGMxCzAJBgNV
BAYTAkZSMRMwEQYDVQQIEwpTb21lLVN0YXRlMQ4wDAYDVQQHEwVQYXJpczELMAkG
A1UEChMCQlQxIjAgBgNVBAMTGWlwb2MwMS5pcG9jLmJ0c2VydmljZXMuZnIwHhcN
MDkxMTI0MTUwMTUxWhcNMTkxMTIyMTUwMTUxWjBjMQswCQYDVQQGEwJGUjETMBEG
A1UECBMKU29tZS1TdGF0ZTEOMAwGA1UEBxMFUGFyaXMxCzAJBgNVBAoTAkJUMSIw
IAYDVQQDExlpcG9jMDEuaXBvYy5idHNlcnZpY2VzLmZyMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQCm5FrQ3dN1Jkxj2SZsPr+vkYDlwVnvqDCxnAs3O5NJ/1uY
F9/mwsCVdAnp04Eywo3BCbvP6tlzsF3JbAlqMLTb85ZTHOqRQncXGfVZ7bMnR071
tQ70/b3vF/TuMYiOU7vXf2h863aRi11tT9xHD17wFfFaXBtRIIOioc3UpJWWPwID
AQABo4HIMIHFMB0GA1UdDgQWBBREqX/HQEzU5TCDrBsbttUxa44fnDCBlQYDVR0j
BIGNMIGKgBREqX/HQEzU5TCDrBsbttUxa44fnKFnpGUwYzELMAkGA1UEBhMCRlIx
EzARBgNVBAgTClNvbWUtU3RhdGUxDjAMBgNVBAcTBVBhcmlzMQswCQYDVQQKEwJC
VDEiMCAGA1UEAxMZaXBvYzAxLmlwb2MuYnRzZXJ2aWNlcy5mcoIJAM7IwuTIzhwq
MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAd0Le1JyJF8zBs0RYvEn7
c1nhVbsdD8FDBTa4IaNvkbIt8al6G7bBpfyDxcMVtgFc8zHt/+sYfTxWuHh7m+b1
yjJtD9vMjIigbaZq4VJOz11JEWsQHc8wo3So+G+CelTz4HXPoGh5vqRtTkupjedz
0DDsA1jd9F4KpYSOkzxosdc=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
issuer=/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld
---
No client certificate CA names sent
---
SSL handshake has read 1107 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 9EF5F2D4FD72A0D1161C8334537F1ADF60C8B790A3F699B6DC52557E3C95D427
    Session-ID-ctx:
    Master-Key: 015D50D6D93F502E37EDB577691F05D157E80A439A2B129B370EEA24E651E828A172E43B3F6D29174BF33B96193202F0
    Key-Arg   : None
    Start Time: 1259761586
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
------------------

My ldap.conf
-----------------
BASE dc=domain,dc=tld
URI ldaps://ldapserver.domain.tld/
TLS_REQCERT allow

My slapd.conf :
----------------
...
TLSCACertificateFile /etc/ldap/ssl/server.pem
TLSCertificateFile /etc/ldap/ssl/server.pem
TLSCertificateKeyFile /etc/ldap/ssl/server.pem
...
------------------
My /etc/default/slapd.conf
...
SLAPD_SERVICES="ldaps://ldapserver.domain.tld"
...

Could you please help me?
Hello,

Are you sure the server is listening on 636?

--- SNIP ---
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
------------

It seems more like a network problem to me. Please verify it by % netstat -nlp | grep 636; or eventually by % netstat -nlp | grep 389; at the server.

Regards,
Zdenek
----- Original Message -----
From: "Zdenek Styblik" stybla@turnovfree.net
To: smainklh@free.fr
Cc: openldap-technical@openldap.org
Sent: Wednesday 2 December 2009 16:37:01 GMT +01:00 Amsterdam / Berlin / Berne / Rome / Stockholm / Vienne
Subject: Re: Authentication failed with ldaps configuration
Hi Zdenek,

Yes I am.

netstat -nlp | grep 636
tcp 0 0 10.10.48.40:636 0.0.0.0:* LISTEN
netstat -nlp | grep 389

Logs from the ldap server
-----------
Dec 3 10:10:04 ldapserver slapd[20754]: slap_listener_activate(8):
Dec 3 10:10:04 ldapserver slapd[20754]: >>> slap_listener(ldaps://ldapserver.domain.tld)
Dec 3 10:10:04 ldapserver slapd[20754]: connection_get(14): got connid=42
Dec 3 10:10:04 ldapserver slapd[20754]: connection_read(14): checking for input on id=42
Dec 3 10:10:04 ldapserver slapd[20754]: connection_get(14): got connid=42
Dec 3 10:10:04 ldapserver slapd[20754]: connection_read(14): checking for input on id=42
Dec 3 10:10:04 ldapserver slapd[20754]: connection_read(14): unable to get TLS client DN, error=49 id=42
Dec 3 10:10:04 ldapserver slapd[20754]: connection_get(14): got connid=42
Dec 3 10:10:04 ldapserver slapd[20754]: connection_read(14): checking for input on id=42
Dec 3 10:10:04 ldapserver slapd[20754]: ber_get_next on fd 14 failed errno=0 (Success)
Dec 3 10:10:04 ldapserver slapd[20754]: connection_closing: readying conn=42 sd=14 for close
Dec 3 10:10:04 ldapserver slapd[20754]: connection_close: conn=42 sd=14

It seems to be a certificate problem.
-----
TLS: peer cert untrusted or revoked
-----

Do you have any idea?
Grifith
Evening Grifith,
I'm sorry I've missed that one. I'm no expert, but I can give you my config files. I've used 'easy-rsa' to generate all certificates. It comes with OpenVPN, but it might be available as a standalone package in Debian. It's a set of scripts for certificate manipulation, and it surely eases things up. One thing that came to my mind: the certificate "has" to bear the same FQDN as the IP, e.g. if 192.168.1.1 -eq server1.mydomain.tld then the certificate should be generated for and contain server1.mydomain.tld. Another thing is .key files should have chmod 400.

--- client side ---
cat /etc/openldap/ldap.conf
BASE dc=mydomain,dc=tld
URI ldaps://server1.mydomain.tld
port 636
ssl yes
#ssl start_tls
TLS_CACERT /etc/openldap/ssl/ca.mydomain.crt
TLS_CERT /etc/ssl/certs/server2.mydomain.tld.crt
TLS_KEY /etc/ssl/private/server2.mydomain.tld.key
TLS_REQCERT never
TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3
------------------

--- server ---
cat /etc/openldap/slapd.conf
...
TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCACertificateFile /etc/ssl/certs/ca.mydomain.crt
TLSCertificateFile /etc/ssl/certs/server1.mydomain.tld.crt
TLSCertificateKeyFile /etc/ssl/private/server1.mydomain.tld.key
TLSVerifyClient never
...
--------------

I hope it helps, at least a bit.

Have a nice evening,
Zdenek
PS: Thunderbird refused to accept the rest of the text for some reason, I had to c&p it inside.
-------- Original Message --------
From: Zdenek Styblik stybla@turnovfree.net
To: smainklh@free.fr
Cc: openldap-technical@openldap.org
Subject: Re: Authentication failed with ldaps configuration
Date: Thu, 03 Dec 2009 17:03:32 +0100
Hi,

Thanks for your help Zdenek, I made it work with the following configuration:

SERVER
-------------
My slapd.conf :
----------------
...
TLSCACertificateFile /etc/ssl/certs/ldap-cert.pem
TLSCertificateFile /etc/ssl/certs/ldap-cert.pem
TLSCertificateKeyFile /etc/ldap/ssl/ldap-key.pem

I created the certificate with this command:
# openssl req -config /etc/ssl/openssl.cnf -new -x509 -nodes -out /etc/ssl/certs/ldap-cert.pem -keyout /etc/ldap/ssl/ldap-key.pem -days 999999

My ldap.conf :
----------------
BASE dc=mydomain,dc=tld
URI ldaps://ldapserver.mydomain.tld
port 636
ssl on
ssl start_tls
TLS_CACERT /etc/ssl/certs/ldap-cert.pem
TLS_REQCERT allow

CLIENT
------------
The ldap.conf is exactly the same as the server's.

And it works!
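The configurations posted through this thread (the original server.pem-for-everything setup, Zdenek's client/server pair, and the final working one) differ mainly in how the client is told to trust the server certificate and whether it checks it at all. The script below is an added example, not code from the thread or from OpenLDAP: a small linter for the TLS settings of a client ldap.conf and a slapd.conf. It parses the key/value lines and flags TLS_REQCERT never/allow (verification disabled, which hides a trust problem rather than fixing it), a missing TLS_CACERT when an ldaps:// URI is used (the gap in the first ldap.conf), a private key stored in the certificate file, a self-signed certificate serving as its own CA (workable, but every client must carry the same file), an IP literal in the URI (the name connected to must match the certificate's CN, as Zdenek notes) and, optionally, key-file permissions other than 0400. The sample inputs are the thread's own configurations embedded as constructed strings; the check names and messages are mine.

```python
"""Lint TLS settings in an OpenLDAP client ldap.conf and a slapd.conf.

Added example, not code from the thread or from OpenLDAP.
"""
import ipaddress
import os
import stat
from urllib.parse import urlsplit

# Constructed sample inputs: the configurations posted in the thread.
CLIENT_ORIGINAL = """\
BASE dc=domain,dc=tld
URI ldaps://ldapserver.domain.tld/
TLS_REQCERT allow
"""
SERVER_ORIGINAL = """\
...
TLSCACertificateFile /etc/ldap/ssl/server.pem
TLSCertificateFile /etc/ldap/ssl/server.pem
TLSCertificateKeyFile /etc/ldap/ssl/server.pem
...
"""
CLIENT_FINAL = """\
BASE dc=mydomain,dc=tld
URI ldaps://ldapserver.mydomain.tld
port 636
TLS_CACERT /etc/ssl/certs/ldap-cert.pem
TLS_REQCERT allow
"""
SERVER_FINAL = """\
TLSCACertificateFile /etc/ssl/certs/ldap-cert.pem
TLSCertificateFile /etc/ssl/certs/ldap-cert.pem
TLSCertificateKeyFile /etc/ldap/ssl/ldap-key.pem
"""


def parse_conf(text):
    """'KEY value' lines -> dict; '#' comments and '...' placeholders are skipped,
    keys are upper-cased and a repeated key keeps its last value."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line == "...":
            continue
        parts = line.split(None, 1)
        settings[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def lint_client(conf):
    """Problems found in a client ldap.conf (empty list = clean)."""
    findings = []
    uris = conf.get("URI", "").split()
    # libldap defaults TLS_REQCERT to demand; never/allow accept any certificate.
    reqcert = conf.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: server certificate is not verified; use demand")
    if any(u.lower().startswith("ldaps://") for u in uris) \
            and "TLS_CACERT" not in conf and "TLS_CACERTDIR" not in conf:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: a self-signed server certificate "
                        "has no trust anchor here, so verification fails")
    for uri in uris:
        try:
            ipaddress.ip_address(urlsplit(uri).hostname or "")
        except ValueError:
            continue  # a host name, the normal case
        findings.append(f"URI {uri} uses an IP address; the name connected to must match "
                        "the certificate CN/SAN, so use the FQDN")
    return findings


def lint_server(conf, check_files=False):
    """Problems found in a slapd.conf (empty list = clean); check_files=True also
    inspects the private key's mode on disk when the file exists."""
    findings = []
    ca = conf.get("TLSCACERTIFICATEFILE")
    cert = conf.get("TLSCERTIFICATEFILE")
    key = conf.get("TLSCERTIFICATEKEYFILE")
    if not (cert and key):
        findings.append("TLSCertificateFile/TLSCertificateKeyFile missing: no ldaps:// possible")
    if cert and key == cert:
        findings.append(f"private key and certificate share {key}; keep the key in its own "
                        "0400 file so the certificate alone can be handed to clients")
    if cert and ca == cert:
        findings.append(f"{ca} is the server certificate itself (self-signed); every client "
                        "needs the same file as TLS_CACERT to validate the server")
    if check_files and key and os.path.exists(key):
        mode = stat.S_IMODE(os.stat(key).st_mode)
        if mode & 0o077:
            findings.append(f"{key} has mode {mode:04o}; a private key should be 0400")
    return findings


if __name__ == "__main__":
    for label, findings in (
        ("original client ldap.conf", lint_client(parse_conf(CLIENT_ORIGINAL))),
        ("original slapd.conf", lint_server(parse_conf(SERVER_ORIGINAL))),
        ("final client ldap.conf", lint_client(parse_conf(CLIENT_FINAL))),
        ("final slapd.conf", lint_server(parse_conf(SERVER_FINAL))),
    ):
        print(f"== {label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run as a script it prints the findings for each of the four configurations; `lint_client` and `lint_server` return plain lists, so they can be wired into a configuration test. The linter reads only the config files, not the certificate: the CN and the validity period (the final command's -days 999999 yields a certificate that in practice never expires, so nothing forces a key rotation) are checked with `openssl x509 -noout -subject -dates -in ldap-cert.pem`.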
On Fri, 2009-12-04 at 14:27 +0100, Smaïne Kahlouch wrote:
-------- Message initial -------- De: Zdenek Styblik stybla@turnovfree.net À: smainklh@free.fr Cc: openldap-technical@openldap.org Sujet: Re: Authentication failed with ldaps configuration Date: Thu, 03 Dec 2009 17:03:32 +0100
smainklh@free.fr wrote: > ----- Mail Original ----- > De: "Zdenek Styblik" <stybla@turnovfree.net> > À: smainklh@free.fr > Cc: openldap-technical@openldap.org > Envoyé: Mercredi 2 Décembre 2009 16h37:01 GMT +01:00 Amsterdam / Berlin / Berne / Rome / Stockholm / Vienne > Objet: Re: Authentication failed with ldaps configuration > > smainklh@free.fr wrote: >> Hi everyone, >> >> I configured my ldap server (debian lenny) to listen on port 636 (ldaps) but it doesn't seems to work when issuing a remote connexion. >> Perhaps i did a mistake when generating the certificates ?.... >> >> When i try to browse the ldap server from a remote server i get the following message : >> ---------- >> root@vmtest:~# ldapsearch -d 1 -Wx -H ldaps://ldapserver.domain.tld -D cn=admin,dc=domain,dc=tld >> ldap_url_parse_ext(ldaps://ldapserver.domain.tld) >> ldap_create >> ldap_url_parse_ext(ldaps://ldapserver.domain.tld:636/??base) >> Enter LDAP Password: >> ldap_sasl_bind >> ldap_send_initial_request >> ldap_new_connection 1 1 0 >> ldap_int_open_connection >> ldap_connect_to_host: TCP ldapserver.domain.tld:636 >> ldap_new_socket: 3 >> ldap_prepare_socket: 3 >> ldap_connect_to_host: Trying 10.10.48.40:636 >> ldap_pvt_connect: fd: 3 tm: -1 async: 0 >> TLS: peer cert untrusted or revoked (0x42) >> ldap_err2string >> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) >> ----------- >> >> I generated the certificates with the following command : >> # openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 3650 >> >> ----------- >> >> Then i tried the connexion : >> openssl s_client -connect ldapserver.domain.tld:636 -showcerts >> CONNECTED(00000003) >> depth=0 /C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld >> verify error:num=18:self signed certificate >> verify return:1 >> depth=0 /C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld >> verify return:1 >> --- >> Certificate chain >> 0 
s:/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld >> i:/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld >> -----BEGIN CERTIFICATE----- >> MIIDDTCCAnagAwIBAgIJAM7IwuTIzhwqMA0GCSqGSIb3DQEBBQUAMGMxCzAJBgNV >> BAYTAkZSMRMwEQYDVQQIEwpTb21lLVN0YXRlMQ4wDAYDVQQHEwVQYXJpczELMAkG >> A1UEChMCQlQxIjAgBgNVBAMTGWlwb2MwMS5pcG9jLmJ0c2VydmljZXMuZnIwHhcN >> MDkxMTI0MTUwMTUxWhcNMTkxMTIyMTUwMTUxWjBjMQswCQYDVQQGEwJGUjETMBEG >> A1UECBMKU29tZS1TdGF0ZTEOMAwGA1UEBxMFUGFyaXMxCzAJBgNVBAoTAkJUMSIw >> IAYDVQQDExlpcG9jMDEuaXBvYy5idHNlcnZpY2VzLmZyMIGfMA0GCSqGSIb3DQEB >> AQUAA4GNADCBiQKBgQCm5FrQ3dN1Jkxj2SZsPr+vkYDlwVnvqDCxnAs3O5NJ/1uY >> F9/mwsCVdAnp04Eywo3BCbvP6tlzsF3JbAlqMLTb85ZTHOqRQncXGfVZ7bMnR071 >> tQ70/b3vF/TuMYiOU7vXf2h863aRi11tT9xHD17wFfFaXBtRIIOioc3UpJWWPwID >> AQABo4HIMIHFMB0GA1UdDgQWBBREqX/HQEzU5TCDrBsbttUxa44fnDCBlQYDVR0j >> BIGNMIGKgBREqX/HQEzU5TCDrBsbttUxa44fnKFnpGUwYzELMAkGA1UEBhMCRlIx >> EzARBgNVBAgTClNvbWUtU3RhdGUxDjAMBgNVBAcTBVBhcmlzMQswCQYDVQQKEwJC >> VDEiMCAGA1UEAxMZaXBvYzAxLmlwb2MuYnRzZXJ2aWNlcy5mcoIJAM7IwuTIzhwq >> MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAd0Le1JyJF8zBs0RYvEn7 >> c1nhVbsdD8FDBTa4IaNvkbIt8al6G7bBpfyDxcMVtgFc8zHt/+sYfTxWuHh7m+b1 >> yjJtD9vMjIigbaZq4VJOz11JEWsQHc8wo3So+G+CelTz4HXPoGh5vqRtTkupjedz >> 0DDsA1jd9F4KpYSOkzxosdc= >> -----END CERTIFICATE----- >> --- >> Server certificate >> subject=/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld >> issuer=/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld >> --- >> No client certificate CA names sent >> --- >> SSL handshake has read 1107 bytes and written 316 bytes >> --- >> New, TLSv1/SSLv3, Cipher is AES256-SHA >> Server public key is 1024 bit >> Compression: NONE >> Expansion: NONE >> SSL-Session: >> Protocol : TLSv1 >> Cipher : AES256-SHA >> Session-ID: 9EF5F2D4FD72A0D1161C8334537F1ADF60C8B790A3F699B6DC52557E3C95D427 >> Session-ID-ctx: >> Master-Key: 015D50D6D93F502E37EDB577691F05D157E80A439A2B129B370EEA24E651E828A172E43B3F6D29174BF33B96193202F0 >> Key-Arg : None >> 
>> Start Time: 1259761586
>> Timeout : 300 (sec)
>> Verify return code: 18 (self signed certificate)
>> ---
>>
>> ------------------
>>
>> My ldap.conf
>> -----------------
>> BASE dc=domain,dc=tld
>> URI ldaps://ldapserver.domain.tld/
>> TLS_REQCERT allow
>>
>>
>> My slapd.conf :
>> ----------------
>> ...
>> TLSCACertificateFile /etc/ldap/ssl/server.pem
>> TLSCertificateFile /etc/ldap/ssl/server.pem
>> TLSCertificateKeyFile /etc/ldap/ssl/server.pem
>> ...
>>
>> ------------------
>> My /etc/default/slapd.conf
>> ...
>> SLAPD_SERVICES="ldaps://ldapserver.domain.tld"
>> ...
>>
>> Could you please help me ?
>>
>
> Hello,
>
> are you sure the server is listening at 636?
>
> --- SNIP ---
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> ------------
>
> It seems more like a network problem to me.
> Please, verify it by % netstat -nlp | grep 636; or eventually by
> % netstat -nlp | grep 389; at the server.
>
> Regards,
> Zdenek
>
> Hi Zdenek,
>
> Yes I'm.
>
> netstat -nlp | grep 636
> tcp 0 0 10.10.48.40:636 0.0.0.0:* LISTEN
> netstat -nlp | grep 389
>
> Logs from the ldap server
> -----------
> Dec 3 10:10:04 ldapserver slapd[20754]: slap_listener_activate(8):
> Dec 3 10:10:04 ldapserver slapd[20754]: >>> slap_listener(ldaps://ldapserver.domain.tld)
> Dec 3 10:10:04 ldapserver slapd[20754]: connection_get(14): got connid=42
> Dec 3 10:10:04 ldapserver slapd[20754]: connection_read(14): checking for input on id=42
> Dec 3 10:10:04 ldapserver slapd[20754]: connection_get(14): got connid=42
> Dec 3 10:10:04 ldapserver slapd[20754]: connection_read(14): checking for input on id=42
> Dec 3 10:10:04 ldapserver slapd[20754]: connection_read(14): unable to get TLS client DN, error=49 id=42
> Dec 3 10:10:04 ldapserver slapd[20754]: connection_get(14): got connid=42
> Dec 3 10:10:04 ldapserver slapd[20754]: connection_read(14): checking for input on id=42
> Dec 3 10:10:04 ldapserver slapd[20754]: ber_get_next on fd 14 failed errno=0 (Success)
> Dec 3 10:10:04 ldapserver slapd[20754]: connection_closing: readying conn=42 sd=14 for close
> Dec 3 10:10:04 ldapserver slapd[20754]: connection_close: conn=42 sd=14
>
> It seems to be a certificate problem.
> -----
> TLS: peer cert untrusted or revoked
> -----
>
> Do you have any idea ?
> Grifith

Evening Grifith,

I'm sorry I've missed that one. I'm no expert, but I can give you my config files. I've used 'easy-rsa' to generate all certificates. It comes with OpenVPN, but it might be available as a standalone package in Debian. It's a set of scripts for certificate manipulation, and it surely eases things up.

One thing that came to my mind: the certificate "has" to bear the same FQDN as the IP, e.g. if 192.168.1.1 -eq server1.mydomain.tld then the certificate should be generated for, and contain, server1.mydomain.tld. Another thing: .key files should have chmod 400.

--- client side ---
cat /etc/openldap/ldap.conf
BASE dc=mydomain,dc=tld
URI ldaps://server1.mydomain.tld
port 636
ssl yes
#ssl start_tls
TLS_CACERT /etc/openldap/ssl/ca.mydomain.crt
TLS_CERT /etc/ssl/certs/server2.mydomain.tld.crt
TLS_KEY /etc/ssl/private/server2.mydomain.tld.key
TLS_REQCERT never
TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3
------------------

--- server ---
cat /etc/openldap/slapd.conf
...
TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCACertificateFile /etc/ssl/certs/ca.mydomain.crt
TLSCertificateFile /etc/ssl/certs/server1.mydomain.tld.crt
TLSCertificateKeyFile /etc/ssl/private/server1.mydomain.tld.key
TLSVerifyClient never
...
--------------

I hope it helps, at least a bit.

Have a nice evening,
Zdenek

PS: Thunderbird refused to accept the rest of the text for some reason, I had to c&p it inside.
Hi,
Thanks for your help Zdenek, I made it work with the following configuration:

SERVER

My slapd.conf :
...
TLSCACertificateFile /etc/ssl/certs/ldap-cert.pem
TLSCertificateFile /etc/ssl/certs/ldap-cert.pem
TLSCertificateKeyFile /etc/ldap/ssl/ldap-key.pem

I created the certificate with this command:
# openssl req -config /etc/ssl/openssl.cnf -new -x509 -nodes -out /etc/ssl/certs/ldap-cert.pem -keyout /etc/ldap/ssl/ldap-key.pem -days 999999

My ldap.conf :
BASE dc=mydomain,dc=tld
URI ldaps://ldapserver.mydomain.tld
port 636
ssl on
ssl start_tls
TLS_CACERT /etc/ssl/certs/ldap-cert.pem
TLS_REQCERT allow

CLIENT

The ldap.conf is exactly the same as the server's.

And it works!
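As an added example, not code from the thread, a short Python check of the client settings this thread walks through: it parses an ldap.conf, takes the subject and issuer lines that openssl s_client printed for the server certificate, and flags a self-signed certificate with no TLS_CACERT trust anchor (the original poster's case), TLS_REQCERT never (as in Zdenek's client config, which disables verification entirely), and a CN that differs from the URI host. The conf text and DN strings are constructed from values in the thread; the TLS_CACERT path is the one from the working config above.

```python
from urllib.parse import urlparse

def parse_ldap_conf(text):
    """Parse 'KEY value' lines of an ldap.conf into a dict; keys are upper-cased."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)          # key and the rest, tab or space separated
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def subject_cn(dn):
    """Return the CN of an OpenSSL one-line DN such as '/C=FR/O=firm/CN=host'."""
    for part in dn.strip("/").split("/"):
        if part.startswith("CN="):
            return part[3:]
    return None

def diagnose(ldap_conf_text, subject, issuer):
    """List reasons an ldaps:// bind with this client config may fail or be unsafe."""
    conf = parse_ldap_conf(ldap_conf_text)
    host = urlparse(conf.get("URI", "")).hostname
    reqcert = conf.get("TLS_REQCERT", "demand").lower()   # OpenLDAP's default is demand
    findings = []
    # subject == issuer is how s_client shows a self-signed certificate (verify code 18)
    if subject == issuer and "TLS_CACERT" not in conf and reqcert != "never":
        findings.append("self-signed server certificate but no TLS_CACERT: the client has "
                        "no trust anchor (fix in the thread: point TLS_CACERT at the server cert)")
    if reqcert == "never":
        findings.append("TLS_REQCERT never: the server certificate is not checked at all, "
                        "so any server, genuine or not, is accepted")
    cn = subject_cn(subject)
    if host and cn and cn.lower() != host.lower():
        findings.append(f"certificate CN {cn!r} does not match URI host {host!r}")
    return findings

# Constructed inputs modelled on the thread: the original client ldap.conf and the
# subject/issuer line that s_client printed for the self-signed server certificate.
ORIGINAL_LDAP_CONF = "BASE dc=domain,dc=tld\nURI ldaps://ldapserver.domain.tld/\nTLS_REQCERT allow\n"
FIXED_LDAP_CONF = ORIGINAL_LDAP_CONF + "TLS_CACERT /etc/ssl/certs/ldap-cert.pem\n"
SELF_SIGNED_DN = "/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld"

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_LDAP_CONF), ("fixed", FIXED_LDAP_CONF)):
        print(name, diagnose(text, SELF_SIGNED_DN, SELF_SIGNED_DN) or ["no findings"])
```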
Hi - I tried the exact same thing but ended up with no luck. I'm on Ubuntu 9.04 (slapd 2.4.15). Though I can see my ldapssl service gets started I cannot perform any ldap operations from the client machine. I think this is because of an SSL issue. When I tried to verify my cert using:
openssl s_client -connect my_ip:636 -showcerts
I'm getting the following error.
13761:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
Any help is appreciated.
Thanks, ~Chamith
On Fri, 2009-12-04 at 22:23 +0530, Chamith Kumarage wrote:
On Fri, 2009-12-04 at 14:27 +0100, Smaïne Kahlouch wrote:
-------- Original Message --------
From: Zdenek Styblik stybla@turnovfree.net
To: smainklh@free.fr
Cc: openldap-technical@openldap.org
Subject: Re: Authentication failed with ldaps configuration
Date: Thu, 03 Dec 2009 17:03:32 +0100
smainklh@free.fr wrote:
> ----- Original Message -----
> From: "Zdenek Styblik" <stybla@turnovfree.net>
> To: smainklh@free.fr
> Cc: openldap-technical@openldap.org
> Sent: Wednesday 2 December 2009 16:37:01 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
> Subject: Re: Authentication failed with ldaps configuration
FYI: Just tested the same setup with Ubuntu 8.04.2 and it works perfectly.
Gotta blog about this at saguide.wordpress.com :)
Thanks, ~Chamith