I'm running openldap-2.3.43-12.el5 on a RHEL 5.5 system:
I believe I have TLS encryption working but I'd like to be able to verify my client connections.
On my LDAP server I have the following in slapd.conf
TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
TLSCertificateFile /etc/openldap/cacerts/slapdcert.pem
TLSCertificateKeyFile /etc/openldap/cacerts/slapdkey.pem
TLSCACertificateFile /etc/openldap/cacerts/slapdcert.pem
On the client I have the following in /etc/ldap.conf
uri ldaps://10.70.5.67/
ssl on
tls_cacertfile /etc/openldap/cacerts/slapdcert.pem
tls_checkpeer no
On the client /etc/openldap/ldap.conf
URI ldaps://10.70.5.67/
TLS_CACERT /etc/openldap/cacerts/slapdcert.pem
TLS_REQCERT demand
These commands work both from the client and server.
openssl s_client -connect servername:636 -showcerts
ldapsearch -x -H ldaps://servername -b dc=domain,dc=domain -D cn=root,dc=domain,dc=domain -W
So my first question would be does this guarantee encrypted sessions? Second, if I change tls_checkpeer to yes then I can't contact the LDAP server. How can I verify my clients?
-Mike
On Tuesday, 8 February 2011 19:11:52 Michael Starling wrote:
> I'm running openldap-2.3.43-12.el5 on a RHEL 5.5 system:
> I believe I have TLS encryption working but I'd like to be able to verify my client connections.
> On my LDAP server I have the following in slapd.conf
> TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
> TLSCertificateFile /etc/openldap/cacerts/slapdcert.pem
> TLSCertificateKeyFile /etc/openldap/cacerts/slapdkey.pem
> TLSCACertificateFile /etc/openldap/cacerts/slapdcert.pem
So, a self-signed cert? You may want to reconsider this, if you will ever have more than one LDAP server, and depending on how many clients you have.
You may want to supply the output of: openssl x509 -noout -subject -in /etc/openldap/cacerts/slapdcert.pem
> On the client I have the following in /etc/ldap.conf
> uri ldaps://10.70.5.67/
So, the subject CN on the certificate is 10.70.5.67? You may instead want to have the subject CN on the cert be the hostname, and use *that* hostname, exactly, in the uri.
Please compare to HTTPS browser validation .. the certificate needs to match the server address you have specified you want to connect to, not some other arbitrary attribute of this server (e.g. the IP address).
(there are other options to allow IP addresses, but they require more work)
> ssl on
> tls_cacertfile /etc/openldap/cacerts/slapdcert.pem
> tls_checkpeer no
> On the client /etc/openldap/ldap.conf
> URI ldaps://10.70.5.67/
Again, ensure the host portion of the URI matches the name on the cert.
> TLS_CACERT /etc/openldap/cacerts/slapdcert.pem
> TLS_REQCERT demand
> These commands work both from the client and server.
> openssl s_client -connect servername:636 -showcerts
> ldapsearch -x -H ldaps://servername -b dc=domain,dc=domain -D cn=root,dc=domain,dc=domain -W
So, here you use the hostname, but in *all* the other instances you use the IP? Why?
> So my first question would be does this guarantee encrypted sessions?
Does *what* guarantee encrypted connections? Your client configurations ensure that the clients use encrypted connections, but your server configuration does not prevent unencrypted connections from working.
> Second, if I change tls_checkpeer to yes then I can't contact the LDAP server. How can I verify my clients?
This is about the server certificate validation, which means server certificate validation rules need to be satisfied:
- chain of trust from CA cert to server cert
- date validity
- matching of cert subject and host portion of URI
Regards, Buchan
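The three validation rules Buchan lists are exactly what the client library applies once tls_checkpeer is set to yes (or TLS_REQCERT demand), so it helps to be able to run them by hand before flipping the switch. The following script is an added example, not something from the thread or from OpenLDAP itself: it generates a throwaway self-signed certificate (the same CA-is-the-server-cert layout as the slapd.conf above) for a constructed hostname, then checks chain of trust, date validity and hostname match with the openssl CLI. It assumes openssl 1.1.1 or later is installed; the hostname ldap.example.test and the scratch directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): reproduce the three checks a
# verifying LDAP client performs, using only the openssl command line.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=ldap.example.test            # host portion of the ldaps:// URI (constructed)

# Constructed test material: a self-signed server cert whose CN and DNS SAN are the
# hostname. In a real deployment the cert would come from your CA instead.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST" \
        -keyout "$WORK/slapdkey.pem" -out "$WORK/slapdcert.pem" >/dev/null 2>&1
}

# Rule 1: chain of trust from the CA file to the server cert. With a self-signed
# cert the CA file *is* the server cert, as in the thread's TLSCACertificateFile.
check_chain() {            # $1 = CA file, $2 = server cert
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Rule 2: date validity. -checkend 0 fails if the cert has already expired
# (notBefore is also enforced by openssl verify above).
check_dates() {            # $1 = server cert
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Rule 3: the host in the URI must match a DNS or IP subjectAltName, or failing
# that the subject CN (the CN fallback is legacy; modern libraries want a SAN).
# This is why "ldaps://10.70.5.67/" fails against a cert issued to a hostname.
check_hostname() {         # $1 = server cert, $2 = host from the URI
    cert=$1; host=$2
    sans=$(openssl x509 -in "$cert" -noout -text \
           | sed -n '/Subject Alternative Name/{n;p;}' \
           | tr -d ' ' | tr ',' '\n' \
           | sed -n -e 's/^DNS://p' -e 's/^IPAddress://p')
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    for name in $sans $cn; do
        [ "$name" = "$host" ] && return 0
    done
    return 1
}

# All three rules together; returns 0 only when a demanding client would connect.
verify_peer() {            # $1 = CA file, $2 = server cert, $3 = URI host
    check_chain "$1" "$2" && check_dates "$2" && check_hostname "$2" "$3"
}

make_cert
if verify_peer "$WORK/slapdcert.pem" "$WORK/slapdcert.pem" "$HOST"; then
    echo "ldaps://$HOST/ would pass tls_checkpeer yes"
fi
# Same cert, but addressed by IP as in the thread: the chain and dates are fine,
# only the host match fails, which is the symptom Mike describes.
if ! verify_peer "$WORK/slapdcert.pem" "$WORK/slapdcert.pem" 10.70.5.67; then
    echo "ldaps://10.70.5.67/ would fail: URI host does not match the certificate"
fi
```

Run it against your real files by pointing check_chain at the CA file from TLS_CACERT and the cert served by slapd, and check_hostname at the host you actually put in the uri/URI directives; whichever of the three checks fails is the one tls_checkpeer yes is tripping over.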
openldap-technical@openldap.org