8:58 a.m.
Hi list,
When using TLS, I have information that I'm using a self-signed
certificate, as shown below:
# ldapsearch -x -d5 -b 'ou=Usuarios,dc=xx,dc=com,dc=br' -H
ldaps://121.1.1.97/ '(objectclass=*)'
ldap_url_parse_ext(ldaps://121.1.1.97/)
ldap_create
ldap_url_parse_ext(ldaps://121.1.1.97:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 121.1.1.97:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 121.1.1.97:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 18, subject:
/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=ldap.xx.com.br, issuer:
-State/O=Internet Widgits Pty Ltd/CN=ldap.xx.com.br
TLS certificate verification: Error, self signed certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self
signed certificate).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
My slapd.conf:
TLSRandFile /dev/random
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /usr/local/etc/openldap/ssl/cert.crt
TLSCertificateKeyFile /usr/local/etc/openldap/ssl/cert.key
TLSCACertificateFile /usr/local/etc/openldap/ssl/cert.crt
my ldap.conf
pam_login_attribute uid
base dc=xxxx,dc=com,dc=br
uri ldap://127.0.0.1/
PORT 636
HOST 127.0.0.1
TLS_REQCERT allow
TLS_CACERT /usr/local/etc/openldap/ssl/cert.crt
TLS_CACERTDIR /usr/local/etc/openldap/ssl
--
Márcio Luciano Donada <mdonada -at- auroraalimentos -dot- com -dot- br>
Aurora Alimentos - Cooperativa Central Oeste Catarinense
Departamento de T.I.
4:08 a.m.
Fri, Nov 19, 2010 at 02:58:30PM -0200, Márcio Luciano Donada wrote:
Hi list,
When using TLS, I have information that I'm using a self-signed
certificate, as shown below:
# ldapsearch -x -d5 -b 'ou=Usuarios,dc=xx,dc=com,dc=br' -H
ldaps://121.1.1.97/ '(objectclass=*)'
ldap_url_parse_ext(ldaps://121.1.1.97/)
ldap_create
ldap_url_parse_ext(ldaps://121.1.1.97:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 121.1.1.97:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 121.1.1.97:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 18, subject:
/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=ldap.xx.com.br, issuer:
-State/O=Internet Widgits Pty Ltd/CN=ldap.xx.com.br
TLS certificate verification: Error, self signed certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self
signed certificate).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
OpenLDAP is quite picky about correct certificate chains.
You really should create a full certificate chain, that is, a ca, a server certificate and
a server key.
-Dieter
--
Dieter Klünter | Systemberatung
sip: 7770535(a)sipgate.de
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
4:36 p.m.
Dieter Klünter wrote:
Fri, Nov 19, 2010 at 02:58:30PM -0200, Márcio Luciano Donada
wrote:
> Hi list,
> When using TLS, I have information that I'm using a self-signed
> certificate, as shown below:
>
> # ldapsearch -x -d5 -b 'ou=Usuarios,dc=xx,dc=com,dc=br' -H
> ldaps://121.1.1.97/ '(objectclass=*)'
> ldap_url_parse_ext(ldaps://121.1.1.97/)
> ldap_create
> ldap_url_parse_ext(ldaps://121.1.1.97:636/??base)
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP 121.1.1.97:636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 121.1.1.97:636
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> TLS trace: SSL_connect:before/connect initialization
> TLS trace: SSL_connect:SSLv2/v3 write client hello A
> TLS trace: SSL_connect:SSLv3 read server hello A
> TLS certificate verification: depth: 0, err: 18, subject:
> /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=ldap.xx.com.br, issuer:
> -State/O=Internet Widgits Pty Ltd/CN=ldap.xx.com.br
> TLS certificate verification: Error, self signed certificate
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self
> signed certificate).
> ldap_err2string
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
OpenLDAP is quite picky about correct certificate chains.
No, the software will accept whatever you tell it to use, if you configure it
appropriately.
You really should create a full certificate chain, that is, a ca, a
server certificate and a server key.
But yes, the Project always recommends that you do the right thing.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
12:37 a.m.
Em 21/11/2010 22:36, Howard Chu escreveu:
No, the software will accept whatever you tell it to use, if you
configure it appropriately.
which is the way to own a set? What documentation should I follow?
--
Márcio Luciano Donada <mdonada -at- auroraalimentos -dot- com -dot- br>
Aurora Alimentos - Cooperativa Central Oeste Catarinense
Departamento de T.I.
1 a.m.
2010/11/22 Márcio Luciano Donada <mdonada(a)auroraalimentos.com.br>:
Em 21/11/2010 22:36, Howard Chu escreveu:
> No, the software will accept whatever you tell it to use, if you
> configure it appropriately.
>
which is the way to own a set? What documentation should I follow?
--
Márcio Luciano Donada <mdonada -at- auroraalimentos -dot- com -dot- br>
Aurora Alimentos - Cooperativa Central Oeste Catarinense
Departamento de T.I.
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html
http://www.openldap.org/faq/data/cache/185.html
9:33 a.m.
On 11/21/2010 07:36 PM, Howard Chu wrote:
Dieter Klünter wrote:
> Fri, Nov 19, 2010 at 02:58:30PM -0200, Márcio Luciano Donada wrote:
>> Hi list,
>> When using TLS, I have information that I'm using a self-signed
>> certificate, as shown below:
>>
>> # ldapsearch -x -d5 -b 'ou=Usuarios,dc=xx,dc=com,dc=br' -H
>> ldaps://121.1.1.97/ '(objectclass=*)'
>> ldap_url_parse_ext(ldaps://121.1.1.97/)
>> ldap_create
>> ldap_url_parse_ext(ldaps://121.1.1.97:636/??base)
>> ldap_sasl_bind
>> ldap_send_initial_request
>> ldap_new_connection 1 1 0
>> ldap_int_open_connection
>> ldap_connect_to_host: TCP 121.1.1.97:636
>> ldap_new_socket: 3
>> ldap_prepare_socket: 3
>> ldap_connect_to_host: Trying 121.1.1.97:636
>> ldap_pvt_connect: fd: 3 tm: -1 async: 0
>> TLS trace: SSL_connect:before/connect initialization
>> TLS trace: SSL_connect:SSLv2/v3 write client hello A
>> TLS trace: SSL_connect:SSLv3 read server hello A
>> TLS certificate verification: depth: 0, err: 18, subject:
>> /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=ldap.xx.com.br,
>> issuer:
>> -State/O=Internet Widgits Pty Ltd/CN=ldap.xx.com.br
>> TLS certificate verification: Error, self signed certificate
>> TLS trace: SSL3 alert write:fatal:unknown CA
>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>> TLS: can't connect: error:14090086:SSL
>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self
>> signed certificate).
>> ldap_err2string
>> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
> OpenLDAP is quite picky about correct certificate chains.
No, the software will accept whatever you tell it to use, if you
configure it appropriately.
Agreed. I had to put together a test setup to convince myself first,
but now it makes sense to me. =)
> You really should create a full certificate chain, that is, a ca,
a
> server certificate and a server key.
But yes, the Project always recommends that you do the right thing.
One thing I was wondering here is if his ldap is only accessible from
within one location (i.e. no subnets physically separated that need to
authenticate against this ldap server), self signed would not be a bad
idea.
Otherwise, there is always cacert.org. That said, using the later could
make it a bit simpler (at the expense of having to renew cert more
often) as the ca is available and easy to deploy to other machines.
4579
days inactive
4582
days old
openldap-technical@openldap.org
5 comments
5 participants
participants (5)
-
c0re -
Dieter Klünter -
Howard Chu -
Mauricio Tavares -
Márcio Luciano Donada