Hello,
Info as follows:
OS: RH Enterprise Server 5.1
Server Certificates: Created using a Common Name of "S80.com"
Client Certificate: Copied "cacert.pem" from the server and placed into "/etc/openldap/cacerts/"
Problem: When configuring TLS to work with LDAP I'm no longer able to login from a client via LDAP. LDAP works normal when TLS is not configured. Suspect possible configuration problem. I'd appreciate any additional information. Thanks.
CLIENT /ETC/LDAP.CONF

# The distinguished name of the search base.
base dc=S80,dc=com
timelimit 120
bind_timelimit 120
idle_timelimit 3600
# Just assume that there are no supplemental groups for these named users
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
bind_policy soft
uri ldaps://192.168.10.1/
ssl start_tls
TLS_CACERT /etc/openldap/cacerts/cacert.pem
pam_password md5
CLIENT /ETC/OPENLDAP/LDAP.CONF
URI ldaps://192.168.10.1/
BASE dc=S80,dc=com
TLS_CACERT /etc/openldap/cacerts/cacert.pem
SERVER /ETC/OPENLDAP/SLAPD.CONF
TLSCACertificateFile /var/certs/cacert.pem
TLSCertificateFile /var/certs/servercrt.pem
TLSCertificateKeyFile /var/certs/serverkey.pem

database ldbm
suffix "dc=S80,dc=com"
rootdn "cn=Administrator,dc=S80,dc=com"
USED THE FOLLOWING COMMANDS (Did not observe ldaps port 636 being opened. Not sure if it's necessary due to start_tls on port 389)
slapd -h "ldap:/// ldaps:///"
nmap 192.168.10.1

PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
389/tcp  open  ldap
617/tcp  open  sco-dtmgr
650/tcp  open  unknown
722/tcp  open  unknown
2049/tcp open  nfs
AMPLIFYING DATA
No errors occur using "ldapsearch -x 'uid=jmathis' -H ldap://192.168.10.1"
Errors observed using:
ldapsearch -x 'uid=jmathis' -H ldaps://192.168.10.1
ldap_bind: Can't contact LDAP server (-1)

ldapsearch -x -b 'dc=S80,dc=com' -ZZ
ldap_start_tls: Can't contact LDAP server (-1)
On Thursday 21 February 2008 00:07:28 Mathis, Jim wrote:
OS: RH Enterprise Server 5.1
Server Certificates: Created using a Common Name of "S80.com"
Client Certificate: Copied "cacert.pem" from the server and placed into "/etc/openldap/cacerts/"
uri ldaps://192.168.10.1/
CLIENT /ETC/OPENLDAP/LDAP.CONF
URI ldaps://192.168.10.1/
[...]
ldapsearch -x 'uid=jmathis' -H ldaps://192.168.10.1
ldap_bind: Can't contact LDAP server (-1)

The basic rules for SSL validation include "host name you connect to must match subject CN", so, if 192.168.10.1 is S80.com, then -H ldaps://S80.com should work ... but I guess it isn't, so you need to generate a new cert with the name your clients connect to (hostname part of URI).
Regards, Buchan
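Buchan's matching rule, carried out as an added example (this is not code from the thread or from OpenLDAP): a small Python checker that takes the host part of an LDAP URI and decides whether it would pass TLS name validation against a certificate's subject CN and subjectAltName entries. It goes beyond the CN-only rule in the reply by also handling SANs (an IP literal in the URI must match an iPAddress SAN; a DNS name matches a dNSName SAN, or the CN only when the certificate carries no dNSName SAN); the certificate values are constructed from the thread's CN of "S80.com", with no SANs assumed.

```python
"""Hypothetical helper: would an LDAP URI's host pass TLS name validation
against a server certificate's identity (subject CN and subjectAltName)?"""
import ipaddress
from urllib.parse import urlsplit


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS match; '*' allowed only as the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    parent, labels = pattern[2:], host.split(".")
    return len(labels) > 1 and ".".join(labels[1:]) == parent


def host_matches_cert(uri: str, subject_cn: str, sans: list) -> bool:
    """sans is a list of (kind, value) pairs, kind being 'DNS' or 'IP'."""
    host = urlsplit(uri).hostname  # strips scheme, port and brackets
    if host is None:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is never matched against CN or dNSName entries.
        return any(k == "IP" and ipaddress.ip_address(v) == ip for k, v in sans)
    dns_sans = [v for k, v in sans if k == "DNS"]
    if dns_sans:
        return any(_dns_match(p, host) for p in dns_sans)
    return _dns_match(subject_cn, host)  # CN fallback only without dNSName SANs


# Constructed from the thread: server cert with CN=S80.com and (assumed) no SANs.
THREAD_CN = "S80.com"
THREAD_SANS = []

if __name__ == "__main__":
    for uri in ("ldaps://192.168.10.1/", "ldaps://S80.com/", "ldaps://s80.com:636"):
        print(uri, host_matches_cert(uri, THREAD_CN, THREAD_SANS))
    # A reissued cert carrying an iPAddress SAN would accept the IP URI too.
    print(host_matches_cert("ldaps://192.168.10.1/", THREAD_CN,
                            [("DNS", "S80.com"), ("IP", "192.168.10.1")]))
```

The first URI (the one from the thread) fails because the IP literal has nothing to match; pointing the client at the name in the CN, or reissuing the certificate with the IP as a SAN, makes it pass.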
Buchan Milne wrote:
On Thursday 21 February 2008 00:07:28 Mathis, Jim wrote:
OS: RH Enterprise Server 5.1
Server Certificates: Created using a Common Name of "S80.com"
Client Certificate: Copied "cacert.pem" from the server and placed into "/etc/openldap/cacerts/"
uri ldaps://192.168.10.1/
CLIENT /ETC/OPENLDAP/LDAP.CONF
URI ldaps://192.168.10.1/
[...]
ldapsearch -x 'uid=jmathis' -H ldaps://192.168.10.1
ldap_bind: Can't contact LDAP server (-1)

The basic rules for SSL validation include "host name you connect to must match subject CN", so, if 192.168.10.1 is S80.com, then -H ldaps://S80.com should work ... but I guess it isn't, so you need to generate a new cert with the name your clients connect to (hostname part of URI).
Please remember to use the "-d" debug flag when investigating problems like this. There's a reason it's there.