I am a novice to linux administration. Recently I had to configure a system to authenticate using LDAP with TLS. I have read guides from several websites. But I still could configure it. There seem to be several reasons for the failure. I tried many suggestions, but with no success. I don’t have access to the LDAP server. So I have been just playing with config on the client. The LDAP server is sso.abcdef.edu http://sso.abcdef.edu/ My ldap.conf content is below
BASE dc=abcdef,dc=edu TLS_REQCERT allow TLS_CACERT /etc/openldap/cacerts/sso.abcdef.edu.crt uri ldap://sso.abcdef.edu ldap://sso.abcdef.edu TLS_CACERTDIR /etc/openldap/cacerts
I could issue a ldapsearch -x which returns several entries. However, when I couldn’t do using TLS. The following command shows some errors. Could you suggest me possible directions to resolve this. The directory /etc/openldap/cacerts/ contains the server certificate sso.abcdef.edu http://sso.abcdef.edu/.crt. I also made a copy of it with name sso.abcdef.edu http://sso.abcdef.edu/.pem. I am not sure whether this pem file should be that of the server or the client. Another question, should the client also have a ca (or self-signed ) certificate and it whether it should be uploaded onto the LDAP server? Could anyone please describe the basic essential steps in configuring LDAP client with TLS (without necessarily including the commands). (Several guides suggest changing configs at several places (like, pam_ldap.con, auth.conf) etc. But centOS documentation on LDAP describes configuration only for the ldap.conf (which I couldn’t follow completely).)
/etc/openldap/cacerts root@wserver[0.5]5019 > ldapsearch -ZZZ -h sso.abcdef.edu http://sso.abcdef.edu/ -d -1
ldap_create ldap_url_parse_ext(ldap://sso.abcdef.edu ldap://sso.abcdef.edu) ldap_extended_operation_s ldap_extended_operation ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP sso.abcdef.edu http://sso.abcdef.edu/:389 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 10.71.31.15:389 ldap_pvt_connect: fd: 3 tm: -1 async: 0 attempting to connect: connect success ldap_open_defconn: successful ldap_send_server_request ber_scanf fmt ({it) ber: ber_dump: buf=0x15ea5b0 ptr=0x15ea5b0 end=0x15ea5cf len=31 0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1 0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037 ber_scanf fmt ({) ber: ber_dump: buf=0x15ea5b0 ptr=0x15ea5b5 end=0x15ea5cf len=26 0000: 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e w...1.3.6.1.4.1. 0010: 31 34 36 36 2e 32 30 30 33 37 1466.20037 ber_flush2: 31 bytes to sd 3 0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1 0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037 ldap_write: want=31, written=31 0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1 0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037 ldap_result ld 0x15e1090 msgid 1 wait4msg ld 0x15e1090 msgid 1 (infinite timeout) wait4msg continue ld 0x15e1090 msgid 1 all 1 ** ld 0x15e1090 Connections: * host: sso.abcdef.edu http://sso.abcdef.edu/ port: 389 (default) refcnt: 2 status: Connected last used: Tue Oct 20 20:50:52 2015
** ld 0x15e1090 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ld 0x15e1090 request count 1 (abandoned 0) ** ld 0x15e1090 Response Queue: Empty ld 0x15e1090 response count 0 ldap_chkResponseList ld 0x15e1090 msgid 1 all 1 ldap_chkResponseList returns ld 0x15e1090 NULL ldap_int_select read1msg: ld 0x15e1090 msgid 1 all 1 ber_get_next ldap_read: want=8, got=8 0000: 30 0c 02 01 01 78 07 0a 0....x.. ldap_read: want=6, got=6 0000: 01 00 04 00 04 00 ...... ber_get_next: tag 0x30 len 12 contents: ber_dump: buf=0x15eba20 ptr=0x15eba20 end=0x15eba2c len=12 0000: 02 01 01 78 07 0a 01 00 04 00 04 00 ...x........ read1msg: ld 0x15e1090 msgid 1 message type extended-result ber_scanf fmt ({eAA) ber: ber_dump: buf=0x15eba20 ptr=0x15eba23 end=0x15eba2c len=9 0000: 78 07 0a 01 00 04 00 04 00 x........ read1msg: ld 0x15e1090 0 new referrals read1msg: mark request completed, ld 0x15e1090 msgid 1 request done: ld 0x15e1090 msgid 1 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_parse_extended_result ber_scanf fmt ({eAA) ber: ber_dump: buf=0x15eba20 ptr=0x15eba23 end=0x15eba2c len=9 0000: 78 07 0a 01 00 04 00 04 00 x........ ldap_parse_result ber_scanf fmt ({iAA) ber: ber_dump: buf=0x15eba20 ptr=0x15eba23 end=0x15eba2c len=9 0000: 78 07 0a 01 00 04 00 04 00 x........ ber_scanf fmt (}) ber: ber_dump: buf=0x15eba20 ptr=0x15eba2c end=0x15eba2c len=0
ldap_msgfree TLS: loaded CA certificate file /etc/openldap/cacerts/sso.abcdef.edu.crt. TLS: error: the certificate '/etc/openldap/cacerts/sso.abcdef.edu.pem' could not be found in the database - error -12285:Unable to find the certificate or key necessary for authentication.. TLS: certificate '/etc/openldap/cacerts/sso.abcdef.edu.pem' successfully loaded from PEM file. TLS: could not add the private key '/etc/openldap/cacerts/sso.abcdef.edu.pem' - error -8018:Unknown PKCS #11 error.. TLS: error: could not initialize moznss security context - error -8018:Unknown PKCS #11 error. TLS: can't create ssl handle. ldap_err2string ldap_start_tls: Connect error (-11) ldap_free_connection 1 1 ldap_send_unbind ber_flush2: 7 bytes to sd 3 0000: 30 05 02 01 02 42 00 0....B. ldap_write: want=7, written=7 0000: 30 05 02 01 02 42 00 0....B. ldap_free_connection: actually freed
On 10/20/15 21:24 -0400, Sridhar Acharya Malkaram wrote:
I am a novice to linux administration. Recently I had to configure a system to authenticate using LDAP with TLS. I have read guides from several websites. But I still could configure it. There seem to be several reasons for the failure. I tried many suggestions, but with no success. I don’t have access to the LDAP server. So I have been just playing with config on the client.
The LDAP server is sso.abcdef.edu
My ldap.conf content is below
BASE dc=abcdef,dc=edu TLS_REQCERT allow TLS_CACERT /etc/openldap/cacerts/sso.abcdef.edu.crt uri ldap://sso.abcdef.edu TLS_CACERTDIR /etc/openldap/cacerts
You output below says your local ldap libraries are linked against moznss. See:
http://www.openldap.org/faq/data/cache/1514.html
and the ldap.conf manpage. More comments below.
I could issue a ldapsearch -x which returns several entries. However, when I couldn’t do using TLS. The following command shows some errors. Could you suggest me possible directions to resolve this. The directory /etc/openldap/cacerts/ contains the server certificate sso.abcdef.edu.crt. I also made a copy of it with name sso.abcdef.edu.pem. I am not sure whether this pem file should be that of the server or the client.
Another question, should the client also have a ca (or self-signed ) certificate and it whether it should be uploaded onto the LDAP server?
The depends on the security needs of your network.
If the server is configured to require client certificates, then you'll need to specify a TLS_CERT and TLS_KEY (again, see ldap.conf(5)).
/etc/openldap/cacerts root@wserver[0.5]5019 > ldapsearch -ZZZ -h sso.abcdef.edu -d -1
ldap_msgfree TLS: loaded CA certificate file /etc/openldap/cacerts/sso.abcdef.edu.crt. TLS: error: the certificate '/etc/openldap/cacerts/sso.abcdef.edu.pem' could not be found in the database - error -12285:Unable to find the certificate or key necessary for authentication.. TLS: certificate '/etc/openldap/cacerts/sso.abcdef.edu.pem' successfully loaded from PEM file. TLS: could not add the private key '/etc/openldap/cacerts/sso.abcdef.edu.pem' - error -8018:Unknown PKCS #11 error.. TLS: error: could not initialize moznss security context - error -8018:Unknown PKCS #11 error. TLS: can't create ssl handle. ldap_err2string ldap_start_tls: Connect error (-11)
Does /etc/openldap/cacerts/sso.abcdef.edu.pem exist? If so, moznss will attempt to open it as a database. It should not exist if you wish to use the collective cert files within /etc/openldap/cacerts/ as your cacerts. You should not specify TLS_CACERT in that case either.
openldap-technical@openldap.org