Hello all,
On Ubuntu, I have set up an LDAP server and am authenticating to it over SSL for my LDAP queries. I had it working on previous Ubuntu releases, but something seems to have changed in the newest release (maybe this: http://www.debian-administration.org/users/dkg/weblog/42). I am having trouble figuring out exactly what is breaking.
Some background: I have set up my own CA and generated a certificate for it, which the LDAP server is using. Without specifying this CA, I get "self-signed certificate" errors when connecting:
root@host:# openssl s_client -connect my.ldap.server:636 -showcerts
CONNECTED(00000003)
<... trimmed certificate information ...>
verify error:num=19:self signed certificate in certificate chain
verify return:0
<... trimmed more certificate information ...>
If I specify the path to my internal CA file, I receive no errors:
root@host:# openssl s_client -connect my.ldap.server:636 -showcerts -CAfile /path/to/my/ca/file
CONNECTED(00000003)
<... trimmed certificate and internal CA information ...>
verify return:1
<... trimmed more certificate information ...>
That being said, I manually specified the path to my internal CA file in /etc/ldap/ldap.conf:
BASE dc=my, dc=search, dc=base
URI ldaps://my.ldap.server
TLS_CACERT /path/to/my/ca/file
TLS_REQCERT demand
TIMEOUT 4
NETWORK_TIMEOUT 2
This still allows no secure ldap queries:
root@host:# ldapsearch -x -d1
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP my.ldap.server:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying my.ldap.server.ip:636
ldap_pvt_connect: fd: 3 tm: 2 async: 0
ldap_ndelay_on: 3
ldap_int_poll: fd: 3 tm: 2
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_pvt_connect: 0
TLS: peer cert untrusted or revoked (0x102)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Just to prove that the above configuration is the one being used, if I switch the above configuration to "TLS_REQCERT allow", the ldap queries bypass this issue:
root@myhost:# ldapsearch -x -d1 > /dev/null
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP auth01.rdc.internal:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.1.41:636
ldap_pvt_connect: fd: 3 tm: 2 async: 0
ldap_ndelay_on: 3
ldap_int_poll: fd: 3 tm: 2
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_pvt_connect: 0
TLS: peer cert untrusted or revoked (0x102)
ldap_open_defconn: successful
<... trimmed rest of results ...>
My openldap is version 2.4.15 on Ubuntu Jaunty. Interestingly, I had the same message about self-signed certificates on previous Ubuntu versions, but querying ldap with "TLS_REQCERT demand" works fine.
So what is the solution to this problem? Do I switch to "TLS_REQCERT allow"? Or perhaps there's some way to debug why openldap is not seeing the internal CA file even though I've told it where to look?
Thanks for any pointers...
-Kurt
Kurt Yoder wrote:
> Hello all,
> On Ubuntu, I have set up an LDAP server and am authenticating to it over SSL for my LDAP queries. I had it working on previous Ubuntu releases, but something seems to have changed in the newest release (maybe this: http://www.debian-administration.org/users/dkg/weblog/42). I am having trouble figuring out exactly what is breaking.
> Some background: I have set up my own CA and generated a certificate for it, which the LDAP server is using. Without specifying this CA, I get "self-signed certificate" errors when connecting:
> My openldap is version 2.4.15 on Ubuntu Jaunty. Interestingly, I had the same message about self-signed certificates on previous Ubuntu versions, but querying ldap with "TLS_REQCERT demand" works fine.
Always START by listing your software versions, don't bury them towards the bottom of your email.
The GnuTLS issues with X.509v1 certs were fixed in 2.4.16, so you need to upgrade.
Hi Kurt,
On Wed, Jun 17, 2009 at 7:26 PM, Kurt Yoder <ktyopenldap@yoderhome.com> wrote:
> Some background: I have set up my own CA and generated a certificate for it, which the LDAP server is using. Without specifying this CA, I get "self-signed certificate" errors when connecting:
> root@host:# openssl s_client -connect my.ldap.server:636 -showcerts
> CONNECTED(00000003)
> <... trimmed certificate information ...>
> verify error:num=19:self signed certificate in certificate chain
> [...]
> My openldap is version 2.4.15 on Ubuntu Jaunty. Interestingly, I had the same message about self-signed certificates on previous Ubuntu versions, but querying ldap with "TLS_REQCERT demand" works fine.
As Howard mentioned, this should have been fixed in 2.4.16. However, could you try to put both the CA certificate *and* the server certificate in the cert.file used by the slapd server (that way the whole CA chain is sent to the client by gnutls)?
--
Mathias Gug
Ubuntu Developer
http://www.ubuntu.com
openldap-technical@openldap.org
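Howard's reply points at GnuTLS' handling of X.509v1 certificates, and Mathias asks what the cert file slapd serves actually contains. The following is an added example, not code from the thread or from OpenLDAP: using only the Python standard library, it reports the X.509 version of every certificate in a PEM bundle (the TLS_CACERT file, or slapd's cert file), so an admin can see whether a home-grown CA is a v1 certificate and in which order the chain is listed. The sample bundle is constructed from the bare version and serial fields and is not a real certificate.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, off):
    """Decode one DER tag and length; return (tag, value_start, value_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long form: N length bytes follow
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, off, off + length

def x509_version(der):
    """Return 1, 2 or 3 for a DER-encoded Certificate (RFC 5280 sect. 4.1)."""
    tag, start, _ = read_tlv(der, 0)       # Certificate ::= SEQUENCE
    assert tag == 0x30, "not a SEQUENCE"
    tag, start, _ = read_tlv(der, start)   # tbsCertificate ::= SEQUENCE
    assert tag == 0x30, "not a SEQUENCE"
    tag, vstart, _ = read_tlv(der, start)  # first field: [0] EXPLICIT version?
    if tag != 0xA0:
        return 1                           # field absent -> DEFAULT v1(0)
    tag, istart, iend = read_tlv(der, vstart)
    assert tag == 0x02, "version is not an INTEGER"
    return int.from_bytes(der[istart:iend], "big") + 1

def pem_cert_versions(pem_text):
    """X.509 versions of every certificate in a PEM bundle, in file order."""
    return [x509_version(base64.b64decode(m.group(1)))
            for m in PEM_RE.finditer(pem_text)]

def tlv(tag, value):
    """Encode one short-form DER element (value shorter than 128 bytes)."""
    return bytes([tag, len(value)]) + value

def sample_pem(version):
    """Constructed stand-in for a real certificate: only the version and
    serialNumber fields of tbsCertificate, enough to exercise the walk."""
    body = b"" if version == 1 else tlv(0xA0, tlv(0x02, bytes([version - 1])))
    body += tlv(0x02, b"\x01")             # serialNumber 1
    der = tlv(0x30, tlv(0x30, body))
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

# Constructed bundle: a v1 CA followed by a v3 server cert -> [1, 3]
BUNDLE = sample_pem(1) + sample_pem(3)
```

Run it against a real file with `pem_cert_versions(open("/path/to/my/ca/file").read())`; a `1` in the result is the kind of CA certificate the 2.4.15 GnuTLS build tripped over.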