Hello everyone!
Wrote to openldap-software, but got "Technical details of permanent failure: Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 550 550 5.1.1 openldap-software@openldap.org... User unknown (state 14)."
So I'm here.
I'm trying to set up openldap+TLS on FreeBSD 7.3.
I configured openldap, nss_ldap, ldap.conf and nsswitch.conf; I can ldapsearch it, can run "id user" etc.
So when I do "id test" I get uid=5555(test) gid=5555 groups=5555. All OK.
And now I want to add TLS to it.
So I add to slapd.conf
TLSCertificateFile /usr/local/etc/openldap/ssl/ldap.server.ru.crt.pem
TLSCertificateKeyFile /usr/local/etc/openldap/ssl/ldap.server.ru.key.pem
TLSCACertificateFile /usr/local/etc/openldap/ssl/rootcrt.pem
In nss_ldap and ldap.conf I add the following:
ssl start_tls
tls_cacertfile /usr/local/etc/openldap/ssl-client/rootcrt.pem
I start slapd with debugging:
/usr/local/libexec/slapd -u ldap -d 1
and when I run "id test" I get
"id: test: no such user"
And slapd debug:
slap_listener_activate(7):
slap_listener(ldap:///)
connection_get(11): got connid=1000
connection_read(11): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
op tag 0x77, time 1284477158
ber_get_next
conn=1000 op=0 do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush2: 14 bytes to sd 11
connection_get(11): got connid=1000
connection_read(11): checking for input on id=1000
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=1000
connection_read(11): checking for input on id=1000
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(11): unable to get TLS client DN, error=49 id=1000
connection_get(11): got connid=1000
connection_read(11): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
op tag 0x42, time 1284477158
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 11 failed errno=0 (Undefined error: 0)
conn=1000 op=1 do_unbind
connection_close: conn=1000 sd=11
TLS trace: SSL3 alert write:warning:close notify
That's all. What's wrong? Where should I look? What other information should I post here? I do not like this line: "ber_get_next on fd 11 failed errno=0 (Undefined error: 0)", but I do not know what it means.
On 14/09/2010 22:43, c0re wrote:
Hello everyone!
Wrote to openldap-software, but got "Technical details of permanent failure: Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 550 550 5.1.1 openldap-software@openldap.org... User unknown (state 14)."
The openldap-software list has been shut down since May this year, in favour of openldap-technical (this list). This is stated on its web page: http://www.openldap.org/lists/mm/listinfo/openldap-software
The official announcement was sent out to all subscribers, see: http://www.openldap.org/lists/openldap-software/201005/msg00095.html
So I'm here.
This is the right place to be :)
Jonathan
c0re nr1c0re@gmail.com writes:
Hello everyone!
[...]
So I add to slapd.conf
TLSCertificateFile /usr/local/etc/openldap/ssl/ldap.server.ru.crt.pem
TLSCertificateKeyFile /usr/local/etc/openldap/ssl/ldap.server.ru.key.pem
TLSCACertificateFile /usr/local/etc/openldap/ssl/rootcrt.pem
In nss_ldap and ldap.conf I add the following:
ssl start_tls
tls_cacertfile /usr/local/etc/openldap/ssl-client/rootcrt.pem
I start slapd with debugging:
[...]
And slapd debug:
slap_listener_activate(7):
slap_listener(ldap:///)
[...]
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=1000
connection_read(11): checking for input on id=1000
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(11): unable to get TLS client DN, error=49 id=1000
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ You probably have configured slapd to require client verification, but the client doesn't provide a valid certificate.
[...]
-Dieter
I tried to set "disallow tls_authc" and/or "TLSVerifyClient never" in slapd.conf - no changes.
c0re nr1c0re@gmail.com writes:
I tried to set "disallow tls_authc" and/or "TLSVerifyClient never" in slapd.conf - no changes.
What do you mean by 'no changes'? Do you still see the line "unable to get TLS client DN, error=49", or is there another error reported?
-Dieter
Yes, same debug output as in my first post; nothing changed.
Also I tried to use "ssl on" and connect to port 636 - same debug output...
2010/9/15 Dieter Kluenter dieter@dkluenter.de:
c0re nr1c0re@gmail.com writes:
I tried to set "disallow tls_authc" and/or "TLSVerifyClient never" in slapd.conf - no changes.
What do you mean by 'no changes'? Do you still see the line "unable to get TLS client DN, error=49", or is there another error reported?
-Dieter
-- Dieter Klünter | Systemberatung sip: 7770535@sipgate.de http://www.dpunkt.de/buecher/2104.html GPG Key ID:8EF7B6C6
c0re nr1c0re@gmail.com writes:
Yes, same debug output as in my first post; nothing changed.
Also I tried to use "ssl on" and connect to port 636 - same debug output...
2010/9/15 Dieter Kluenter dieter@dkluenter.de:
c0re nr1c0re@gmail.com writes:
I tried to set "disallow tls_authc" and/or "TLSVerifyClient never" in slapd.conf - no changes.
What do you mean by 'no changes'? Do you still see the line "unable to get TLS client DN, error=49", or is there another error reported?
please start slapd as ldaps on port 636 and try
openssl s_client -connect hostname:636 -showcerts
-Dieter
Sorry, I forgot to mention that I've tested that the certificates are OK.
# starting slapd
/usr/local/libexec/slapd -u ldap -d 1 -h ldaps:///
# making test:
openssl s_client -connect 127.0.0.1:636 -CAfile /usr/local/etc/openldap/ssl-client/root.crt -showcerts
# output of test in openssl command:
CONNECTED(00000003)
depth=1 /C=RU/ST=MSK/L=MSk/O=ORG/OU=IT/CN=ca.domain.com
verify return:1
depth=0 /C=RU/ST=MSK/L=MSK/O=ORG/OU=IT/CN=ldap.domain.com
verify return:1
---
Certificate chain
 0 s:/C=RU/ST=MSK/L=MSK/O=ORG/OU=IT/CN=ldap.domain.com
   i:/C=RU/ST=MSK/L=MSk/O=ORG/OU=IT/CN=ca.domain.com
-----BEGIN CERTIFICATE-----
<certificate> ..... </certificate>
-----END CERTIFICATE-----
 1 s:/C=RU/ST=MSK/L=MSk/O=ORG/OU=IT/CN=ca.domain.com
   i:/C=RU/ST=MSK/L=MSk/O=ORG/OU=IT/CN=ca.domain.com
-----BEGIN CERTIFICATE-----
<certificate> ..... </certificate>
-----END CERTIFICATE-----
---
Server certificate
subject=/C=RU/ST=MSK/L=MSK/O=ORG/OU=IT/CN=ldap.domain.com
issuer=/C=RU/ST=MSK/L=MSk/O=ORG/OU=IT/CN=ca.domain.com
---
No client certificate CA names sent
---
SSL handshake has read 1811 bytes and written 462 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: <SOMESESSIONID>
    Session-ID-ctx:
    Master-Key: <SOMEMASTERKEY>
    Key-Arg   : None
    Start Time: 1284557075
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
# in slapd debug at that moment:
slap_listener_activate(7):
slap_listener(ldaps:///)
connection_get(11): got connid=1001
connection_read(11): checking for input on id=1001
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=1001
connection_read(11): checking for input on id=1001
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(11): unable to get TLS client DN, error=49 id=1001
# in openssl I enter QUIT and receive DONE
# in slapd debug after I entered QUIT I receive the following:
connection_get(11): got connid=1001
connection_read(11): checking for input on id=1001
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 11 failed errno=0 (Undefined error: 0)
connection_close: conn=1001 sd=11
TLS trace: SSL3 alert write:warning:close notify
Without -CAfile /usr/local/etc/openldap/ssl-client/root.crt I get the following:
# openssl s_client -connect 127.0.0.1:636 -showcerts
CONNECTED(00000003)
depth=1 /C=RU/ST=MSK/L=MSk/O=NRD/OU=IT/CN=ca.domain.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=RU/ST=MSK/L=MSK/O=NRD/OU=IT/CN=ldap.domain.com
   i:/C=RU/ST=MSK/L=MSk/O=NRD/OU=IT/CN=ca.domain.com
-----BEGIN CERTIFICATE-----
<certificate> ... </certificate>
-----END CERTIFICATE-----
 1 s:/C=RU/ST=MSK/L=MSk/O=NRD/OU=IT/CN=ca.domain.com
   i:/C=RU/ST=MSK/L=MSk/O=NRD/OU=IT/CN=ca.domain.com
-----BEGIN CERTIFICATE-----
<certificate> ... </certificate>
-----END CERTIFICATE-----
---
Server certificate
subject=/C=RU/ST=MSK/L=MSK/O=NRD/OU=IT/CN=ldap.domain.com
issuer=/C=RU/ST=MSK/L=MSk/O=NRD/OU=IT/CN=ca.domain.com
---
No client certificate CA names sent
---
SSL handshake has read 1811 bytes and written 462 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: <SOMESESSIONID>
    Session-ID-ctx:
    Master-Key: <SOMEMASTERKEY>
    Key-Arg   : None
    Start Time: 1284557459
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
# and slapd says the following:
slap_listener_activate(7):
slap_listener(ldaps:///)
connection_get(11): got connid=1000
connection_read(11): checking for input on id=1000
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=1000
connection_read(11): checking for input on id=1000
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(11): unable to get TLS client DN, error=49 id=1000
# after I enter quit, slapd says this:
connection_get(11): got connid=1000
connection_read(11): checking for input on id=1000
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 11 failed errno=0 (Undefined error: 0)
connection_close: conn=1000 sd=11
TLS trace: SSL3 alert write:warning:close notify
And I've got an ldap.domain.com record in /etc/hosts...
c0re nr1c0re@gmail.com writes:
Sorry, I forgot to mention that I've tested that the certificates are OK.
# starting slapd
/usr/local/libexec/slapd -u ldap -d 1 -h ldaps:///
# making test:
openssl s_client -connect 127.0.0.1:636 -CAfile /usr/local/etc/openldap/ssl-client/root.crt -showcerts
# output of test in openssl command:
[...]
Certificate chain
 0 s:/C=RU/ST=MSK/L=MSK/O=ORG/OU=IT/CN=ldap.domain.com
   i:/C=RU/ST=MSK/L=MSk/O=ORG/OU=IT/CN=ca.domain.com
-----BEGIN CERTIFICATE-----
<certificate> ..... </certificate>
-----END CERTIFICATE-----
 1 s:/C=RU/ST=MSK/L=MSk/O=ORG/OU=IT/CN=ca.domain.com
   i:/C=RU/ST=MSK/L=MSk/O=ORG/OU=IT/CN=ca.domain.com
-----BEGIN CERTIFICATE-----
<certificate> ..... </certificate>
-----END CERTIFICATE-----
---
Server certificate
subject=/C=RU/ST=MSK/L=MSK/O=ORG/OU=IT/CN=ldap.domain.com
issuer=/C=RU/ST=MSK/L=MSk/O=ORG/OU=IT/CN=ca.domain.com
---
No client certificate CA names sent
---
SSL handshake has read 1811 bytes and written 462 bytes
---
[...]
Verify return code: 0 (ok)
[...]
There are no errors in the certificate chain and the server cert has been verified, so the certificate chain is OK. Please check all relevant configuration files, that is /etc/openldap/ldap.conf, /etc/ldap.conf and probably ~/.ldaprc, for any TLS configuration.
-Dieter
In ldap.conf
You must define
TLS_CACERT with the CA-Chain
and
TLS_CERT with your client cert
Harald
# making client key
openssl genrsa -out client.key 2048
# making certificate request
openssl req -new -key client.key -out client.csr
# signing
openssl x509 -req -days 1024 -CA ../ssl/rootcrt.pem -CAkey ../ssl/rootkey.pem -in client.csr -out client.crt -CAserial ../ssl/root.seq
# configuring on client
TLS_CACERT /usr/local/etc/openldap/ssl-client/rootcrt.pem
TLS_CERT /usr/local/etc/openldap/ssl-client/client.crt
TLS_KEY /usr/local/etc/openldap/ssl-client/client.key
Trying again with slapd debug and client calling "id test"
slap_listener_activate(7):
slap_listener(ldap:///)
connection_get(11): got connid=1000
connection_read(11): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
op tag 0x77, time 1284616840
ber_get_next
conn=1000 op=0 do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush2: 14 bytes to sd 11
connection_get(11): got connid=1000
connection_read(11): checking for input on id=1000
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=1000
connection_read(11): checking for input on id=1000
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(11): unable to get TLS client DN, error=49 id=1000
connection_get(11): got connid=1000
connection_read(11): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
op tag 0x42, time 1284616840
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 11 failed errno=0 (Undefined error: 0)
conn=1000 op=1 do_unbind
connection_close: conn=1000 sd=11
TLS trace: SSL3 alert write:warning:close notify
All the same.
Okay. Looking at /usr/local/etc/nss_ldap.conf I see
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
So a client certificate is not required?
Looking at the FAQ about TLS, http://www.openldap.org/faq/data/cache/185.html, I do not see any client certificate generation and configuration.
BTW, I must say that configuring TLS_CACERT in nss_ldap.conf makes no sense. Configuring the tls_cacertfile directive instead of TLS_CACERT works OK.
openldap version is 2.4.23
2010/9/15 Wallus, Harald Dr. Harald.Wallus@eon.com:
In ldap.conf
You must define
TLS_CACERT with the CA-Chain
and
TLS_CERT with your client cert
Harald
c0re nr1c0re@gmail.com writes:
# making client key
openssl genrsa -out client.key 2048
# making certificate request
openssl req -new -key client.key -out client.csr
# signing
openssl x509 -req -days 1024 -CA ../ssl/rootcrt.pem -CAkey ../ssl/rootkey.pem -in client.csr -out client.crt -CAserial ../ssl/root.seq
# configuring on client
TLS_CACERT /usr/local/etc/openldap/ssl-client/rootcrt.pem
TLS_CERT /usr/local/etc/openldap/ssl-client/client.crt
TLS_KEY /usr/local/etc/openldap/ssl-client/client.key
Trying again with slapd debug and client calling "id test"
[...] As there are no obvious errors in the log, you should get TLS properly working prior to testing with pam. Just do an ldapsearch or an ldapwhoami, either on URI ldaps:// or with StartTLS on ldap://
-Dieter
I tried to test with ldapsearch, but it ignores ldap.conf somehow (where the CA certificate is defined) and I always receive the additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain). Tried with ldapsearch -Z -d 1 -h ldap.domain.com
c0re nr1c0re@gmail.com writes:
I tried to test with ldapsearch, but it ignores ldap.conf somehow (where the CA certificate is defined) and I always receive the additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain). Tried with ldapsearch -Z -d 1 -h ldap.domain.com
[...]
ldapsearch is not ignoring ldap.conf; it always looks for this file either in the built-in path or in the environment variables LDAPRC and LDAPCONF. It seems you have placed ldap.conf in an inappropriate directory.
-Dieter
Using truss I see that ldapsearch looks for ldap.conf in the right place:
# truss ldapsearch -Z -h ldap.domain.com
.................
open("/etc/hosts",O_RDONLY,0666) = 3 (0x3)
fstat(3,{ mode=-rw-r--r-- ,inode=49352,size=274,blksize=4096 }) = 0 (0x0)
read(3,"::1\t\t\tlocalhost localhost.dom"...,4096) = 274 (0x112)
close(3) = 0 (0x0)
open("/usr/local/etc/openldap/ldap.conf",O_RDONLY,0666) = 3 (0x3)   <----------------------- here it is - this file has no variables defined
fstat(3,{ mode=-rw-r--r-- ,inode=219345,size=245,blksize=4096 }) = 0 (0x0)
read(3,"#\n# LDAP Defaults\n#\n\n# See l"...,4096) = 245 (0xf5)
read(3,0x801325000,4096) = 0 (0x0)
close(3) = 0 (0x0)
geteuid(0x0,0x801300398,0x2,0x514c50,0x514c50,0x801300000) = 0 (0x0)
getuid(0x0,0x801300398,0x2,0x80102a6ac,0xffffffff80b6a880,0x7fffffffe048) = 0 (0x0)
open("/root/ldaprc",O_RDONLY,0666) ERR#2 'No such file or directory'
open("/root/.ldaprc",O_RDONLY,0666) ERR#2 'No such file or directory'
open("ldaprc",O_RDONLY,0666) ERR#2 'No such file or directory'
open("/usr/local/etc/ldap.conf",O_RDONLY,0666) = 3 (0x3)   <----------------------- here it is - this file has all configuration including certificates
fstat(3,{ mode=-r--r--r-- ,inode=220275,size=9338,blksize=4096 }) = 0 (0x0)
read(3,"# @(#)$Id: ldap.conf,v 1.38 2006"...,4096) = 4096 (0x1000)
read(3,"change\n# extended operation to "...,4096) = 4096 (0x1000)
read(3,"rver certificate verification\n#"...,4096) = 1146 (0x47a)
read(3,0x801325000,4096) = 0 (0x0)
close(3) = 0 (0x0)
sigaction(SIGPIPE,{ SIG_IGN SA_RESTART ss_t },{ SIG_DFL 0x0 ss_t }) = 0 (0x0)
stat("/etc/nsswitch.conf",{ mode=-rw-r--r-- ,inode=49395,size=350,blksize=4096 }) = 0 (0x0)
open("/etc/hosts",O_RDONLY,0666) = 3 (0x3)
fstat(3,{ mode=-rw-r--r-- ,inode=49352,size=274,blksize=4096 }) = 0 (0x0)
read(3,"::1\t\t\tlocalhost localhost.dom"...,4096) = 274 (0x112)
read(3,0x80133e000,4096) = 0 (0x0)
close(3) = 0 (0x0)
........................
No .ldaprc in any homedir.
No /etc/ldap.conf.
No /etc/openldap directory.
Clean /usr/local/etc/openldap/ldap.conf (no variables defined there).
Only /usr/local/etc/ldap.conf (for pam_ldap) and /usr/local/etc/nss_ldap.conf (for nss with ldap).
At last I found the solution!
I turned on debug 9 in /usr/local/etc/nss_ldap.conf and found this:
...............
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /C=RU/ST=MSK/L=MSk/O=ORG/OU=IT/CN=ca.domain.com, issuer: /C=RU/ST=MSK/L=MSk/O=ORG/OU=IT/CN=ca.domain.com
TLS certificate verification: depth: 0, err: 0, subject: /C=RU/ST=MSK/L=MSK/O=ORG/OU=IT/CN=ldap.domain.com, issuer: /C=RU/ST=MSK/L=MSk/O=ORG/OU=IT/CN=ca.domain.com
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
TLS: hostname (127.0.0.1) does not match common name in certificate (ldap.domain.com).
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
I set host to ldap.domain.com in nss_ldap.conf and ldap.conf and HURRAY! it works.
So the problems I found while setting up openldap+tls:
1) The CN of the CA certificate and the CN of the LDAP server certificate MUST NOT be the same.
2) The variable "host" in nss_ldap.conf and ldap.conf must be exactly the same as the CN in the server certificate.
3) Minimum configuration of TLS in slapd.conf, ldap.conf and nss_ldap.conf:
slapd.conf:
TLSCertificateFile /usr/local/etc/openldap/ssl/ldap.domain.com.crt
TLSCertificateKeyFile /usr/local/etc/openldap/ssl/ldap.domain.com.key
TLSCACertificateFile /usr/local/etc/openldap/ssl/root.crt
ldap.conf:
ssl start_tls
tls_cacertfile /usr/local/etc/openldap/ssl-client/root.crt
# TLS_CACERT not working at all
nss_ldap.conf:
ssl start_tls
tls_cacertfile /usr/local/etc/openldap/ssl-client/root.crt
That's all. Thanks to Dieter Klünter and Harald for pointing in reasonable directions!
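The checks behind points 1 to 3 of the summary above, as an added example that is not part of the thread and is not OpenLDAP's, nss_ldap's or any poster's code. It builds a throwaway CA and server certificate with the openssl command line (the names ca.example.com and ldap.example.com, the function names and the temporary directory are assumptions made for this example), then runs the three tests a client would otherwise fail on: the server certificate does not chain to the CA file the client is given (the thread's "verify error:num=19"), the configured host name does not match the certificate (the thread's "hostname (127.0.0.1) does not match common name"), or the CA and server subjects collide. The server name is also put in a subjectAltName, which current OpenSSL hostname checking matches before the CN. It needs openssl 1.0.2 or newer on PATH for -verify_hostname.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: the openssl CLI
# (1.0.2+) is on PATH; ca.example.com / ldap.example.com and the temp
# directory are made up for the demonstration.

# Build a throwaway PKI with distinct CA and server CNs (point 1 of the
# summary) and a DNS subjectAltName for the server name.
make_test_pki() {
    PKI_DIR=$(mktemp -d) || return 1
    ca_cn=${1:-ca.example.com}
    srv_cn=${2:-ldap.example.com}
    # Self-signed CA; "req -x509" takes basicConstraints CA:TRUE from the
    # default openssl.cnf (v3_ca), which "openssl verify" requires of a root.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$ca_cn" -keyout "$PKI_DIR/ca.key" -out "$PKI_DIR/ca.pem" \
        >/dev/null 2>&1 || return 1
    # Server key and CSR, then sign with the CA and add the SAN.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$srv_cn" -keyout "$PKI_DIR/server.key" -out "$PKI_DIR/server.csr" \
        >/dev/null 2>&1 || return 1
    printf 'subjectAltName=DNS:%s\n' "$srv_cn" > "$PKI_DIR/san.cnf"
    openssl x509 -req -days 1 -in "$PKI_DIR/server.csr" \
        -CA "$PKI_DIR/ca.pem" -CAkey "$PKI_DIR/ca.key" -CAcreateserial \
        -extfile "$PKI_DIR/san.cnf" -out "$PKI_DIR/server.pem" \
        >/dev/null 2>&1 || return 1
}

# Check 1: does the server cert chain to the CA file the client will use
# (tls_cacertfile on the client, TLSCACertificateFile on slapd)?  This is
# what the thread's "s_client -CAfile" test showed; without the right CA
# file the client sees "self signed certificate in certificate chain".
check_chain() {
    ca=$1; cert=$2
    openssl verify -CAfile "$ca" "$cert" 2>&1 | grep -q ': OK$'
}

# Check 2: does the name the client is configured with ("host"/"uri" in
# ldap.conf and nss_ldap.conf) match the certificate?  Point 2 of the
# summary: 127.0.0.1 against a cert for ldap.example.com must fail.
check_hostname() {
    ca=$1; cert=$2; host=$3
    openssl verify -CAfile "$ca" -verify_hostname "$host" "$cert" 2>&1 | grep -q ': OK$'
}

# Check 3: are the CA and server subjects distinct?  Point 1 of the summary.
check_distinct_subject() {
    ca_subj=$(openssl x509 -noout -subject -in "$1") || return 1
    srv_subj=$(openssl x509 -noout -subject -in "$2") || return 1
    [ "$ca_subj" != "$srv_subj" ]
}

# Run all three against the throwaway PKI for a given client host name.
# Returns 0 when that client configuration would work, 1 when it would not.
run_checks() {
    host=$1
    make_test_pki || return 1
    check_chain "$PKI_DIR/ca.pem" "$PKI_DIR/server.pem" \
        || { echo "chain: FAIL"; return 1; }
    check_hostname "$PKI_DIR/ca.pem" "$PKI_DIR/server.pem" "$host" \
        || { echo "hostname $host: FAIL (does not match certificate)"; return 1; }
    check_distinct_subject "$PKI_DIR/ca.pem" "$PKI_DIR/server.pem" \
        || { echo "CA and server subject identical: FAIL"; return 1; }
    echo "all checks OK for host $host"
}

# Usage: sh tls-precheck.sh ldap.example.com   (passes)
#        sh tls-precheck.sh 127.0.0.1          (fails the hostname check)
if [ $# -gt 0 ]; then
    run_checks "$1"
fi
```

To check a real deployment instead of the throwaway PKI, call check_chain and check_hostname directly with the TLSCACertificateFile and TLSCertificateFile paths from slapd.conf and the host name from ldap.conf; a client that connects by IP address or by an alias that is not in the certificate fails the second check exactly as the nss_ldap debug output above did.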