For SSL, I'm trying to install a self-signed certificate to OpenLDAP (version 2.4.28 on Ubuntu 12.04). I followed these steps:

1. Created the server certificate using:

    openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 365

2. Added the following entries to /usr/share/slapd/slapd.conf:

    TLSCACertificateFile server.pem
    TLSCertificateFile server.pem
    TLSCertificateKeyFile server.pem

3. Restarted openldap:

    sudo /etc/init.d/slapd restart

4. Tried to read the certs:

    openssl s_client -connect localhost:636 -showcerts

This causes the following error:

    CONNECTED(00000003)
    140409289410208:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 213 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    ---
Can someone help with what might be wrong in the setup?
Thanks
The Ubuntu server guide has a chapter on setting up OpenLDAP, including a section on configuring TLS. Have you followed it?
https://help.ubuntu.com/12.04/serverguide/openldap-server.html
On 07/09/14 02:20 PM, Vijay Ganesan wrote:
- Added following entries to /usr/share/slapd/slapd.conf:
Are you sure that's the right file? By default Ubuntu 12.04 uses LDAP-based configuration (cn=config) instead of a slapd.conf file; and even if it did, it would usually be found in /etc/ldap/slapd.conf and not in /usr/share.
Thanks Ryan for pointing me to the right link. I've configured TLS following those instructions. But I can't seem to connect using ldaps://localhost:636 using Apache Directory Studio client. I get a "Error while opening connection - Cannot connect on the server: Connection refused" error. I can connect fine using ldap://localhost:389. What diagnostics can be run to figure out if TLS is working correctly?
Thanks Vijay
ldaps has been deprecated in favour of keeping all communication open only at one port. Try to use:

    ldap://host:389
    port 0
    enable tls

Use the above settings based on your client.
I am using the sssd client with the following settings and it works with TLS.
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = default
[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd,ubuntu
[pam]
pam_verbosity = 3
[domain/default]
ldap_tls_reqcert = allow
auth_provider = ldap
ldap_schema = rfc2307bis
krb5_realm = EXAMPLE.COM
ldap_search_base =
ldap_group_member = uniquemember
id_provider = ldap
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=xxxx,dc=xxxx,dc=xxxx
netgroup_provider = ldap
ldap_netgroup_search_base = ou=Netgroup,dc=xxxx,dc=xxxx,dc=xxxx
ldap_id_use_start_tls = True
chpass_provider = ldap
ldap_uri = ldap://host1:389/,ldap://ldap2:389/,ldap://ldap3:389/
ldap_chpass_uri = ldap://host1:389/
cache_credentials = True
entry_cache_timeout = 600
ldap_network_timeout = 3
ldap_access_filter = (&(object)(object))
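The settings in the sssd.conf above are the ones that decide whether the client actually gets protection from TLS: ldap_id_use_start_tls controls whether identity lookups over an ldap:// URI are upgraded with STARTTLS, and ldap_tls_reqcert decides what happens when the server's certificate is missing or bad. With ldap_tls_reqcert = allow, as in the posted config, a bad or absent server certificate is ignored and the session proceeds, so an active attacker on the path can present any certificate. The following script is an added example, not code from this thread or from the sssd project: it parses an sssd.conf and flags those weak settings, with a constructed sample config (domain names, hosts and the CA path are assumptions) that puts the weak variant beside a hardened one.

```python
"""Flag weak TLS settings in the LDAP domain sections of an sssd.conf.

Added example, not from the mailing-list thread or the sssd project. The
option names are real sssd options; the sample configuration, its hosts,
domain names and CA path are constructed for illustration.
"""
import configparser
import io

# Constructed sample: "weak" mirrors the reqcert=allow setting posted in the
# thread, "cleartext" forgets STARTTLS entirely, "hardened" is the fixed form.
SAMPLE_SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = weak, cleartext, hardened

[domain/weak]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap1.example.com:389/,ldap://ldap2.example.com:389/
ldap_id_use_start_tls = True
ldap_tls_reqcert = allow

[domain/cleartext]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap1.example.com:389/

[domain/hardened]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap1.example.com:389/,ldap://ldap2.example.com:389/
ldap_id_use_start_tls = True
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/example-ca.pem
"""


def _truthy(value):
    return value.strip().lower() in ("true", "yes", "1")


def audit_domain(section):
    """Return a list of findings for one [domain/...] section (empty = clean)."""
    findings = []
    uris = [u.strip() for u in section.get("ldap_uri", "").split(",") if u.strip()]
    plain = [u for u in uris if u.lower().startswith("ldap://")]
    # Identity lookups over ldap:// stay cleartext unless STARTTLS is forced;
    # the sssd default for ldap_id_use_start_tls is false.
    if plain and not _truthy(section.get("ldap_id_use_start_tls", "false")):
        findings.append("ldap:// URI without ldap_id_use_start_tls = True: "
                        "identity lookups are sent in cleartext")
    # Anything but demand/hard accepts a missing or bad server certificate,
    # which defeats TLS against an active attacker. The sssd default is hard.
    reqcert = section.get("ldap_tls_reqcert", "hard").strip().lower()
    if reqcert not in ("demand", "hard"):
        findings.append("ldap_tls_reqcert = %s: server certificate is not "
                        "verified (use demand)" % reqcert)
    # With verification on, sssd needs an explicit trust anchor; otherwise it
    # relies on whatever the OpenLDAP client library defaults to.
    if reqcert in ("demand", "hard") and not (
            section.get("ldap_tls_cacert") or section.get("ldap_tls_cacertdir")):
        findings.append("no ldap_tls_cacert/ldap_tls_cacertdir: trust anchor "
                        "is left to the OpenLDAP library defaults")
    return findings


def audit_sssd_conf(text):
    """Map every domain section name to its list of findings."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(io.StringIO(text))
    return {name: audit_domain(cp[name])
            for name in cp.sections() if name.startswith("domain/")}


if __name__ == "__main__":
    for domain, findings in audit_sssd_conf(SAMPLE_SSSD_CONF).items():
        print(domain, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run it as-is to see the three verdicts, or feed it the contents of a real /etc/sssd/sssd.conf through audit_sssd_conf(). The check is deliberately narrow: it does not validate the CA file itself, only whether the configuration asks for verification at all.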
On 07/09/14 10:28 PM, Vijay Ganesan wrote:
But I can't seem to connect using ldaps://localhost:636 using Apache Directory Studio client. I get a "Error while opening connection - Cannot connect on the server: Connection refused" error. I can connect fine using ldap://localhost:389.
Like Udai wrote, ldaps is deprecated, and if possible you should use STARTTLS on the LDAP port (389) instead. But if you really need ldaps, then edit /etc/default/slapd, add ldaps:/// to the SLAPD_SERVICES line, and restart slapd.
What diagnostics can be run to figure out if TLS is working correctly?
LDAPTLS_CACERT=/path/to/ca.pem ldapwhoami -H ldap://server -x -ZZ
Add '-d1' to see some debugging information, including more detailed info from the TLS library.
Thanks Ryan and Udai. I don't really have to use ldaps. I understand now that the documentation at https://help.ubuntu.com/12.04/serverguide/openldap-server.html#openldap-tls is for StartTLS and I can use that.

    LDAPTLS_CACERT=/etc/ssl/certs/vijay_slapd_cert.pem ldapwhoami -H ldap://localhost -x -ZZ

gives:

    ldap_start_tls: Connect error (-11)
        additional info: A TLS packet with unexpected length was received.
with '-d1' I get the following which looks like it can connect but subsequent communication fails:
    ldap_url_parse_ext(ldap://localhost)
    ldap_create
    ldap_url_parse_ext(ldap://localhost:389/??base)
    ldap_extended_operation_s
    ldap_extended_operation
    ldap_send_initial_request
    ldap_new_connection 1 1 0
    ldap_int_open_connection
    ldap_connect_to_host: TCP localhost:389
    ldap_new_socket: 3
    ldap_prepare_socket: 3
    ldap_connect_to_host: Trying 127.0.0.1:389
    ldap_pvt_connect: fd: 3 tm: -1 async: 0
    ldap_open_defconn: successful
    ldap_send_server_request
    ber_scanf fmt ({it) ber:
    ber_scanf fmt ({) ber:
    ber_flush2: 31 bytes to sd 3
    ldap_result ld 0x7f2c70eef160 msgid 1
    wait4msg ld 0x7f2c70eef160 msgid 1 (infinite timeout)
    wait4msg continue ld 0x7f2c70eef160 msgid 1 all 1
    ** ld 0x7f2c70eef160 Connections:
    * host: localhost  port: 389  (default)
      refcnt: 2  status: Connected
      last used: Mon Sep  8 07:56:01 2014

    ** ld 0x7f2c70eef160 Outstanding Requests:
     * msgid 1,  origid 1, status InProgress
       outstanding referrals 0, parent count 0
      ld 0x7f2c70eef160 request count 1 (abandoned 0)
    ** ld 0x7f2c70eef160 Response Queue:
       Empty
      ld 0x7f2c70eef160 response count 0
    ldap_chkResponseList ld 0x7f2c70eef160 msgid 1 all 1
    ldap_chkResponseList returns ld 0x7f2c70eef160 NULL
    ldap_int_select
    read1msg: ld 0x7f2c70eef160 msgid 1 all 1
    ber_get_next
    ber_get_next: tag 0x30 len 12 contents:
    read1msg: ld 0x7f2c70eef160 msgid 1 message type extended-result
    ber_scanf fmt ({eAA) ber:
    read1msg: ld 0x7f2c70eef160 0 new referrals
    read1msg:  mark request completed, ld 0x7f2c70eef160 msgid 1
    request done: ld 0x7f2c70eef160 msgid 1
    res_errno: 0, res_error: <>, res_matched: <>
    ldap_free_request (origid 1, msgid 1)
    ldap_parse_extended_result
    ber_scanf fmt ({eAA) ber:
    ldap_parse_result
    ber_scanf fmt ({iAA) ber:
    ber_scanf fmt (}) ber:
    ldap_msgfree
    TLS: can't connect: A TLS packet with unexpected length was received..
    ldap_err2string
    ldap_start_tls: Connect error (-11)
        additional info: A TLS packet with unexpected length was received.
    ldap_free_connection 1 1
    ldap_send_unbind
    ber_flush2: 7 bytes to sd 3
    ldap_free_connection: actually freed
On 08/09/14 08:02 AM, Vijay Ganesan wrote:
ldap_start_tls: Connect error (-11) additional info: A TLS packet with unexpected length was received.
Unfortunately GnuTLS does not make it easy to diagnose this kind of error. There might still be a misconfiguration somewhere, or there might be a problem with the certificate itself. If you search Google for that message you will find many results with different causes.
Some thoughts:
* Check /var/log/syslog for any info printed by slapd
* Check that GnuTLS is able to understand your certificate: install gnutls-bin and try
gnutls-serv --x509certfile /path/to/server.pem --x509keyfile /path/to/server.key
which will start a basic TLS server on port 5556, then
gnutls-cli --x509cafile /path/to/ca.pem --port 5556 localhost
If GnuTLS doesn't like your certificate for some reason, one of those commands will fail and hopefully provide more information.
* Similarly, enable ldaps:/// in /etc/default/slapd and then try
gnutls-cli --x509cafile /path/to/ca.pem --port 636 localhost
to investigate the certificate actually sent by slapd.
I would really recommend upgrading to Ubuntu 14.04. It has a significantly updated version of GnuTLS that fixes a lot of bugs and limitations compared to Ubuntu 12.04. Others on this list will recommend to ditch GnuTLS altogether and build your own OpenLDAP from source using OpenSSL instead of GnuTLS.
Good luck...
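What the two checks in this thread actually exercise is worth seeing at the wire level: `ldapwhoami -ZZ` opens a plain connection to port 389, sends an LDAP ExtendedRequest with the StartTLS OID 1.3.6.1.4.1.1466.20037, waits for a success ExtendedResponse, and only then starts the TLS handshake on the same socket, while `gnutls-cli --port 636` speaks TLS from the first byte. Vijay's -d1 trace shows exactly that split: the 31-byte request goes out, a 12-byte-content success response comes back (resultCode 0), and it is the handshake that follows which fails with the "unexpected length" error. The script below is an added example, not code from this thread or from OpenLDAP. It hand-encodes the StartTLS request, parses the response, then upgrades to TLS, so a failure is reported at the stage where it occurs; the two constructed response byte strings, and the default host, port and CA path, are assumptions for illustration.

```python
"""Probe slapd TLS the way `ldapwhoami -ZZ` and `gnutls-cli --port 636` do.

Added example, not code from the thread or from OpenLDAP. The StartTLS
request is built by hand from the LDAPv3 BER layout (RFC 4511, section
4.14); the sample responses are constructed, not captured. Host, port and
CA file are assumptions and should be replaced with your own.
"""
import socket
import ssl
import sys

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"

# Constructed ExtendedResponse PDUs (same shape as the "tag 0x30 len 12"
# message in the thread's trace): one success, one refusal with an error text.
SAMPLE_STARTTLS_SUCCESS = b"\x30\x0c\x02\x01\x01\x78\x07\x0a\x01\x00\x04\x00\x04\x00"
SAMPLE_STARTTLS_REFUSED = (b"\x30\x1d\x02\x01\x01\x78\x18\x0a\x01\x01\x04\x00"
                           b"\x04\x11TLS not supported")


def _ber_len(n):
    """Short-form definite BER length; our PDUs are well under 128 bytes."""
    assert 0 <= n < 128
    return bytes([n])


def starttls_request(msgid=1):
    """LDAPMessage { messageID, ExtendedRequest { requestName [0] LDAPOID } }."""
    name = b"\x80" + _ber_len(len(STARTTLS_OID)) + STARTTLS_OID   # [0] requestName
    ext = b"\x77" + _ber_len(len(name)) + name                     # [APPLICATION 23]
    body = b"\x02\x01" + bytes([msgid]) + ext                      # INTEGER messageID
    return b"\x30" + _ber_len(len(body)) + body                    # SEQUENCE


def _tl(buf, pos):
    """Decode tag and definite length at pos; return (tag, length, content_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, first, pos + 2
    n = first & 0x7f
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n


def parse_extended_response(pdu):
    """Return (messageID, resultCode, errorMessage) from an ExtendedResponse."""
    tag, _, pos = _tl(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, ln, pos = _tl(pdu, pos)
    if tag != 0x02:
        raise ValueError("missing messageID")
    msgid = int.from_bytes(pdu[pos:pos + ln], "big"); pos += ln
    tag, _, pos = _tl(pdu, pos)
    if tag != 0x78:                                   # [APPLICATION 24]
        raise ValueError("not an ExtendedResponse (tag 0x%02x)" % tag)
    tag, ln, pos = _tl(pdu, pos)
    if tag != 0x0a:                                   # ENUMERATED resultCode
        raise ValueError("missing resultCode")
    code = int.from_bytes(pdu[pos:pos + ln], "big"); pos += ln
    _, ln, pos = _tl(pdu, pos); pos += ln             # matchedDN, skipped
    _, ln, pos = _tl(pdu, pos)                        # errorMessage
    return msgid, code, pdu[pos:pos + ln].decode("utf-8", "replace")


def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-PDU")
        data += chunk
    return data


def read_pdu(sock):
    """Read one complete BER-framed LDAPMessage from the socket."""
    head = _recv_exact(sock, 2)
    if head[1] & 0x80:
        head += _recv_exact(sock, head[1] & 0x7f)
    _, ln, _ = _tl(head, 0)
    return head + _recv_exact(sock, ln)


def probe_starttls(host, port=389, cafile=None, timeout=5.0):
    """ldapwhoami -ZZ style: plain TCP, StartTLS exop, then TLS handshake."""
    ctx = ssl.create_default_context(cafile=cafile)   # self-signed: pass the cert itself
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(starttls_request())
        _, code, err = parse_extended_response(read_pdu(sock))
        if code != 0:
            raise RuntimeError("StartTLS refused: resultCode=%d %s" % (code, err))
        # Stage 2: handshake on the same socket. A failure here, after a
        # success result, points at the server's TLS layer, not at LDAP.
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def probe_ldaps(host, port=636, cafile=None, timeout=5.0):
    """gnutls-cli --port 636 style: TLS from the first byte (ldaps://)."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"   # assumed default
    cafile = sys.argv[2] if len(sys.argv) > 2 else None
    for label, probe in (("STARTTLS :389", probe_starttls), ("ldaps :636", probe_ldaps)):
        try:
            cert = probe(host, cafile=cafile)
            print(label, "OK subject=%s notAfter=%s" % (cert.get("subject"), cert.get("notAfter")))
        except (OSError, RuntimeError) as exc:       # ssl.SSLError is an OSError
            print(label, "FAILED:", exc)
```

Usage: `python3 probe.py ldap.example.com /path/to/ca.pem`. A "Connection refused" on 636 with 389 working is the SLAPD_SERVICES issue Ryan describes; a resultCode other than 0 means slapd refused StartTLS at the LDAP layer; a handshake error after resultCode 0 is the situation in Vijay's trace, and that is where the gnutls-serv/gnutls-cli certificate checks above apply. Because the client context verifies the certificate and hostname, the CA file must be the one that signed the server certificate (the certificate itself, when self-signed) and the name you connect to must match what the certificate says.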
Ryan Tandy wrote:
On 07/09/14 10:28 PM, Vijay Ganesan wrote:
But I can't seem to connect using ldaps://localhost:636 using Apache Directory Studio client. I get a "Error while opening connection - Cannot connect on the server: Connection refused" error. I can connect fine using ldap://localhost:389.
Like Udai wrote, ldaps is deprecated, and if possible you should use STARTTLS on the LDAP port (389) instead.
LDAPS on a separate port was not formally defined in an RFC. But there's nothing wrong with using it.
Personally I even prefer LDAPS since you can then make sure that the client has to establish a TLS connection before sending any LDAP PDU.
But if you really need ldaps, then edit /etc/default/slapd, add ldaps:/// to the SLAPD_SERVICES line, and restart slapd.
Yes.
Ciao, Michael.
Note that in generating the self-signed certificate I use "localhost" as the common name.
--
- Vijay
Vijay Ganesan vijay@thoughtspot.com wrote on 08.09.2014 at 03:45 in message CAB+CZKA5UqdD2DqEERwMfHxyaB9hVGLyFZiSxDmxj3NuYpw_xw@mail.gmail.com:
Note that in generating the self-signed certificate I use "localhost" as the common name.
Why do you need to prove the identity of localhost? Did you understand what PKI is all about?
openldap-technical@openldap.org