I'm in the process of setting up my slapd server to operate over LDAPS and having trouble when using a CA certificate (being my own certificate authority). I've been able to setup LDAPS when using a self-signed server certificate:
root@baneling:~# slapcat -H ldap:///cn=config??base dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/run/slapd/slapd.args olcLogLevel: none olcPidFile: /var/run/slapd/slapd.pid olcToolThreads: 1 structuralObjectClass: olcGlobal entryUUID: 0e827846-3926-1033-9f74-632898b715c9 creatorsName: cn=config createTimestamp: 20140306025210Z olcTLSCertificateFile: /etc/ssl/certs/ldap.harmonywave.com.crt olcTLSCertificateKeyFile: /etc/ssl/private/ldap.harmonywave.com.key olcTLSCipherSuite: SECURE256 olcTLSVerifyClient: never entryCSN: 20140308131751.026022Z#000000#000#000000 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20140308131751Z
This works fine and I'm able to authenticate clients. However if I use a CA certificate (again, being my own CA) to sign my server certificate and then change olcTLSVerifyClient to demand and add olcTLSCACertificateFile then I can no longer authenticate. I've installed my CA certificate on the client machine and pointed both ldap.conf and nslcd.conf to the CA certificate. However I get the following when debugging:
root@baneling:~# slapd -d conns -h ldaps:/// 531b1cef @(#) $OpenLDAP: slapd (Apr 23 2013 12:16:04) $ root@lupin:/tmp/buildd/openldap-2.4.31/debian/build/servers/slapd 531b1cf0 slapd starting 531b1cf0 daemon: added 3r listener=(nil) 531b1cf0 daemon: added 6r listener=0x7fe2d98326e0 531b1cf0 daemon: added 7r listener=0x7fe2d98327c0 531b1cf0 daemon: epoll: listen=6 active_threads=0 tvp=zero 531b1cf0 daemon: epoll: listen=7 active_threads=0 tvp=zero 531b1cf0 daemon: activity on 1 descriptor 531b1cf0 daemon: activity on:531b1cf0 531b1cf0 daemon: epoll: listen=6 active_threads=0 tvp=zero 531b1cf0 daemon: epoll: listen=7 active_threads=0 tvp=zero 531b1cf4 daemon: activity on 1 descriptor 531b1cf4 daemon: activity on:531b1cf4 531b1cf4 daemon: epoll: listen=6 busy 531b1cf4 daemon: epoll: listen=7 active_threads=0 tvp=zero 531b1cf4 daemon: activity on 1 descriptor 531b1cf4 daemon: activity on:531b1cf4 531b1cf4 daemon: epoll: listen=6 active_threads=0 tvp=zero 531b1cf4 daemon: epoll: listen=7 active_threads=0 tvp=zero 531b1cf4 daemon: listen=6, new connection on 12 531b1cf4 daemon: added 12r (active) listener=(nil) 531b1cf4 daemon: activity on 1 descriptor 531b1cf4 daemon: activity on:531b1cf4 12r531b1cf4 531b1cf4 daemon: read active on 12 531b1cf4 daemon: epoll: listen=6 active_threads=0 tvp=zero 531b1cf4 daemon: epoll: listen=7 active_threads=0 tvp=zero 531b1cf4 daemon: activity on 1 descriptor 531b1cf4 daemon: activity on:531b1cf4 531b1cf4 daemon: epoll: listen=6 active_threads=0 tvp=zero 531b1cf4 daemon: epoll: listen=7 active_threads=0 tvp=zero 531b1cf4 daemon: activity on 1 descriptor 531b1cf4 daemon: activity on:531b1cf4 531b1cf4 daemon: epoll: listen=6 active_threads=0 tvp=zero 531b1cf4 daemon: epoll: listen=7 active_threads=0 tvp=zero 531b1cf4 daemon: activity on 1 descriptor 531b1cf4 daemon: activity on:531b1cf4 12r531b1cf4 531b1cf4 daemon: read active on 12 531b1cf4 daemon: epoll: listen=6 active_threads=0 tvp=zero 531b1cf4 daemon: epoll: listen=7 active_threads=0 tvp=zero TLS: can't accept: The peer did not send any certificate.. 531b1cf4 connection_closing: readying conn=1000 sd=12 for close 531b1cf4 daemon: removing 12 531b1cf4 daemon: activity on 1 descriptor 531b1cf4 daemon: activity on:531b1cf4
Why would the client not send the certificate if I've pointed TLS_CACERT in ldap.confand tls_cacertfile to that cert? Maybe I'm misunderstanding the basic concepts here, I am pretty new to a lot of this. I'm using OpenLDAP 2.4.31, Debian 7, and GnuTLS. Yes, I'm aware of its recent critical security bug and the warnings against it from this group (http://www.openldap.org/lists/openldap-devel/200802/msg00072.html).
Thanks, Joshua
Hi Joshua,
You should look at TLS_CERT and TLS_KEY, which are specific for the client certificate. The TLS_CACERT is related to server certificate.
Regards, Italo.
On Sat, Mar 8, 2014 at 10:50 AM, Joshua Schaeffer jschaeffer0922@gmail.comwrote:
I'm in the process of setting up my slapd server to operate over LDAPS and having trouble when using a CA certificate (being my own certificate authority). I've been able to setup LDAPS when using a self-signed server certificate:
root@baneling:~# slapcat -H ldap:///cn=config??base dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/run/slapd/slapd.args olcLogLevel: none olcPidFile: /var/run/slapd/slapd.pid olcToolThreads: 1 structuralObjectClass: olcGlobal entryUUID: 0e827846-3926-1033-9f74-632898b715c9 creatorsName: cn=config createTimestamp: 20140306025210Z olcTLSCertificateFile: /etc/ssl/certs/ldap.harmonywave.com.crt olcTLSCertificateKeyFile: /etc/ssl/private/ldap.harmonywave.com.key olcTLSCipherSuite: SECURE256 olcTLSVerifyClient: never entryCSN: 20140308131751.026022Z#000000#000#000000 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20140308131751Z
This works fine and I'm able to authenticate clients. However if I use a CA certificate (again, being my own CA) to sign my server certificate and then change olcTLSVerifyClient to demand and add olcTLSCACertificateFile then I can no longer authenticate. I've installed my CA certificate on the client machine and pointed both ldap.conf and nslcd.conf to the CA certificate. However I get the following when debugging:
root@baneling:~# slapd -d conns -h ldaps:/// 531b1cef @(#) $OpenLDAP: slapd (Apr 23 2013 12:16:04) $ root@lupin:/tmp/buildd/openldap-2.4.31/debian/build/servers/slapd 531b1cf0 slapd starting 531b1cf0 daemon: added 3r listener=(nil) 531b1cf0 daemon: added 6r listener=0x7fe2d98326e0 531b1cf0 daemon: added 7r listener=0x7fe2d98327c0 531b1cf0 daemon: epoll: listen=6 active_threads=0 tvp=zero 531b1cf0 daemon: epoll: listen=7 active_threads=0 tvp=zero 531b1cf0 daemon: activity on 1 descriptor 531b1cf0 daemon: activity on:531b1cf0 531b1cf0 daemon: epoll: listen=6 active_threads=0 tvp=zero 531b1cf0 daemon: epoll: listen=7 active_threads=0 tvp=zero 531b1cf4 daemon: activity on 1 descriptor 531b1cf4 daemon: activity on:531b1cf4 531b1cf4 daemon: epoll: listen=6 busy 531b1cf4 daemon: epoll: listen=7 active_threads=0 tvp=zero 531b1cf4 daemon: activity on 1 descriptor 531b1cf4 daemon: activity on:531b1cf4 531b1cf4 daemon: epoll: listen=6 active_threads=0 tvp=zero 531b1cf4 daemon: epoll: listen=7 active_threads=0 tvp=zero 531b1cf4 daemon: listen=6, new connection on 12 531b1cf4 daemon: added 12r (active) listener=(nil) 531b1cf4 daemon: activity on 1 descriptor 531b1cf4 daemon: activity on:531b1cf4 12r531b1cf4 531b1cf4 daemon: read active on 12 531b1cf4 daemon: epoll: listen=6 active_threads=0 tvp=zero 531b1cf4 daemon: epoll: listen=7 active_threads=0 tvp=zero 531b1cf4 daemon: activity on 1 descriptor 531b1cf4 daemon: activity on:531b1cf4 531b1cf4 daemon: epoll: listen=6 active_threads=0 tvp=zero 531b1cf4 daemon: epoll: listen=7 active_threads=0 tvp=zero 531b1cf4 daemon: activity on 1 descriptor 531b1cf4 daemon: activity on:531b1cf4 531b1cf4 daemon: epoll: listen=6 active_threads=0 tvp=zero 531b1cf4 daemon: epoll: listen=7 active_threads=0 tvp=zero 531b1cf4 daemon: activity on 1 descriptor 531b1cf4 daemon: activity on:531b1cf4 12r531b1cf4 531b1cf4 daemon: read active on 12 531b1cf4 daemon: epoll: listen=6 active_threads=0 tvp=zero 531b1cf4 daemon: epoll: listen=7 active_threads=0 tvp=zero TLS: can't accept: The peer did not send any certificate.. 531b1cf4 connection_closing: readying conn=1000 sd=12 for close 531b1cf4 daemon: removing 12 531b1cf4 daemon: activity on 1 descriptor 531b1cf4 daemon: activity on:531b1cf4
Why would the client not send the certificate if I've pointed TLS_CACERT in ldap.conf and tls_cacertfile to that cert? Maybe I'm misunderstanding the basic concepts here, I am pretty new to a lot of this. I'm using OpenLDAP 2.4.31, Debian 7, and GnuTLS. Yes, I'm aware of its recent critical security bug and the warnings against it from this group ( http://www.openldap.org/lists/openldap-devel/200802/msg00072.html).
Thanks, Joshua
On Mar 8, 2014, at 08.50, Joshua Schaeffer jschaeffer0922@gmail.com wrote:
I'm in the process of setting up my slapd server to operate over LDAPS and having trouble when using a CA certificate (being my own certificate authority). I've been able to setup LDAPS when using a self-signed server certificate:
please use ldap+starttls, not ldaps.
This works fine and I'm able to authenticate clients. However if I use a CA certificate (again, being my own CA) to sign my server certificate and then change olcTLSVerifyClient to demand and add olcTLSCACertificateFile then I can no longer authenticate. I've installed my CA certificate on the client machine and pointed both ldap.conf and nslcd.conf to the CA certificate. However I get the following when debugging:
why are you setting olcTLSVerifyClient when changing from a self signed cert to a properly signed cert? did you read the description of this setting in man 5 slapd-config? it has nothing to do with use of a self-signed vs a regular cert. be methodical when doing an exercise like this. first switch from your self signed cert to your proper cert. test. then, modify olcTLSVerifyClient and see what happens.
Why would the client not send the certificate if I've pointed TLS_CACERT in ldap.conf and tls_cacertfile to that cert?
TLS_CACERT and tls_cacertfile point to the ca cert. why would this cert be sent anywhere by the client? the server already has this cert. those settings allow the client to establish a chain of trust to the certificate presented by the server. it’s a “bootstrapping” mechanism, so to speak. you tell the client [by way of those settings] to implicitly trust, no questions asked, certain ca certificates. then when the client is presented a certificate by a server, it can be deemed “trustworthy”, even though it had no prior knowledge of this particular cert.
-ben
did you read the description of this setting in man 5 slapd-config?
Well, yes and no. I read about TLS_REQCERT under man ldap.conf and incorrectly assumed that what was set here (allow, demand, etc) also needed to be set on cn=config. I've read over both man pages more carefully now and I see the difference, one is requesting the cert from the server and the other is requesting the cert from the client. I just removed olcTLSVerifyClient from cn=config and I was able to authenticate successfully.
Thanks for your help, your advise was very clear, Joshua
On 03/08/2014 11:27 AM, btb@bitrate.net wrote:
On Mar 8, 2014, at 08.50, Joshua Schaeffer jschaeffer0922@gmail.com wrote:
I'm in the process of setting up my slapd server to operate over LDAPS and having trouble when using a CA certificate (being my own certificate authority). I've been able to setup LDAPS when using a self-signed server certificate:
please use ldap+starttls, not ldaps.
This works fine and I'm able to authenticate clients. However if I use a CA certificate (again, being my own CA) to sign my server certificate and then change olcTLSVerifyClient to demand and add olcTLSCACertificateFile then I can no longer authenticate. I've installed my CA certificate on the client machine and pointed both ldap.conf and nslcd.conf to the CA certificate. However I get the following when debugging:
why are you setting olcTLSVerifyClient when changing from a self signed cert to a properly signed cert? did you read the description of this setting in man 5 slapd-config? it has nothing to do with use of a self-signed vs a regular cert. be methodical when doing an exercise like this. first switch from your self signed cert to your proper cert. test. then, modify olcTLSVerifyClient and see what happens.
Why would the client not send the certificate if I've pointed TLS_CACERT in ldap.conf and tls_cacertfile to that cert?
TLS_CACERT and tls_cacertfile point to the ca cert. why would this cert be sent anywhere by the client? the server already has this cert. those settings allow the client to establish a chain of trust to the certificate presented by the server. it’s a “bootstrapping” mechanism, so to speak. you tell the client [by way of those settings] to implicitly trust, no questions asked, certain ca certificates. then when the client is presented a certificate by a server, it can be deemed “trustworthy”, even though it had no prior knowledge of this particular cert.
-ben
openldap-technical@openldap.org
-
btb@bitrate.net -
Italo Valcy -
Joshua Schaeffer