Two things I notice from below:
olcTLSCACertificateFile: /etc/openldap/certs/ca_cert.pem
-rw-r--r--. 1 root root 1696 Sep 22 14:18 ca-cert.pem
Underscore in the first, dash in the second.
Per netstat you're running ldaps on 636 so you can start your TLS diagnostics with
openssl and work your way down to ldapsearch.
openssl s_client -CApath /etc/openldap/certs -connect
(if I recall correctly)
ldapsearch -H ldaps://host:636 -x -D binddn -W filter=what
(or something)
On Fri, Sep 22, 2017 at 04:16:43PM -0400, Robert Heller wrote:
What is the *correct* way to set up Openldap to use SSL/TLS? The
documentation is somewhat confusing.
My cn=config.ldif file looks like this:
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCACertificateFile: /etc/openldap/certs/ca_cert.pem
olcTLSCertificateFile: /etc/openldap/certs/c764guest.cert
olcTLSCertificateKeyFile: /etc/openldap/certs/privkey.pem
structuralObjectClass: olcGlobal
entryUUID: 7e6a3298-30da-1037-9c4f-458bcc6c0ce0
creatorsName: cn=config
createTimestamp: 20170918163057Z
entryCSN: 20170918163057.597791Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20170918163057Z
in /etc/openldap/certs are these files:
[root@c764guest heller]# ls -l /etc/openldap/certs
total 104
-rw-r--r--. 1 root root 5137 Sep 22 14:42 c764guest.cert
-rw-r--r--. 1 root root 1074 Sep 22 14:37 c764guest.csr
-rw-r--r--. 1 root root 1696 Sep 22 14:18 ca-cert.pem
-rw-r--r--. 1 root root 65536 Sep 18 12:30 cert8.db
-rw-r--r--. 1 root root 16384 Sep 18 12:30 key3.db
-r--r-----. 1 root ldap 45 Jan 10 2016 password
-rw-r--r--. 1 root root 1834 Sep 22 14:37 privkey.pem
-rw-r--r--. 1 root root 16384 Jan 10 2016 secmod.db
/etc/sysconfig/slapd contains:
# OpenLDAP server configuration
# see 'man slapd' for additional information
# Where the server will run (-h option)
# - ldapi:/// is required for on-the-fly configuration using client tools
# (use SASL with EXTERNAL mechanism for authentication)
# - default: ldapi:/// ldap:///
# - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:///
SLAPD_URLS="ldapi:/// ldap://127.0.0.1/ ldap://192.168.250.98/ ldaps:///"
# Any custom options
#SLAPD_OPTIONS="-s 128"
# Keytab location for GSSAPI Kerberos authentication
#KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
/etc/openldap/ldap.conf contains:
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=deepsoft,dc=com
URI ldaps://192.168.250.98/
TLS_CACERT /etc/openldap/certs/ca-cert.pem
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT demand
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_CACERTDIR /etc/openldap/cacerts
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
But now when I try to do a ldapsearch I get:
[heller@c764guest ~]$ ldapsearch -x
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
even though:
[root@c764guest heller]# netstat -a|grep ldap
tcp 0 0 0.0.0.0:ldaps 0.0.0.0:* LISTEN
tcp 0 0 c764guest.deepsoft:ldap 0.0.0.0:* LISTEN
tcp 0 0 localhost:ldap 0.0.0.0:* LISTEN
tcp 0 0 c764guest.deepsof:33302 c764guest.deepsoft:ldap ESTABLISHED
tcp 0 0 c764guest.deepsoft:ldap c764guest.deepsof:33302 ESTABLISHED
tcp6 0 0 [::]:ldaps [::]:* LISTEN
Is this correct? I am not sure if I should be using ldaps:/// or not. And I
am not sure what the proper "magic" to get TLS working is.
--
Robert Heller -- 978-544-6933
Deepwoods Software -- Custom Software Services
http://www.deepsoft.com/ -- Linux Administration Services
heller(a)deepsoft.com -- Webhosting Services
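A shell check for the first point raised in the reply above (the ca_cert.pem vs ca-cert.pem mismatch), written as an added example for this thread rather than code posted by either participant: it pulls the olcTLS...File paths out of cn=config and the TLS_CACERT path out of ldap.conf, reports which names do not exist on disk, and wraps the openssl s_client step that the reply suggests next. The function names, the optional ROOT prefix (for checking a staged copy of /etc) and the grep on "Verify return code" are assumptions of this example, not anything from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check the certificate paths named in
# slapd's cn=config and in ldap.conf against the files on disk, so a filename typo
# is found before spending time on openssl s_client / ldapsearch diagnostics.

# Print every olcTLS...File path in a cn=config LDIF read from stdin.
tls_paths_from_ldif() { sed -n 's/^olcTLS[A-Za-z]*File:[[:space:]]*//p'; }

# Print the TLS_CACERT path(s) in an ldap.conf read from stdin (not TLS_CACERTDIR).
tls_paths_from_ldapconf() { sed -n 's/^TLS_CACERT[[:space:]][[:space:]]*//p'; }

# check_paths [ROOT]: for each path on stdin print "ok" or "MISSING"; return 1 if
# any is missing. ROOT (assumed helper argument) is prefixed to every path so a
# staged copy of /etc can be checked; leave it empty for the live system.
check_paths() {
    root="${1:-}"; rc=0
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        if [ -e "$root$p" ]; then echo "ok      $p"; else echo "MISSING $p"; rc=1; fi
    done
    return "$rc"
}

# audit_tls_paths LDIF LDAPCONF [ROOT]: run both checks; return 1 if anything the
# server side (slapd) or the client side (ldap.conf) points at does not exist.
audit_tls_paths() {
    status=0
    echo "== slapd cn=config =="
    tls_paths_from_ldif < "$1" | check_paths "${3:-}" || status=1
    echo "== client ldap.conf =="
    tls_paths_from_ldapconf < "$2" | check_paths "${3:-}" || status=1
    return "$status"
}

# verify_chain HOST PORT CAFILE: succeed only if the server's certificate chain
# validates against CAFILE, i.e. openssl s_client reports "Verify return code: 0 (ok)".
# Needs network access to the ldaps listener (636 in the thread).
verify_chain() {
    openssl s_client -connect "$1:$2" -CAfile "$3" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}
```

On the poster's CentOS-style layout the live check would be `audit_tls_paths /etc/openldap/slapd.d/cn=config.ldif /etc/openldap/ldap.conf` followed by `verify_chain 192.168.250.98 636 /etc/openldap/certs/ca-cert.pem`; a MISSING line from the first, or a non-zero status from the second, explains a "Can't contact LDAP server" before ldapsearch is even involved.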