Hello everybody,
I'm just trying to set up a LDAPS server using my own certification authority, but the ldap server does not accept/understand my client certificate. Instead, the server says:
TLS: can't accept: The peer did not send any certificate..
What I did:
1.) I set up LDAP without SSL/TLS to make sure that it is configured properly. This worked out fine so far, I can use ldapsearch, ldapadd, phpldapadmin ...
2.) I created a self signed certificate for my RootCA, used it to sign my ServerCA and used the ServerCA to sign the certificates for my ldap server and client.
The certificates of RootCA and ServerCA have been concatenated into one file <name of ca>.chain.crt
3.) Changed ldap.conf and slapd.conf as described below
4.) Tried to do an ldapsearch on the client -> failed
5.) Tried openssl client -> success
Here are the details:
Client: =======
# ldapsearch -x -LLL -ZZ -d 1
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP <serverip>:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying <serverip>:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: can't connect: A TLS packet with unexpected length was received..
ldap_err2string
ldap_start_tls: Can't contact LDAP server (-1)
Server: ========
# slapd -VV
@(#) $OpenLDAP: slapd 2.4.9 (Aug 1 2008 01:09:46) $
        buildd@king:/build/buildd/openldap2.3-2.4.9/debian/build/servers/slapd
# slapd -h "ldaps://<ip>/" -u openldap -g openldap -d 127
...
...
connection_get(13): got connid=32
connection_read(13): checking for input on id=32
tls_read: want=5, got=5
  0000:  16 03 02 00 07                                     .....
tls_read: want=7, got=7
  0000:  0b 00 00 03 00 00 00                               .......
TLS: can't accept: The peer did not send any certificate..
connection_read(13): TLS accept failure error=-1 id=32, closing
connection_closing: readying conn=32 sd=13 for close
connection_close: conn=32 sd=13
daemon: removing 13
But if I use openssl s_client, I get a different result:
Client: =======
openssl s_client -showcerts -connect <serverfqdn>:636 \
    -CAfile cacerts/<ca>.chain.crt -cert certs/<clientfqdn>.cert.pem \
    -key private/<clientfqdn>.key.pem
CONNECTED(00000003)
depth=2 /C=...
verify return:1
depth=1 /C=...
verify return:1
depth=0 /C=...
verify return:1
---
Certificate chain
 0 s:/C=...
   i:/C=...
-----BEGIN CERTIFICATE-----
<Certificate data>
-----END CERTIFICATE-----
---
Server certificate
subject=/C=...
issuer=/C=...
---
Acceptable client certificate CA names
/C=...
/C=...
---
SSL handshake has read 1806 bytes and written 4358 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: F63D4DB4A918CC3BC8F8617AD49F6C6EFCB316203466EC91DBCF0C2E3700DE1E
    Session-ID-ctx:
    Master-Key: <master key>
    Key-Arg   : None
    Start Time: 1219848938
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
And on server side, everything seems to be o.k. There is no error and the last lines of output are:
=> ldap_dn2bv(16)
<= ldap_dn2bv(cn=<cn of client>,ou=<ou>,o=<o>,st=<st>,c=<c>)=0
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
ldap.conf (partially)
---------------------
uri ldaps://132.176.4.6/
ssl yes
tls_cacertfile /usr/lib/ssl/cacartes/<ca>.chain.crt
tls_ciphers TLSv1
tls_cert /usr/lib/ssl/certs/<clientfqdn>.cert.pem
tls_key /usr/lib/ssl/private/<clientfqdn>.key.pem
slapd.conf (partially)
---------------------
TLSCACertificateFile /usr/lib/ssl/certs/<ca>.chain.crt
TLSCertificateFile /usr/lib/ssl/openldap/<serverfqdn>.cert.pem
TLSCertificateKeyFile /usr/lib/ssl/openldap/private/<serverfqdn>.key.pem
TLSVerifyClient demand
What did I do wrong?
Best regards,
Hauke Coltzau
Hauke Coltzau wrote:
> Hello everybody,
> I'm just trying to set up a LDAPS server using my own certification authority, but the ldap server does not accept/understand my client certificate. Instead, the server says:
> TLS: can't accept: The peer did not send any certificate..
> Here are the details:
> Client:
> # ldapsearch -x -LLL -ZZ -d 1
> ldap_create
> ldap_extended_operation_s
> ldap_extended_operation
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP <serverip>:636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying <serverip>:636
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> TLS: can't connect: A TLS packet with unexpected length was received..
> ldap_err2string
> ldap_start_tls: Can't contact LDAP server (-1)
> Server:
> # slapd -VV
> @(#) $OpenLDAP: slapd 2.4.9 (Aug 1 2008 01:09:46) $
>         buildd@king:/build/buildd/openldap2.3-2.4.9/debian/build/servers/slapd
> # slapd -h "ldaps://<ip>/" -u openldap -g openldap -d 127
You cannot use StartTLS (ldapsearch -Z) with an ldaps:// server, it's redundant.
> ldap.conf (partially)
> uri ldaps://132.176.4.6/
> ssl yes
> tls_cacertfile /usr/lib/ssl/cacartes/<ca>.chain.crt
> tls_ciphers TLSv1
The above 3 keywords are not valid for ldap.conf. Read the ldap.conf(5) manpage.
> tls_cert /usr/lib/ssl/certs/<clientfqdn>.cert.pem
> tls_key /usr/lib/ssl/private/<clientfqdn>.key.pem
> What did I do wrong?
Hi everybody,
thank you all for your immediate replies.
As you correctly pointed out, the options I used were wrong. With the following ldap.conf, everything works out fine.
base dc=...
URI ldaps://<fqdn of ldap server>/
ldap_version 3
rootbinddn cn=...
bind_policy soft
pam_password md5
TLS_REQCERT yes
TLS_CACERT /usr/lib/ssl/certs/<ca>.chain.crt
The ldap.conf I used before has been created by dpkg-reconfigure and I simply changed the default values there. That was a mistake ;-) Creating a new ldap.conf from scratch with a man-page at hand obviously did the trick.
Thank you very much for your help,
Best regards,
Hauke
On Thursday 28 August 2008 12:28:25 Hauke Coltzau wrote:
> Hi everybody,
> thank you all for your immediate replies.
> As you correctly pointed out, the options I used were wrong. With the following ldap.conf, everything works out fine.
> base dc=...
> URI ldaps://<fqdn of ldap server>/
> ldap_version 3
> rootbinddn cn=...
> bind_policy soft
> pam_password md5
> TLS_REQCERT yes
> TLS_CACERT /usr/lib/ssl/certs/<ca>.chain.crt
> The ldap.conf I used before has been created by dpkg-reconfigure and I simply changed the default values there. That was a mistake ;-) Creating a new ldap.conf from scratch with a man-page at hand obviously did the trick.
You still seem to be confused between different ldap.conf files, bind_policy, pam_password etc. are not valid in the OpenLDAP ldap.conf file, most likely one belongs in /etc/libnss_ldap.conf and the other in /etc/libpam_ldap.conf (on Debian-based systems, or /etc/ldap.conf on distros that use the default config file location for nss_ldap/pam_ldap as shipped upstream).
While you may have a working configuration, it may be more by luck than good judgement.
Regards, Buchan
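Both of Buchan's replies come down to the same two checks: keywords that belong to the nss_ldap/pam_ldap configuration (ssl, tls_cacertfile, tls_ciphers, bind_policy, pam_password, ...) are silently meaningless in the OpenLDAP client ldap.conf, and StartTLS (-Z/-ZZ) cannot be layered on an ldaps:// URI because that port already speaks TLS. The following is an added example, not code from the thread or from the OpenLDAP project: a small linter that reads an ldap.conf and reports keywords that are not documented in ldap.conf(5), plus a helper that flags the redundant StartTLS combination. The keyword sets are transcribed from the ldap.conf(5) and nss_ldap/pam_ldap documentation; the two sample configurations are constructed from the ones posted in this thread, with the placeholder paths kept as-is.

```python
"""Lint an OpenLDAP client ldap.conf for keywords that belong to other files.

Added example; the keyword tables are transcribed from ldap.conf(5) and the
nss_ldap/pam_ldap manpages. Keyword matching is case-insensitive, as in
libldap itself (so "tls_cert" and "TLS_CERT" are the same keyword).
"""
from typing import List, Tuple

# Keywords documented in ldap.conf(5) for the OpenLDAP client library.
OPENLDAP_KEYWORDS = {
    "URI", "BASE", "BINDDN", "HOST", "PORT", "DEREF", "REFERRALS",
    "SIZELIMIT", "TIMELIMIT", "TIMEOUT", "NETWORK_TIMEOUT",
    "SASL_MECH", "SASL_REALM", "SASL_AUTHCID", "SASL_AUTHZID",
    "SASL_SECPROPS", "SASL_NOCANON",
    "TLS_CACERT", "TLS_CACERTDIR", "TLS_CERT", "TLS_KEY", "TLS_REQCERT",
    "TLS_CIPHER_SUITE", "TLS_RANDFILE", "TLS_CRLCHECK",
}

# Keywords that belong to nss_ldap / pam_ldap configuration files
# (/etc/libnss-ldap.conf and /etc/pam_ldap.conf on Debian), not to the
# OpenLDAP ldap.conf. libldap ignores them, so the intended TLS settings
# never take effect.
NSS_PAM_LDAP_KEYWORDS = {
    "SSL", "SSLPATH", "TLS_CACERTFILE", "TLS_CIPHERS", "TLS_CHECKPEER",
    "LDAP_VERSION", "ROOTBINDDN", "BINDPW", "SCOPE",
    "BIND_TIMELIMIT", "BIND_POLICY", "IDLE_TIMELIMIT",
    "PAM_FILTER", "PAM_LOGIN_ATTRIBUTE", "PAM_LOOKUP_POLICY", "PAM_PASSWORD",
    "NSS_BASE_PASSWD", "NSS_BASE_GROUP", "NSS_BASE_SHADOW",
}


def lint_ldap_conf(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, keyword, problem) for every line whose keyword
    is not a valid OpenLDAP ldap.conf keyword. Blank and comment lines are
    skipped; valid keywords produce no finding."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword = line.split(None, 1)[0].upper()
        if keyword in OPENLDAP_KEYWORDS:
            continue
        if keyword in NSS_PAM_LDAP_KEYWORDS:
            problem = "nss_ldap/pam_ldap keyword, ignored by OpenLDAP ldap.conf"
        else:
            problem = "keyword not documented in ldap.conf(5)"
        findings.append((lineno, keyword, problem))
    return findings


def starttls_is_redundant(uri: str, use_starttls: bool) -> bool:
    """ldapsearch -Z/-ZZ sends a StartTLS extended operation over a
    plaintext connection. On an ldaps:// port the socket is already TLS,
    so the request cannot be issued and the connection fails (the
    'Can't contact LDAP server (-1)' seen in the thread)."""
    return use_starttls and uri.strip().lower().startswith("ldaps://")


# Constructed sample: the first ldap.conf posted in the thread.
ORIGINAL_CONF = """\
uri ldaps://132.176.4.6/
ssl yes
tls_cacertfile /usr/lib/ssl/cacartes/<ca>.chain.crt
tls_ciphers TLSv1
tls_cert /usr/lib/ssl/certs/<clientfqdn>.cert.pem
tls_key /usr/lib/ssl/private/<clientfqdn>.key.pem
"""

# Constructed sample: the "working" ldap.conf from the follow-up, which
# still mixes in nss_ldap/pam_ldap keywords.
FOLLOWUP_CONF = """\
base dc=example
URI ldaps://<fqdn of ldap server>/
ldap_version 3
rootbinddn cn=admin
bind_policy soft
pam_password md5
TLS_REQCERT demand
TLS_CACERT /usr/lib/ssl/certs/<ca>.chain.crt
"""


def flagged_keywords(text: str) -> List[str]:
    """Convenience wrapper: just the offending keywords, in file order."""
    return [kw for _, kw, _ in lint_ldap_conf(text)]


if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL_CONF), ("follow-up", FOLLOWUP_CONF)):
        print(f"== {name} ldap.conf ==")
        for lineno, kw, problem in lint_ldap_conf(conf):
            print(f"  line {lineno}: {kw}: {problem}")
    print("StartTLS on ldaps:// redundant:",
          starttls_is_redundant("ldaps://132.176.4.6/", use_starttls=True))
```

Run against the two configurations from the thread, the linter reproduces Buchan's findings: three foreign keywords in the first file (ssl, tls_cacertfile, tls_ciphers) while tls_cert and tls_key pass because they are valid OpenLDAP keywords under case-insensitive matching, and four in the second (ldap_version, rootbinddn, bind_policy, pam_password). Lines the linter accepts are only syntactically valid for libldap; whether the referenced CA bundle actually contains the issuing chain is a separate check.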
openldap-technical@openldap.org