Hi, We have to implement a 2 way SSL mechanism on a LDAP connector in our product. In order to test the implementation, we have chosen openLDAP2.4 as the data source. Currently we have done the following steps: On the OpenLDAP end: 1. Installed OpenLDAP with TLS feature 2.Created a CA using OpenSSL /etc/pki/tls/misc/CA –newca 3.Created a certificate using OpenSSL openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem 4.Signed the certificate using the CA created /etc/pki/tls/misc/CA –sign 5. Finally stored the cacert.pem, newreq.pem and newcert.pem under /opt/openldap/certificate folder 6. Following changes were made in sldap.conf TLSCipherSuite MEDIUM:+SSLv2:+SSLv3:RSA TLSCACertificatePath /opt/openldap/certificate/ TLSCACertificateFile /opt/openldap/certificate/cacert.pem TLSCertificateFile /opt/openldap/certificate/servercrt.pem TLSCertificateKeyFile /opt/openldap/certificate/serverkey.pem # Use the following if client authentication is required TLSVerifyClient demand 7.Similarly a new certificate for client was created using client’s details such as host name etc 8.Signed by the previously created CA On the client side: 1. Following changes were made in ldap.conf HOST spsdel192 PORT 636 TLS_CACERTDIR/etc/openldap/certs TLS_REQCERT demand TLS_CACERT /etc/openldap/certs/cacert.pem Finally when executing [root@spsdel193 ~]# ldapsearch -v -Z -D cn=root,o=ShawEnterprise -w secret -b o=accounts,o=shawEnterprise ldap_initialize( <DEFAULT> ) ldap_start_tls: Connect error (-11) additional info: TLS error -12227:SSL peer was unable to negotiate an acceptable set of security parameters. ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) [root@spsdel193 ~]# Any solution to resolve this issue would be of great help. Thanks in advance. Regards Vidya
On Wed, 11 Dec 2013, vidya bharadwaj wrote:
have to implement a 2 way SSL mechanism on a LDAP connector in our product. In order to test the implementation, we have chosen openLDAP2.4 as the data source.
You should *first* get SSL working without client certs. Once you have that working, *then* add client certs to the config.
Next: is your intent to do a) "upgrade from cleartext to SSL" (i.e., make an ldap:// connection and then use the StartTLS extension to negotiate TLS), OR b) "SSL on connect" (i.e., make an ldaps:// connection where SSL is negotiated immediately after connecting)
?
I ask, because your config bits mix the two, which won't work: port 636 is reserved for ldaps (choice (b)), but you used the -Z option to ldapsearch (choice (a)). You must pick one.
If you want to do (a), then you should be using ldap:// on port 389 with the -Z (or -ZZ) option.
If you want to do (b), then you should be using ldaps:// on port 636 and *not* use the -Z option.
...
- Following changes
were made in sldap.conf TLSCipherSuite MEDIUM:+SSLv2:+SSLv3:RSA
So you want to be completely insecure? Why bother enabling SSL if you're going to permit SSLv2 and even ciphers that DON'T ENCRYPT.
$ openssl ciphers -v MEDIUM:+SSLv2:+SSLv3:RSA | grep Enc=None NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1 NULL-MD5 SSLv3 Kx=RSA Au=RSA Enc=None Mac=MD5 $
You should yell at the person or documentation that suggested using that line and stop trusting them for anything involving security.
...
On the client side: 1. Following changes were made in ldap.conf HOST spsdel192 PORT 636
Do not use the HOST and PORT options. Use the URI option, as that lets you specify the schema (ldap vs ldaps) in the same line. Next, in order for the server certificate to be validated, the hostname you connect to (in the URI) must match what's in the certificate, which should be an FQDN. I.e., something like:
URI ldaps://spsdel192.YOUR.DOMAIN.GOES.HERE:636/
Philip Guenther
openldap-technical@openldap.org
-
Philip Guenther -
vidya bharadwaj