[clug] LDAP over SSL/TLS not working
Jade Barton
jade.barton at gmail.com
Sun Oct 2 02:52:34 GMT 2005
Thanks Kim, unfortunately the line (or many variations of similar)
didn't work. I suspect you have pointed me in the right direction though,
and it's something to do with the client's ldap.conf file for the
following reason... I ran the following commands successfully from
the client:
ldapsearch -H ldap://xxxx.net/ -b dc=xxxx,dc=net -x (simple auth, no encrypt.)
ldapsearch -H ldaps://xxxx.net/ -b dc=xxxx,dc=net -x (simple auth, over SSL)
ldapsearch -H ldap://xxxx.net/ -ZZ -b dc=xxxx,dc=net -x (simple auth, over StartTLS)
They all returned the user data from the server. As soon as I drop
the "-x" it tries to use SASL and fails. I am wondering if, by
enabling the checkbox in the "Authentication" dialogue on the client,
it is trying to use SASL also. I haven't set up SASL and don't really
care if it doesn't use it, as long as the (simple) auth traffic is
over SSL/TLS.
So in the ldap.conf file I changed
host 192.168.111.1
to
uri ldaps://192.168.111.1/
but it didn't work :(
As a bit of background, these certificates & keyfiles have been
generated and signed using the OpenSSL software by me. I'm pretty
confident that they're ok because I use similar ones for encrypted
SMTP and IMAPS and they seem to work for the LDAP addressbook data via
the e-mail clients. To encrypt the addressbook traffic I simply
enabled the SSL checkbox which automatically changed the port to 636.
Confused,
Jade
On 02/10/05, Kim Holburn <kim.holburn at anu.edu.au> wrote:
>
>
> On 2005 Oct 02 at 1:11 AM, Jade Barton wrote:
> > Hi all,
> >
> > I am having some dramas with LDAP over SSL/TLS for authentication
> > purposes. I have got the following to work:
> > - Authentication without SSL/TLS (from FC4 box to server). Users are
> > able to log on in insecure mode.
> > - SSL/TLS or insecure mode works when accessing the address book from
> > e-mail clients (i.e. ou=AddressBook,dc=domain,dc=net). This works with
> > or without authentication.
> >
> > The bit I haven't got to work is as soon as I enable the "Use TLS to
> > encrypt connections" box in the FC4 authentication dialogue it won't
> > authenticate. One of the things that is confusing me is that FC4 has
> > 2 ldap.conf files on the client (/etc/ldap.conf &
> > /etc/openldap/ldap.conf shown below). The former appears to be the one
> > requiring change(?). I have tried putting "port 636" into the
> > ldap.conf client file but it didn't seem to help. All I had to do to
> > get the e-mail clients to connect via SSL/TLS was change their port
> > number to 636 and accept the cert when prompted. I have placed the
> > server certificate in the /etc/openldap/cacerts folder on the client.
> >
> > Google and a copy of "LDAP System Admin. - O'Reilly" aren't helping me
> > much, mainly due to the fact that I am still learning and no doubt
> > have a few knowledge holes. Any help would be most appreciated,
> > especially good references. Also, feel free to pick on any other
> > parts of the slapd.conf file you notice in error. Apologies if some
> > of this lacks sense, it's late and my head hurts.
> >
> > Copy of slapd.conf on server... (comments and stuff removed)
> > -----------------BEGIN-----------------
> > include /etc/openldap/schema/core.schema
> > include /etc/openldap/schema/cosine.schema
> > include /etc/openldap/schema/inetorgperson.schema
> > ##Include for NIS support
> > include /etc/openldap/schema/nis.schema
> > loglevel 296
> > pidfile /var/run/slapd.pid
> > argsfile /var/run/slapd.args
> > ##TLS options
> > TLSCipherSuite HIGH:MEDIUM:+SSLv2
> > TLSCertificateFile /usr/share/ssl/certs/XXXX_slapdcert.pem
> > TLSCertificateKeyFile /usr/share/ssl/private/XXXX_slapdkey.pem
>
> I assume these are a real cert/key pair, not example ones.
>
> > password-hash {SSHA}
> > # bdb database definitions
> > database bdb
> > suffix "dc=domain,dc=net"
> > rootdn "cn=Manager,dc=domain,dc=net"
> > rootpw {SSHA}removed
> > directory /var/lib/ldap/xxxx
> > mode 0600
> > ##Indexes to maintain
> > index objectClass,uid,uidNumber,gidNumber eq
> > index cn eq
> > ##ACL's
> > access to attrs=userPassword
> > by self write
> > by * auth
> > access to *
> > by * read
> > ######################################################################
> > #
> > -----------------END-----------------
> > Copy of ldap.conf on client... (comments and stuff removed)
> > -----------------BEGIN-----------------
> > [root at xxxx ~]# more /etc/ldap.conf | grep -v ^# | grep .
> > host 192.168.111.1
> > base dc=domain,dc=net
> > ssl start_tls
> > tls_cacertdir /etc/openldap/cacerts
>
> I think you need a line here saying something like:
> tls_certfile /usr/share/ssl/certs/XXXX_slapdcert.pem
>
> > pam_password md5
> > -----------------END-----------------
> > -----------------BEGIN-----------------
> > [root at xxxx ~]# more /etc/openldap/ldap.conf | grep -v ^# | grep .
> > HOST 192.168.111.1
> > BASE dc=domain,dc=net
> > TLS_CACERTDIR /etc/openldap/cacerts
>
> tls_certfile /usr/share/ssl/certs/XXXX_slapdcert.pem
>
> > -----------------END-----------------
> >
> >
> > --
> > Jade
> > -- Of all the manifestations of power,
> > restraint impresses men the most --
> > Thucydides
>
> --
> Kim Holburn
> Network and Security Manager, National ICT Australia Ltd.
> Ph: +61 2 61258620 M: +61 417820641 F: +61 2 6230 6121 aim://kimholburn
> Email: kim.holburn at nicta.com.au - PGP Public Key on request
> callto://kholburn
> Cacert Root Cert: http://www.cacert.org/cacert.crt
> Aust. Spam Act: To stop receiving mail from me: reply and let me know.
>
> Use ISO 8601 dates [YYYY-MM-DD] http://www.saqqara.demon.co.uk/datefmt.htm
> Democracy imposed from without is the severest form of tyranny.
> -- Lloyd Biggle, Jr. Analog, Apr 1961
>
>
>
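An added example, not part of this thread: a small POSIX sh linter that reads a client ldap.conf (either the pam_ldap/nss_ldap /etc/ldap.conf or the OpenLDAP /etc/openldap/ldap.conf, which use the same directives in different case) and reports when a simple bind would go in cleartext, when no CA trust anchor is configured, or when peer verification is switched off. The sample config files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): lint a client ldap.conf for the TLS
# settings a simple-bind login needs, so the password is encrypted in transit
# AND the server certificate is actually verified. Keys are matched
# case-insensitively: /etc/ldap.conf (pam_ldap/nss_ldap) uses lowercase,
# /etc/openldap/ldap.conf (OpenLDAP client library) uppercase.

# conf_get FILE KEY: print the value of the last matching directive, if any.
conf_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { val = $2 }
        END { if (val != "") print val }' "$1"
}

# lint_ldap_conf FILE: exit 0 when transport is TLS, a trust anchor is set and
# peer verification is on; otherwise print findings and exit 1.
lint_ldap_conf() {
    f=$1; rc=0
    uri=$(conf_get "$f" uri); ssl=$(conf_get "$f" ssl)
    case "$uri" in
        ldaps://*) ;;
        *) if [ "$ssl" != "start_tls" ] && [ "$ssl" != "on" ]; then
               echo "$f: no ldaps:// uri and no 'ssl start_tls': bind would be cleartext"; rc=1
           fi ;;
    esac
    # Trust anchor: the CA that signed the server cert (not the server cert
    # itself) must be reachable via one of these; a cacertdir also needs
    # hash-named symlinks (c_rehash) or the library will not find the CA.
    ca=$(conf_get "$f" tls_cacertfile)$(conf_get "$f" tls_cacert)$(conf_get "$f" tls_cacertdir)
    if [ -z "$ca" ]; then
        echo "$f: no tls_cacertfile/tls_cacert/tls_cacertdir: server cert cannot be verified"; rc=1
    fi
    # Verification must stay on: a client that skips peer checks sends the
    # password to whatever host answers on 636, which defeats the point of TLS.
    checkpeer=$(conf_get "$f" tls_checkpeer); reqcert=$(conf_get "$f" tls_reqcert)
    case "$checkpeer:$reqcert" in
        no:*|*:never|*:allow)
            echo "$f: peer verification disabled (tls_checkpeer=$checkpeer tls_reqcert=$reqcert)"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample files, modelled on the client config shown in the thread.
tmp=$(mktemp -d)
printf 'host 192.168.111.1\nbase dc=domain,dc=net\nssl start_tls\ntls_cacertdir /etc/openldap/cacerts\npam_password md5\n' > "$tmp/good.conf"
printf 'host 192.168.111.1\nbase dc=domain,dc=net\ntls_checkpeer no\n' > "$tmp/bad.conf"
lint_ldap_conf "$tmp/good.conf" && echo "good.conf: ok"
lint_ldap_conf "$tmp/bad.conf"  || echo "bad.conf: needs attention"
```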