[clug] LDAP over SSL/TLS not working

Kim Holburn kim.holburn at anu.edu.au
Sun Oct 2 08:47:49 GMT 2005



On 2005 Oct 02 at 12:52 PM, Jade Barton wrote:
> Thanks Kim, unfortunately the line (or many variations of similar)
> didn't work.  I suspect you have pointed me in right direction though,
> and it's something to do with the clients ldap.conf file for the
> following reason...  I ran the following commands successfully from
> the client:
>
> ldapsearch -H ldap://xxxx.net/ -b dc=xxxx,dc=net -x   (simple auth, no encrypt.)
> ldapsearch -H ldaps://xxxx.net/ -b dc=xxxx,dc=net -x   (simple auth, over SSL)
> ldapsearch -H ldap://xxxx.net/ -ZZ -b dc=xxxx,dc=net -x   (simple auth, over StartTLS)
>
> They all returned the user data from the server.  As soon as I drop
> the "-x" it tries to use SASL and fails.

Yeah, if you drop the "-x" you are asking for Kerberos authentication,
which is only going to work if you have set up Kerberos.  Simple
authentication is most probably what you're doing.

> I am wondering if, by
> enabling the checkbox in the "Authentication" dialogue on the client
> it is trying to use SASL also.  I haven't set up SASL and don't really
> care if it doesn't use it, as long as the (simple) auth traffic is
> over SSL/TLS.
>
> So in the ldap.conf file I changed
> host 192.168.111.1
> to
> uri ldaps://192.168.111.1/
> but it didn't work :(
>
> As a bit of background these certificates & keyfiles have been
> generated and signed using the OpenSSL software by me.  I'm pretty
> confident that they're ok because I use similar ones for encrypted
> SMTP and IMAPS and they seem to work for the LDAP addressbook data via
> the e-mail clients.  To encrypt the addressbook traffic I simply
> enabled the SSL checkbox which automatically changed the port to 636.

Unfortunately each version of OpenLDAP works slightly differently, but
the later versions require the cert file in ldap.conf.  The
TLS_CERTFILE line has to point to a valid cert.  You also have to
have the right word; TLS_CERTFILE is just one I made up, so you will
have to look in the doco to find the right word.


>
> Confused,
> Jade
>
> On 02/10/05, Kim Holburn <kim.holburn at anu.edu.au> wrote:
>
>>
>>
>> On 2005 Oct 02 at 1:11 AM, Jade Barton wrote:
>>
>>> Hi all,
>>>
>>> I am having some dramas with LDAP over SSL/TLS for authentication
>>> purposes.  I have got the following to work:
>>> - Authentication without SSL/TLS (from FC4 box to server).  Users are
>>> able to log on in insecure mode.
>>> - SSL/TLS or insecure mode works when accessing the address book from
>>> e-mail clients (ie. ou=AddressBook,dc=domain,dc=net). This works with
>>> or without authentication.
>>>
>>> The bit I haven't got to work is as soon as I enable the "Use TLS to
>>> encrypt connections" box in the FC4 authentication dialogue it won't
>>> authenticate.  One of the things that is confusing me is that FC4 has
>>> 2 ldap.conf files on the client (/etc/ldap.conf &
>>> /etc/openldap/ldap.conf shown below). The former appears to be the one
>>> requiring change(?).  I have tried putting "port 636" into the
>>> ldap.conf client file but it didn't seem to help.  All I had to do to
>>> get the e-mail clients to connect via SSL/TLS was change their port
>>> number to 636 and accept the cert when prompted.  I have placed the
>>> server certificate in the /etc/openldap/cacerts folder on the client.
>>>
>>> Google and a copy of "LDAP System Admin. - O'Reilly" aren't helping me
>>> much.  Mainly due to the fact that I am still learning and no doubt
>>> have a few knowledge holes.  Any help would be most appreciated,
>>> especially good references.  Also, feel free to pick on any other
>>> parts of the slapd.conf file you notice in error.  Apologies if some
>>> of this lacks sense, it's late and my head hurts.
>>>
>>> Copy of slapd.conf on server... (comments and stuff removed)
>>> -----------------BEGIN-----------------
>>> include            /etc/openldap/schema/core.schema
>>> include            /etc/openldap/schema/cosine.schema
>>> include            /etc/openldap/schema/inetorgperson.schema
>>> ##Include for NIS support
>>> include            /etc/openldap/schema/nis.schema
>>> loglevel        296
>>> pidfile            /var/run/slapd.pid
>>> argsfile        /var/run/slapd.args
>>> ##TLS options
>>> TLSCipherSuite        HIGH:MEDIUM:+SSLv2
>>> TLSCertificateFile    /usr/share/ssl/certs/XXXX_slapdcert.pem
>>> TLSCertificateKeyFile    /usr/share/ssl/private/XXXX_slapdkey.pem
>>>
>>
>> I assume these are a real cert/key pair, not example ones.
>>
>>
>>> password-hash    {SSHA}
>>> # bdb database definitions
>>> database        bdb
>>> suffix            "dc=domain,dc=net"
>>> rootdn            "cn=Manager,dc=domain,dc=net"
>>> rootpw            {SSHA}removed
>>> directory        /var/lib/ldap/xxxx
>>> mode            0600
>>> ##Indexes to maintain
>>> index objectClass,uid,uidNumber,gidNumber    eq
>>> index cn                    eq
>>> ##ACL's
>>> access to attrs=userPassword
>>>     by self write
>>>     by * auth
>>> access to *
>>>         by * read
>>> ######################################################################
>>> #
>>> -----------------END-----------------
>>> Copy of ldap.conf on client... (comments and stuff removed)
>>> -----------------BEGIN-----------------
>>> [root at xxxx ~]# more /etc/ldap.conf | grep -v ^# | grep .
>>> host 192.168.111.1
>>> base dc=domain,dc=net
>>> ssl start_tls
>>> tls_cacertdir /etc/openldap/cacerts
>>>
>>
>> I think you need a line here saying something like:
>> tls_certfile /usr/share/ssl/certs/XXXX_slapdcert.pem
>>
>>
>>> pam_password md5
>>> -----------------END-----------------
>>> -----------------BEGIN-----------------
>>> [root at xxxx ~]# more /etc/openldap/ldap.conf | grep -v ^# | grep .
>>> HOST 192.168.111.1
>>> BASE dc=domain,dc=net
>>> TLS_CACERTDIR /etc/openldap/cacerts
>>>
>>
>> tls_certfile /usr/share/ssl/certs/XXXX_slapdcert.pem
>>
>>
>>> -----------------END-----------------
>>>
>>>
>>> --
>>> Jade
>>>   --  Of all the manifestations of power,
>>>             restraint impresses men the most --
>>>                                       Thucydides
>>> --
>>> linux mailing list
>>> linux at lists.samba.org
>>> https://lists.samba.org/mailman/listinfo/linux
>>>
>>>
>>

-- 
Kim Holburn
Network and Security Manager, National ICT Australia Ltd.
Ph: +61 2 61258620 M: +61 417820641  F: +61 2 6230 6121 aim://kimholburn
Email: kim.holburn at nicta.com.au  - PGP Public Key on request   
callto://kholburn
Cacert Root Cert: http://www.cacert.org/cacert.crt
Aust. Spam Act: To stop receiving mail from me: reply and let me know.

Use ISO 8601 dates [YYYY-MM-DD] http://www.saqqara.demon.co.uk/datefmt.htm
Democracy imposed from without is the severest form of tyranny.
                           -- Lloyd Biggle, Jr. Analog, Apr 1961
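An added example, not from the thread: a small Python linter for the two client-side ldap.conf styles quoted above (nss_ldap's lowercase /etc/ldap.conf and OpenLDAP's /etc/openldap/ldap.conf). It checks that the client actually asks for ldaps:// or StartTLS, that it has a CA trust anchor to verify the server certificate against, and that verification has not been switched off. The sample configs are constructed from the thread; the keyword names (uri, ssl, port, tls_cacertdir, tls_cacertfile, tls_checkpeer, TLS_CACERT, TLS_REQCERT) are real nss_ldap/OpenLDAP options.

```python
"""Lint a client ldap.conf for encrypted, verifiable LDAP connections."""

# Constructed samples, modelled on the two client files quoted in the thread.
SAMPLE_NSS_LDAP = """\
host 192.168.111.1
base dc=domain,dc=net
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
pam_password md5
"""

SAMPLE_OPENLDAP = """\
HOST 192.168.111.1
BASE dc=domain,dc=net
TLS_CACERTDIR /etc/openldap/cacerts
"""


def parse_ldap_conf(text):
    """Return {keyword (lowercased): value} for non-comment, non-blank lines.
    Both file styles are 'KEYWORD value' with case-insensitive keywords."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def lint_client_tls(conf):
    """Return a list of findings; an empty list means TLS is requested and
    the client has what it needs to verify the server certificate."""
    findings = []
    ssl = conf.get("ssl", "").lower()
    uses_ldaps = conf.get("uri", "").lower().startswith("ldaps://") or ssl in ("on", "yes")
    uses_starttls = ssl == "start_tls"
    if not (uses_ldaps or uses_starttls):
        findings.append("no encryption: set 'uri ldaps://host/' or 'ssl start_tls'")
    if conf.get("port") == "636" and not uses_ldaps:
        # Port 636 speaks TLS from the first byte; 'port 636' alone is not enough.
        findings.append("port 636 without ldaps:// or 'ssl on': server expects TLS there")
    if not any(k in conf for k in ("tls_cacert", "tls_cacertfile", "tls_cacertdir")):
        findings.append("no CA trust anchor: set TLS_CACERT, tls_cacertfile or TLS_CACERTDIR")
    if conf.get("tls_reqcert", "demand").lower() in ("never", "allow"):
        findings.append("TLS_REQCERT never/allow disables server certificate verification")
    if conf.get("tls_checkpeer", "").lower() == "no":
        findings.append("tls_checkpeer no disables server certificate verification")
    return findings
```

Note that TLS_CACERTDIR is searched by OpenSSL hash filename, so a certificate copied into /etc/openldap/cacerts must be hashed (c_rehash) or referenced directly with TLS_CACERT; the linter cannot see that from the file alone.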



