[clug] LDAP over SSL/TLS not working
Kim Holburn
kim.holburn at anu.edu.au
Sun Oct 2 11:42:23 GMT 2005
Hi Jade,
Reading the man page for ldap.conf (and you will have to read the one
that came with yours because they are all slightly different):
You could try this line in ldap.conf:
TLS_REQCERT never
All the other options look to me like they deal with CA certs not a
standalone server cert which is probably what you have.
TLS_REQCERT <level>
    Specifies what checks to perform on server certificates in a TLS
    session, if any. The <level> can be specified as one of the
    following keywords:

    never   The client will not request or check any server
            certificate.

    allow   The server certificate is requested. If no certificate is
            provided, the session proceeds normally. If a bad
            certificate is provided, it will be ignored and the
            session proceeds normally.

    try     The server certificate is requested. If no certificate is
            provided, the session proceeds normally. If a bad
            certificate is provided, the session is immediately
            terminated.

    demand | hard
            These keywords are equivalent. The server certificate is
            requested. If no certificate is provided, or a bad
            certificate is provided, the session is immediately
            terminated. This is the default setting.
On 2005 Oct 02 at 12:52 PM, Jade Barton wrote:
> Thanks Kim, unfortunately the line (or many variations of similar)
> didn't work. I suspect you have pointed me in the right direction
> though, and it's something to do with the client's ldap.conf file for
> the following reason... I ran the following commands successfully from
> the client:
>
> ldapsearch -H ldap://xxxx.net/ -b dc=xxxx,dc=net -x (simple auth,
> no encrypt.)
> ldapsearch -H ldaps://xxxx.net/ -b dc=xxxx,dc=net -x (simple
> auth, over SSL)
> ldapsearch -H ldap://xxxx.net/ -ZZ -b dc=xxxx,dc=net -x (simple
> auth, over StartTLS)
>
> They all returned the user data from the server. As soon as I drop
> the "-x" it tries to use SASL and fails. I am wondering if, by
> enabling the checkbox in the "Authentication" dialogue on the client
> it is trying to use SASL also. I haven't set up SASL and don't really
> care if it doesn't use it, as long as the (simple) auth traffic is
> over SSL/TLS.
>
> So in the ldap.conf file I changed
> host 192.168.111.1
> to
> uri ldaps://192.168.111.1/
> but it didn't work :(
>
> As a bit of background these certificates & keyfiles have been
> generated and signed using the OpenSSL software by me. I'm pretty
> confident that they're ok because I use similar ones for encrypted
> SMTP and IMAPS and they seem to work for the LDAP addressbook data via
> the e-mail clients. To encrypt the addressbook traffic I simply
> enabled the SSL checkbox which automatically changed the port to 636.
>
> Confused,
> Jade
>
> On 02/10/05, Kim Holburn <kim.holburn at anu.edu.au> wrote:
>
>>
>>
>> On 2005 Oct 02 at 1:11 AM, Jade Barton wrote:
>>
>>> Hi all,
>>>
>>> I am having some dramas with LDAP over SSL/TLS for authentication
>>> purposes. I have got the following to work:
>>> - Authentication without SSL/TLS (from FC4 box to server). Users are
>>> able to log on in insecure mode.
>>> - SSL/TLS or insecure mode works when accessing the address book from
>>> e-mail clients (i.e. ou=AddressBook,dc=domain,dc=net). This works
>>> with or without authentication.
>>>
>>> The bit I haven't got to work is as soon as I enable the "Use TLS to
>>> encrypt connections" box in the FC4 authentication dialogue it won't
>>> authenticate. One of the things that is confusing me is that FC4 has
>>> 2 ldap.conf files on the client (/etc/ldap.conf &
>>> /etc/openldap/ldap.conf shown below). The former appears to be the
>>> one requiring change(?). I have tried putting "port 636" into the
>>> ldap.conf client file but it didn't seem to help. All I had to do to
>>> get the e-mail clients to connect via SSL/TLS was change their port
>>> number to 636 and accept the cert when prompted. I have placed the
>>> server certificate in the /etc/openldap/cacerts folder on the
>>> client.
>>>
>>> Google and a copy of "LDAP System Admin. - O'Reilly" aren't helping
>>> me much, mainly due to the fact that I am still learning and no doubt
>>> have a few knowledge holes. Any help would be most appreciated,
>>> especially good references. Also, feel free to pick on any other
>>> parts of the slapd.conf file you notice in error. Apologies if some
>>> of this lacks sense, it's late and my head hurts.
>>>
>>> Copy of slapd.conf on server... (comments and stuff removed)
>>> -----------------BEGIN-----------------
>>> include /etc/openldap/schema/core.schema
>>> include /etc/openldap/schema/cosine.schema
>>> include /etc/openldap/schema/inetorgperson.schema
>>> ##Include for NIS support
>>> include /etc/openldap/schema/nis.schema
>>> loglevel 296
>>> pidfile /var/run/slapd.pid
>>> argsfile /var/run/slapd.args
>>> ##TLS options
>>> TLSCipherSuite HIGH:MEDIUM:+SSLv2
>>> TLSCertificateFile /usr/share/ssl/certs/XXXX_slapdcert.pem
>>> TLSCertificateKeyFile /usr/share/ssl/private/XXXX_slapdkey.pem
>>>
>>
>> I assume these are a real cert/key pair, not example ones.
>>
>>
>>> password-hash {SSHA}
>>> # bdb database definitions
>>> database bdb
>>> suffix "dc=domain,dc=net"
>>> rootdn "cn=Manager,dc=domain,dc=net"
>>> rootpw {SSHA}removed
>>> directory /var/lib/ldap/xxxx
>>> mode 0600
>>> ##Indexes to maintain
>>> index objectClass,uid,uidNumber,gidNumber eq
>>> index cn eq
>>> ##ACL's
>>> access to attrs=userPassword
>>> by self write
>>> by * auth
>>> access to *
>>> by * read
>>> ####################################################################
>>> ##
>>> #
>>> -----------------END-----------------
>>> Copy of ldap.conf on client... (comments and stuff removed)
>>> -----------------BEGIN-----------------
>>> [root at xxxx ~]# more /etc/ldap.conf | grep -v ^# | grep .
>>> host 192.168.111.1
>>> base dc=domain,dc=net
>>> ssl start_tls
>>> tls_cacertdir /etc/openldap/cacerts
>>>
>>
>> I think you need a line here saying something like:
>> tls_certfile /usr/share/ssl/certs/XXXX_slapdcert.pem
>>
>>
>>> pam_password md5
>>> -----------------END-----------------
>>> -----------------BEGIN-----------------
>>> [root at xxxx ~]# more /etc/openldap/ldap.conf | grep -v ^# | grep .
>>> HOST 192.168.111.1
>>> BASE dc=domain,dc=net
>>> TLS_CACERTDIR /etc/openldap/cacerts
>>>
>>
>> tls_certfile /usr/share/ssl/certs/XXXX_slapdcert.pem
>>
>>
>>> -----------------END-----------------
>>>
>>>
>>> --
>>> Jade
>>> -- Of all the manifestations of power,
>>> restraint impresses men the most --
>>> Thucydides
>>> --
>>> linux mailing list
>>> linux at lists.samba.org
>>> https://lists.samba.org/mailman/listinfo/linux
>>>
>>>
>>
>> --
>> Kim Holburn
>> Network and Security Manager, National ICT Australia Ltd.
>> Ph: +61 2 61258620 M: +61 417820641 F: +61 2 6230 6121 aim://kimholburn
>> Email: kim.holburn at nicta.com.au - PGP Public Key on request
>> callto://kholburn
>> Cacert Root Cert: http://www.cacert.org/cacert.crt
>> Aust. Spam Act: To stop receiving mail from me: reply and let me
>> know.
>>
>> Use ISO 8601 dates [YYYY-MM-DD] http://www.saqqara.demon.co.uk/datefmt.htm
>> Democracy imposed from without is the severest form of tyranny.
>> -- Lloyd Biggle, Jr. Analog, Apr 1961
>>
>>
>>
>
--
Kim Holburn
Network and Security Manager, National ICT Australia Ltd.
Ph: +61 2 61258620 M: +61 417820641 F: +61 2 6230 6121 aim://kimholburn
Email: kim.holburn at nicta.com.au - PGP Public Key on request
callto://kholburn
Cacert Root Cert: http://www.cacert.org/cacert.crt
Aust. Spam Act: To stop receiving mail from me: reply and let me know.
Use ISO 8601 dates [YYYY-MM-DD] http://www.saqqara.demon.co.uk/datefmt.htm
Democracy imposed from without is the severest form of tyranny.
-- Lloyd Biggle, Jr. Analog, Apr 1961
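Editor's added example, not code from this thread or from OpenLDAP or nss_ldap: a small checker that reads a client ldap.conf in either of the two dialects the thread shows (OpenLDAP's /etc/openldap/ldap.conf with TLS_REQCERT, TLS_CACERT, TLS_CACERTDIR and URI; the nss_ldap-style /etc/ldap.conf with ssl, tls_checkpeer, tls_cacertdir, host and port) and reports which TLS_REQCERT level from the man page excerpt is in effect, whether the file asks for TLS at all, and whether a trust anchor is configured. The two sample configs and the certificate path in them are constructed for this example, and matching keys case-insensitively across both dialects is an assumption of the checker, not a guarantee of either library.

```python
"""Audit the server-certificate policy of an LDAP client config file.

Added example (not from the mailing-list thread). Keys are matched
case-insensitively across the OpenLDAP and nss_ldap dialects; that is an
assumption of this checker. Sample configs below are constructed.
"""

# TLS_REQCERT levels as described in ldap.conf(5).
REQCERT_LEVELS = {
    "never": "certificate not requested or checked",
    "allow": "certificate requested; missing or bad certificate ignored",
    "try": "certificate requested; bad certificate aborts, missing one accepted",
    "demand": "certificate requested; missing or bad certificate aborts (default)",
    "hard": "same as demand",
}
# Only these levels abort the session when the certificate is bad.
VERIFYING_LEVELS = {"try", "demand", "hard"}
TRUST_ANCHOR_KEYS = ("tls_cacert", "tls_cacertfile", "tls_cacertdir")


def parse_ldap_conf(text):
    """Parse 'KEY value' lines into a dict of lowercased keys.

    Blank lines and '#' comments are skipped; a repeated key keeps its
    last value.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf[parts[0].lower()] = parts[1].strip()
    return conf


def effective_reqcert(conf):
    """Return the effective TLS_REQCERT level for a parsed config."""
    if "tls_reqcert" in conf:
        return conf["tls_reqcert"].lower()
    # nss_ldap spells the same idea as 'tls_checkpeer yes|no'.
    if "tls_checkpeer" in conf:
        checks = conf["tls_checkpeer"].lower() in ("yes", "true", "on")
        return "demand" if checks else "never"
    return "demand"  # ldap.conf(5) default


def requests_tls(conf):
    """True if the file asks for LDAPS or StartTLS at all."""
    if conf.get("ssl", "").lower() in ("on", "start_tls"):
        return True
    return any(u.lower().startswith("ldaps://") for u in conf.get("uri", "").split())


def audit(text):
    """Return the effective level plus a list of findings for one config file."""
    conf = parse_ldap_conf(text)
    level = effective_reqcert(conf)
    verifies = level in VERIFYING_LEVELS
    findings = []
    if not requests_tls(conf):
        # 'port 636' alone only changes the port; LDAPS needs 'ssl on' or an
        # ldaps:// URI, StartTLS needs 'ssl start_tls' (or -ZZ on the command line).
        findings.append("this file requests neither LDAPS nor StartTLS "
                        "(no 'ssl on'/'ssl start_tls' and no ldaps:// URI)")
    if not verifies:
        findings.append(f"TLS_REQCERT {level}: {REQCERT_LEVELS.get(level, 'unknown level')}; "
                        "the client cannot tell the real server from an impostor")
    if verifies and not any(k in conf for k in TRUST_ANCHOR_KEYS):
        findings.append("verification enabled but no TLS_CACERT/TLS_CACERTDIR trust anchor set")
    return {"level": level, "verifies_server": verifies, "findings": findings}


# Constructed sample 1 (OpenLDAP dialect): port changed, verification off.
WEAK_CONF = """\
HOST 192.168.111.1
BASE dc=domain,dc=net
PORT 636
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT never
"""

# Constructed sample 2 (nss_ldap dialect): LDAPS, peer checking on, and the
# self-signed server certificate as the trust anchor (path is a placeholder).
HARDENED_CONF = """\
uri ldaps://192.168.111.1/
base dc=domain,dc=net
ssl on
tls_cacertfile /etc/openldap/cacerts/ldap-server.pem
tls_checkpeer yes
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(text))
```

Run it against a real /etc/ldap.conf and /etc/openldap/ldap.conf by reading each file into `audit()`. A `never` or `allow` result means the session is encrypted but the server is not authenticated, so the fix for a self-signed server certificate is to name it as the trust anchor (TLS_CACERT / tls_cacertfile) rather than to lower the level; note that TLS_CACERTDIR is an OpenSSL hashed directory, so a certificate copied there is only found after the directory has been re-hashed with c_rehash.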