On 21/11/10 23.20, bluethundr wrote:
I am attempting to setup SSL/TLS support on my openLDAP 2.4 server on FreeBSD.
...
[r...@virtcent08:/etc/openldap/cacerts]#openssl s_client -connect ldap.summitnjhome.com:389 -showcerts -CAfile gd_bundle.crt
CONNECTED(00000003)
3156:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:188:

From the man page, s_client(1):

"If the handshake fails then there are several possible causes, if it is nothing obvious like no client certificate then the -bugs, -ssl2, -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1 options can be tried in case it is a buggy server."

But rather than using s_client, you may try using ldapsearch(1).

I use openldap-sasl-server-2.4.23, in slapd.conf:

TLSCipherSuite          HIGH
TLSCertificateFile      /path/to/server/certs/MyServerCert.cer
TLSCertificateKeyFile   /path/to/server/certs/MyServerKey.key

The server need only be configured with the TLSCACertificateFile option if you use TLS for client authentication. Multiple certificates can be stored in this file by concatenating the certificate files.

in ldap.conf:

TLS_CACERT      /path/to/certs/MyCARoot.cer

The MyCARoot.cer must be the CA root certificate used to issue the server certificate. You may add more certificates by concatenation.

Other TLS options may be configured to enable TLS client authentication.

Then with the command:

ldapsearch -Z -h ldap.example.com -x -D "cn=My Name, ou=Some Org, dc=example, dc=com" -w UpsThisIsVerySecret -b "dc=example, dc=com" "(telephoneNumber=*555*)" cn sn telephoneNumber

I connect; in parallel, using snort -vCd port 389, I see this:

11/22-13:31:15.332512 172.16.1.127:52454 -> 172.16.0.1:389
TCP TTL:64 TOS:0x0 ID:18677 IpLen:20 DgmLen:83 DF
***AP*** Seq: 0x1B6C4BE1  Ack: 0xB1212BEB  Win: 0x8218  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1062950892 2880608010
0....w...1.3.6.1.4.1.1466.20037

That 1.3.6.1.4.1.1466.20037 is the OID for StartTLS. The rest is gibberish, but it works.

BR, Erik
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[email protected]"
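The "gibberish" around the OID in Erik's snort dump is the BER encoding of an LDAP ExtendedRequest (RFC 4511, section 4.14), which is what `ldapsearch -Z` sends in cleartext on port 389 before the TLS handshake starts. That is also why the quoted `openssl s_client` run fails: a raw TLS ClientHello sent to a port that expects cleartext LDAP first gets no TLS handshake back. The following Python script is an added example, not part of the mailing-list post or of OpenLDAP: it rebuilds that request byte for byte, decodes it, builds and decodes the server's ExtendedResponse, and mirrors how `-Z` and `-ZZ` react to a failed StartTLS. The embedded capture is reconstructed from the post's dump (31 bytes of payload = DgmLen 83 - 20 IP - 32 TCP, of which only '0', 'w' and the OID are printable); the tag and length bytes between them are filled in from the RFC's ASN.1 and are an assumption about this capture, not read off it.

```python
# Added example: the LDAP StartTLS extended operation on the wire (RFC 4511 4.14).

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"

# BER tags used in an LDAPMessage carrying an extended operation
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_ENUMERATED = 0x0A
TAG_SEQUENCE = 0x30
TAG_EXTENDED_REQUEST = 0x77   # [APPLICATION 23] CONSTRUCTED
TAG_EXTENDED_RESPONSE = 0x78  # [APPLICATION 24] CONSTRUCTED
TAG_REQUEST_NAME = 0x80       # [0]  requestName  LDAPOID
TAG_RESPONSE_NAME = 0x8A      # [10] responseName LDAPOID

# Constructed from the snort dump in the post: '0', 'w' and the OID are the
# printable bytes; the length/tag bytes are reconstructed from the ASN.1.
CAPTURED_STARTTLS_REQUEST = (
    b"\x30\x1d"            # LDAPMessage SEQUENCE, 29 bytes   ('0')
    b"\x02\x01\x01"        # messageID INTEGER 1
    b"\x77\x18"            # ExtendedRequest, 24 bytes         ('w')
    b"\x80\x16"            # requestName [0], 22 bytes
    + STARTTLS_OID.encode("ascii")
)


def ber_len(n):
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value


def ber_uint(tag, n):
    """Non-negative INTEGER/ENUMERATED, minimal length, sign bit kept clear."""
    return tlv(tag, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def read_tlv(buf, pos=0):
    """Return (tag, value, position after the TLV) for the TLV at pos."""
    if len(buf) < pos + 2:
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(buf) < pos + n:
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if len(buf) < pos + length:
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length


def build_starttls_request(message_id=1):
    """The ExtendedRequest a client sends to ask for StartTLS."""
    ext = tlv(TAG_EXTENDED_REQUEST, tlv(TAG_REQUEST_NAME, STARTTLS_OID.encode("ascii")))
    return tlv(TAG_SEQUENCE, ber_uint(TAG_INTEGER, message_id) + ext)


def build_starttls_response(message_id=1, result_code=0, diagnostic=""):
    """Server ExtendedResponse: LDAPResult fields, then responseName [10]."""
    result = (ber_uint(TAG_ENUMERATED, result_code)
              + tlv(TAG_OCTET_STRING, b"")                       # matchedDN
              + tlv(TAG_OCTET_STRING, diagnostic.encode("utf-8")))
    ext = tlv(TAG_EXTENDED_RESPONSE, result + tlv(TAG_RESPONSE_NAME, STARTTLS_OID.encode("ascii")))
    return tlv(TAG_SEQUENCE, ber_uint(TAG_INTEGER, message_id) + ext)


def parse_ldap_message(payload):
    """Decode one LDAPMessage; recognises StartTLS requests and responses."""
    tag, body, _ = read_tlv(payload)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(body)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    op_tag, op, _ = read_tlv(body, pos)
    info = {"message_id": int.from_bytes(mid, "big"), "op": op_tag}
    if op_tag == TAG_EXTENDED_REQUEST:
        tag, name, _ = read_tlv(op)
        info["request_name"] = name.decode("ascii") if tag == TAG_REQUEST_NAME else None
        info["starttls"] = info["request_name"] == STARTTLS_OID
    elif op_tag == TAG_EXTENDED_RESPONSE:
        _, code, pos = read_tlv(op)          # resultCode
        _, _, pos = read_tlv(op, pos)        # matchedDN (ignored here)
        _, diag, pos = read_tlv(op, pos)     # diagnosticMessage
        info["result_code"] = int.from_bytes(code, "big")
        info["diagnostic"] = diag.decode("utf-8", "replace")
        info["response_name"] = None
        while pos < len(op):                 # optional responseName / responseValue
            tag, val, pos = read_tlv(op, pos)
            if tag == TAG_RESPONSE_NAME:
                info["response_name"] = val.decode("ascii")
        info["starttls_ok"] = info["result_code"] == 0
    return info


def client_decision(response_payload, require_tls):
    """Mirror ldapsearch: -ZZ (require_tls) aborts when StartTLS fails,
    plain -Z warns and carries on over the unencrypted connection."""
    info = parse_ldap_message(response_payload)
    if info.get("starttls_ok"):
        return "tls-handshake"
    return "abort" if require_tls else "cleartext"


if __name__ == "__main__":
    assert build_starttls_request() == CAPTURED_STARTTLS_REQUEST
    print(parse_ldap_message(CAPTURED_STARTTLS_REQUEST))
    print(parse_ldap_message(build_starttls_response()))
```

The `client_decision` helper is the practical caveat: a single `-Z` only asks for StartTLS, and if the server answers with a non-zero resultCode ldapsearch prints a warning and sends the bind (including the `-w` password) in cleartext; use `-ZZ` so the search aborts instead. Passing the password with `-w` on the command line also leaves it in the process list and shell history; `-W` prompts for it. Newer OpenSSL releases can speak this exchange themselves with `openssl s_client -starttls ldap`, which avoids the bare-ClientHello-on-389 failure shown in the quoted output.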