hi, Is the server cert trusted on the client ? -- Best Regards,
Mubeesh Ali.V.M On Mon, Nov 22, 2010 at 3:50 AM, bluethundr <[email protected]> wrote: > I am attempting to setup SSL/TLS support on my openLDAP 2.4 server on FreeBSD. > > LBSD2# pkg_info | grep openldap > openldap-sasl-client-2.4.23 Open source LDAP client implementation > with SASL2 support > openldap-sasl-server-2.4.23 Open source LDAP server implementation > > I put my cert file, key file and CA certfile in a directory called > /usr/local/etc/openldap/cacerts > > Here's how it looks: > > [r...@lbsd2:/usr/local/etc/openldap/cacerts]#ls -l > total 48 > dr--r----- 2 root ldap 512 Nov 21 17:12 bak > -r--r----- 1 root ldap 1960 Nov 21 07:05 bsd2.summitnjhome.com.crt > -r--r----- 1 root ldap 4604 Nov 21 17:16 gd_bundle.crt > -r--r----- 1 root ldap 4689 Nov 21 18:59 sf_bundle.crt > -r--r----- 1 root ldap 1537 Nov 21 17:16 sf_issuing.crt > -r--r----- 1 root ldap 1090 Nov 21 12:29 slapd.csr > -r--r----- 1 root ldap 1743 Nov 21 12:26 slapd.key > -r--r----- 1 root ldap 1675 Nov 21 17:25 slapd.pem > > > My cert flie is a GoDaddy turbo-ssl certfile named > bsd2.summitnjhome.com.crt. slapd.key is the key file and slapd.pem is > the same thing only with the password removed. > > I'm a little unsure of which CA file to use but I think that > sf_issuing.crt _should_ work as this is the CA file that I used to > setup a similar SSL enabled LDAP server for a client recently. > Although I have tried all three CA files in this directory: > (gd_bundle.crt, sf_bundle.crt, and sf_issuing.crt). > > I put the various cert/key files into my slapd.conf file like this: > > LBSD2# cat slapd.conf | grep -i tls > ## TLS options for slapd > TLSCipherSuite HIGH:MEDIUM:+SSLv2 > TLSCertificateFile /usr/local/etc/openldap/cacerts/bsd2.summitnjhome.com.crt > TLSCertificateKeyFile /usr/local/etc/openldap/cacerts/slapd.pem > TLSCACertificateFile /usr/local/etc/openldap/cacerts/sf_issuing.crt > > > Slapd restarts cleanly! > > LBSD2# /usr/local/etc/rc.d/slapd restart > Stopping slapd. > Waiting for PIDS: 81924. > Starting slapd. > > > Then I attempt to setup a virtual instance of CentOS 5.5 on the client > side and that's where things fall apart...I attempt to ssh to > localhost as an LDAP account: > > [r...@virtcent08:/etc/openldap/cacerts]#ssh bluethu...@localhost > > [...tectonic plates drift, careers begin and end, babies learn to > walk, talk and grow to adulthood..] > > Connection closed by 127.0.0.1 > > [r...@virtcent08:/etc/openldap/cacerts]#getent passwd | grep ldapAccount > [same interminable wait as above] > > > This is what my /etc/ldap.conf file looks like on the client: > > [r...@virtcent08:/etc/openldap/cacerts]#cat /etc/ldap.conf > # Your LDAP server. Must be resolvable without using LDAP. > # Multiple hosts may be specified, each separated by a > # space. How long nss_ldap takes to failover depends on > # whether your LDAP client library supports configurable > # network or connect timeouts (see bind_timelimit). > #host 127.0.0.1 > # The distinguished name of the search base. > base dc=summitnjhome,dc=com > # stored in /etc/ldap.secret (mode 600) > #rootbinddn cn=manager,dc=example,dc=com > # The port. > # Optional: default is 389. > #port 389 > # Search timelimit > #timelimit 30 > timelimit 120 > # Bind/connect timelimit > #bind_timelimit 30 > bind_timelimit 120 > # Idle timelimit; client will close connections > # (nss_ldap only) if the server has not been contacted > # for the number of seconds specified below. > #idle_timelimit 3600 > idle_timelimit 3600 > # Netscape SDK LDAPS > #ssl on > # Netscape SDK SSL options > #sslpath /etc/ssl/certs > # OpenLDAP SSL mechanism > # start_tls mechanism uses the normal LDAP port, LDAPS typically 636 > #ssl start_tls > #ssl on > # OpenLDAP SSL options > # Require and verify server certificate (yes/no) > # Default is to use libldap's default behavior, which can be configured in > # /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for > # OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes". > #tls_checkpeer yes > # CA certificates for server certificate verification > # At least one of these are required if tls_checkpeer is "yes" > #tls_cacertfile /etc/ssl/ca.cert > #tls_cacertdir /etc/ssl/certs > # SSL cipher suite > # See man ciphers for syntax > #tls_ciphers TLSv1 > # Client certificate and key > # Use these, if your server requires client authentication. > #tls_cert > #tls_key > # SASL mechanism for PAM authentication - use is experimental > # at present and does not support password policy control > uri ldap://ldap.summitnjhome.com/ > ssl start_tls > tls_cacertdir /etc/openldap/cacerts > pam_password crypt > > This is how my nsswitch on the client side is setup: > > passwd: files ldap > shadow: files ldap > group: files ldap > > And here is the cert dir on my CentOS client: > > [r...@virtcent08:/etc/openldap/cacerts]#ls -l > total 72 > lrwxrwxrwx 1 root root 13 Nov 21 09:44 97552d04.0 -> gd_bundle.crt > lrwxrwxrwx 1 root root 14 Nov 21 09:44 b737b221.0 -> sf_issuing.crt > dr--r--r-- 2 root root 4096 Nov 21 2010 bak > -r--r--r-- 1 root root 1960 Nov 21 07:05 bsd2.summitnjhome.com.crt > lrwxrwxrwx 1 root root 25 Nov 21 09:44 c75be861.0 -> > bsd2.summitnjhome.com.crt > -r--r--r-- 1 root root 4604 Nov 21 2010 gd_bundle.crt > -r--r--r-- 1 root root 1537 Nov 21 2010 sf_issuing.crt > -r--r--r-- 1 root root 1090 Nov 21 12:29 slapd.csr > -r--r--r-- 1 root root 1743 Nov 21 12:26 slapd.key > -r--r--r-- 1 root root 1675 Nov 21 2010 slapd.pem > > > Back on the server side there is a lot of activity in the ldap logs > (here is an excerpt) > > Nov 21 20:21:38 LBSD2 slapd[81972]: daemon: read activity on 11 > Nov 21 20:21:38 LBSD2 slapd[81972]: daemon: select: listen=6 > active_threads=0 tvp=NULL > Nov 21 20:21:38 LBSD2 slapd[81972]: daemon: select: listen=7 > active_threads=0 tvp=NULL > Nov 21 20:21:38 LBSD2 slapd[81972]: connection_read(11): input > error=-2 id=1017, closing. > Nov 21 20:21:38 LBSD2 slapd[81972]: connection_closing: readying > conn=1017 sd=11 for close > Nov 21 20:21:38 LBSD2 slapd[81972]: daemon: activity on 1 descriptor > > I've encloses a more complete log file as an attachment. > > I then try to show the CA files with an openssl command. > > First with sf_issuing.crt - > > slapd.conf: > > TLSCACertificateFile /usr/local/etc/openldap/cacerts/sf_issuing.crt > > On the client: > > [r...@virtcent08:/etc/openldap/cacerts]#openssl s_client -connect > ldap.summitnjhome.com:389 -showcerts -CAfile sf_issuing.crt > CONNECTED(00000003) > 3143:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake > failure:s23_lib.c:188 > > > Next with sf_bundle.crt - > > slapd.conf: > > TLSCACertificateFile /usr/local/etc/openldap/cacerts/sf_bundle.crt > > > [r...@virtcent08:/etc/openldap/cacerts]#openssl s_client -connect > ldap.summitnjhome.com:389 -showcerts -CAfile sf_bundle.crt > 3149:error:02001002:system library:fopen:No such file or > directory:bss_file.c:122:fopen('sf_bundle.crt','r') > 3149:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125: > 3149:error:0B084002:x509 certificate > routines:X509_load_cert_crl_file:system lib:by_file.c:279: > CONNECTED(00000003) > 3149:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake > failure:s23_lib.c:188: > > Next with gd_bundle.crt - > > TLSCACertificateFile /usr/local/etc/openldap/cacerts/gd_bundle.crt > > [r...@virtcent08:/etc/openldap/cacerts]#openssl s_client -connect > ldap.summitnjhome.com:389 -showcerts -CAfile gd_bundle.crt > CONNECTED(00000003) > 3156:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake > failure:s23_lib.c:188: > > > Disabling TLS on the client side authentication works again! > > [r...@virtcent08:/etc/openldap/cacerts]#ssh bluethu...@localhost > bluethu...@localhost's password: > Last login: Sun Nov 21 09:41:34 2010 from 192.168.1.50 > ######################################################### > # SUMMITNJHOME.COM # > # TITLE: VIRTCENT08 BOX # > # LOCATION: SUMMIT BASEMENT # > # # > ######################################################### > > > Any thought on how to resolve the current situation would be most > appreciated! ;) > > > > > -- > Here's my RSA Public key: > gpg --keyserver pgp.mit.edu --recv-keys 5A4873A9 > > Share and enjoy!! > _______________________________________________ > [email protected] mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to "[email protected]" > _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[email protected]"
