[LDAP-interop] start tls fails for ldapsearch but works for pam_ldap, ldap_nss [SOLVED]

Doug Campbell doug at bpta.net
Wed Apr 6 23:00:28 EDT 2005


The reason I was having problems can be seen in my /etc/openldap/ldap.conf
file below.  I had the tls_cert and tls_key directives in there.  They are
NOT global configuration directives but should instead go in the user's
ldaprc or .ldaprc in the user's home directory.

Doug

> I am using FC3, OpenLDAP 2.2.24.
>
> I am trying to get start tls working.
>
> When I use the following:
>
> ldapsearch -x -h snoopy.swro.local -b "dc=swro,dc=local" -D
> "cn=Manager,dc=swro,dc=local" -W -ZZ -d 384
>
> I get the following error:
>
> request 1 done
> TLS: can't connect.
> ldap_start_tls: Connect error (-11)
>         additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3
> alert handshake failure
>
>
> Any ideas?  Also, even though I have TLSVerifyClient Demand set in
> slapd.conf, I found that I can successfully issue:
>
> ldapsearch -x -h snoopy.swro.local -b "dc=swro,dc=local" -D
> "cn=Manager,dc=swro,dc=local" -W
>
> I thought it "demand"ed that any client be verified.  Finally, since I tried
> it, I will mention that
>
> ldapsearch -x -h snoopy.swro.local -b "dc=swro,dc=local" -D
> "cn=Manager,dc=swro,dc=local" -W -Z
>
> produced the same error as the original above.
>
> I have the PADL (I think that is what it is called) stuff working and my
> server is now using LDAP over TLS to handle authentication.  Here is the
> /etc/ldap.conf file:
>
> # @(#)$Id: ldap.conf,v 1.28 2003/05/29 13:01:04 lukeh Exp $
> #
> # This is the configuration file for the LDAP nameservice
> # switch library and the LDAP PAM module.
> #
> # PADL Software
> # http://www.padl.com
> #
>
> # Your LDAP server. Must be resolvable without using LDAP.
> # Multiple hosts may be specified, each separated by a
> # space. How long nss_ldap takes to failover depends on
> # whether your LDAP client library supports configurable
> # network or connect timeouts (see bind_timelimit).
> host snoopy.swro.local
>
> # The distinguished name of the search base.
> base dc=swro,dc=local
>
> # The distinguished name to bind to the server with.
> # Optional: default is to bind anonymously.
> binddn cn=samba,ou=dsa,dc=swro,dc=local
>
> # The credentials to bind with.
> # Optional: default is no credential.
> bindpw xxxxxxxxxxxxxxx
>
> # The distinguished name to bind to the server with
> # if the effective user ID is root. Password is
> # stored in /etc/ldap.secret (mode 600)
> #rootbinddn cn=manager,dc=example,dc=com
> rootbinddn cn=Manager,dc=swro,dc=local
>
> # RFC2307bis naming contexts
> # Syntax:
> # nss_base_XXX		base?scope?filter
> # where scope is {base,one,sub}
> # and filter is a filter to be &'d with the
> # default filter.
> # You can omit the suffix eg:
> # nss_base_passwd	ou=People,
> # to append the default base DN but this
> # may incur a small performance impact.
> nss_base_passwd		dc=swro,dc=local?sub
> nss_base_shadow		dc=swro,dc=local?sub
> nss_base_group		ou=Groups,dc=swro,dc=local?one
>
> # OpenLDAP SSL options
> # Require and verify server certificate (yes/no)
> # Default is "no"
> tls_checkpeer yes
>
> # CA certificates for server certificate verification
> # At least one of these are required if tls_checkpeer is "yes"
> tls_cacert /usr/share/ssl/certs/ca.swro.local.pem
>
> # Client certificate and key
> # Use these, if your server requires client authentication.
> tls_cert   /usr/share/ssl/certs/ldap.pem
> tls_key    /usr/share/ssl/certs/ldap.key.pem
>
> # Security options
> ssl start_tls
> pam_password md5
>
>
> Here are my slapd.conf and my ldap.conf from my /etc/openldap directory:
>
> /etc/openldap/slapd.conf
>
> #
> # See slapd.conf(5) for details on configuration options.
> # This file should NOT be world readable.
> #
> include		/etc/openldap/schema/core.schema
> include		/etc/openldap/schema/cosine.schema
> include		/etc/openldap/schema/inetorgperson.schema
> include		/etc/openldap/schema/nis.schema
> include         /etc/openldap/schema/samba.schema
>
> # Allow LDAPv2 client connections.  This is NOT the default.
> #allow bind_v2
>
> pidfile		/var/run/slapd.pid
> argsfile	/var/run/slapd.args
>
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCACertificateFile /usr/share/ssl/certs/ca.swro.local.pem
> TLSCertificateFile /usr/share/ssl/certs/snoopy.swro.local.pem
> TLSCertificateKeyFile /usr/share/ssl/certs/snoopy.swro.local.key.pem
> TLSVerifyClient demand
>
> database	bdb
> suffix		"dc=swro,dc=local"
> rootdn		"cn=Manager,dc=swro,dc=local"
> rootpw		{SSHA}4wUu62dbwiuQlD31LF5k+SRsvVp1EtP/
> # The password for the above is 'nastyon3'
>
> # The database directory MUST exist prior to running slapd AND
> # should only be accessible by the slapd and slap tools.
> # Mode 700 recommended.
> directory	/var/lib/ldap
>
> [..snipped indices and ACLS..]
>
>
> /etc/openldap/ldap.conf
>
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
>
> 	never
> HOST snoopy.swro.local
> BASE dc=swro,dc=local
>
> tls_cert   /usr/share/ssl/certs/ldap.pem
> tls_key    /usr/share/ssl/certs/ldap.key.pem
>
> # CA certificates for server certificate verification
> # At least one of these are required if tls_checkpeer is "yes"
> tls_cacert /usr/share/ssl/certs/ca.swro.local.pem
>
>
>
>
> Here is a more detailed debug of the ldapsearch command:
>
>

_______________________________________________
LDAP-interop mailing list
LDAP-interop at fini.net
http://lists.fini.net/mailman/listinfo/ldap-interop
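The fix above comes down to a scoping rule in ldap.conf(5): TLS_CERT and TLS_KEY are honoured only from ldaprc / ~/.ldaprc, so when they sit in the system-wide /etc/openldap/ldap.conf ldapsearch starts the TLS handshake with no client certificate and a server running TLSVerifyClient demand rejects it. The following script is an added example, not code from the original post or from OpenLDAP: it lints a system-wide client config for user-only TLS directives and constructs sample files mirroring the poster's layout so it runs stand-alone. It assumes OpenLDAP 2.2 ldap.conf(5) semantics (case-insensitive directive names; TLS_CERT, TLS_KEY and TLS_RANDFILE user-only).

```shell
#!/bin/sh
# Added example (not from the original post or from OpenLDAP).
# Lints a system-wide OpenLDAP client config for directives that
# ldap.conf(5) treats as user-only. Assumption: OpenLDAP 2.2 semantics,
# where TLS_CERT, TLS_KEY and TLS_RANDFILE are read only from
# ldaprc / ~/.ldaprc, so leaving them in /etc/openldap/ldap.conf
# silently drops the client certificate from the StartTLS handshake.

USER_ONLY='TLS_CERT TLS_KEY TLS_RANDFILE'

# Print each user-only directive in FILE ($1), one per line, as
# "DIRECTIVE value" (directive upper-cased). Blank and comment lines skipped.
list_user_only() {
    while read -r key rest; do
        case $key in ''|\#*) continue ;; esac
        ukey=$(printf '%s' "$key" | tr '[:lower:]' '[:upper:]')
        for d in $USER_ONLY; do
            if [ "$ukey" = "$d" ]; then
                printf '%s %s\n' "$ukey" "$rest"
            fi
        done
    done < "$1"
}

# Number of user-only directives in FILE ($1); prints 0 when clean.
count_user_only() {
    list_user_only "$1" | wc -l | tr -d ' '
}

# Report user-only directives in a system-wide file. Returns 0 when the
# file contains only global directives, 1 otherwise.
check_global_ldap_conf() {
    n=$(count_user_only "$1")
    if [ "$n" -eq 0 ]; then
        printf '%s: ok, only global directives\n' "$1"
        return 0
    fi
    printf '%s: %s user-only directive(s); move these to ~/.ldaprc:\n' "$1" "$n"
    list_user_only "$1" | sed 's/^/    /'
    return 1
}

# Constructed sample files for a stand-alone run (paths copied from the
# poster's configuration; the files themselves are made up here).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
BAD_CONF=$SAMPLE_DIR/ldap.conf.as-posted
GOOD_CONF=$SAMPLE_DIR/ldap.conf.fixed
USER_RC=$SAMPLE_DIR/ldaprc

cat > "$BAD_CONF" <<'EOF'
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
HOST snoopy.swro.local
BASE dc=swro,dc=local

tls_cert   /usr/share/ssl/certs/ldap.pem
tls_key    /usr/share/ssl/certs/ldap.key.pem

# CA certificates for server certificate verification
tls_cacert /usr/share/ssl/certs/ca.swro.local.pem
EOF

cat > "$GOOD_CONF" <<'EOF'
# corrected /etc/openldap/ldap.conf: only global directives remain
HOST snoopy.swro.local
BASE dc=swro,dc=local
TLS_CACERT /usr/share/ssl/certs/ca.swro.local.pem
EOF

cat > "$USER_RC" <<'EOF'
# ~/.ldaprc: per-user client certificate and key for ldapsearch -ZZ
TLS_CERT /usr/share/ssl/certs/ldap.pem
TLS_KEY  /usr/share/ssl/certs/ldap.key.pem
EOF

# Demo run: the as-posted file is flagged, the corrected file passes.
check_global_ldap_conf "$BAD_CONF"
check_global_ldap_conf "$GOOD_CONF"
```

Run it as a plain `sh` script; on a real system, point `check_global_ldap_conf` at /etc/openldap/ldap.conf (the lint is read-only and changes nothing). Note that the TLS_CACERT directive stays global, which is why the pam_ldap/nss_ldap path kept working while only ldapsearch, which needed the per-user certificate, failed.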
