LDAP SSL Problems (was: service script (/etc/init.d/ldap))

Craig White craigwhite at azapple.com
Mon Nov 14 16:03:09 UTC 2005


On Mon, 2005-11-14 at 07:48 -0800, Daniel B. Thurman wrote:
> >From: fedora-list-bounces at redhat.com
> >[mailto:fedora-list-bounces at redhat.com]On Behalf Of Daniel B. Thurman
> >Sent: Monday, November 14, 2005 7:28 AM
> >To: For users of Fedora Core releases (E-mail)
> >Subject: LDAP service script (/etc/init.d/ldap)
> >
> >
> >
> >Hi Folks,
> >
> >I got ldap working but I am not able to get ldaps (secure) to work.
> >
> >I ran some tests:
> >
> >Simple auth, no encryption
> >====================
> >ldapsearch -H ldap://hostname/ -b dc=example,dc=com -x
> >
> >RESULTS: WORKS!
> >
> >Simple auth, SSL via LDAPS
> >======================
> >ldapsearch -H ldaps://hostname/ -b dc=example,dc=com -x
> >
> >RESULTS: FAIL: ldap_bind: Can't contact LDAP server (-1)
> >
> > - Ran slapd -d -1 : See no error hints
> > - Looked in /var/log/messages - nothing
> > - netstat -a : shows listener: ldaps
> >
> >If anyone has any suggestions, please let me know!
> >
> >Also, if anyone has any really good links on getting ldap/kerberos/ssl
> >working please let me know!
> >
> >Thanks
> >Dan
> >
> 
> Sorry folks about the bad subject line.  I fixed that.
> 
> I wanted to add more information:
> 
> openssl s_client -CAfile /etc/openldap/cacerts/ldapCA.pem -connect ldap.cdkkt.com:636
> CONNECTED(00000003)
> depth=1 /C=US/ST=Oregon/L=Beaverton/O=DBT And Associates/OU=ldap/CN=ldap.cdkkt.com/emailAddress=admin at cdkkt.com
> verify return:1
> depth=0 /C=US/ST=Oregon/L=Beaverton/O=DBT And Associates/OU=ldap/CN=ldap.cdkkt.com/emailAddress=admin at cdkkt.com
> verify return:1
> ---
> Certificate chain
>  0 s:/C=US/ST=Oregon/L=Beaverton/O=DBT And Associates/OU=ldap/CN=ldap.cdkkt.com/emailAddress=admin at cdkkt.com
>    i:/C=US/ST=Oregon/L=Beaverton/O=DBT And Associates/OU=ldap/CN=ldap.cdkkt.com/emailAddress=admin at cdkkt.com
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIID0zCCAzygAwIBAgIBATANBgkqhkiG9w0BAQQFADCBlzELMAkGA1UEBhMCVVMx
> DzANBgNVBAgTBk9yZWdvbjESMBAGA1UEBxMJQmVhdmVydG9uMRswGQYDVQQKExJE
> QlQgQW5kIEFzc29jaWF0ZXMxDTALBgNVBAsTBGxkYXAxFzAVBgNVBAMTDmxkYXAu
> Y2Rra3QuY29tMR4wHAYJKoZIhvcNAQkBFg9hZG1pbkBjZGtrdC5jb20wHhcNMDUx
> MTEzMjM1NjA4WhcNMDYxMTEzMjM1NjA4WjCBlzELMAkGA1UEBhMCVVMxDzANBgNV
> BAgTBk9yZWdvbjESMBAGA1UEBxMJQmVhdmVydG9uMRswGQYDVQQKExJEQlQgQW5k
> IEFzc29jaWF0ZXMxDTALBgNVBAsTBGxkYXAxFzAVBgNVBAMTDmxkYXAuY2Rra3Qu
> Y29tMR4wHAYJKoZIhvcNAQkBFg9hZG1pbkBjZGtrdC5jb20wgZ8wDQYJKoZIhvcN
> AQEBBQADgY0AMIGJAoGBAO17IIZe1fv3KGrM+bACxMPeqC+Y0ncsGM7lrAObSYTw
> QlQfsF4fDnBhPrEgyYS5BD7CV5ETyBdUmQfVcs/l5G5AjhAmMUF4POieBwJWsW/I
> hTN+nWPn1Reu6WcqpliU1Jqz5bxy17IOT93Ah/Qnrh9KNVALZ6ZoK0iRirReINIl
> AgMBAAGjggErMIIBJzAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NM
> IEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUmpJK9I5ZX77qgL1p/RSJ
> 9I5MtQ8wgcwGA1UdIwSBxDCBwYAU65DeeNVXt8w3GKUqoF10LK1kf4ahgZ2kgZow
> gZcxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIEwZPcmVnb24xEjAQBgNVBAcTCUJlYXZl
> cnRvbjEbMBkGA1UEChMSREJUIEFuZCBBc3NvY2lhdGVzMQ0wCwYDVQQLEwRsZGFw
> MRcwFQYDVQQDEw5sZGFwLmNka2t0LmNvbTEeMBwGCSqGSIb3DQEJARYPYWRtaW5A
> Y2Rra3QuY29tggkApfBH0A0Oy+kwDQYJKoZIhvcNAQEEBQADgYEAC+Y21AFYLdVB
> psK+4IDVA2+rv8G0pGy+jO4FH+GbKGZbSzCFGPdKigpvDatCxGIndkw8LN58In92
> 4By4U95NvYLLCjdc1DtIDMxEjTNTWwkEjKy/Nkn2vblJp8lrIrHJGimcapimr4zx
> ui4CfJBXtrV3bc2Zp20eaLRgVciv+fU=
> -----END CERTIFICATE-----
> subject=/C=US/ST=Oregon/L=Beaverton/O=DBT And Associates/OU=ldap/CN=ldap.cdkkt.com/emailAddress=admin at cdkkt.com
> issuer=/C=US/ST=Oregon/L=Beaverton/O=DBT And Associates/OU=ldap/CN=ldap.cdkkt.com/emailAddress=admin at cdkkt.com
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1145 bytes and written 340 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 1024 bit
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : AES256-SHA
>     Session-ID: EEEC2E025097267E2E39E129A1130FDA7921D57F86C4D8CC94CE4D7CBF712865
>     Session-ID-ctx:
>     Master-Key: 28ACBE74CC2972246E9E1039D182643652DC2CC1F91333F68B700F22318C93CCB881A287BEF91AC498B2068C7DFAB39F
>     Key-Arg   : None
>     Krb5 Principal: None
>     Start Time: 1131983082
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> ---
> 
> *****  HANGS HERE!!!!!
> 
> So, from the test it looks like there is a problem.  Anyone
> care to comment???
----
Guessing that you probably need some TLS_REQCERT type of entry in
slapd.conf and perhaps an entry in ~/.ldaprc for user stuff.

Craig


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
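Added example, not code from either poster. The s_client output above is a complete, verified handshake (Verify return code: 0); s_client then sits waiting for input on stdin, which is what looks like a hang. The usual reason ldapsearch still fails with "Can't contact LDAP server (-1)" is that the client library has no TLS_CACERT and, with the default TLS_REQCERT demand, aborts when it cannot verify the server certificate. The quick "fix" people reach for is TLS_REQCERT never in /etc/openldap/ldap.conf or ~/.ldaprc, which makes the bind succeed by accepting any certificate at all. The script below audits a client config for exactly that, using constructed sample configs; the CA path (the one passed to -CAfile above) and host names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an OpenLDAP client config
# (/etc/openldap/ldap.conf or ~/.ldaprc) for TLS settings that make an
# ldaps:// bind "work" by switching off server-certificate verification.
# Reads the config on stdin, prints one line per finding, returns 0 when
# the server certificate will be verified and 1 otherwise.
# The CA path and host names in the sample configs are assumptions.

audit_ldap_tls() {
    stripped=$(sed -e 's/#.*//')   # drop comments; keywords are case-insensitive

    # Last occurrence wins, as in ldap.conf itself.
    reqcert=$(printf '%s\n' "$stripped" |
        awk 'toupper($1)=="TLS_REQCERT"{v=tolower($2)} END{print v}')
    cacert=$(printf '%s\n' "$stripped" |
        awk 'toupper($1)=="TLS_CACERT"||toupper($1)=="TLS_CACERTDIR"{v=$2} END{print v}')

    rc=0
    case "$reqcert" in
        never|allow)
            echo "WEAK: TLS_REQCERT $reqcert accepts any server certificate, so the bind is not authenticated"
            rc=1 ;;
        try)
            echo "WEAK: TLS_REQCERT try continues when the server presents no certificate"
            rc=1 ;;
        ""|demand|hard)
            : ;;   # demand is the default: a bad or missing certificate aborts the session
        *)
            echo "WARN: unrecognised TLS_REQCERT value '$reqcert'"
            rc=1 ;;
    esac

    if [ -z "$cacert" ]; then
        echo "MISSING: no TLS_CACERT or TLS_CACERTDIR, so the server certificate cannot chain to a trusted CA"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: server certificate is verified against $cacert"
    return "$rc"
}

# Constructed sample configs (not from the original post).
# The tempting "fix": the bind succeeds, but so would a man-in-the-middle.
WEAK_CFG='BASE dc=example,dc=com
URI ldaps://ldap.example.com/
TLS_REQCERT never'

# The correct fix: point the client at the same CA file that made
# openssl s_client -CAfile report "Verify return code: 0 (ok)".
GOOD_CFG='BASE dc=example,dc=com
URI ldaps://ldap.example.com/
TLS_CACERT /etc/openldap/cacerts/ldapCA.pem
TLS_REQCERT demand'

# Default reqcert (demand) with no CA configured: verification fails and
# the client drops the connection instead of binding.
NOCA_CFG='BASE dc=example,dc=com
URI ldaps://ldap.example.com/'

printf '%s\n' "$WEAK_CFG" | audit_ldap_tls || true
printf '%s\n' "$GOOD_CFG" | audit_ldap_tls || true
printf '%s\n' "$NOCA_CFG" | audit_ldap_tls || true
```

Run it as `audit_ldap_tls < /etc/openldap/ldap.conf` (and again against ~/.ldaprc, which overrides the system file). The server side is separate: slapd's own TLSCertificateFile/TLSCACertificateFile in slapd.conf decide what is presented on port 636, while TLS_REQCERT only ever controls how strictly the client checks it.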
