Persuading openldap to work with SSL on Ubuntu with cn=config

Posted by Roger on Server Fault See other posts from Server Fault or by Roger
Published on 2011-08-23T19:04:41Z Indexed on 2012/12/10 23:06 UTC
Read the original article Hit count: 494

Filed under:
|
|
|
|

I simply cannot get this (TLS connection to openldap) to work and would appreciate some assistance.

I have a working openldap server on ubuntu 10.04 LTS, it is configured to use cn=config and most of the info I can find for TLS seems to use the older slapd.conf file :-(

I've been largely following the instructions here https://help.ubuntu.com/10.04/serverguide/C/openldap-server.html plus stuff I've read here and elsewhere - which of course could be part of the problem as I don't totally understand all of this yet!

I have created an ssl.ldif file as follows;

dn:cn=config

add: olcTLSCipherSuite
olcTLSCipherSuite: TLSV1+RSA:!NULL
add: olcTLSCRLCheck
olcTLSCRLCheck: none
add: olcTLSVerifyClient
olcTLSVerifyClient: never
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/ldap_cacert.pem
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/my.domain.com_slapd_cert.pem
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/my.domain.com_slapd_key.pem

and I import it using the following command line

ldapmodify -x -D cn=admin,dc=mydomain,dc=com -W -f ssl.ldif

I have edited /etc/default/slapd so that it has the following services line;

SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"

And everytime I'm making a change, I'm restarting slapd with /etc/init.d/slapd restart

The following command line to test out the non TLS connection works fine;

ldapsearch -d 9 -D cn=admin,dc=mydomain,dc=com -w mypassword \
-b dc=mydomain,dc=com -H "ldap://mydomain.com" "cn=roger*"

But when I switch to ldaps using this command line;

ldapsearch -d 9 -D cn=admin,dc=mydomain,dc=com -w mypassword \
-b dc=mydomain,dc=com -H "ldaps://mydomain.com" "cn=roger*"

This is what I get;

ldap_url_parse_ext(ldaps://mydomain.com)
ldap_create
ldap_url_parse_ext(ldaps://mydomain.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP mydomain.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: can't connect: A TLS packet with unexpected length was received..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Now if I check netstat -al I can see;

tcp        0      0 *:www                   *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 *:https                 *:*                     LISTEN
tcp        0      0 *:ldaps                 *:*                     LISTEN
tcp        0      0 *:ldap                  *:*                     LISTEN

I'm not sure if this is significant as well ... I suspect it is;

openssl s_client -connect mydomain.com:636 -showcerts
CONNECTED(00000003)
916:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

I think I've made all my certificates etc OK and here are the results of some checks;

If I do this;

certtool -e --infile /etc/ssl/certs/ldap_cacert.pem

I get Chain verification output: Verified.

certtool -e --infile /etc/ssl/certs/mydomain.com_slapd_cert.pem

Gives "certtool: the last certificate is not self signed" but it otherwise seems OK?

Where have I gone wrong? Surely getting openldap to run securely on ubuntu should be easy and not require a degree in rocket science!

Any ideas?

© Server Fault or respective owner

Related posts about linux

Related posts about ubuntu