Persuading openldap to work with SSL on Ubuntu with cn=config
- by Roger
I simply cannot get this (TLS connection to openldap) to work and would appreciate some assistance.
I have a working openldap server on ubuntu 10.04 LTS, it is configured to use cn=config and most of the info I can find for TLS seems to use the older slapd.conf file :-(
I've been largely following the instructions here https://help.ubuntu.com/10.04/serverguide/C/openldap-server.html plus stuff I've read here and elsewhere - which of course could be part of the problem as I don't totally understand all of this yet!
I have created an ssl.ldif file as follows;
dn:cn=config
add: olcTLSCipherSuite
olcTLSCipherSuite: TLSV1+RSA:!NULL
add: olcTLSCRLCheck
olcTLSCRLCheck: none
add: olcTLSVerifyClient
olcTLSVerifyClient: never
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/ldap_cacert.pem
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/my.domain.com_slapd_cert.pem
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/my.domain.com_slapd_key.pem
and I import it using the following command line
ldapmodify -x -D cn=admin,dc=mydomain,dc=com -W -f ssl.ldif
I have edited /etc/default/slapd so that it has the following services line;
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
And everytime I'm making a change, I'm restarting slapd with /etc/init.d/slapd restart
The following command line to test out the non TLS connection works fine;
ldapsearch -d 9 -D cn=admin,dc=mydomain,dc=com -w mypassword \
-b dc=mydomain,dc=com -H "ldap://mydomain.com" "cn=roger*"
But when I switch to ldaps using this command line;
ldapsearch -d 9 -D cn=admin,dc=mydomain,dc=com -w mypassword \
-b dc=mydomain,dc=com -H "ldaps://mydomain.com" "cn=roger*"
This is what I get;
ldap_url_parse_ext(ldaps://mydomain.com)
ldap_create
ldap_url_parse_ext(ldaps://mydomain.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP mydomain.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: can't connect: A TLS packet with unexpected length was received..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Now if I check netstat -al I can see;
tcp 0 0 *:www *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 *:https *:* LISTEN
tcp 0 0 *:ldaps *:* LISTEN
tcp 0 0 *:ldap *:* LISTEN
I'm not sure if this is significant as well ... I suspect it is;
openssl s_client -connect mydomain.com:636 -showcerts
CONNECTED(00000003)
916:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
I think I've made all my certificates etc OK and here are the results of some checks;
If I do this;
certtool -e --infile /etc/ssl/certs/ldap_cacert.pem
I get Chain verification output: Verified.
certtool -e --infile /etc/ssl/certs/mydomain.com_slapd_cert.pem
Gives "certtool: the last certificate is not self signed" but it otherwise seems OK?
Where have I gone wrong? Surely getting openldap to run securely on ubuntu should be easy and not require a degree in rocket science!
Any ideas?
