# openLDAP + ssl

## Joper

Hi!

Please help me solve a problem with OpenLDAP and SSL!

I think the problem is in the LDAP configuration (but I do not understand where), since the certificates are working.

Because openssl itself connects without problems:

```
# openssl s_client -connect padonag.moscow.ximxim.com:636 -cert /etc/ca/padonag-cert.pem -key /etc/ca/padonag-privkey.pem
CONNECTED(00000003)
depth=1 /C=RU/ST=Russia/O=XIM/OU=Moscow/CN=Chlorum
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=RU/ST=Russia/O=XIM/OU=Moscow/CN=padonag.moscow.ximxim.com
   i:/C=RU/ST=Russia/O=XIM/OU=Moscow/CN=Chlorum
 1 s:/C=RU/ST=Russia/O=XIM/OU=Moscow/CN=Chlorum
   i:/C=RU/ST=Russia/O=XIM/OU=Moscow/CN=Chlorum
---
Server certificate
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxx
xxxxxxxxxxxx
xxxxxxxxxxxx
xxxxxxxxxxxx
xxxxxxxxxxxx==
-----END CERTIFICATE-----
subject=/C=RU/ST=Russia/O=XIM/OU=Moscow/CN=padonag.moscow.ximxim.com
issuer=/C=RU/ST=Russia/O=XIM/OU=Moscow/CN=Chlorum
---
Acceptable client certificate CA names
/C=RU/ST=Russia/O=XIM/OU=Moscow/CN=Chlorum
---
SSL handshake has read 1761 bytes and written 1245 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 10540B498D2EDFE6AA21ABA4D7EA8A6CE802C98B216BE28E722DDB597E04E8BA
    Session-ID-ctx:
    Master-Key: 0ECD9FC7135861AD8D6F2EB39942D1D82B93219C1B0194B74251C161C1D2E2B81BC86D5DE99314C9F71F9BD6DA50D2F2
    Key-Arg   : None
    Start Time: 1196866829
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
```

But when attempting to connect to the LDAP server, the following happens:

```
# ldapsearch -D "cn=ldapadmin,dc=moscow,dc=ximxim,dc=com" -W -d 255
ldap_create
Enter LDAP Password:
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP padonag.moscow.ximxim.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
tls_write: want=142, written=142
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=7
0000: 16 03 01 00 4a 02 00                               ....J..
tls_read: want=72, got=72
TLS trace: SSL_connect:SSLv3 read server hello A
tls_read: want=5, got=5
0000: 16 03 01 05 ec                                     .....
tls_read: want=1516, got=1516
TLS certificate verification: depth: 1, err: 0, subject: /C=RU/ST=Russia/O=XIM/OU=Moscow/CN=Chlorum, issuer: /C=RU/ST=Russia/O=XIM/OU=Moscow/CN=Chlorum
TLS certificate verification: depth: 0, err: 0, subject: /C=RU/ST=Russia/O=XIM/OU=Moscow/CN=padonag.moscow.ximxim.com, issuer: /C=RU/ST=Russia/O=XIM/OU=Moscow/CN=Chlorum
TLS trace: SSL_connect:SSLv3 read server certificate A
tls_read: want=5, got=5
0000: 16 03 01 00 61                                     ....a
tls_read: want=97, got=97
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
tls_write: want=210, written=210
0000: 16 03 01 00 07 0b 00 00 03 00 00 00 16 03 01 00   ................
TLS trace: SSL_connect:SSLv3 flush data
tls_read: want=5, got=5
0000: 15 03 01 00 02                                     .....
tls_read: want=2, got=2
0000: 02 28                                              .(
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
```

LDAP's log:

```
Dec  7 14:17:55 padonag slapd[30170]: conn=0 fd=16 ACCEPT from IP=192.168.1.222:54227 (IP=0.0.0.0:636)
Dec  7 14:17:55 padonag slapd[30170]: conn=0 fd=16 closed (TLS negotiation failure)
```

ssldump on the LDAP server:

```
# ssldump -i eth0
New TCP connection #1: 192.168.1.222(54228) <-> 192.168.1.221(636)
1 1  0.0067 (0.0067)  C>S SSLv2 compatible client hello
  Version 3.1
  cipher suites
  Unknown value 0x39
  Unknown value 0x38
  Unknown value 0x35
  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  TLS_RSA_WITH_3DES_EDE_CBC_SHA
  SSL2_CK_3DES
  Unknown value 0x33
  Unknown value 0x32
  Unknown value 0x2f
  TLS_RSA_WITH_IDEA_CBC_SHA
  SSL2_CK_IDEA
  SSL2_CK_RC2
  TLS_RSA_WITH_RC4_128_SHA
  TLS_RSA_WITH_RC4_128_MD5
  SSL2_CK_RC4
  TLS_DHE_RSA_WITH_DES_CBC_SHA
  TLS_DHE_DSS_WITH_DES_CBC_SHA
  TLS_RSA_WITH_DES_CBC_SHA
  SSL2_CK_DES
  TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
  TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
  TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
  TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
  SSL2_CK_RC2_EXPORT40
  TLS_RSA_EXPORT_WITH_RC4_40_MD5
  SSL2_CK_RC4_EXPORT40
1 2  0.0070 (0.0002)  S>C  Handshake
      ServerHello
        Version 3.1
        session_id[32]=
          e6 0e d4 28 c2 d4 40 09 6f 61 df de 8b f1 a8 6b
          ac d7 7b 6c ca b0 42 1e 04 4c 81 35 ce 83 85 a0
        cipherSuite         Unknown value 0x35
        compressionMethod                   NULL
1 3  0.0070 (0.0000)  S>C  Handshake
      Certificate
1 4  0.0070 (0.0000)  S>C  Handshake
      CertificateRequest
        certificate_types                   rsa_sign
        certificate_types                   dss_sign
Segmentation fault
```

My configs:

/etc/openldap/ldap.conf

```
# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=moscow,dc=ximxim,dc=com
URI     ldaps://padonag.moscow.ximxim.com

TLS_CACERT /etc/openldap/ssl/padonag-cacert.pem
#TLS_CERT /etc/openldap/ssl/padonag-cert.pem
#TLS_KEY /etc/openldap/ssl/padonag-privkey.pem
TLS_REQCERT allow

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
```

Fragment of /etc/openldap/slapd.conf:

```
# Define SSL and TLS properties (optional)
TLSCipherSuite         HIGH:MEDIUM:+SSLv2:+TLSv1
TLSCertificateFile /etc/openldap/ssl/padonag-cert.pem
TLSCertificateKeyFile /etc/openldap/ssl/padonag-privkey.pem
TLSCACertificateFile /etc/openldap/ssl/padonag-cacert.pem
TLSVerifyClient demand
```

/etc/ldap.conf

```
tls_cacertfile /etc/openldap/ssl/padonag-cacert.pem
tls_cert /etc/openldap/ssl/padonag-cert.pem
tls_key /etc/openldap/ssl/padonag-privkey.pem
tls_cacertdir /etc/openldap/ssl
ssl on

BASE    dc=moscow,dc=ximxim,dc=com
URI     ldaps://padonag.moscow.ximxim.com/
ldap_version 3

nss_reconnect_tries 4                   # number of times to double the sleep time
nss_reconnect_sleeptime 1               # initial sleep value
nss_reconnect_maxsleeptime 16           # max sleep value to cap at
nss_reconnect_maxconntries 2            # how many tries before sleeping
```

And without SSL everything works normally...

Last edited by Joper on Mon Dec 10, 2007 11:21 am; edited 2 times in total
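
Added example (not from the original thread): a small TLS 1.0 record decoder run over the bytes quoted in the ldapsearch trace above, the client's Certificate message `0b 00 00 03 00 00 00` and the server's alert `02 28`, which shows that the client presented an empty certificate list and the server answered with a fatal handshake_failure, which is what a slapd with `TLSVerifyClient demand` does when the client side has no TLS_CERT/TLS_KEY configured (in the ldap.conf above both lines are commented out, whereas the working s_client test passed -cert and -key explicitly). The ChangeCipherSpec record and the opaque 48-byte Finished record in the client flight are constructed placeholders, not bytes from the trace.

```python
"""Decode the TLS 1.0 records quoted in the ldapsearch -d 255 trace above."""
import struct
from typing import Dict, List, Tuple

# Identifiers from RFC 2246 (TLS 1.0); only the ones this trace needs.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake"}
HANDSHAKE_TYPES = {11: "certificate", 13: "certificate_request",
                   14: "server_hello_done", 16: "client_key_exchange"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca"}

# Bytes copied from the trace: the client's Certificate record (first record of
# the 210-byte write) and the 5 + 2 alert bytes read back before "TLS: can't connect."
CLIENT_CERTIFICATE_RECORD = bytes.fromhex("16 03 01 00 07 0b 00 00 03 00 00 00")
SERVER_ALERT_RECORD = bytes.fromhex("15 03 01 00 02 02 28")
# Constructed placeholders: ChangeCipherSpec and an opaque 48-byte Finished record.
CHANGE_CIPHER_SPEC_RECORD = bytes.fromhex("14 03 01 00 01 01")
ENCRYPTED_FINISHED_RECORD = bytes.fromhex("16 03 01 00 30") + bytes(48)

def split_records(data: bytes) -> List[Tuple[int, int, bytes]]:
    """Split a byte stream into (content_type, version, fragment) records."""
    records, offset = [], 0
    while offset < len(data):
        if offset + 5 > len(data):
            raise ValueError("truncated record header")
        ctype, version, length = struct.unpack("!BHH", data[offset:offset + 5])
        fragment = data[offset + 5:offset + 5 + length]
        if len(fragment) != length:
            raise ValueError("truncated record fragment")
        records.append((ctype, version, fragment))
        offset += 5 + length
    return records

def parse_certificate_body(body: bytes) -> List[bytes]:
    """Parse a Certificate handshake body: a 24-bit certificate_list length, then
    24-bit-length-prefixed DER blobs. An empty list means the client sent no cert."""
    list_len = int.from_bytes(body[:3], "big")
    if len(body) != 3 + list_len:
        raise ValueError("certificate_list length mismatch")
    certs, pos = [], 3
    while pos < len(body):
        cert_len = int.from_bytes(body[pos:pos + 3], "big")
        certs.append(body[pos + 3:pos + 3 + cert_len])
        pos += 3 + cert_len
    return certs

def decode_flight(data: bytes) -> List[Dict[str, object]]:
    """Describe each record of one flight. After a ChangeCipherSpec the remaining
    records are encrypted, so only their size is reported."""
    events, encrypted = [], False
    for ctype, version, frag in split_records(data):
        ev: Dict[str, object] = {"type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
                                 "version": f"{version >> 8}.{version & 0xFF}"}
        if encrypted:
            ev["encrypted_bytes"] = len(frag)
        elif ctype == 20:
            encrypted = True
        elif ctype == 21 and len(frag) == 2:
            ev["level"] = ALERT_LEVELS.get(frag[0], str(frag[0]))
            ev["description"] = ALERT_DESCRIPTIONS.get(frag[1], str(frag[1]))
        elif ctype == 22 and len(frag) >= 4:
            msg_type, msg_len = frag[0], int.from_bytes(frag[1:4], "big")
            ev["message"] = HANDSHAKE_TYPES.get(msg_type, f"unknown({msg_type})")
            if msg_type == 11:
                ev["certificates"] = len(parse_certificate_body(frag[4:4 + msg_len]))
        events.append(ev)
    return events

def diagnose(client_flight: bytes, server_reply: bytes) -> str:
    """Name the pattern a TLSVerifyClient demand server produces when the client
    offers no certificate: empty Certificate message, then fatal handshake_failure."""
    client = decode_flight(client_flight)
    sent = [e["certificates"] for e in client if e.get("message") == "certificate"]
    fatal = any(e.get("level") == "fatal" and e.get("description") == "handshake_failure"
                for e in decode_flight(server_reply))
    if sent == [0] and fatal:
        return "client sent an empty Certificate message; server replied fatal handshake_failure"
    return "pattern not found"

if __name__ == "__main__":
    flight = CLIENT_CERTIFICATE_RECORD + CHANGE_CIPHER_SPEC_RECORD + ENCRYPTED_FINISHED_RECORD
    for event in decode_flight(flight) + decode_flight(SERVER_ALERT_RECORD):
        print(event)
    print(diagnose(flight, SERVER_ALERT_RECORD))
```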

----------

## Joper

UP

----------

## Joper

up

----------

## dialsc

hi,

first check your /etc/openldap/slapd.conf if you really need all clients to be authenticated using a certificate. If not, set TLSVerifyClient to anything else, e.g. try.

then, the log says that you have started a SASL session when connecting to the LDAP server. did you configure SASL? if not, add the -x switch to your ldapsearch command, which tells the ldapclient to perform a simple bind, not a SASL-enabled one which uses TLS. as I see from your /etc/ldap.conf you are telling the ldapClient to connect to the server using ldaps. this is an SSL connection, but missing the -x switch the client connects using TLS - as mentioned - and this will never work as you cannot talk TLS over SSL.

furthermore I see that you are using the same certificate in both configuration files, the server (/etc/openldap/slapd.conf) and the client (/etc/ldap.conf). I'm not sure, but I think this is wrong and will not work properly. pointing the ldapClient CA certificate settings to the same CA certificate data as the server should be ok, as it is needed to verify the server's certificate when connecting to it.

please try again using this information.

hth,

dialsc

----------

## Joper

*dialsc wrote:*

> hi,
> 
> first check your /etc/openldap/slapd.conf if you really need all clients to be authenticated using a certificate. If not, set TLSVerifyClient to anything else, e.g. try.
> 
> then, the log says that you have started a SASL session when connecting to the LDAP server. did you configure SASL? if not, add the -x switch to your ldapsearch command, which tells the ldapclient to perform a simple bind, not a SASL-enabled one which uses TLS. as I see from your /etc/ldap.conf you are telling the ldapClient to connect to the server using ldaps. this is an SSL connection, but missing the -x switch the client connects using TLS - as mentioned - and this will never work as you cannot talk TLS over SSL.
> ...


Thanks for the information. But I still do not understand the mechanism of working in secured mode very well.

And too many HOWTOs write absolutely different things.

You wrote that the configuration of the client is stored in /etc/ldap.conf, but in my case it is stored in /etc/openldap/ldap.conf, and /etc/ldap.conf belongs to the nss_ldap package.

Could you simply give examples of working configs with support for certificates and SSL (so it will be easier for me to understand)? Because I have been struggling with this for the 3rd week and still have not understood how it should be.

----------

## dialsc

hi,

first of all, a little information.

when connecting to the LDAP server there are four mechanisms which can be used in general.

Simple Bind, which is to authenticate using the DN of the user and its password without any encryption

Simple Bind over SSL (the old standard way -> ldaps://...)

Simple Bind over TLS (the newer encryption standard -> ldap://... !!!!!!)

SASL (another authentication method which offers the possibility to authenticate and authorize using different users, always working over TLS)

a few words on the certificates. you will have to create your own Certification Authority and have your LDAP server certificate signed by it in order to get things working properly. After creating the CA you will have a (mostly called) cacert.pem CA certificate, which is to be used as the certificate for the TLSCACertificateFile parameter in your slapd.conf and ldap.conf configuration files. Then, after creating the CA, you need to create the server certificate, sign it with the CA and use it as the certificate for the TLSCertificateFile parameter.

Having the server certificate signed by the CA is important because the client will check if the server's certificate has been signed by the CA the client's CA settings point to (the CA certificate).

There are a lot of very good howtos describing how to do that.

Here are some links:

http://sandbox.rulemaker.net/ngps/m2/howto.ca.html

http://www.openssl.org/docs/HOWTO/certificates.txt

http://www.gtlib.cc.gatech.edu/pub/linux/docs/HOWTO/other-formats/html_single/SSL-Certificates-HOWTO.html#AEN160

You will find so many howtos by just searching on google, so I will not list more here.

The really important thing is that your certificates are valid and the certificate chain is working properly.

Please make sure that all the certificate/CA related stuff is working properly before you go on configuring OpenLDAP!

as long as you do not intend to use PAM bind to LDAP, which uses nss_ldap, forget the /etc/ldap.conf.

please look at the following /etc/openldap/slapd.conf (and read the comments!)

```
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# This will probably not be enough. You will have to include more schemas.
include      /etc/openldap/schema/core.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral   ldap://root.openldap.org

# Check that these path definitions meet your environment.
pidfile   /var/run/openldap/slapd.pid
argsfile   /var/run/openldap/slapd.args

# Load dynamic backend modules:
# modulepath   /usr/lib/openldap/openldap
# moduleload   back_sql.so
# moduleload   back_shell.so
# moduleload   back_relay.so
# moduleload   back_perl.so
# moduleload   back_passwd.so
# moduleload   back_null.so
# moduleload   back_monitor.so
# moduleload   back_meta.so
# moduleload   back_hdb.so
# moduleload   back_dnssrv.so

# Sample security restrictions
#   Require integrity protection (prevent hijacking)
#   Require 112-bit (3DES or better) encryption for updates
#   Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#   Root DSE: allow anyone to read it
#   Subschema (sub)entry DSE: allow anyone to read it
#   Other DSEs:
#      Allow self write access
#      Allow authenticated users read access
#      Allow anonymous users to authenticate
#   Directives needed to implement policy:
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
   by self write
   by users read
   by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

# Define SSL and TLS properties (optional)
#
# TIP: Create a specific folder, e.g. /data/pki/certs
# and store your certificates there to have them all
# located under the same path.
# Then, for ldap, create the subfolder ldap and put the
# certificates there.
#
# Only define the cipher suite if you really know what you are doing:
# TLSCipherSuite         HIGH:MEDIUM:+SSLv2:+TLSv1
TLSCertificateFile /etc/openldap/ssl/padonag-cert.pem
TLSCertificateKeyFile /etc/openldap/ssl/padonag-privkey.pem
TLSCACertificateFile /etc/openldap/ssl/padonag-cacert.pem
# This should probably be "allow" or "try" until you want to force
# certificate-based client authentication:
# TLSVerifyClient demand

#######################################################################
# BDB database definitions
#######################################################################

database   bdb
suffix      "dc=moscow,dc=ximxim,dc=com"
# checkpoint <kbyte> <min>
checkpoint   1024   5
# This entry will not exist in your DIT but is always available.
rootdn      "cn=LdapManager,dc=moscow,dc=ximxim,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# Replace with your own very secret password.
rootpw      secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
# Check that this meets your environment.
directory   /var/lib/openldap-data
# Indices to maintain
index   objectClass   eq
index   cn      pres,sub,eq
index   uid      pres,sub,eq
index   memberUID   eq
index   uniqueMember   eq
```

now look at this /etc/openldap/ldap.conf

```
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=local,dc=site
BASE   dc=moscow,dc=ximxim,dc=com
URI   ldap://padonag.moscow.ximxim.com

#SIZELIMIT   12
#TIMELIMIT   15
#DEREF      never

TLS_CACERT   /etc/openldap/ssl/padonag-cacert.pem
TLS_REQCERT   try

SASL_MECH       digest-md5
```

these two configuration files should work properly. but as I'm using OpenLDAP's configuration within the DIT, thus not the slapd.conf anymore, one or two things might be incorrect. but in general it should be ok.

please note that within the ldap.conf the URI is defined not to use SSL. specify the URI to use through the -H parameter (e.g. -H ldaps://padonag.moscow.ximxim.com) to force connecting to the server using SSL when testing your installation. after everything works well, change the configuration settings. furthermore forget the SASL_MECH parameter in the ldap.conf. this will come into play when configuring SASL, if you ever do.

One more note to make things easier:

Create a special directory for all the CA/certificates stuff, e.g. /data/pki. Under this put your CA folder (e.g. /data/pki/demoCA). then create another subfolder /data/pki/certs and put one subfolder for every service into it -> /data/pki/certs/ldap. now put all the certificate data used by your LDAP server (server-cert.pem, server-cert-key.pem, whatever) into this folder and point the configuration settings to these files. This will help you keep your certificate related data manageable.

OK, coming here I hope you will get things up and running now; please let me know in either case.

greez,

dialsc

----------

## Joper

Dialsc, thank you for the additional information. I have understood a lot.

But I probably have not explained the problem so well. Encryption alone is not enough for me. It is necessary that without a certificate it would be impossible to connect.

The slapd debug says the following:

*Quote:*

> ...........
> TLS trace: SSL3 alert write:fatal:handshake failure
> ...


----------

## Joper

up

----------

## dialsc

joper,

taking a look at your initial post I figured out further that you use the same certificate for the ldapServer and the ldapClient, do you?

you have to create and sign a new client certificate to use for the LDAP client.

try creating one and use it within your /etc/openldap/ldap.conf configuration file, so that it gets used by the ldapClient.

does this work?

greez,

dialsc

----------

## Joper

Yes, that was the case. But besides that, I tried to connect from another machine, with another certificate (signed by the CA certificate). Result - the same.

As I have understood, for a TLS connection the port ldap:// (389) is used. But for some reason, when attempting to connect on this port, the server does not ask for certificates (it authorizes at once), though in /etc/openldap/slapd.conf TLSVerifyClient demand is specified.

Could you, if it is not too complicated, try to configure client authorization with certificates on your side? And, if it works out, show your configs.

----------

## Joper

up

----------

## dialsc

joper,

sorry for answering that late, but I'm a bit short of time at the moment.

anyway, may I ask you to compare your configuration(s) and settings and so on with the instructions of the howto which is to be found under http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html?

as I'm not able to change my whole installation in order to help you with this problem (sorry for that), it would be a good base to do further investigations on your problem.

one question I ask you to answer is: what did you use for the common name of the client certificate?

have a nice day, and if you do not find the time to answer soon, merry christmas!

greez,

dialsc

----------

