# [SOLVED] Openldap and ssl

## elmar283

I am following the guide on http://www.gentoo-wiki.info/OpenLDAP.

I first tried the guide on http://www.gentoo.org/doc/en/ldap-howto.xml but that also didn't work out. 

This is what I want to achieve: 

- I want to run an openldap server and put my addresses in there. I don't need to connect to an other ldap-server. 

- From there I want to use my mailprograms to access that ldap-server. 

- my domain is: eotter1979.xs4all.nl, so I assume on ldap this would be: "dc=eotter1979,dc=xs4all,dc=nl" 

- my username is: masterserver: "ou=masterserver"? 

- My cn is now root, but I would like it to be "elmarotter" when everything works 

I already posted before on https://forums.gentoo.org/viewtopic-t-940624-highlight-ldap.html

I was able to solve that problem. See that post for my config files.

Now I'm having problems with ssl and ldapsearch. There doesn't seem to be ssl support.

I also have a mailserver (postfix) with ssl/tls working as it should. When I try ldapsearch on port 443 it all works fine, but on the ldap port 636 I have no luck.

Does anyone know how I can make this work?

When I run:

```
ldapsearch -Hldap://eotter1979.xs4all.nl -b "" -s base -Omaxssf=0
```

I get:

```
SASL/DIGEST-MD5 authentication started
Please enter your password: 
ldap_sasl_interactive_bind_s: Invalid credentials (49)
   additional info: SASL(-13): user not found: no secret in database
```

And when I try:

```
openssl s_client -connect eotter1979.xs4all.nl:636 -CAfile /etc/ssl/ldap.pem
```

I get:

```
CONNECTED(00000003)
1389700744:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 211 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
```

Last edited by elmar283 on Sat Oct 27, 2012 9:37 am; edited 1 time in total

----------

## vaxbrat

You should repost your current ldap.conf and slapd.conf files on this thread for convenience.

One of the first things I've noticed is that you have posted only cert settings in your slapd.conf but not any other security settings (eg TLS_CIPHER_SUITE and possibly sasl settings).  I've been in the process of playing with ldap myself and have successfully gotten local security working via Kerberos tickets and SASL/GSSAPI to do ldapsearch without having to specify the -x switch.  However I haven't gotten into using secured sockets and certs with openldap yet.  Instead I got sidetracked into using the Fedora 389 directory server to try to get some sort of samba/ldap thing going with some gui's that allow convenient user management, etc.  The thing is that 389 DS descends from the old netscape enterprise server and uses a whole different set of mechanisms for security.

----------

## elmar283

Here are my config files:

```
elmarotter@masterserver ~ $ sudo cat /etc/openldap/slapd.conf
Wachtwoord: 
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include      /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral   ldap://root.openldap.org
pidfile      /var/run/openldap/slapd.pid
argsfile   /var/run/openldap/slapd.args
# Load dynamic backend modules:
modulepath   /usr/lib/openldap/openldap
# moduleload   back_sock.so
# moduleload   back_shell.so
# moduleload   back_relay.so
# moduleload   back_perl.so
# moduleload   back_passwd.so
# moduleload   back_null.so
# moduleload   back_monitor.so
# moduleload   back_meta.so
# moduleload   back_ldap.so
# moduleload   back_dnssrv.so
moduleload    back_hdb.so
# Sample security restrictions
#   Require integrity protection (prevent hijacking)
#   Require 112-bit (3DES or better) encryption for updates
#   Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
#   Root DSE: allow anyone to read it
#   Subschema (sub)entry DSE: allow anyone to read it
#   Other DSEs:
#      Allow self write access
#      Allow authenticated users read access
#      Allow anonymous users to authenticate
#   Directives needed to implement policy:
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
   by self write
   by users read
   by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
database   hdb
suffix      "dc=eotter1979,dc=xs4all,dc=nl"
#         <kbyte> <min>
checkpoint   32   30 
rootdn      "cn=Manager,dc=eotter1979,dc=xs4all,dc=nl"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw      <deleted>
# The database directory MUST exist prior to running slapd AND 
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory   /var/lib/openldap-data
# Indices to maintain
index   objectClass   eq
```

```
elmarotter@masterserver ~ $ sudo cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE   dc=eotter1979,dc=xs4all,dc=nl
URI   ldap://eotter1979.xs4all.nl
#URI   ldap://ldap.example.com ldap://ldap-master.example.com:666
TLS_REQUEST     allow
TLS_CERT        /etc/ssl/ldap.pem
TLS_KEY         /etc/openldap/ldap-key.pem
#SIZELIMIT   12
#TIMELIMIT   15
#DEREF      never
```

```
elmarotter@masterserver /etc/openldap $ ls -lah /etc/openldap/
totaal 56K
drwxr-xr-x   4 root root 4,0K 25 okt 22:40 .
drwxr-xr-x 115 root root  12K 27 okt 09:00 ..
-rw-------   1 root root  845 25 okt 22:37 DB_CONFIG.example
-rw-r--r--   1 root root  388 25 okt 22:53 ldap.conf
-rw-r--r--   1 root root  245 25 okt 22:37 ldap.conf.default
-rw-r--r--   1 root root  916 25 okt 22:41 ldap-key.pem
drwxr-xr-x   2 root root 4,0K 25 okt 22:38 schema
-rw-r-----   1 root ldap 2,6K 25 okt 23:08 slapd.conf
-rw-r-----   1 root ldap 2,3K 25 okt 22:38 slapd.conf.default
-rw-------   1 root root 2,6K 25 okt 22:37 slapd.ldif
-rw-------   1 root root 2,6K 25 okt 22:37 slapd.ldif.default
drwxr-xr-x   2 root root 4,0K 25 okt 22:39 ssl
```

```
elmarotter@masterserver /etc/openldap $ ls -lah /etc/ssl/
totaal 72K
drwxr-xr-x   8 root root 4,0K 25 okt 22:41 .
drwxr-xr-x 115 root root  12K 27 okt 09:00 ..
drwxr-xr-x   2 root root 4,0K 30 mei  2011 apache2
drwxr-xr-x   2 root root  20K 29 sep 16:48 certs
-rw-r--r--   1 root root 1,1K 25 okt 22:41 ldap.pem
drwxr-xr-x   4 root root 4,0K 29 sep 16:47 misc
drwxr-xr-x   2 root root 4,0K 24 okt 18:54 nginx
-rw-r--r--   1 root root  11K  4 mei 22:52 openssl.cnf
drwxr-xr-x   2 root root 4,0K  3 jun  2011 postfix
drwx------   2 root root 4,0K 29 sep 16:47 private
```

```
elmarotter@masterserver /etc/openldap $ emerge -pv openldap
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild   R    ] net-nds/openldap-2.4.30  USE="berkdb crypt ipv6 perl samba sasl ssl syslog tcpd -cxx -debug -experimental -gnutls -icu -iodbc -kerberos -minimal -odbc -overlays (-selinux) -slp -smbkrb5passwd" 5,323 kB
Total: 1 package (1 reinstall), Size of downloads: 5,323 kB
```

----------

## elmar283

*Quote:*

> One of the first things I've noticed is that you have posted only cert settings in your slapd.conf but not any other security settings (eg TLS_CIPHER_SUITE and possibly sasl settings).

What should I add there? The wiki only speaks of the following:

http://www.gentoo-wiki.info/OpenLDAP#Enable_TLS

```
Enable TLS
File: /etc/openldap/ldap.conf
BASE    dc=myserver,dc=mydomain,dc=org
URI     ldap://myserver.mydomain.org
TLS_REQUEST     allow
TLS_CERT        /etc/ssl/ldap.pem
TLS_KEY         /etc/openldap/ldap-key.pem
#TLS_REQCERT     never
```

----------

## elmar283

I found the following website:

http://www.zytrax.com/books/ldap/ch6/ldap-conf.html

I followed the instructions and tried two ways:

One:

```
elmarotter@masterserver /etc/openldap $ cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE   dc=eotter1979,dc=xs4all,dc=nl
URI   ldap://eotter1979.xs4all.nl
#URI   ldap://ldap.example.com ldap://ldap-master.example.com:666
TLS_REQUEST     allow
TLS_CERT        /etc/ssl/ldap.pem
TLS_KEY         /etc/openldap/ldap-key.pem
TLS_CACERT   /etc/ssl/ldap.pem
openssl ciphers -v ALL
#SIZELIMIT   12
#TIMELIMIT   15
#DEREF      never
```

Result:

```
elmarotter@masterserver /etc/openldap $ openssl s_client -connect eotter1979.xs4all.nl:636 -CAfile /etc/ssl/ldap.pem
CONNECTED(00000003)
1349801608:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:658:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 211 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
```

Two:

```
elmarotter@masterserver /etc/openldap $ cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE   dc=eotter1979,dc=xs4all,dc=nl
URI   ldap://eotter1979.xs4all.nl
#URI   ldap://ldap.example.com ldap://ldap-master.example.com:666
TLS_REQUEST     allow
TLS_CERT        /etc/ssl/ldap.pem
TLS_KEY         /etc/openldap/ldap-key.pem
TLS_CACERT   /etc/ssl/ldap.pem
#openssl ciphers -v ALL
# Cipher-list contains only RSA based
# authentication and key-exchange suites 
# supported by TLSv1 (and SSLv3)
TLS_CIPHER_SUITE TLSv1+RSA
# Cipher-list contains only RSA based
# authentication and key-exchange suites 
# supported by TLSv1 (and SSLv3)
# excludes EXPORT and NULL suites
TLS_CIPHER_SUITE TLSv1+RSA:!EXPORT:!NULL
# Ordered list of RSA based
# authentication and key-exchange suites
TLS_CIPHER_SUITE DES-CBC-SHA:DES-CBC3-SHA:RC4-SHA:RC4-MD5
# All ciphers excluding NULL
TLS_CIPHER_SUITE ALL:!NULL
# Default equivalent value if not defined
TLS_CIPHER_SUITE ALL
#SIZELIMIT   12
#TIMELIMIT   15
#DEREF      never
```

Result:

```
elmarotter@masterserver /etc/openldap $ openssl s_client -connect eotter1979.xs4all.nl:636 -CAfile /etc/ssl/ldap.pem
CONNECTED(00000003)
1357117064:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:658:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 211 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
```

It seems that openssl just isn't supported. These are the ciphers that are supported.

```
elmarotter@masterserver /etc/openldap $ openssl ciphers -v ALL
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(256) Mac=SHA1
AECDH-AES256-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
ADH-CAMELLIA256-SHA     SSLv3 Kx=DH       Au=None Enc=Camellia(256) Mac=SHA1
ECDH-RSA-AES256-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA1
ECDH-ECDSA-AES256-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
PSK-AES256-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH     Au=RSA  Enc=3DES(168) Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH     Au=ECDSA Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
AECDH-DES-CBC3-SHA      SSLv3 Kx=ECDH     Au=None Enc=3DES(168) Mac=SHA1
ADH-DES-CBC3-SHA        SSLv3 Kx=DH       Au=None Enc=3DES(168) Mac=SHA1
ECDH-RSA-DES-CBC3-SHA   SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
ECDH-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5 
PSK-3DES-EDE-CBC-SHA    SSLv3 Kx=PSK      Au=PSK  Enc=3DES(168) Mac=SHA1
ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
DHE-RSA-SEED-SHA        SSLv3 Kx=DH       Au=RSA  Enc=SEED(128) Mac=SHA1
DHE-DSS-SEED-SHA        SSLv3 Kx=DH       Au=DSS  Enc=SEED(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1
DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(128) Mac=SHA1
AECDH-AES128-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(128)  Mac=SHA1
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
ADH-SEED-SHA            SSLv3 Kx=DH       Au=None Enc=SEED(128) Mac=SHA1
ADH-CAMELLIA128-SHA     SSLv3 Kx=DH       Au=None Enc=Camellia(128) Mac=SHA1
ECDH-RSA-AES128-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA1
ECDH-ECDSA-AES128-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
SEED-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=SEED(128) Mac=SHA1
CAMELLIA128-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA1
IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
IDEA-CBC-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=MD5 
RC2-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5 
PSK-AES128-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA1
ECDHE-RSA-RC4-SHA       SSLv3 Kx=ECDH     Au=RSA  Enc=RC4(128)  Mac=SHA1
ECDHE-ECDSA-RC4-SHA     SSLv3 Kx=ECDH     Au=ECDSA Enc=RC4(128)  Mac=SHA1
AECDH-RC4-SHA           SSLv3 Kx=ECDH     Au=None Enc=RC4(128)  Mac=SHA1
ADH-RC4-MD5             SSLv3 Kx=DH       Au=None Enc=RC4(128)  Mac=MD5 
ECDH-RSA-RC4-SHA        SSLv3 Kx=ECDH/RSA Au=ECDH Enc=RC4(128)  Mac=SHA1
ECDH-ECDSA-RC4-SHA      SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=RC4(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5 
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5 
PSK-RC4-SHA             SSLv3 Kx=PSK      Au=PSK  Enc=RC4(128)  Mac=SHA1
EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)   Mac=SHA1
EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Au=DSS  Enc=DES(56)   Mac=SHA1
ADH-DES-CBC-SHA         SSLv3 Kx=DH       Au=None Enc=DES(56)   Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
DES-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=MD5 
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=DSS  Enc=DES(40)   Mac=SHA1 export
EXP-ADH-DES-CBC-SHA     SSLv3 Kx=DH(512)  Au=None Enc=DES(40)   Mac=SHA1 export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-ADH-RC4-MD5         SSLv3 Kx=DH(512)  Au=None Enc=RC4(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
```

And when I try the 443 port I do have some success. But that is not what I want. Could this indicate that openldap isn't listening on port 639?

```
elmarotter@masterserver /etc/openldap $ openssl s_client -connect eotter1979.xs4all.nl:443 -CAfile /etc/ssl/ldap.pem
CONNECTED(00000003)
depth=0 C = NL, ST = Friesland, L = Leeuwarden, O = eotter1979.xs4all.nl, CN = eotter1979.xs4all.nl, emailAddress = elmarotter@eotter1979.xs4all.nl
verify error:num=18:self signed certificate
verify return:1
depth=0 C = NL, ST = Friesland, L = Leeuwarden, O = eotter1979.xs4all.nl, CN = eotter1979.xs4all.nl, emailAddress = elmarotter@eotter1979.xs4all.nl
verify return:1
---
Certificate chain
 0 s:/C=NL/ST=Friesland/L=Leeuwarden/O=eotter1979.xs4all.nl/CN=eotter1979.xs4all.nl/emailAddress=elmarotter@eotter1979.xs4all.nl
   i:/C=NL/ST=Friesland/L=Leeuwarden/O=eotter1979.xs4all.nl/CN=eotter1979.xs4all.nl/emailAddress=elmarotter@eotter1979.xs4all.nl
---
Server certificate
-----BEGIN CERTIFICATE-----
<deleted>
-----END CERTIFICATE-----
subject=/C=NL/ST=Friesland/L=Leeuwarden/O=eotter1979.xs4all.nl/CN=eotter1979.xs4all.nl/emailAddress=elmarotter@eotter1979.xs4all.nl
issuer=/C=NL/ST=Friesland/L=Leeuwarden/O=eotter1979.xs4all.nl/CN=eotter1979.xs4all.nl/emailAddress=elmarotter@eotter1979.xs4all.nl
---
No client certificate CA names sent
---
SSL handshake has read 1459 bytes and written 409 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 4C12B0B9FFDD361DB791B3CEE28D02109D81C70F2B3859741A63CC32B225FF3A
    Session-ID-ctx: 
    Master-Key: <deleted>
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket:
    <deleted>
    Compression: 1 (zlib compression)
    Start Time: 1351326826
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
```

----------

## elmar283

I think that I've solved the problem by following this guide:

http://www.zytrax.com/books/ldap/ch15/#tls

I created a new cert and a new key:

```
elmarotter@masterserver ~ $ cd /etc/openldap/
mkdir /certs
mkdir /certs/keys
cd certs
# create server/CA cert and private key without passphrase
# valid for 10 years using current RSA recommendations for key size
# RSA is used as the key-exchange protocol
openssl req -x509 -nodes -days 3650 -newkey rsa:2048  -keyout keys/ldapskey.pem -out ldapscert.pem
# leaves the cert in 
# cert may used as a server or CA cert)
# certs/ldapscert.pem 
# leaves the private key in 
# certs/keys/ldapskey.pem
# set permissions
chown -R ldap:ldap /certs/*
chmod 0400 certs/keys/ldapskey.pem
```

Then my config files:

```
elmarotter@masterserver /etc/openldap $ sudo cat /etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include      /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral   ldap://root.openldap.org
pidfile      /var/run/openldap/slapd.pid
argsfile   /var/run/openldap/slapd.args
# Load dynamic backend modules:
modulepath   /usr/lib/openldap/openldap
# moduleload   back_sock.so
# moduleload   back_shell.so
# moduleload   back_relay.so
# moduleload   back_perl.so
# moduleload   back_passwd.so
# moduleload   back_null.so
# moduleload   back_monitor.so
# moduleload   back_meta.so
# moduleload   back_ldap.so
# moduleload   back_dnssrv.so
moduleload    back_hdb.so
# Sample security restrictions
#   Require integrity protection (prevent hijacking)
#   Require 112-bit (3DES or better) encryption for updates
#   Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
#   Root DSE: allow anyone to read it
#   Subschema (sub)entry DSE: allow anyone to read it
#   Other DSEs:
#      Allow self write access
#      Allow authenticated users read access
#      Allow anonymous users to authenticate
#   Directives needed to implement policy:
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
   by self write
   by users read
   by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
database   hdb
suffix      "dc=eotter1979,dc=xs4all,dc=nl"
#         <kbyte> <min>
checkpoint   32   30 
rootdn      "cn=Manager,dc=eotter1979,dc=xs4all,dc=nl"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw      <deleted>
# The database directory MUST exist prior to running slapd AND 
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory   /var/lib/openldap-data
# Indices to maintain
index   objectClass   eq
# Security - TLS section
TLSCertificateFile /etc/openldap/certs/ldapscert.pem
TLSCertificateKeyFile /etc/openldap/certs/keys/ldapskey.pem
TLSCipherSuite TLSv1+RSA:!NULL
# the following directive is the default but 
# is explicitly included for visibility reasons
TLSVerifyClient never
```

```
elmarotter@masterserver /etc/openldap $ sudo cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE   dc=eotter1979,dc=xs4all,dc=nl
URI   ldap://eotter1979.xs4all.nl
#URI   ldap://ldap.example.com ldap://ldap-master.example.com:666
TLS_REQUEST     allow
TLS_CERT        /etc/openldap/certs/ldapscert.pem
TLS_KEY         /etc/openldap/certs/keys/ldapkey.pem
TLS_CACERT   /etc/openldap/certs/ldapscert.pem
#openssl ciphers -v ALL
# Cipher-list contains only RSA based
# authentication and key-exchange suites 
# supported by TLSv1 (and SSLv3)
TLS_CIPHER_SUITE TLSv1+RSA
# Cipher-list contains only RSA based
# authentication and key-exchange suites 
# supported by TLSv1 (and SSLv3)
# excludes EXPORT and NULL suites
TLS_CIPHER_SUITE TLSv1+RSA:!EXPORT:!NULL
# Ordered list of RSA based
# authentication and key-exchange suites
TLS_CIPHER_SUITE DES-CBC-SHA:DES-CBC3-SHA:RC4-SHA:RC4-MD5
# All ciphers excluding NULL
TLS_CIPHER_SUITE ALL:!NULL
# Default equivalent value if not defined
TLS_CIPHER_SUITE ALL
#SIZELIMIT   12
#TIMELIMIT   15
#DEREF      never
```

I restarted slapd:

```
elmarotter@masterserver /etc/openldap $ sudo /etc/init.d/slapd restart
 * Stopping ldap-server ...                                   [ ok ]
 * Starting ldap-server ...    
```

Then:

```
elmarotter@masterserver /etc/openldap $ openssl s_client -connect eotter1979.xs4all.nl:636 -CAfile /etc/openldap/certs/ldapscert.pem
CONNECTED(00000003)
depth=0 C = NL, ST = Friesland, L = Leeuwarden, O = eotter1979.xs4all.nl, CN = eotter1979.xs4all.nl, emailAddress = <deleted>
verify return:1
---
Certificate chain
 0 s:/C=NL/ST=Friesland/L=Leeuwarden/O=eotter1979.xs4all.nl/CN=eotter1979.xs4all.nl/emailAddress=<deleted>
   i:/C=NL/ST=Friesland/L=Leeuwarden/O=eotter1979.xs4all.nl/CN=eotter1979.xs4all.nl/emailAddress=<deleted>
---
Server certificate
-----BEGIN CERTIFICATE-----
<deleted>
-----END CERTIFICATE-----
subject=/C=NL/ST=Friesland/L=Leeuwarden/O=eotter1979.xs4all.nl/CN=eotter1979.xs4all.nl/emailAddress=<deleted>
issuer=/C=NL/ST=Friesland/L=Leeuwarden/O=eotter1979.xs4all.nl/CN=eotter1979.xs4all.nl/emailAddress=<deleted>
---
No client certificate CA names sent
---
SSL handshake has read 1365 bytes and written 537 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 03F019CFDF00491B82EB3003C548620E7749B03C4EB057030369F1C26804750E
    Session-ID-ctx: 
    Master-Key: <deleted>
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket:
   <deleted>
    Compression: 1 (zlib compression)
    Start Time: 1351328179
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
```
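An added example, not from the thread or from the guides it links: a POSIX sh script that automates the `openssl s_client` check above and turns the transcript into a verdict that maps back to the slapd.conf and ldap.conf settings discussed in the thread. The host, port and CA path are assumed defaults taken from the thread; set LDAP_HOST, LDAP_PORT and CA_FILE to override them.

```shell
#!/bin/sh
# Added example (not the thread's own commands): re-run the s_client check
# after each config change and classify what came back.
# Assumed defaults lifted from the thread; override in the environment.
LDAP_HOST="${LDAP_HOST:-eotter1979.xs4all.nl}"
LDAP_PORT="${LDAP_PORT:-636}"
CA_FILE="${CA_FILE:-/etc/openldap/certs/ldapscert.pem}"

# classify_handshake: read an s_client transcript on stdin, print one word
# and return a matching status:
#   NO_LISTENER (4)  no "CONNECTED" line: nothing accepted the TCP connection
#   NO_TLS      (1)  connected but "Cipher is (NONE)": slapd has no usable
#                    TLSCertificateFile/TLSCertificateKeyFile (the thread's
#                    "ssl handshake failure" before the fix)
#   WEAK_CIPHER (2)  handshake done with an export, NULL, anonymous, RC4 or
#                    single-DES suite, i.e. TLSCipherSuite should be tightened
#   UNVERIFIED  (3)  handshake done but the server cert does not verify
#                    against CA_FILE (e.g. "18 (self signed certificate)")
#   OK          (0)  handshake done and "Verify return code: 0 (ok)"
classify_handshake() {
    transcript=$(cat)
    case "$transcript" in
        *CONNECTED*) ;;
        *) echo NO_LISTENER; return 4 ;;
    esac
    cipher=$(printf '%s\n' "$transcript" | sed -n 's/^New, .*Cipher is //p' | head -n 1)
    code=$(printf '%s\n' "$transcript" \
        | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1)
    case "$cipher" in
        ''|'(NONE)')
            echo NO_TLS; return 1 ;;
        # DES-CBC3-* (3DES) deliberately does not match the single-DES patterns
        EXP-*|NULL-*|*-NULL-*|ADH-*|AECDH-*|*RC4*|DES-CBC-*|*-DES-CBC-*)
            echo WEAK_CIPHER; return 2 ;;
    esac
    if [ "$code" = "0" ]; then
        echo OK; return 0
    fi
    echo UNVERIFIED; return 3
}

# probe_ldaps: run s_client against $LDAP_HOST:$LDAP_PORT with $CA_FILE and
# classify the result. stdin from /dev/null makes s_client exit right after
# the handshake instead of waiting for LDAP traffic.
probe_ldaps() {
    transcript=$(openssl s_client -connect "$LDAP_HOST:$LDAP_PORT" \
        -CAfile "$CA_FILE" </dev/null 2>&1 || true)
    verdict=$(printf '%s\n' "$transcript" | classify_handshake)
    rc=$?
    echo "$LDAP_HOST:$LDAP_PORT -> $verdict"
    return $rc
}

# Only touch the network when asked, so the functions can be sourced and tested.
case "${1:-}" in
    --probe) probe_ldaps ;;
esac
```

Run it as `sh probe_ldaps.sh --probe` on the server after restarting slapd; the exit status lets it sit in a cron job or a post-deploy check.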

----------

## bensimons

*elmar283 wrote:*

> I think that I've solved the problem by following this guide:
> 
> http://www.zytrax.com/books/ldap/ch15

Brilliant. Thank-you.

This is a very good guide. It is detailed, technically correct, disciplined in what to get working first, and quite funny in parts.

PS. Minor note: there are some (obvious) typos with the leading '/' on the dir-names in the 'mkdir' commands, i.e. you'd really want to:

```
mkdir -p /etc/openldap/certs/keys
cd /etc/openldap/certs
openssl ...
```

----------

