# [SOLVED] LDAP - SASL - Kerberos - Certificate problem

## trupoet

Hey all

I've been trying to set up LDAPS from Linux to AD (Win2k3). LDAP itself works just fine with simple authentication. I have Kerberos installed and have a ticket showing up when I do a klist.

My problem seems to be with my certificate or configuring my certificate. Basically, I've had the Windows Admin export the certificate from the dc server I am querying for LDAP and have put that cert in /etc/ldap/cacerts. 

I'm trying to get this to work with PHP eventually but right now, just using ldapsearch to verify first.

Running something like:

```sh
ldapsearch -v -H ldaps://serverdc.domain.com -D "CN=user,OU=ou,DC=domain,DC=com" -W -Y GSSAPI
```

The GSSAPI is what implements Kerberos 5 supposedly. Anyways, it prompts me for the PW and then throws the following error:

```
ldap_initialize( <DEFAULT> )
Enter LDAP Password:
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
```

Now if I use ldap:// instead of ldaps:// and throw in a -x for simple authentication, it authenticates just fine (just not encrypted obviously).

So I've searched Google and also looked at the big long post on AD / Samba / LDAP integration here on the Gentoo forums, and the situation seems to keep being that you:

1. Create a certificate

2. Sign the certificate

3. Create a key for it

What I don't get is what I'm supposed to do if I didn't create the certificate, since it's from the AD domain controller. And how would I get the key and/or CA to go with the cer file? I've looked at the cert itself and it is legitimate, not even self-signed.

I've heard a lot of people saying to set up ldap.conf with TLS_CERTREQ never, but when I do that, I get the following error:

```
ldap_initialize( <DEFAULT> )
Enter LDAP Password:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Inappropriate authentication (48)
        additional info: 00002029: LdapErr: DSID-0C09016D, comment: Cannot start kerberos signing/sealing when using TLS/SSL, data 0, vece
```

So it seems to me that it shouldn't even be erroring on the certificate in the first place if I can't use TLS/SSL while using Kerberos. I've taken all my TLS commands out of /etc/ldap.conf (which is symlinked to /etc/openldap/ldap.conf as well) including the one pointing to the cert and still get the error about certificate verify failing. Yet do I even need a certificate in the first place if I'm using Kerberos?

I think part of my problem is that I don't fully understand how certificates, CAs and keys work.

Any help would be appreciated. Thanks

Last edited by trupoet on Thu Apr 06, 2006 9:19 pm; edited 1 time in total

----------

## converter

openssl is probably rejecting the host cert because it is from an unknown Certificate Authority (CA).

See this page for information on debugging OpenLDAP client SSL/TLS connections:

http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#6.1

You can run ldapsearch with the -d n option, where n is the debug level. I'm not certain which level or combination of levels to use, but they're documented here (slapd and ldapsearch use the same debug options):

http://www.openldap.org/doc/admin21/runningslapd.html

----------

## trupoet

Thanks a ton

I've been looking at this all day now and getting farther and farther with it. 

Ended up stracing through and finding that ldapsearch kept wanting to look for an .ldaprc.

So I went through the process of creating my own CA, cert, and key and addressed them in my .ldaprc.

ldapsearch -d for debugging was $$$ thanks a ton for that. I should have looked that up better.

Now I'm finding out by using openssl s_client that it's not my certificate that's being screwy, but the Win2k3 AD server's cert instead.

s_client keeps returning:

```
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0
verify error:num=27:certificate not trusted
verify return:1
depth=0
verify error:num=21:unable to verify the first certificate
verify return:1
```

and then at the very end:

```
Verify return code: 21 (unable to verify the first certificate)
```

The weird thing is the server's cert looks legit to me, fully VeriSigned and all that from what I can tell. Do I need something on my end that knows about the server's CAs still to do a successful SSL handshake or something? Like export the root cert from AD and add it to the end of my CA cert on my Linux box?
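The s_client check described in this post, scripted as an added example (not part of the thread): it runs the handshake against a chosen CA file and decodes the verify codes 20, 27 and 21 that appear above. The host name, the CA file path /etc/ldap/cacerts/ad-root.pem (assumed to hold the exported AD root certificate in PEM) and the sample transcripts are assumptions or constructed; the code meanings are OpenSSL's own X509_V_ERR_* definitions.

```shell
#!/bin/sh
# Added example (not from this thread): verify an LDAPS server's certificate chain with
# openssl s_client against a chosen CA file and decode the X509 verify codes it reports.
# Assumed values: host name and CA file path; the CA file is the AD root certificate in PEM.
LDAP_HOST="${LDAP_HOST:-serverdc.domain.com}"
CA_FILE="${CA_FILE:-/etc/ldap/cacerts/ad-root.pem}"

# Live probe (needs network access to port 636): run the TLS handshake with -CAfile so
# verification uses only the chosen CA, and print the full s_client transcript.
probe_ldaps() {
    printf 'Q\n' | openssl s_client -connect "$1:636" -CAfile "$2" -showcerts 2>/dev/null
}

# Pull the numeric "Verify return code" out of an s_client transcript read from stdin.
verify_code() {
    sed -n 's/^Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# Decode the codes seen in this thread (names are OpenSSL's X509_V_ERR_* constants).
explain_code() {
    case "$1" in
        0)  echo "0 ok: the chain verifies against the CA file" ;;
        20) echo "20 UNABLE_TO_GET_ISSUER_CERT_LOCALLY: the issuer of the server cert is not in the CA file" ;;
        21) echo "21 UNABLE_TO_VERIFY_LEAF_SIGNATURE: only the server cert was sent and its issuer is unknown, so nothing can be verified" ;;
        27) echo "27 CERT_UNTRUSTED: the root was found but is not marked trusted for this purpose" ;;
        *)  echo "$1: see verify(1) for the X509_V_ERR_* meaning" ;;
    esac
}

# Constructed sample: the tail of a transcript like the one quoted in this post.
SAMPLE_UNTRUSTED='depth=0
verify error:num=21:unable to verify the first certificate
verify return:1
---
Verify return code: 21 (unable to verify the first certificate)'

# Constructed sample: what the same probe prints once the issuing CA is in CA_FILE.
SAMPLE_OK='Verify return code: 0 (ok)'

# Decode a stored transcript; used for the offline check below.
check_transcript() {
    printf '%s\n' "$1" | verify_code
}

# Only hit the network when asked: PROBE=1 ./ldaps-check.sh
if [ "${PROBE:-0}" = 1 ]; then
    code=$(probe_ldaps "$LDAP_HOST" "$CA_FILE" | verify_code)
    explain_code "${code:-unknown}"
fi
```

Passing -CAfile matters: without it s_client falls back to the system trust store, so a "Verify return code: 0" there says nothing about what ldapsearch, which reads TLS_CACERT from ldap.conf or .ldaprc, will accept. Run the probe with the same CA file you point TLS_CACERT at and the two results agree.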

----------

## trupoet

Ok so I exported the Root Cert from the AD server and added it to my own CA.

Now I'm back to the error saying:

```
Cannot start kerberos signing/sealing when using TLS/SSL
```

so basically when any of my TLS commands from my .ldaprc are commented out, it errors saying couldn't verify certificate but when I uncomment them to point to the cert information, it says that kerberos can't be used while using TLS/SSL.

Any ideas?

----------

## trupoet

Ok I figured out the problem....it's kind of misleading.

The fact is, I didn't even need a certificate.

When doing SASL authentication via LDAP, you do NOT specify an s in ldaps://, it just uses ldap:// and automatically encrypts based on your SASL encryption scheme... I used GSSAPI (Kerberos 5).

Once I took out the S, removed any TLS entries and specified SASL_MECH GSSAPI, it worked perfectly.

I did double-check with Ethereal whether the network packets were being encrypted and they were, yay!
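To put the thread's conclusion in one place, here is an added example (not the thread's own commands or config) contrasting the two client setups that work against AD: ldaps:// with a simple bind and a trusted CA, or plain ldap:// with GSSAPI sign/seal, next to the TLS_REQCERT never setting that only hides the trust problem. The host name, CA path, base DN, the sAMAccountName filter and the minssf=56 value are assumptions; the error strings in classify_bind_error are the ones quoted earlier in this thread.

```shell
#!/bin/sh
# Added example (not the thread's own commands): the two working client setups for AD,
# the weak ldap.conf setting to avoid, and a classifier for the bind errors quoted above.
# Assumed values: host name, CA file path, base DN and the minssf strength.
LDAP_HOST="${LDAP_HOST:-serverdc.domain.com}"
CA_FILE="${CA_FILE:-/etc/ldap/cacerts/ad-root.pem}"   # assumed: AD root CA exported as PEM
BASE_DN="${BASE_DN:-DC=domain,DC=com}"

# Weak client config: TLS_REQCERT never makes the client accept any certificate, so a
# ldaps:// simple bind (password on the wire) can be intercepted. Shown only for contrast.
weak_ldaprc() {
    printf 'TLS_REQCERT never\n'
}

# Corrected client config (~/.ldaprc or /etc/openldap/ldap.conf), given the CA file path:
#  - ldaps:// with simple bind verifies the server against the exported AD root CA;
#  - ldap:// with GSSAPI relies on the Kerberos security layer, and SASL_SECPROPS minssf
#    makes the bind fail rather than silently run without sealing (56 is an assumed floor).
good_ldaprc() {
    printf 'TLS_CACERT %s\nTLS_REQCERT demand\nSASL_MECH GSSAPI\nSASL_SECPROPS minssf=56\n' "$1"
}

# Option 1: encrypted by TLS, authenticated by password (simple bind needs -x).
search_ldaps_simple() {
    ldapsearch -x -H "ldaps://$LDAP_HOST" -D "$1" -W -b "$BASE_DN" "(sAMAccountName=$2)"
}

# Option 2: encrypted and authenticated by Kerberos (GSSAPI sign/seal) over plain ldap://.
# No -D/-W: the ticket from kinit identifies the client and servers ignore the bind DN for
# SASL binds; -O minssf refuses a bind whose security layer is weaker than requested.
search_ldap_gssapi() {
    ldapsearch -H "ldap://$LDAP_HOST" -Y GSSAPI -O minssf=56 -b "$BASE_DN" "(sAMAccountName=$1)"
}

# Map the bind errors quoted in this thread to what actually has to change.
# The certificate pattern is tested first because that error also carries "Can't contact".
classify_bind_error() {
    case "$1" in
        *"certificate verify failed"*)
            echo "tls-trust: add the issuing CA to TLS_CACERT; do not set TLS_REQCERT never" ;;
        *"Cannot start kerberos signing/sealing when using TLS/SSL"*)
            echo "double-encryption: use ldap:// with -Y GSSAPI (sealed by Kerberos), not ldaps://" ;;
        *"Can't contact LDAP server"*)
            echo "connect: host/port or TLS handshake failed; check with openssl s_client" ;;
        *)  echo "unknown" ;;
    esac
}
```

Typical use: `good_ldaprc "$CA_FILE" > ~/.ldaprc`, then `kinit user@DOMAIN.COM` followed by `search_ldap_gssapi someuser`. The minssf setting is the scripted form of the Ethereal check above: if the server cannot negotiate a GSSAPI security layer, the bind is refused instead of quietly falling back to cleartext.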

----------

