# OpenLDAP SSL/TLS problem with pam/nss [SOLVED]

## humbletech99

I have an OpenLDAP server running which I am trying to get to use SSL/TLS. It works without it, but it does not work when I switch on ssl/tls.

```
getent passwd
```

returns nothing from the ldap server, and the logs show:

```
Jun 12 13:23:22 myhost getent: nss_ldap: failed to bind to LDAP server ldaps://ldap.mydomain.com/: Can't contact LDAP server
Jun 12 13:23:22 myhost getent: nss_ldap: could not search LDAP server - Server is unavailable
Jun 12 13:23:22 myhost slapd[31771]: conn=9 fd=15 ACCEPT from IP=x.x.x.x:59963 (IP=0.0.0.0:636)
Jun 12 13:23:22 myhost slapd[31771]: conn=9 fd=15 closed (TLS negotiation failure)
```

I have set these options in ldap.conf for the nss/pam ldap modules:

```
tls_checkpeer yes
tls_ciphers HIGH
ssl yes
tls_cacert /etc/openldap/cacerts/slapd.cert
```

and I have the following options in slapd.conf:

```
TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.cert
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
```

I don't think that increasing debugging in slapd will help as it looks like it's the client nss and pam ldap modules that are failing to verify the certificate. Setting

```
tls_checkpeer no
```

allows the getent to work, but of course this is insecure...

The cert file and pem file are there with the right permissions, and I am testing this from the same server that slapd is running from right now, so the cacert mentioned in the ldap.conf file is there on the local filesystem too and I copied it to the right path...

So my question is, how do I go about debugging this? I cannot see any more logging information or options to increase logging for the pam/nss modules... and I don't know much about openssl in general (I know I should, but I've always hated it).

----------

## vaxbrat

Your ldap server should have some sort of logging on its side that might suggest what's going on with the cert.

----------

## humbletech99

The server-side logging doesn't help because the client simply connects and disconnects.

I think it's to do with cert signing, I'm going to have to set up my own CA and distribute the CA cert to all clients to trust the slapd cert I think...

EDIT: I've not been able to get the CA signed cert to work, it works ok when doing openssl s_client and it verifies the certificate against the cafile, but the getent still results in the same errors about tls negotiation failure.

I cannot see how to get more information out of the pam/nss ldap libs, but when using "tls_checkpeer no" it works fine, so it appears to be purely a trust issue, but I have double checked that tls_cacert has the right path to the CA certificate file (am testing from the server for the minute).

I am totally at a loss. I hate SSL/TLS.

----------

## sgao

*humbletech99 wrote:*

> the server side logging doesn't help because the client simply connects and disconnects.
> 
> I think it's to do with cert signing, I'm going to have to set up my own CA and distribute the CA cert to all clients to trust the slapd cert I think...
> 
> EDIT: I've not been able to get the CA signed cert to work, it works ok when doing openssl s_client and it verifies the certificate against the cafile, but the getent still results in the same errors about tls negotiation failure.
> ...
You need to have two types of certificates, one for your own CA, one for your ldap server. In your setup, you are using the default CA cert, ca-bundle, which is not going to work.

For OpenLDAP server: 

*Quote:*

> TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
> 
> TLSCertificateFile /etc/openldap/certs/server.crt
> 
> TLSCertificateKeyFile /etc/openldap/certs/server.key
> ...
For OpenLdap client:

*Quote:*

> TLS_CACERT /etc/openldap/certs/cacert.pem
> 
> TLS_REQCERT demand
For PAM/NSS:

*Quote:*

> ssl start_tls
> 
> tls_cacertfile /etc/openldap/certs/cacert.pem
Change the path and CA certificate file name to your environment. The key is to use, for the LDAP client, the same CA certificate that was used to sign your LDAP server certificate.

----------

## humbletech99

I got it to work, there wasn't technically a problem but it seems that the pam/nss libs were using the openldap ldap.conf instead of their own, both had to have the same settings otherwise it wouldn't work.

Technically this shouldn't have been the case but hey, as soon as I put the settings in the openldap.conf (which should only have been for ldapsearch etc) it started working.

Of course I used my self signed + CA cert to get this working.

----------
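The fix above came down to two ldap.conf files (libldap's and the pam/nss modules') having to carry the same TLS trust settings. As an added example that is not part of this thread, the following Python script parses both files and reports every TLS setting that differs or is missing from one side; the alias table mapping libldap keys (TLS_CACERT, TLS_REQCERT, TLS_CIPHER_SUITE) onto pam/nss keys (tls_cacert/tls_cacertfile, tls_checkpeer, tls_ciphers), and the sample file contents, are assumptions constructed for this example.

```python
# Settings that mean the same thing in libldap's ldap.conf (upper-case keys,
# see ldap.conf(5)) and in the pam_ldap/nss_ldap ldap.conf (lower-case keys).
# The alias table is an assumption: confirm key names against your man pages.
ALIASES = {
    "tls_cacert": "tls_cacert", "tls_cacertfile": "tls_cacert",
    "tls_reqcert": "tls_checkpeer", "tls_checkpeer": "tls_checkpeer",
    "tls_cipher_suite": "tls_ciphers", "tls_ciphers": "tls_ciphers",
}
# TLS_REQCERT levels folded onto tls_checkpeer yes/no (assumption: only
# demand and hard make a failed peer verification fatal).
REQCERT_TO_CHECKPEER = {"demand": "yes", "hard": "yes",
                        "never": "no", "allow": "no", "try": "no"}


def parse_ldap_conf(text):
    """Return {canonical_key: value} for the TLS settings in ldap.conf text."""
    found = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # '#' starts a comment
        parts = line.split(None, 1)            # KEY<whitespace>value
        if len(parts) != 2:
            continue                           # blank or malformed line
        canon = ALIASES.get(parts[0].lower())  # keys are case-insensitive
        if canon is None:
            continue                           # not a TLS trust setting
        value = parts[1]
        if canon == "tls_checkpeer":
            value = REQCERT_TO_CHECKPEER.get(value.lower(), value.lower())
        found[canon] = value
    return found


def tls_mismatches(libldap_conf, pam_nss_conf):
    """Return {key: (libldap_value, pam_nss_value)}; None means absent."""
    a, b = parse_ldap_conf(libldap_conf), parse_ldap_conf(pam_nss_conf)
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b))
            if a.get(k) != b.get(k)}


# Constructed samples modelled on the thread: libldap trusts the private CA
# file, while the pam/nss file still points somewhere else.
LIBLDAP_CONF = """\
TLS_CACERT /etc/openldap/certs/cacert.pem
TLS_REQCERT demand
"""
PAM_NSS_CONF = """\
ssl yes
tls_checkpeer yes
tls_ciphers HIGH
tls_cacert /etc/openldap/cacerts/slapd.cert   # not the CA that signed slapd's cert
"""
```

Run `tls_mismatches(open("/etc/openldap/ldap.conf").read(), open("/etc/ldap.conf").read())` against your real files; an empty result means both sides agree on the CA file, the verification level and the cipher list.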
