[Pkg-openldap-devel] problem with verifying server-certificate
t.becker at fh-bingen.de
Thu Aug 17 11:38:08 UTC 2006
Hello,
I have installed a Debian Testing system within a Linux-VServer.
I have slapd 2.3.24-2 installed and configured.
With pyca I built a simple CA and created a self-signed root certificate, a
server certificate and a certificate for the slapd server that was signed by
serverCA.
I can do a simple bind without errors. I can use slapd to authenticate users
against it. If I try to use TLS, I have the problem that with "tls_checkpeer
yes" in pam_ldap.conf the login hangs. If I set "tls_checkpeer no" I can set
"ssl start_tls" and the login will end without errors.
The command-line tools (ldapsearch) give me no errors if I use -ZZ as a parameter.
The debug log tells me that the certificate is read from the server when
requested by the ldapsearch command.
I ran another test with the commands "openssl s_client -connect slapd:389
-showcerts" and "openssl s_client -connect slapd:636 -showcerts".
The first command has this result:
slapd2:/etc/openldap# openssl s_client -connect slapd:389 -showcerts
CONNECTED(00000003)
4709:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:188:
The second command shows me the certificates of all CAs up to the self-signed
root CA.
So I think I can use TLS, but I cannot verify the certificate of the server via
port 389. Do you have hints or a solution for me to enable this feature? I will
use the ability to verify the certificates of the clients in the future... but
first this has to work. I have searched the web for about 5 days now and cannot
find anything that gets me further.
Regards, Torsten Becker
My config-files:
/etc/ldap/slapd.conf
-----------------------------------------snip--------------------------------------------------
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
#######################################################################
# ACL rules
access to attrs=userPassword
by dn="cn=admin,dc=udenheim,dc=nc-world,dc=de" write
by anonymous auth
by self write
by * none
access to dn.base="dc=udenheim,dc=nc-world,dc=de"
by * read
access to *
by dn="cn=admin,dc=udenheim,dc=nc-world,dc=de" write
by * read
schemacheck on
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel acl
modulepath /usr/lib/ldap
moduleload back_bdb
sizelimit 500
tool-threads 1
#######################################################################
# TLS Parameter
TLSCACertificateFile /etc/ldap/certs/ca-certs.pem
TLSCertificateFile /etc/ldap/certs/02.pem
TLSCertificateKeyFile /etc/ldap/ssl/slapd_key.pem
#TLSCipherSuite TLSv1:HIGH:MEDIUM:+SSLv2
#security ssf=128
#TLSVerifyClient allow
#######################################################################
backend bdb
checkpoint 512 30
database bdb
suffix "dc=udenheim,dc=nc-world,dc=de"
directory "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass eq
lastmod on
-------------------------------snap------------------------------
/etc/ldap/ldap.conf
-------------------------------snip-------------------------------
BASE dc=udenheim, dc=nc-world, dc=de
URI ldap://slapd2.udenheim.nc-world.de
TLS_CACERT /etc/ldap/certs/rcacert.pem
#TLS_CERT /etc/pam.d/certs/scacert.pem
#TLS_KEY /etc/pam.d/ssl/client.key
-----------------------------snap---------------------------------
/etc/pam_ldap.conf
----------------------------snip-----------------------------------
#host 192.168.111.24
base dc=udenheim,dc=nc-world,dc=de
URI ldap://slapd.udenheim.nc-world.de
ldap_version 3
pam_password md5
tls_checkpeer no
tls_cacertfile /etc/ldap/certs/ca-certs.pem
#tls_cert /etc/pam.d/certs/pam_client-cert.pem
#tls_key /etc/pam.d/ssl/pam_client.key
#tls_ciphers TLSv1:HIGH:MEDIUM:+SSLv2
#tls_request allow
ssl start_tls
pam_filter objectClass=posixAccount
pam_login_attribute uid
nss_base_passwd ou=People,dc=udenheim,dc=nc-world,dc=de
nss_base_shadow ou=People,dc=udenheim,dc=nc-world,dc=de
nss_base_group ou=Group,dc=udenheim,dc=nc-world,dc=de
---------------------------snap---------------------------------------
/etc/libnss-ldap.conf
------------------------------snip------------------------------------
host 192.168.111.24
base dc=udenheim,dc=nc-world,dc=de
ldap_version 3
pam_password md5
#tls_checkpeer no
#tls_cacertfile /etc/ldap/certs/ca-certs.pem
#tls_cert /etc/pam.d/certs/pam_client-cert.pem
#tls_key /etc/pam.d/ssl/pam_client.key
#tls_ciphers TLSv1:HIGH:MEDIUM:+SSLv2
#tls_request allow
#ssl start_tls
pam_filter objectClass=posixAccount
pam_login_attribute uid
nss_base_passwd ou=People,dc=udenheim,dc=nc-world,dc=de
nss_base_shadow ou=People,dc=udenheim,dc=nc-world,dc=de
nss_base_group ou=Group,dc=udenheim,dc=nc-world,dc=de
-------------------------------snap-------------------------------------
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
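The two probes in the post behave differently for a reason worth spelling out: port 389 speaks plain LDAP until the client sends the STARTTLS extended operation, so a bare "openssl s_client -connect slapd:389" feeds LDAP bytes to a TLS parser and reports "ssl handshake failure", while port 636 is TLS from the first byte and -showcerts works there. "ldapsearch -ZZ" negotiates STARTTLS itself, which is why it succeeds. The other security-relevant point is that "tls_checkpeer no" makes pam_ldap accept any certificate at all, so the STARTTLS session then protects only against passive sniffing, not against an active attacker who answers on 389 with his own certificate. What "tls_checkpeer yes" enforces is (a) the server chain verifies against the configured CA file and (b) the name in the URI matches the certificate; in the posted configs those inputs differ between files (tls_cacertfile /etc/ldap/certs/ca-certs.pem in pam_ldap.conf versus TLS_CACERT /etc/ldap/certs/rcacert.pem in ldap.conf, and URI hosts slapd versus slapd2), which is exactly what a verification check should be run against. The script below is an added example, not code from the original post or from the pkg-openldap project; it assumes an OpenSSL that understands "-starttls ldap" (OpenSSL 1.1.1 or newer, an assumption), and the hostnames and CA names in the self-test are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces the port-389 probe with
# STARTTLS and checks a server certificate the way tls_checkpeer does.
# Assumes OpenSSL 1.1.1 or newer for "-starttls ldap" (assumption).

# Fetch the leaf certificate presented after STARTTLS on port 389.
# Usage: probe_starttls slapd.udenheim.nc-world.de > server.pem
# (Needs network access, so it is not exercised by the offline self-test.)
probe_starttls() {
    openssl s_client -connect "$1:389" -starttls ldap -showcerts </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' |
        awk '/END CERTIFICATE/ {print; exit} {print}'   # first (leaf) block only
}

# Verify a server certificate against the CA bundle the client is configured
# with (pam_ldap's tls_cacertfile / ldap.conf's TLS_CACERT) and check that the
# host name from the URI matches the certificate. Returns 0 only if both pass.
verify_server_cert() {
    cert=$1; ca=$2; host=$3
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    # -checkhost prints "Hostname X does match certificate" or "does NOT match"
    openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null | grep -q " does match "
}

# Offline self-test with a constructed root CA and two server certificates
# (host names and CA names are made up). Returns 0 if the check accepts a
# matching certificate from the trusted CA and rejects both a wrong host name
# and a certificate for the right name issued by an unknown CA.
selftest() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed; skipping" >&2; return 0; }
    dir=$(mktemp -d) || return 1
    host=slapd.example.test
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.cnf"
    # Trusted CA and a server certificate issued by it
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$dir/srv.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/san.cnf" -out "$dir/srv.pem" >/dev/null 2>&1 || return 1
    # A second CA the client does not trust, issuing a certificate for the same name
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Rogue CA" \
        -keyout "$dir/rogue.key" -out "$dir/rogue.pem" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$dir/srv.csr" -CA "$dir/rogue.pem" -CAkey "$dir/rogue.key" \
        -CAcreateserial -extfile "$dir/san.cnf" -out "$dir/rogue-srv.pem" >/dev/null 2>&1 || return 1

    rc=0
    verify_server_cert "$dir/srv.pem" "$dir/ca.pem" "$host"            || rc=1   # must pass
    verify_server_cert "$dir/srv.pem" "$dir/ca.pem" other.example.test && rc=1   # wrong name
    verify_server_cert "$dir/rogue-srv.pem" "$dir/ca.pem" "$host"      && rc=1   # untrusted CA
    rm -rf "$dir"
    return $rc
}
```

To apply this to the setup in the post, run probe_starttls against the exact host name used in the URI line of each client config and pass the resulting PEM, that config's CA file and that host name to verify_server_cert; a failure on either the chain or the name is what makes the login hang with tls_checkpeer yes, and each client file (ldap.conf, pam_ldap.conf, libnss-ldap.conf) has to be checked with its own CA file and host name.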