[Pkg-openldap-devel] problem with verifying server-certificate

t.becker at fh-bingen.de t.becker at fh-bingen.de
Thu Aug 17 11:38:08 UTC 2006


Hello,

I have installed a Debian Testing system within a Linux-Vserver.
I have slapd 2.3.24-2 installed and configured.
With pyca I built a simple CA and created a self-signed root certificate,
a server certificate and a certificate for the slapd server that was signed by
serverCA.
I can do a simple bind without errors. I can use slapd to authenticate users
against it. If I try to use TLS, I have the problem that with "tls_checkpeer
yes" in pam_ldap.conf the
login hangs. If I set "tls_checkpeer no" I can set "ssl start_tls" and the login
will end without errors.
The command-line tools (ldapsearch) give me no errors if I use -ZZ as parameter.
The debug log tells me that the certificate will be read from the server when
asked by the ldapsearch command.

I ran another test with the commands "openssl s_client -connect slapd:389
-showcerts" and "openssl s_client -connect slapd:636 -showcerts".
The first command has the result:

slapd2:/etc/openldap# openssl s_client -connect slapd:389 -showcerts
CONNECTED(00000003)
4709:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:188:

The second command shows me the certificates of all CAs up to the self-signed
rootCA.

So I think I can use TLS, but I cannot verify the certificate of the server via
port 389. Do you have hints or a solution for me to enable this feature? I will use
the ability to verify the certificates of the clients in the future... but first
this has to run. I have searched the web for about 5 days now and cannot find
anything that gets me further.

Regards, Torsten Becker


My config-files:

/etc/ldap/slapd.conf

-----------------------------------------snip--------------------------------------------------

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba.schema

#######################################################################
# ACL rules
access to attrs=userPassword
       by dn="cn=admin,dc=udenheim,dc=nc-world,dc=de" write
       by anonymous auth
       by self write
       by * none

access to dn.base="dc=udenheim,dc=nc-world,dc=de"
       by * read

access to *
       by dn="cn=admin,dc=udenheim,dc=nc-world,dc=de" write
       by * read

schemacheck     on
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
loglevel        acl
modulepath      /usr/lib/ldap
moduleload      back_bdb
sizelimit 500
tool-threads 1

#######################################################################
# TLS Parameter
TLSCACertificateFile    /etc/ldap/certs/ca-certs.pem
TLSCertificateFile      /etc/ldap/certs/02.pem
TLSCertificateKeyFile   /etc/ldap/ssl/slapd_key.pem
#TLSCipherSuite         TLSv1:HIGH:MEDIUM:+SSLv2
#security               ssf=128
#TLSVerifyClient                allow
#######################################################################
backend         bdb
checkpoint 512 30
database        bdb
suffix          "dc=udenheim,dc=nc-world,dc=de"
directory       "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index           objectClass eq
lastmod         on
-------------------------------snap------------------------------

/etc/ldap/ldap.conf

-------------------------------snip-------------------------------
BASE    dc=udenheim, dc=nc-world, dc=de
URI     ldap://slapd2.udenheim.nc-world.de
TLS_CACERT      /etc/ldap/certs/rcacert.pem
#TLS_CERT       /etc/pam.d/certs/scacert.pem
#TLS_KEY                /etc/pam.d/ssl/client.key
-----------------------------snap---------------------------------

/etc/pam_ldap.conf

----------------------------snip-----------------------------------
#host 192.168.111.24
base dc=udenheim,dc=nc-world,dc=de
URI ldap://slapd.udenheim.nc-world.de
ldap_version 3
pam_password md5
tls_checkpeer no
tls_cacertfile /etc/ldap/certs/ca-certs.pem
#tls_cert /etc/pam.d/certs/pam_client-cert.pem
#tls_key /etc/pam.d/ssl/pam_client.key
#tls_ciphers TLSv1:HIGH:MEDIUM:+SSLv2
#tls_request allow
ssl start_tls
pam_filter objectClass=posixAccount
pam_login_attribute uid
nss_base_passwd ou=People,dc=udenheim,dc=nc-world,dc=de
nss_base_shadow ou=People,dc=udenheim,dc=nc-world,dc=de
nss_base_group ou=Group,dc=udenheim,dc=nc-world,dc=de
---------------------------snap---------------------------------------

/etc/libnss-ldap.conf

------------------------------snip------------------------------------
host 192.168.111.24
base dc=udenheim,dc=nc-world,dc=de
ldap_version 3
pam_password md5
#tls_checkpeer no
#tls_cacertfile /etc/ldap/certs/ca-certs.pem
#tls_cert /etc/pam.d/certs/pam_client-cert.pem
#tls_key /etc/pam.d/ssl/pam_client.key
#tls_ciphers TLSv1:HIGH:MEDIUM:+SSLv2
#tls_request allow
#ssl start_tls
pam_filter objectClass=posixAccount
pam_login_attribute uid
nss_base_passwd ou=People,dc=udenheim,dc=nc-world,dc=de
nss_base_shadow ou=People,dc=udenheim,dc=nc-world,dc=de
nss_base_group ou=Group,dc=udenheim,dc=nc-world,dc=de
-------------------------------snap-------------------------------------
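The difference between the two openssl tests above comes down to how the two ports work: port 636 (ldaps) speaks TLS from the first byte, whereas port 389 speaks plain LDAP until the client sends a StartTLS extended operation, so a raw `openssl s_client -connect slapd:389` sees no TLS handshake at all. The following added example, not part of the original message, sends that StartTLS request with only the Python standard library and then performs strict peer verification against a CA file, which is the check `tls_checkpeer yes` asks for; host, port and CA path are assumptions.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # LDAP StartTLS extended operation (RFC 4511)

def ber_len(n: int) -> bytes:
    # BER length: short form below 128, long form (0x80 | octet count) otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value

def build_starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext_req = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))
    return ber_tlv(0x30, ber_tlv(0x02, bytes([message_id])) + ext_req)  # id < 128 assumed

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, position after this TLV) for the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_extended_response(buf: bytes) -> int:
    """Return the resultCode of an ExtendedResponse [APPLICATION 24]; 0 means success."""
    tag, msg, _ = read_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(msg)  # skip messageID
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError(f"unexpected protocolOp tag {tag:#x}")
    tag, code, _ = read_tlv(op)
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")

def starttls_and_verify(host: str, cafile: str, port: int = 389) -> dict:
    """Plain LDAP connect, StartTLS upgrade, then strict peer verification against cafile."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED plus hostname check
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(build_starttls_request())
        code = parse_extended_response(sock.recv(4096))
        if code != 0:
            raise RuntimeError(f"server refused StartTLS, resultCode={code}")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()  # raises SSLCertVerificationError if chain or name fail
```

A verification failure here (untrusted issuer, or a subject name that does not match the host in the URI) is the same condition that makes the pam_ldap login stall with `tls_checkpeer yes`. OpenSSL 1.1.1 and later can run the equivalent handshake from the shell with `openssl s_client -starttls ldap -connect host:389 -CAfile ca.pem`.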