[Pkg-openldap-devel] problem with verifying server-certificate

Torsten Becker t.becker at nc-world.de
Wed Aug 16 20:04:09 UTC 2006


Hello,

I have installed a Debian testing system within a Linux-VServer.
I have slapd 2.3.24-2 installed and configured.
With pyca I built a simple CA and created a self-signed root certificate, 
a server certificate and a certificate for the slapd server that was signed 
by serverCA.
I can do a simple bind without errors. I can use slapd to authenticate 
users against it. If I try to use TLS, I have the problem that with 
"tls_checkpeer yes" in pam_ldap.conf the
login hangs. If I set "tls_checkpeer no" I can set "ssl start_tls" and 
the login ends without errors.
The command-line tools (ldapsearch) give me no errors if I use -ZZ as a 
parameter. The debug log tells me that the certificate is read from 
the server when requested by the ldapsearch command.

I ran another test with the commands "openssl s_client -connect 
slapd:389 -showcerts" and "openssl s_client -connect slapd:636 -showcerts".
The first command gives the result:

slapd2:/etc/openldap# openssl s_client -connect slapd:389 -showcerts
CONNECTED(00000003)
4709:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake 
failure:s23_lib.c:188:

The second command shows me the certificates of all CAs up to the 
self-signed rootCA.

So I think I can use TLS, but I cannot verify the certificate of the 
server via port 389. Do you have hints or a solution for me to enable this 
feature? I will use the ability to verify the certificates of the 
clients in the future, but first this has to run. I have searched the web 
for about 5 days now and cannot find anything that gets me further.

Regards, Torsten Becker


My config-files:

/etc/ldap/slapd.conf

-----------------------------------------snip--------------------------------------------------

# /etc/ldap/slapd.conf as posted (slapd 2.3.24-2).
# Order is significant: directives above the first "database" line are
# global, those below it apply to that database only.
#
# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba.schema

#######################################################################
# ACL rules (evaluated top to bottom, first matching "access to" wins)
# userPassword: the admin DN may write it, anonymous may only use it to
# authenticate (bind), a user may change their own, nobody else can read it.
access to attrs=userPassword
        by dn="cn=admin,dc=udenheim,dc=nc-world,dc=de" write
        by anonymous auth
        by self write
        by * none

# The suffix entry itself is readable by everyone.
access to dn.base="dc=udenheim,dc=nc-world,dc=de"
        by * read

# Everything else: admin writes, anyone reads.
# NOTE(review): "by *" includes anonymous binds, so all non-password
# attributes are readable without authentication.
access to *
        by dn="cn=admin,dc=udenheim,dc=nc-world,dc=de" write
        by * read

schemacheck     on
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
# "acl" is a debugging log level (traces every ACL decision); useful while
# troubleshooting, noisy for production.
loglevel        acl
modulepath      /usr/lib/ldap
moduleload      back_bdb
sizelimit 500
tool-threads 1

#######################################################################
# TLS Parameter
# Port 389 speaks plain LDAP; TLS on it is negotiated afterwards through the
# StartTLS extended operation (what "ldapsearch -ZZ" and "ssl start_tls" in
# pam_ldap.conf do). A raw TLS handshake against 389 - which is what
# "openssl s_client -connect slapd:389" attempts - is therefore expected to
# fail; only ldaps on 636 starts with TLS immediately.
#
# Trusted CA certificates. Used to verify client certificates, and presumably
# also to build the chain (serverCA) sent together with 02.pem - confirm.
TLSCACertificateFile    /etc/ldap/certs/ca-certs.pem
# Server certificate (signed by serverCA) and its private key; the key file
# should be readable by the slapd user only.
TLSCertificateFile      /etc/ldap/certs/02.pem
TLSCertificateKeyFile   /etc/ldap/ssl/slapd_key.pem
# Disabled. If re-enabled: in OpenSSL cipher-list syntax "+SSLv2" only moves
# those ciphers to the end of the list; "!SSLv2" removes them.
#TLSCipherSuite         TLSv1:HIGH:MEDIUM:+SSLv2
# Disabled. Without a "security" directive slapd also accepts simple binds
# (cleartext passwords) over unencrypted connections; "ssf=128" would
# refuse them once TLS is working.
#security               ssf=128
# Disabled (default "never"): slapd does not ask clients for a certificate.
# "allow" requests one but tolerates its absence; this is the directive for
# the planned client-certificate verification.
#TLSVerifyClient                allow
#######################################################################
backend         bdb
# Checkpoint the BDB transaction log every 512 KB or 30 minutes.
checkpoint 512 30
database        bdb
suffix          "dc=udenheim,dc=nc-world,dc=de"
directory       "/var/lib/ldap"
# BDB cache: 0 GB + 2097152 bytes (2 MB), one segment.
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
# Equality index on objectClass (the pam_filter below searches on it).
index           objectClass eq
# Maintain modifiersName/modifyTimestamp and friends automatically.
lastmod         on
-------------------------------snap------------------------------

/etc/ldap/ldap.conf

-------------------------------snip-------------------------------
# /etc/ldap/ldap.conf - client defaults for the OpenLDAP tools (ldapsearch etc.).
# One keyword/value per line; "#" comments only on lines of their own.
BASE    dc=udenheim, dc=nc-world, dc=de
# NOTE(review): this points at "slapd2" while pam_ldap.conf uses "slapd".
# With peer verification the presented certificate must match the name the
# client connected to, so both names should resolve to, and be valid for,
# the same server - confirm.
URI     ldap://slapd2.udenheim.nc-world.de
# Trust anchor for server-certificate verification. ldapsearch -ZZ succeeds
# with this file (and TLS_REQCERT at its default, presumably "demand"), so
# the chain verifies here. pam_ldap.conf uses a different file
# (ca-certs.pem); if that file does not contain the same root/intermediate,
# the two clients will verify differently - worth aligning.
TLS_CACERT      /etc/ldap/certs/rcacert.pem
# Client certificate/key for TLS client authentication; unused while
# commented out.
#TLS_CERT       /etc/pam.d/certs/scacert.pem
#TLS_KEY                /etc/pam.d/ssl/client.key
-----------------------------snap---------------------------------

/etc/pam_ldap.conf

----------------------------snip-----------------------------------
# /etc/pam_ldap.conf - read by pam_ldap for login authentication.
# Server by IP, superseded by the URI below; left commented out.
#host 192.168.111.24
base dc=udenheim,dc=nc-world,dc=de
URI ldap://slapd.udenheim.nc-world.de
ldap_version 3
# Hash presumably applied by the client when changing passwords - confirm;
# server-side hashing is generally preferable.
pam_password md5
# SECURITY: "no" disables verification of the server certificate, so the
# StartTLS session below protects against eavesdropping but not against a
# spoofed server. Set to "yes" once the CA file/chain question is resolved.
tls_checkpeer no
# CA file used for verification when tls_checkpeer is "yes". Differs from
# TLS_CACERT in ldap.conf (rcacert.pem), where ldapsearch -ZZ verifies
# fine - first thing to check is that this file contains the same trusted
# root and the serverCA intermediate.
tls_cacertfile /etc/ldap/certs/ca-certs.pem
# Client certificate/key for TLS client authentication; unused while
# commented out.
#tls_cert /etc/pam.d/certs/pam_client-cert.pem
#tls_key /etc/pam.d/ssl/pam_client.key
# If re-enabled: "+SSLv2" only de-prioritises SSLv2 ciphers; "!SSLv2"
# excludes them.
#tls_ciphers TLSv1:HIGH:MEDIUM:+SSLv2
#tls_request allow
# Upgrade the plain port-389 connection with the StartTLS extended operation.
ssl start_tls
pam_filter objectClass=posixAccount
pam_login_attribute uid
nss_base_passwd ou=People,dc=udenheim,dc=nc-world,dc=de
nss_base_shadow ou=People,dc=udenheim,dc=nc-world,dc=de
nss_base_group ou=Group,dc=udenheim,dc=nc-world,dc=de
---------------------------snap---------------------------------------

/etc/libnss-ldap.conf

------------------------------snip------------------------------------
# /etc/libnss-ldap.conf - read by libnss_ldap for passwd/shadow/group lookups.
# NOTE(review): every TLS setting below is commented out, so NSS lookups
# (including the shadow map) travel in cleartext on port 389. Once StartTLS
# with tls_checkpeer yes works in pam_ldap.conf, enable the same settings
# here. Connecting by IP address is also a problem for peer verification:
# the certificate's name is compared with what the client connected to, so
# presumably a hostname (as in pam_ldap.conf) is needed then - confirm.
host 192.168.111.24
base dc=udenheim,dc=nc-world,dc=de
ldap_version 3
pam_password md5
# Disabled TLS settings; mirror of the ones in pam_ldap.conf.
#tls_checkpeer no
#tls_cacertfile /etc/ldap/certs/ca-certs.pem
#tls_cert /etc/pam.d/certs/pam_client-cert.pem
#tls_key /etc/pam.d/ssl/pam_client.key
# If re-enabled: "+SSLv2" only de-prioritises SSLv2 ciphers; "!SSLv2"
# excludes them.
#tls_ciphers TLSv1:HIGH:MEDIUM:+SSLv2
#tls_request allow
#ssl start_tls
pam_filter objectClass=posixAccount
pam_login_attribute uid
nss_base_passwd ou=People,dc=udenheim,dc=nc-world,dc=de
nss_base_shadow ou=People,dc=udenheim,dc=nc-world,dc=de
nss_base_group ou=Group,dc=udenheim,dc=nc-world,dc=de
-------------------------------snap-------------------------------------




-- 
*************************
net-concept T. Becker

Tel:    +49 6732 9339 761
Fax:    +49 6732 9339 767
Mobil:  +49  178 4589 296
*************************




