Gentoo Forums
[SOLVED] Openldap and ssl
Forum: Networking & Security
elmar283 (Apprentice)
Joined: 06 Dec 2004
Posts: 299
Location: Haarlem, Netherlands

Posted: Fri Oct 26, 2012 12:56 pm    Post subject: [SOLVED] Openldap and ssl

I am following the guide on http://www.gentoo-wiki.info/OpenLDAP.
I first tried the guide on http://www.gentoo.org/doc/en/ldap-howto.xml but that also didn't work out.

This is what I want to achieve:
- I want to run an openldap server and put my addresses in there. I don't need to connect to another ldap-server.
- From there I want to use my mail programs to access that ldap-server.
- my domain is: eotter1979.xs4all.nl, so I assume on ldap this would be: "dc=eotter1979,dc=xs4all,dc=nl"
- my username is: masterserver: "ou=masterserver"?
- My cn is now root, but I would like it to be "elmarotter" when everything works

I already posted before on https://forums.gentoo.org/viewtopic-t-940624-highlight-ldap.html
I was able to solve that problem. See that post for my config files.

Now I'm having problems with ssl and ldapsearch. There doesn't seem to be ssl support.
I also have a mailserver (postfix) with ssl/tls working as it should. When I try ldapsearch on port 443 it all works fine, but on the ldap port 636 I have no luck.

Does anyone know how I can make this work?

When I run:
ldapsearch -Hldap://eotter1979.xs4all.nl -b "" -s base -Omaxssf=0
I get:
Code:

SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
   additional info: SASL(-13): user not found: no secret in database

And when I try:
openssl s_client -connect eotter1979.xs4all.nl:636 -CAfile /etc/ssl/ldap.pem
I get:
Code:

CONNECTED(00000003)
1389700744:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 211 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---


Last edited by elmar283 on Sat Oct 27, 2012 9:37 am; edited 1 time in total
vaxbrat (l33t)
Joined: 05 Oct 2005
Posts: 731
Location: DC Burbs

Posted: Sat Oct 27, 2012 4:47 am    Post subject: need more info

You should repost your current ldap.conf and slapd.conf files on this thread for convenience.

One of the first things I've noticed is that you have posted only cert settings in your slapd.conf but not any other security settings (e.g. TLS_CIPHER_SUITE and possibly sasl settings). I've been in the process of playing with ldap myself and have successfully gotten local security working via Kerberos tickets and SASL/GSSAPI to do ldapsearch without having to specify the -x switch. However I haven't gotten into using secured sockets and certs with openldap yet. Instead I got sidetracked into using the Fedora 389 directory server to try to get some sort of samba/ldap thing going with some GUIs that allow convenient user management, etc. The thing is that 389 DS descends from the old netscape enterprise server and uses a whole different set of mechanisms for security.
elmar283 (Apprentice)
Joined: 06 Dec 2004
Posts: 299
Location: Haarlem, Netherlands

Posted: Sat Oct 27, 2012 8:21 am

Here are my config files:
Code:

elmarotter@masterserver ~ $ sudo cat /etc/openldap/slapd.conf
Wachtwoord:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include      /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral   ldap://root.openldap.org

pidfile      /var/run/openldap/slapd.pid
argsfile   /var/run/openldap/slapd.args

# Load dynamic backend modules:
modulepath   /usr/lib/openldap/openldap
# moduleload   back_sock.so
# moduleload   back_shell.so
# moduleload   back_relay.so
# moduleload   back_perl.so
# moduleload   back_passwd.so
# moduleload   back_null.so
# moduleload   back_monitor.so
# moduleload   back_meta.so
# moduleload   back_ldap.so
# moduleload   back_dnssrv.so
moduleload    back_hdb.so

# Sample security restrictions
#   Require integrity protection (prevent hijacking)
#   Require 112-bit (3DES or better) encryption for updates
#   Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#   Root DSE: allow anyone to read it
#   Subschema (sub)entry DSE: allow anyone to read it
#   Other DSEs:
#      Allow self write access
#      Allow authenticated users read access
#      Allow anonymous users to authenticate
#   Directives needed to implement policy:
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
   by self write
   by users read
   by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

database   hdb
suffix      "dc=eotter1979,dc=xs4all,dc=nl"
#         <kbyte> <min>
checkpoint   32   30
rootdn      "cn=Manager,dc=eotter1979,dc=xs4all,dc=nl"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw      <deleted>
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory   /var/lib/openldap-data
# Indices to maintain
index   objectClass   eq


Code:

elmarotter@masterserver ~ $ sudo cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE   dc=eotter1979,dc=xs4all,dc=nl
URI   ldap://eotter1979.xs4all.nl
#URI   ldap://ldap.example.com ldap://ldap-master.example.com:666

TLS_REQUEST     allow
TLS_CERT        /etc/ssl/ldap.pem
TLS_KEY         /etc/openldap/ldap-key.pem

#SIZELIMIT   12
#TIMELIMIT   15
#DEREF      never


Code:


elmarotter@masterserver /etc/openldap $ ls -lah /etc/openldap/
totaal 56K
drwxr-xr-x   4 root root 4,0K 25 okt 22:40 .
drwxr-xr-x 115 root root  12K 27 okt 09:00 ..
-rw-------   1 root root  845 25 okt 22:37 DB_CONFIG.example
-rw-r--r--   1 root root  388 25 okt 22:53 ldap.conf
-rw-r--r--   1 root root  245 25 okt 22:37 ldap.conf.default
-rw-r--r--   1 root root  916 25 okt 22:41 ldap-key.pem
drwxr-xr-x   2 root root 4,0K 25 okt 22:38 schema
-rw-r-----   1 root ldap 2,6K 25 okt 23:08 slapd.conf
-rw-r-----   1 root ldap 2,3K 25 okt 22:38 slapd.conf.default
-rw-------   1 root root 2,6K 25 okt 22:37 slapd.ldif
-rw-------   1 root root 2,6K 25 okt 22:37 slapd.ldif.default
drwxr-xr-x   2 root root 4,0K 25 okt 22:39 ssl


Code:


elmarotter@masterserver /etc/openldap $ ls -lah /etc/ssl/
totaal 72K
drwxr-xr-x   8 root root 4,0K 25 okt 22:41 .
drwxr-xr-x 115 root root  12K 27 okt 09:00 ..
drwxr-xr-x   2 root root 4,0K 30 mei  2011 apache2
drwxr-xr-x   2 root root  20K 29 sep 16:48 certs
-rw-r--r--   1 root root 1,1K 25 okt 22:41 ldap.pem
drwxr-xr-x   4 root root 4,0K 29 sep 16:47 misc
drwxr-xr-x   2 root root 4,0K 24 okt 18:54 nginx
-rw-r--r--   1 root root  11K  4 mei 22:52 openssl.cnf
drwxr-xr-x   2 root root 4,0K  3 jun  2011 postfix
drwx------   2 root root 4,0K 29 sep 16:47 private


Code:

elmarotter@masterserver /etc/openldap $ emerge -pv openldap

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R    ] net-nds/openldap-2.4.30  USE="berkdb crypt ipv6 perl samba sasl ssl syslog tcpd -cxx -debug -experimental -gnutls -icu -iodbc -kerberos -minimal -odbc -overlays (-selinux) -slp -smbkrb5passwd" 5,323 kB

Total: 1 package (1 reinstall), Size of downloads: 5,323 kB
elmar283 (Apprentice)
Joined: 06 Dec 2004
Posts: 299
Location: Haarlem, Netherlands

Posted: Sat Oct 27, 2012 8:24 am

Quote:
One of the first things I've noticed is that you have posted only cert settings in your slapd.conf but not any other security settings (eg TLS_CIPHER_SUITE and possibly sasl settings).


What should I add there? The wiki only speaks of the following:
http://www.gentoo-wiki.info/OpenLDAP#Enable_TLS
Code:

Enable TLS
File: /etc/openldap/ldap.conf
BASE    dc=myserver,dc=mydomain,dc=org
URI     ldap://myserver.mydomain.org

TLS_REQUEST     allow
TLS_CERT        /etc/ssl/ldap.pem
TLS_KEY         /etc/openldap/ldap-key.pem
#TLS_REQCERT     never
elmar283 (Apprentice)
Joined: 06 Dec 2004
Posts: 299
Location: Haarlem, Netherlands

Posted: Sat Oct 27, 2012 8:42 am

I found the following website:
http://www.zytrax.com/books/ldap/ch6/ldap-conf.html

I followed the instructions and tried two ways:
One:
Code:

elmarotter@masterserver /etc/openldap $ cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE   dc=eotter1979,dc=xs4all,dc=nl
URI   ldap://eotter1979.xs4all.nl
#URI   ldap://ldap.example.com ldap://ldap-master.example.com:666

TLS_REQUEST     allow
TLS_CERT        /etc/ssl/ldap.pem
TLS_KEY         /etc/openldap/ldap-key.pem
TLS_CACERT   /etc/ssl/ldap.pem
openssl ciphers -v ALL

#SIZELIMIT   12
#TIMELIMIT   15
#DEREF      never


Result:
Code:


elmarotter@masterserver /etc/openldap $ openssl s_client -connect eotter1979.xs4all.nl:636 -CAfile /etc/ssl/ldap.pem
CONNECTED(00000003)
1349801608:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:658:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 211 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---


TWO:
Code:


elmarotter@masterserver /etc/openldap $ cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE   dc=eotter1979,dc=xs4all,dc=nl
URI   ldap://eotter1979.xs4all.nl
#URI   ldap://ldap.example.com ldap://ldap-master.example.com:666

TLS_REQUEST     allow
TLS_CERT        /etc/ssl/ldap.pem
TLS_KEY         /etc/openldap/ldap-key.pem
TLS_CACERT   /etc/ssl/ldap.pem
#openssl ciphers -v ALL

# Cipher-list contains only RSA based
# authentication and key-exchange suites
# supported by TLSv1 (and SSLv3)
TLS_CIPHER_SUITE TLSv1+RSA

# Cipher-list contains only RSA based
# authentication and key-exchange suites
# supported by TLSv1 (and SSLv3)
# excludes EXPORT and NULL suites
TLS_CIPHER_SUITE TLSv1+RSA:!EXPORT:!NULL

# Ordered list of RSA based
# authentication and key-exchange suites
TLS_CIPHER_SUITE DES-CBC-SHA:DES-CBC3-SHA:RC4-SHA:RC4-MD5

# All ciphers excluding NULL
TLS_CIPHER_SUITE ALL:!NULL

# Default equivalent value if not defined
TLS_CIPHER_SUITE ALL

#SIZELIMIT   12
#TIMELIMIT   15
#DEREF      never


Result:
Code:


elmarotter@masterserver /etc/openldap $ openssl s_client -connect eotter1979.xs4all.nl:636 -CAfile /etc/ssl/ldap.pem
CONNECTED(00000003)
1357117064:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:658:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 211 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---


It seems that openssl just isn't supported. These are the ciphers that are supported.
Code:

elmarotter@masterserver /etc/openldap $ openssl ciphers -v ALL
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(256) Mac=SHA1
AECDH-AES256-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
ADH-CAMELLIA256-SHA     SSLv3 Kx=DH       Au=None Enc=Camellia(256) Mac=SHA1
ECDH-RSA-AES256-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA1
ECDH-ECDSA-AES256-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
PSK-AES256-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH     Au=RSA  Enc=3DES(168) Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH     Au=ECDSA Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
AECDH-DES-CBC3-SHA      SSLv3 Kx=ECDH     Au=None Enc=3DES(168) Mac=SHA1
ADH-DES-CBC3-SHA        SSLv3 Kx=DH       Au=None Enc=3DES(168) Mac=SHA1
ECDH-RSA-DES-CBC3-SHA   SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
ECDH-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
PSK-3DES-EDE-CBC-SHA    SSLv3 Kx=PSK      Au=PSK  Enc=3DES(168) Mac=SHA1
ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
DHE-RSA-SEED-SHA        SSLv3 Kx=DH       Au=RSA  Enc=SEED(128) Mac=SHA1
DHE-DSS-SEED-SHA        SSLv3 Kx=DH       Au=DSS  Enc=SEED(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1
DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(128) Mac=SHA1
AECDH-AES128-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(128)  Mac=SHA1
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
ADH-SEED-SHA            SSLv3 Kx=DH       Au=None Enc=SEED(128) Mac=SHA1
ADH-CAMELLIA128-SHA     SSLv3 Kx=DH       Au=None Enc=Camellia(128) Mac=SHA1
ECDH-RSA-AES128-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA1
ECDH-ECDSA-AES128-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
SEED-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=SEED(128) Mac=SHA1
CAMELLIA128-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA1
IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
IDEA-CBC-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=MD5
RC2-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5
PSK-AES128-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA1
ECDHE-RSA-RC4-SHA       SSLv3 Kx=ECDH     Au=RSA  Enc=RC4(128)  Mac=SHA1
ECDHE-ECDSA-RC4-SHA     SSLv3 Kx=ECDH     Au=ECDSA Enc=RC4(128)  Mac=SHA1
AECDH-RC4-SHA           SSLv3 Kx=ECDH     Au=None Enc=RC4(128)  Mac=SHA1
ADH-RC4-MD5             SSLv3 Kx=DH       Au=None Enc=RC4(128)  Mac=MD5
ECDH-RSA-RC4-SHA        SSLv3 Kx=ECDH/RSA Au=ECDH Enc=RC4(128)  Mac=SHA1
ECDH-ECDSA-RC4-SHA      SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=RC4(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
PSK-RC4-SHA             SSLv3 Kx=PSK      Au=PSK  Enc=RC4(128)  Mac=SHA1
EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)   Mac=SHA1
EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Au=DSS  Enc=DES(56)   Mac=SHA1
ADH-DES-CBC-SHA         SSLv3 Kx=DH       Au=None Enc=DES(56)   Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
DES-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=MD5
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=DSS  Enc=DES(40)   Mac=SHA1 export
EXP-ADH-DES-CBC-SHA     SSLv3 Kx=DH(512)  Au=None Enc=DES(40)   Mac=SHA1 export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-ADH-RC4-MD5         SSLv3 Kx=DH(512)  Au=None Enc=RC4(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export


And when I try the 443 port I do have some success. But that is not what I want. Could this indicate that openldap isn't listening on port 639?

Code:
elmarotter@masterserver /etc/openldap $ openssl s_client -connect eotter1979.xs4all.nl:443 -CAfile /etc/ssl/ldap.pem
CONNECTED(00000003)
depth=0 C = NL, ST = Friesland, L = Leeuwarden, O = eotter1979.xs4all.nl, CN = eotter1979.xs4all.nl, emailAddress = elmarotter@eotter1979.xs4all.nl
verify error:num=18:self signed certificate
verify return:1
depth=0 C = NL, ST = Friesland, L = Leeuwarden, O = eotter1979.xs4all.nl, CN = eotter1979.xs4all.nl, emailAddress = elmarotter@eotter1979.xs4all.nl
verify return:1
---
Certificate chain
 0 s:/C=NL/ST=Friesland/L=Leeuwarden/O=eotter1979.xs4all.nl/CN=eotter1979.xs4all.nl/emailAddress=elmarotter@eotter1979.xs4all.nl
   i:/C=NL/ST=Friesland/L=Leeuwarden/O=eotter1979.xs4all.nl/CN=eotter1979.xs4all.nl/emailAddress=elmarotter@eotter1979.xs4all.nl
---
Server certificate
-----BEGIN CERTIFICATE-----
<deleted>
-----END CERTIFICATE-----
subject=/C=NL/ST=Friesland/L=Leeuwarden/O=eotter1979.xs4all.nl/CN=eotter1979.xs4all.nl/emailAddress=elmarotter@eotter1979.xs4all.nl
issuer=/C=NL/ST=Friesland/L=Leeuwarden/O=eotter1979.xs4all.nl/CN=eotter1979.xs4all.nl/emailAddress=elmarotter@eotter1979.xs4all.nl
---
No client certificate CA names sent
---
SSL handshake has read 1459 bytes and written 409 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 4C12B0B9FFDD361DB791B3CEE28D02109D81C70F2B3859741A63CC32B225FF3A
    Session-ID-ctx:
    Master-Key: <deleted>
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket:
    <deleted>

    Compression: 1 (zlib compression)
    Start Time: 1351326826
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
elmar283 (Apprentice)
Joined: 06 Dec 2004
Posts: 299
Location: Haarlem, Netherlands

Posted: Sat Oct 27, 2012 9:04 am

I think that I've solved the problem by following this guide:
http://www.zytrax.com/books/ldap/ch15/#tls

I created a new cert and a new key:
Code:

elmarotter@masterserver ~ $ cd /etc/openldap/
mkdir /certs
mkdir /certs/keys
cd certs
# create server/CA cert and private key without passphrase
# valid for 10 years using current RSA recommendations for key size
# RSA is used as the key-exchange protocol
openssl req -x509 -nodes -days 3650 -newkey rsa:2048  -keyout keys/ldapskey.pem -out ldapscert.pem

# leaves the cert in
# certs/ldapscert.pem
# (the cert may be used as a server or CA cert)
# leaves the private key in
# certs/keys/ldapskey.pem

# set permissions
chown -R ldap:ldap /certs/*
chmod 0400 certs/keys/ldapskey.pem


Then my config files:
Code:

elmarotter@masterserver /etc/openldap $ sudo cat /etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include      /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral   ldap://root.openldap.org

pidfile      /var/run/openldap/slapd.pid
argsfile   /var/run/openldap/slapd.args

# Load dynamic backend modules:
modulepath   /usr/lib/openldap/openldap
# moduleload   back_sock.so
# moduleload   back_shell.so
# moduleload   back_relay.so
# moduleload   back_perl.so
# moduleload   back_passwd.so
# moduleload   back_null.so
# moduleload   back_monitor.so
# moduleload   back_meta.so
# moduleload   back_ldap.so
# moduleload   back_dnssrv.so
moduleload    back_hdb.so

# Sample security restrictions
#   Require integrity protection (prevent hijacking)
#   Require 112-bit (3DES or better) encryption for updates
#   Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#   Root DSE: allow anyone to read it
#   Subschema (sub)entry DSE: allow anyone to read it
#   Other DSEs:
#      Allow self write access
#      Allow authenticated users read access
#      Allow anonymous users to authenticate
#   Directives needed to implement policy:
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
   by self write
   by users read
   by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

database   hdb
suffix      "dc=eotter1979,dc=xs4all,dc=nl"
#         <kbyte> <min>
checkpoint   32   30
rootdn      "cn=Manager,dc=eotter1979,dc=xs4all,dc=nl"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw      <deleted>
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory   /var/lib/openldap-data
# Indices to maintain
index   objectClass   eq


# Security - TLS section
TLSCertificateFile /etc/openldap/certs/ldapscert.pem
TLSCertificateKeyFile /etc/openldap/certs/keys/ldapskey.pem
TLSCipherSuite TLSv1+RSA:!NULL
# the following directive is the default but
# is explicitly included for visibility reasons
TLSVerifyClient never


Code:


elmarotter@masterserver /etc/openldap $ sudo cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE   dc=eotter1979,dc=xs4all,dc=nl
URI   ldap://eotter1979.xs4all.nl
#URI   ldap://ldap.example.com ldap://ldap-master.example.com:666

TLS_REQUEST     allow
TLS_CERT        /etc/openldap/certs/ldapscert.pem
TLS_KEY         /etc/openldap/certs/keys/ldapkey.pem
TLS_CACERT   /etc/openldap/certs/ldapscert.pem
#openssl ciphers -v ALL

# Cipher-list contains only RSA based
# authentication and key-exchange suites
# supported by TLSv1 (and SSLv3)
TLS_CIPHER_SUITE TLSv1+RSA

# Cipher-list contains only RSA based
# authentication and key-exchange suites
# supported by TLSv1 (and SSLv3)
# excludes EXPORT and NULL suites
TLS_CIPHER_SUITE TLSv1+RSA:!EXPORT:!NULL

# Ordered list of RSA based
# authentication and key-exchange suites
TLS_CIPHER_SUITE DES-CBC-SHA:DES-CBC3-SHA:RC4-SHA:RC4-MD5

# All ciphers excluding NULL
TLS_CIPHER_SUITE ALL:!NULL

# Default equivalent value if not defined
TLS_CIPHER_SUITE ALL

#SIZELIMIT   12
#TIMELIMIT   15
#DEREF      never


I restarted slapd:
Code:

elmarotter@masterserver /etc/openldap $ sudo /etc/init.d/slapd restart
 * Stopping ldap-server ...                                                                                                                                                                           [ ok ]
 * Starting ldap-server ...   


Then:
Code:

elmarotter@masterserver /etc/openldap $ openssl s_client -connect eotter1979.xs4all.nl:636 -CAfile /etc/openldap/certs/ldapscert.pem
CONNECTED(00000003)
depth=0 C = NL, ST = Friesland, L = Leeuwarden, O = eotter1979.xs4all.nl, CN = eotter1979.xs4all.nl, emailAddress = <deleted>
verify return:1
---
Certificate chain
 0 s:/C=NL/ST=Friesland/L=Leeuwarden/O=eotter1979.xs4all.nl/CN=eotter1979.xs4all.nl/emailAddress=<deleted>
   i:/C=NL/ST=Friesland/L=Leeuwarden/O=eotter1979.xs4all.nl/CN=eotter1979.xs4all.nl/emailAddress=<deleted>
---
Server certificate
-----BEGIN CERTIFICATE-----
<deleted>
-----END CERTIFICATE-----
subject=/C=NL/ST=Friesland/L=Leeuwarden/O=eotter1979.xs4all.nl/CN=eotter1979.xs4all.nl/emailAddress=<deleted>
issuer=/C=NL/ST=Friesland/L=Leeuwarden/O=eotter1979.xs4all.nl/CN=eotter1979.xs4all.nl/emailAddress=<deleted>
---
No client certificate CA names sent
---
SSL handshake has read 1365 bytes and written 537 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 03F019CFDF00491B82EB3003C548620E7749B03C4EB057030369F1C26804750E
    Session-ID-ctx:
    Master-Key: <deleted>
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket:
   <deleted>

    Compression: 1 (zlib compression)
    Start Time: 1351328179
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
bensimons (n00b)
Joined: 20 Feb 2014
Posts: 8

Posted: Thu Feb 20, 2014 11:25 am
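The fix above came down to slapd.conf having no TLS section at all, so slapd could not answer a handshake on 636 even though the Apache/Postfix certificate on 443 worked; the final ldap.conf also repeats TLS_CIPHER_SUITE several times and names the key file ldapkey.pem where the server uses ldapskey.pem. The offline checker below is an added example, not code from the thread or from OpenLDAP; the configuration texts it reads are constructed samples cut down from the files posted above, and the finding codes are my own.

```python
"""Offline lint for an OpenLDAP TLS setup: reads slapd.conf (server side) and
ldap.conf (client side) as text and reports the mistakes seen in this thread."""
from collections import Counter
from os.path import basename

# Constructed sample inputs, cut down from the configs posted in the thread.
SLAPD_CONF_BEFORE = """\
include      /etc/openldap/schema/core.schema
database   hdb
suffix      "dc=eotter1979,dc=xs4all,dc=nl"
rootdn      "cn=Manager,dc=eotter1979,dc=xs4all,dc=nl"
directory   /var/lib/openldap-data
"""

SLAPD_CONF_AFTER = SLAPD_CONF_BEFORE + """\
# Security - TLS section
TLSCertificateFile /etc/openldap/certs/ldapscert.pem
TLSCertificateKeyFile /etc/openldap/certs/keys/ldapskey.pem
TLSCipherSuite TLSv1+RSA:!NULL
TLSVerifyClient never
"""

LDAP_CONF = """\
BASE   dc=eotter1979,dc=xs4all,dc=nl
URI   ldap://eotter1979.xs4all.nl
TLS_REQUEST     allow
TLS_CERT        /etc/openldap/certs/ldapscert.pem
TLS_KEY         /etc/openldap/certs/keys/ldapkey.pem
TLS_CACERT   /etc/openldap/certs/ldapscert.pem
TLS_CIPHER_SUITE TLSv1+RSA
TLS_CIPHER_SUITE TLSv1+RSA:!EXPORT:!NULL
TLS_CIPHER_SUITE ALL
"""


def parse_directives(text):
    """(key, value) pairs for every non-blank, non-comment line, in file order."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        pairs.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return pairs


def check_slapd(text):
    """Server side: without a certificate and key slapd cannot complete a TLS
    handshake, which is the bare 'handshake failure' seen on port 636."""
    conf = dict(parse_directives(text))
    findings = []
    for key in ("TLSCertificateFile", "TLSCertificateKeyFile"):
        if key not in conf:
            findings.append(("no-server-tls", f"slapd.conf lacks {key}; ldaps:// cannot work"))
    suite = conf.get("TLSCipherSuite", "ALL")  # OpenLDAP's default is ALL
    if not any(tok in suite for tok in ("!EXPORT", "!EXP", "!LOW")):
        findings.append(("weak-ciphers", f"TLSCipherSuite '{suite}' does not exclude export/low suites"))
    if "security" not in conf:
        findings.append(("no-ssf", "no 'security' directive: binds over plain ldap:// are still accepted"))
    return findings


def check_ldap_conf(text, slapd_text):
    """Client side: ldap.conf keeps the LAST value of a repeated directive, and
    with a self-signed server cert TLS_CACERT must be that very certificate."""
    pairs = parse_directives(text)
    server = dict(parse_directives(slapd_text))
    findings = []
    for key, n in Counter(k for k, _ in pairs).items():
        if n > 1:
            findings.append(("duplicate-directive", f"{key} set {n} times; only the last one counts"))
    client = dict(pairs)  # same last-wins semantics as libldap
    if client.get("TLS_CACERT") != server.get("TLSCertificateFile"):
        findings.append(("cacert-mismatch", "TLS_CACERT differs from TLSCertificateFile: fine for a "
                         "CA-signed cert, fatal for a self-signed one"))
    if client.get("TLS_REQCERT", "demand") == "never":
        findings.append(("no-verify", "TLS_REQCERT never switches off certificate verification"))
    # TLS_CERT/TLS_KEY are a *client* certificate, only used when slapd asks for one
    # (TLSVerifyClient), so a typo in the key file name goes unnoticed at runtime.
    key = client.get("TLS_KEY", "")
    if key and basename(key) != basename(server.get("TLSCertificateKeyFile", "")):
        findings.append(("key-name-mismatch", f"TLS_KEY {key} does not match the server's key file name"))
    return findings


if __name__ == "__main__":
    for label, conf in (("before", SLAPD_CONF_BEFORE), ("after", SLAPD_CONF_AFTER)):
        print(f"slapd.conf ({label}):", check_slapd(conf))
    print("ldap.conf:", check_ldap_conf(LDAP_CONF, SLAPD_CONF_AFTER))
```

The checker only reads configuration text; pointing `openssl s_client -connect host:636` at the server, as done in the thread, remains the live confirmation that slapd actually serves the certificate.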

elmar283 wrote:
I think that I've solved the problem by following this guide:
http://www.zytrax.com/books/ldap/ch15


Brilliant. Thank you.

This is a very good guide. It is detailed, technically correct,
disciplined in what to get working first, and quite funny in parts.

PS. minor note: there are some (obvious) typos with the leading '/' on the dir-names
in the 'mkdir' commands. i.e. you'd really want to:
mkdir -p /etc/openldap/certs/keys
cd /etc/openldap/certs
openssl ...