Thursday, October 27, 2016

ubuntu - Setting up a Linux client for OpenLDAP over SSL

I'm trying to set up SSL with a server running OpenLDAP (and using OpenSSL, not GnuTLS).

The server seems to be working fine: I can authenticate using ldap:// and can also use ldaps:// from Apache Directory Studio. I can use LDAPS from the client as well, as long as I have this setting in /etc/ldap.conf:

tls_checkpeer no

As soon as I try to use tls_checkpeer yes the SSL connection is refused.



I have the following settings on the server:

olcTLSCACertificateFile  /etc/ssl/certs/cacert.pem
olcTLSCertificateFile /etc/ssl/private/newcert.pem
olcTLSCertificateKeyFile /etc/ssl/private/newreq.pem

The client has these related entries:

# ssl on
uri ldaps://192.168.1.15
tls_checkpeer no
# tls_cacertdir /etc/ssl/certs
# tls_cacertfile /etc/ssl/certs/cacert.pem

The file /etc/ssl/certs/cacert.pem is accessible to users for reading. With the above configuration, it works. If I uncomment one of the two commented tls_* configuration entries and change to tls_checkpeer yes, it fails.



I've tried using both cacert.pem and newcert.pem for the certificate (tls_cacertfile) and it didn't work. The cacert.pem has a -----BEGIN CERTIFICATE----- section, as does newcert.pem.

However, the cacert.pem has this under X509v3 extensions:

X509v3 Basic Constraints: 
CA:TRUE

...and the newcert.pem file has this in the same section:

X509v3 Basic Constraints: 
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate

Other certificates in /etc/ssl/certs have nothing in them except the block marked by BEGIN CERTIFICATE.




Using this command:

openssl s_client -connect 192.168.6.144:636 -showcerts

I can see the contents of cacert.pem and newcert.pem being used for the session.

I've not made changes to /etc/ldap/ldap.conf on either the client or the server.

Errors from the client include:

Feb  8 14:32:24 foo nscd: nss_ldap: could not connect to any LDAP server as cn=admin,dc=example,dc=com - Can't contact LDAP server
Feb 8 14:32:24 foo nscd: nss_ldap: failed to bind to LDAP server ldaps://bar: Can't contact LDAP server
Feb 8 14:32:24 foo nscd: nss_ldap: could not search LDAP server - Server is unavailable


There are no special log entries on the server. The client is Ubuntu Lucid Lynx 10.04, as is the server. All are using nscd.



Attempting to replicate the problem on a Red Hat Enterprise Linux 5.7 system fails in the opposite direction: something that should probably fail does not: using tls_checkpeer yes with an empty tls_cacertdir directory. I need SSL to work on both systems; we have a mix of both Ubuntu and RHEL.

I restarted nscd after each configuration change.

These are my actual questions:

  • How do I get the tls_checkpeer option working? (main question)

  • Does ssl on actually do anything on the client?

Thanks.
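As an added example (not part of the original post), the following shell script reproduces, in a throwaway directory, what tls_checkpeer yes asks the client to do: validate the server's certificate chain against the file named in tls_cacertfile. It builds a test CA and a server certificate with constructed names, then checks that the server certificate validates against the CA file, that it is rejected when the server certificate itself is used as the trust anchor (the newcert.pem-as-tls_cacertfile attempt described above), and that only the CA certificate carries CA:TRUE. The file names mirror the question; the CA name, server name and certificate contents are constructed.

```sh
#!/bin/sh
# Added example, not from the original post: a throwaway PKI that shows what
# tls_checkpeer yes requires of the client. The CA name, server name and
# certificate contents are constructed; only the file names mirror the question.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed test CA (openssl req -x509 marks it CA:TRUE by default)
# and a server certificate issued by that CA with an explicit CA:FALSE, so the
# two files carry the same Basic Constraints as the ones in the question.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=ldap.example.com" \
        -keyout "$WORK/newreq.pem" -out "$WORK/newcert.csr" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\n' > "$WORK/leaf.ext"
    openssl x509 -req -days 1 -in "$WORK/newcert.csr" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -extfile "$WORK/leaf.ext" -out "$WORK/newcert.pem" >/dev/null 2>&1
}

# verify_against TRUST_FILE CERT_FILE: the chain check a client performs with
# tls_checkpeer yes and tls_cacertfile TRUST_FILE. Exit status 0 means the
# certificate chains to a trusted self-signed CA in TRUST_FILE.
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# is_ca_cert FILE: succeeds only if the certificate carries
# "X509v3 Basic Constraints: CA:TRUE", i.e. it can serve as a trust anchor.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

report() {
    if verify_against "$1" "$2"; then
        echo "tls_cacertfile=$(basename "$1"): $(basename "$2") validates"
    else
        echo "tls_cacertfile=$(basename "$1"): $(basename "$2") is REJECTED"
    fi
}

main() {
    make_test_pki
    # The CA file is the right trust anchor for the server certificate.
    report "$WORK/cacert.pem" "$WORK/newcert.pem"
    # Pointing tls_cacertfile at the server certificate itself is rejected:
    # it is CA:FALSE and its issuer is absent from the trust store.
    report "$WORK/newcert.pem" "$WORK/newcert.pem"
    for f in cacert.pem newcert.pem; do
        if is_ca_cert "$WORK/$f"; then
            echo "$f: CA:TRUE (usable as tls_cacertfile)"
        else
            echo "$f: not a CA certificate"
        fi
    done
}

main
```

Run it with sh. The same openssl verify -CAfile check, applied to the real /etc/ssl/certs/cacert.pem and the server certificate shown by openssl s_client -showcerts, tells you whether the CA file the client is pointed at actually issued the certificate the server presents; if that command fails on the client, tls_checkpeer yes will fail too. Note that this script checks only the chain: a client that verifies the peer may additionally require the certificate to name the host it connected to, which matters when the uri uses an IP address.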
