FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.

» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Ubuntu > Ubuntu Server Development
Reload this Page Help about openldap ssl

 
 
LinkBack Thread Tools
 
Old 06-17-2011, 12:54 PM
Aldyth Maharsha
 
Default Help about openldap ssl
Hi list, i'm have trouble with setup openldap ssl in my ubuntu server 11.04 2.6.38-8-server

I'm can setup ldap without ssl perfectly with samba PDC at different server(ldap server and samba server in another machine). I'm using guide from https://help.ubuntu.com/11.04/serverguide/C/openldap-server.html for setup ldaps but it is failed.


My /etc/ldap/ldap.conf :
root@sunko02:/etc/ssl# cat /etc/ldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE*** dc=sunko,dc=local

#URI*** ldap://ldap.example.com ldap://ldap-master.example.com:666
URI*** ldap://10.1.0.2
TLS_REQCERT allow

TLS_CACERT /etc/ssl/certs/cacert.pem
ssl start_tls
#SIZELIMIT*** 12
#TIMELIMIT*** 15
#DEREF******* never


I'm checking TLS configuration like that :
root@sunko02:/etc/ssl# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config | grep TLS

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn =auth
SASL SSF: 0
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
olcTLSCertificateFile: /etc/ssl/certs/sunko02_slapd_cert.pem

olcTLSCertificateKeyFile: /etc/ssl/private/sunko02_slapd_key.pem
olcAttributeTypes: ( OLcfgGlAt:68 NAME 'olcTLSCACertificateFile' SYNTAX OMsDir
olcAttributeTypes: ( OLcfgGlAt:69 NAME 'olcTLSCACertificatePath' SYNTAX OMsDir

olcAttributeTypes: ( OLcfgGlAt:70 NAME 'olcTLSCertificateFile' SYNTAX OMsDirec
olcAttributeTypes: ( OLcfgGlAt:71 NAME 'olcTLSCertificateKeyFile' SYNTAX OMsDi
olcAttributeTypes: ( OLcfgGlAt:72 NAME 'olcTLSCipherSuite' SYNTAX OMsDirectory

.................................................. .................................................. .......................

And if i'm searching records into ldap server, like that :
root@sunko02:/etc/ssl# ldapsearch -xLLL -d1 -b "dc=sunko,dc=local" -H ldaps://localhost ou=ktm

ldap_url_parse_ext(ldaps://localhost)
ldap_create
ldap_url_parse_ext(ldaps://localhost:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:636

ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request

.................................................. .................................................. .........................

When i'm check with openssl like that :
root@sunko02:/etc/ssl# openssl s_client -connect localhost:636 -showcerts

CONNECTED(00000003)
depth=1 /CN=sunko.local
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
*0 s:/O=sunko.local/CN=sunko02.sunko.local
** i:/CN=sunko.local

-----BEGIN CERTIFICATE-----
MIIDODCCAiKgAwIBAgIETfsLTDALBgkqhkiG9w0BAQUwFjEUMB IGA1UEAxMLc3Vu
a28ubG9jYWwwHhcNMTEwNjE3MDgwNzQwWhcNMTIwNjE2MDgwNz QwWjA0MRQwEgYD
VQQKEwtzdW5rby5sb2NhbDEcMBoGA1UEAxMTc3Vua28wMi5zdW 5rby5sb2NhbDCC

ASAwCwYJKoZIhvcNAQEBA4IBDwAwggEKAoIBAQDQCpCzwdF3ZQ tWrPhXIXNSv6VG
Jts1ljGAwKXp691ImNNFawwMQ1uGIqIQvTeavGLicaFmPdgMWO f7KyFYS/KkOnzK
+klZ6+B3xTmYcY+HBkvIHQMZkgs8F27OI4v2sKH7MvozOR1IZc v9FyGQzvpyEdm+
WGvckNrh0bwhcB2yET/HVndDly3BT5I64jxQdhW5DijjKBXIKptS06u0afqzoDey

iXG2ycxBW2BcwJV6TOuRQkGw3Z3N9gybD6a5zF5M5dXEv5Da98 oiSFMmSTF4cN+6
QJtOxxJi3OcwulCKfeC/7ddYdpiOEtg1KxG0Pwykj42+IWWECS7FN1IiMzT3AgMB
AAGjdjB0MAwGA1UdEwEB/wQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0P
AQH/BAUDAwegADAdBgNVHQ4EFgQUkMQMR0ovnpt0ZQM+oxjRyGAdZM AwHwYDVR0j

BBgwFoAUpvHIAJKiXXZTvev7NkqeQHB/Z+IwCwYJKoZIhvcNAQEFA4IBAQCV1q+p
6yiAVhcdT5to4nZmrFVrz+GimI58+teEqYvjHz/waWHXl1tFblb9Ub2u6gKDJlKv
xsMWOC2ORmgVeBlDzFsGzsMRrtUjF4VeenJpp9r3vEwY/P785v2OOzLbVKonLhgS
DG+78iAo6RIxzPbBcWHsULYd9uqPd7PRKYF9Nw048Iy9aemnsS +9sbkW3qO/A8DU

ebQPNRh1um1hJQx3r04TIY4L0f4xYSrwMdhkvIBWxEB95DtAfq QQYh/ZdPHlo/7F
M6E1FpwT1txS8UlGCJ8ySI8eekM06Pg7OKjhkwmf5t40VjtQsp LqSLyGpgvbfsab
GcsNgTgUpY5/a4KD
-----END CERTIFICATE-----
*1 s:/CN=sunko.local
** i:/CN=sunko.local

-----BEGIN CERTIFICATE-----
MIIC5zCCAdGgAwIBAgIETfsK9jALBgkqhkiG9w0BAQUwFjEUMB IGA1UEAxMLc3Vu
a28ubG9jYWwwHhcNMTEwNjE3MDgwNjE0WhcNMTIwNjE2MDgwNj E0WjAWMRQwEgYD
VQQDEwtzdW5rby5sb2NhbDCCASAwCwYJKoZIhvcNAQEBA4IBDw AwggEKAoIBAQDM

Pnnzbbg1tACaFBM63ZYFrVxiyIdk46CuvXWe1WZ/XEJFzLovQztkvZmHDw23jk8w
dcTAP0IMXwN/MbjF4tkMqziOeteNGS8pkn5QS9tPRalnGN9cjQfCixtFwxJwJd 91
GyaWqy8lHQorY4alBDnpyBxRpAZgY7/CjYkS3TvIN+MM+//ffzBsgiQNxKnzBas3
N7BVSjYGJKB3ei9Jmo/eI6JkWUSP07Ob9bVvNK5BOFlH6B2L+MhE7n0LVRRD41Ls

LXP3A9/F8czmZp8yAPiAaKtwaRK+ka3C7Z6HoOoY+evmcZqAuAwvoZnh3 U27sjtl
pV1o4wzNkVL7yMxwfQxPAgMBAAGjQzBBMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0P
AQH/BAUDAwcEADAdBgNVHQ4EFgQUpvHIAJKiXXZTvev7NkqeQHB/Z+IwCwYJKoZI
hvcNAQEFA4IBAQCkNZARxGtbuSa2yHkJF9e0GdSxr/+P8bFkxXD/js+oSEUYfNzu

It4Ub8LFPmNNqiAQt3TCw7eJr/fM0HEcpq7G1CHsg8M00dG5qX794jGnEqv8aoGI
SzRvLiH5YyUdTPjdYlF+CUQAjgz2lyMdv5XSu+SdhVYInMAQ47 Bl2lOo8Q3daumV
HsAxk7ososnuLqgXm1gLL6aOwpJhuljxJhywq8Bt7wnovBDHvW co+gH5wudWXHbV
ik62Iuzos2H+EcZFWmYW6Y/ELbfdAv3ITTiEKFkgir0cXDXVs26wy8BSIp0bgN+w

Oc2WXFRkANeiW/SrARXCIuSBsdGkqYm7xbJe
-----END CERTIFICATE-----
---
Server certificate
subject=/O=sunko.local/CN=sunko02.sunko.local
issuer=/CN=sunko.local
---
No client certificate CA names sent
---

SSL handshake has read 1756 bytes and written 421 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

SSL-Session:
*** Protocol* : TLSv1
*** Cipher*** : AES256-SHA
*** Session-ID: 9DEEFB20AE5ADC9DBDC614E097F34180F98A3017FB483BB2DB D95B0E43F1C57F
*** Session-ID-ctx:
*** Master-Key: D8F5A6A0A091E004F4D6AF4A42F651419BCFCDE76CD839FB9E 658A83B5805489CE33216C67A9A60E66265C15A9878FEA

*** Key-Arg** : None
*** Start Time: 1308308316
*** Timeout** : 300 (sec)
*** Verify return code: 19 (self signed certificate in certificate chain)
---

And i'm try to checking the certificate from ldap client :

root@sunko08:/etc# gnutls-cli --print-cert -p 636 sunko02.sunko.local
Resolving 'sunko02.sunko.local'...
Connecting to '10.1.0.2:636'...
- Certificate type: X.509
*- Got a certificate list of 2 certificates.

*- Certificate[0] info:
* - subject `O=sunko.local,CN=sunko02.sunko.local', issuer `CN=sunko.local', RSA key 2048 bits, signed using RSA-SHA, activated `2011-06-17 08:07:40 UTC', expires `2012-06-16 08:07:40 UTC', SHA-1 fingerprint `f649580f9a039ae3356c80fc5a9786606a94892f'


-----BEGIN CERTIFICATE-----
MIIDODCCAiKgAwIBAgIETfsLTDALBgkqhkiG9w0BAQUwFjEUMB IGA1UEAxMLc3Vu
a28ubG9jYWwwHhcNMTEwNjE3MDgwNzQwWhcNMTIwNjE2MDgwNz QwWjA0MRQwEgYD
VQQKEwtzdW5rby5sb2NhbDEcMBoGA1UEAxMTc3Vua28wMi5zdW 5rby5sb2NhbDCC

ASAwCwYJKoZIhvcNAQEBA4IBDwAwggEKAoIBAQDQCpCzwdF3ZQ tWrPhXIXNSv6VG
Jts1ljGAwKXp691ImNNFawwMQ1uGIqIQvTeavGLicaFmPdgMWO f7KyFYS/KkOnzK
+klZ6+B3xTmYcY+HBkvIHQMZkgs8F27OI4v2sKH7MvozOR1IZc v9FyGQzvpyEdm+
WGvckNrh0bwhcB2yET/HVndDly3BT5I64jxQdhW5DijjKBXIKptS06u0afqzoDey

iXG2ycxBW2BcwJV6TOuRQkGw3Z3N9gybD6a5zF5M5dXEv5Da98 oiSFMmSTF4cN+6
QJtOxxJi3OcwulCKfeC/7ddYdpiOEtg1KxG0Pwykj42+IWWECS7FN1IiMzT3AgMB
AAGjdjB0MAwGA1UdEwEB/wQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0P
AQH/BAUDAwegADAdBgNVHQ4EFgQUkMQMR0ovnpt0ZQM+oxjRyGAdZM AwHwYDVR0j

BBgwFoAUpvHIAJKiXXZTvev7NkqeQHB/Z+IwCwYJKoZIhvcNAQEFA4IBAQCV1q+p
6yiAVhcdT5to4nZmrFVrz+GimI58+teEqYvjHz/waWHXl1tFblb9Ub2u6gKDJlKv
xsMWOC2ORmgVeBlDzFsGzsMRrtUjF4VeenJpp9r3vEwY/P785v2OOzLbVKonLhgS
DG+78iAo6RIxzPbBcWHsULYd9uqPd7PRKYF9Nw048Iy9aemnsS +9sbkW3qO/A8DU

ebQPNRh1um1hJQx3r04TIY4L0f4xYSrwMdhkvIBWxEB95DtAfq QQYh/ZdPHlo/7F
M6E1FpwT1txS8UlGCJ8ySI8eekM06Pg7OKjhkwmf5t40VjtQsp LqSLyGpgvbfsab
GcsNgTgUpY5/a4KD
-----END CERTIFICATE-----

*- Certificate[1] info:
* - subject `CN=sunko.local', issuer `CN=sunko.local', RSA key 2048 bits, signed using RSA-SHA, activated `2011-06-17 08:06:14 UTC', expires `2012-06-16 08:06:14 UTC', SHA-1 fingerprint `8fa7124b92ee007fcec09bca618c2fa2100dbe5c'


-----BEGIN CERTIFICATE-----
MIIC5zCCAdGgAwIBAgIETfsK9jALBgkqhkiG9w0BAQUwFjEUMB IGA1UEAxMLc3Vu
a28ubG9jYWwwHhcNMTEwNjE3MDgwNjE0WhcNMTIwNjE2MDgwNj E0WjAWMRQwEgYD
VQQDEwtzdW5rby5sb2NhbDCCASAwCwYJKoZIhvcNAQEBA4IBDw AwggEKAoIBAQDM

Pnnzbbg1tACaFBM63ZYFrVxiyIdk46CuvXWe1WZ/XEJFzLovQztkvZmHDw23jk8w
dcTAP0IMXwN/MbjF4tkMqziOeteNGS8pkn5QS9tPRalnGN9cjQfCixtFwxJwJd 91
GyaWqy8lHQorY4alBDnpyBxRpAZgY7/CjYkS3TvIN+MM+//ffzBsgiQNxKnzBas3
N7BVSjYGJKB3ei9Jmo/eI6JkWUSP07Ob9bVvNK5BOFlH6B2L+MhE7n0LVRRD41Ls

LXP3A9/F8czmZp8yAPiAaKtwaRK+ka3C7Z6HoOoY+evmcZqAuAwvoZnh3 U27sjtl
pV1o4wzNkVL7yMxwfQxPAgMBAAGjQzBBMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0P
AQH/BAUDAwcEADAdBgNVHQ4EFgQUpvHIAJKiXXZTvev7NkqeQHB/Z+IwCwYJKoZI
hvcNAQEFA4IBAQCkNZARxGtbuSa2yHkJF9e0GdSxr/+P8bFkxXD/js+oSEUYfNzu

It4Ub8LFPmNNqiAQt3TCw7eJr/fM0HEcpq7G1CHsg8M00dG5qX794jGnEqv8aoGI
SzRvLiH5YyUdTPjdYlF+CUQAjgz2lyMdv5XSu+SdhVYInMAQ47 Bl2lOo8Q3daumV
HsAxk7ososnuLqgXm1gLL6aOwpJhuljxJhywq8Bt7wnovBDHvW co+gH5wudWXHbV
ik62Iuzos2H+EcZFWmYW6Y/ELbfdAv3ITTiEKFkgir0cXDXVs26wy8BSIp0bgN+w

Oc2WXFRkANeiW/SrARXCIuSBsdGkqYm7xbJe
-----END CERTIFICATE-----

- The hostname in the certificate matches 'sunko02.sunko.local'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted

- Version: TLS1.1
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

- Simple Client Mode:

It is can handshake but peer's certificate not trusted, it is seem like a "bug" or i must using certificate from ssl certificate company?...

Any idea?

Best Regards,
Aldyth M

--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
 
Old 06-17-2011, 01:10 PM
Ante Karamatić
 
Default Help about openldap ssl
U Pet, 17. 06. 2011., u 19:54 +0700, Aldyth Maharsha je napisao/la:

> It is can handshake but peer's certificate not trusted, it is seem
> like a "bug" or i must using certificate from ssl certificate
> company?...

You client doesn't trust you. Your client should either be aware of the
certificate you have (by having CA certifikate in /etc/ssl/certs) or you
could just make it ignore the certificate problems all together.
Open /etc/ldap/ldap.conf and add:

TLS_REQCERT allow

Read ldap.conf(5) for more info.

--
Ante Karamatic


--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
 
Old 06-20-2011, 03:00 AM
Aldyth Maharsha
 
Default Help about openldap ssl
I must add TLS_REQCERT allow at ldap server or ldap client?

best regards,
Aldyth M

2011/6/17 Ante Karamatić <ante.karamatic@canonical.com>

U Pet, 17. 06. 2011., u 19:54 +0700, Aldyth Maharsha je napisao/la:



> It is can handshake but peer's certificate not trusted, it is seem

> like a "bug" or i must using certificate from ssl certificate

> company?...



You client doesn't trust you. Your client should either be aware of the

certificate you have (by having CA certifikate in /etc/ssl/certs) or you

could just make it ignore the certificate problems all together.

Open /etc/ldap/ldap.conf and add:



TLS_REQCERT allow



Read ldap.conf(5) for more info.



--

Ante Karamatic





--

ubuntu-server mailing list

ubuntu-server@lists.ubuntu.com

https://lists.ubuntu.com/mailman/listinfo/ubuntu-server

More info: https://wiki.ubuntu.com/ServerTeam



--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
 
Old 06-20-2011, 03:05 AM
Aldyth Maharsha
 
Default Help about openldap ssl
If i'm ignore certificate, it is mean i don't using certificate in ldap system?, how to using certificates because security reason?..

Best Regards,
Aldyth M

2011/6/20 Aldyth Maharsha <demhyt@gmail.com>

I must add TLS_REQCERT allow at ldap server or ldap client?

best regards,
Aldyth M


2011/6/17 Ante Karamatić <ante.karamatic@canonical.com>

U Pet, 17. 06. 2011., u 19:54 +0700, Aldyth Maharsha je napisao/la:



> It is can handshake but peer's certificate not trusted, it is seem

> like a "bug" or i must using certificate from ssl certificate

> company?...



You client doesn't trust you. Your client should either be aware of the

certificate you have (by having CA certifikate in /etc/ssl/certs) or you

could just make it ignore the certificate problems all together.

Open /etc/ldap/ldap.conf and add:



TLS_REQCERT allow



Read ldap.conf(5) for more info.



--

Ante Karamatic





--

ubuntu-server mailing list

ubuntu-server@lists.ubuntu.com

https://lists.ubuntu.com/mailman/listinfo/ubuntu-server

More info: https://wiki.ubuntu.com/ServerTeam





--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
 

Thread Tools




All times are GMT. The time now is 12:55 AM.

VBulletin, Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright ©2007 - 2008, www.linux-archive.org

Contact Us - Linux Archive - Archive - Top -