
I set up an OpenLDAP server with PAM authentication against it. In clear text it works very well, but when I try to add SSL it always fails.

I'm following this guide to get it working: http://kidrek.fr/blog/?p=30

I'm doing that on a Debian lenny system. In my logs I can see:

Sep 9 17:00:48 Hostname slapd[3231]: connection_read(13): checking for input on id=14
Sep 9 17:00:48 Hostname slapd[3231]: connection_read(13): unable to get TLS client DN, error=49 id=14
Sep 9 17:00:48 Hostname slapd[3231]: connection_get(13): got connid=14
Sep 9 17:00:48 Hostname slapd[3231]: connection_read(13): checking for input on id=14
Sep 9 17:00:48 Hostname slapd[3231]: ber_get_next on fd 13 failed errno=0 (Success)
Sep 9 17:00:48 Hostname slapd[3231]: connection_closing: readying conn=14 sd=13 for close
Sep 9 17:00:48 Hostname slapd[3231]: connection_close: conn=14 sd=13

On the client side:

Sep 9 17:00:47 Hostname id: nss_ldap: could not search LDAP server - Server is unavailable
Sep 9 17:00:47 Hostname id: nss_ldap: could not connect to any LDAP server as cn=admin,dc=company,dc=local - Can't contact LDAP server
Sep 9 17:00:47 Hostname id: nss_ldap: failed to bind to LDAP server ldaps://brublunm13.company.local/: Can't contact LDAP server
Sep 9 17:00:47 Hostname id: nss_ldap: reconnecting to LDAP server...
Sep 9 17:00:47 Hostname id: nss_ldap: could not connect to any LDAP server as cn=admin,dc=company,dc=local - Can't contact LDAP server
Sep 9 17:00:47 Hostname id: nss_ldap: failed to bind to LDAP server ldaps://brublunm13.company.local/: Can't contact LDAP server
Sep 9 17:00:47 Hostname id: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
Sep 9 17:00:48 Hostname id: nss_ldap: could not connect to any LDAP server as cn=admin,dc=company,dc=local - Can't contact LDAP server
Sep 9 17:00:48 Hostname id: nss_ldap: failed to bind to LDAP server ldaps://brublunm13.company.local/: Can't contact LDAP server
Sep 9 17:00:48 Hostname id: nss_ldap: could not search LDAP server - Server is unavailable

Also, in my slapd.conf I have:

TLSVerifyClient never

Any idea on this?

Thanks in advance,

2 Answers

It seems you're trying to use client-side SSL instead of server-side: the client identifies itself using a certificate rather than a password.

Do note that the OpenLDAP SSL implementation is rather tricky. It took me quite a while to figure out that it reads its SSL certs AFTER it drops privileges, so the SSL certs need to have read permissions for the OpenLDAP user...


I currently have SSL working with OpenLDAP on RHEL. In my slapd.conf, I have:

TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/cacerts/slapdcert.pem
TLSCertificateKeyFile /etc/openldap/cacerts/slapdkey.pem

You can use:

openssl s_client -connect localhost:636 -showcerts 

to check that the server cert is installed and working correctly, and

ldapsearch -ZZ -x -D 'cn=manager,dc=domain,dc=com' -W 'objectclass=*' -v 

to check that TLS is working.

I mainly referenced http://www.openldap.org/faq/data/cache/185.html for getting certs generated and correct permissions set.
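As an added example (my own code, not from the question or either answer), here is a small Python triage script for this situation. Two things in the slapd output above are worth separating: "unable to get TLS client DN, error=49" is connection_read() reporting that the client sent no certificate (49 is LDAP_INVALID_CREDENTIALS), which is the expected case with TLSVerifyClient never, and "ber_get_next on fd 13 failed errno=0" means the client closed the socket cleanly without ever sending a BIND, i.e. the client side gave up after the handshake (what a client does when it does not trust the server certificate or its name). The script correlates slapd lines by connection id and file descriptor to make that distinction, and it also applies the first answer's point by checking that the files named by the TLS* directives are readable by the unprivileged user slapd drops to (openldap on Debian; that user name and the file paths are assumptions). The slapd lines are the question's own plus two constructed lines for a connection that reached a BIND; the self-check builds throwaway files, not real PEM data.

```python
#!/usr/bin/env python3
"""Triage a slapd TLS listener that clients cannot reach (added example).

triage_slapd_log(): correlate slapd connection lines by connection id / fd
                    and say how far each connection got.
check_tls_files():  confirm the files named by slapd.conf TLS* directives are
                    readable by the unprivileged user slapd runs as.
"""
import os
import re
import stat
import tempfile

# connection_read(13): ... id=14  /  connection_get(13): got connid=14
FD_ID_RE = re.compile(r"connection_\w+\((\d+)\):.*\b(?:conn)?id=(\d+)")
# connection_closing: readying conn=14 sd=13 for close
CONN_SD_RE = re.compile(r"\bconn=(\d+) sd=(\d+)")
# ber_get_next on fd 13 failed errno=0 (Success)  -> only the fd is logged
BER_FAIL_RE = re.compile(r"ber_get_next on fd (\d+) failed errno=(\d+)")
CONN_ID_RE = re.compile(r"\b(?:connid|conn|id)=(\d+)\b")
TLS_DN_RE = re.compile(r"unable to get TLS client DN, error=(\d+)")
BIND_RE = re.compile(r"\bBIND dn=")

# connection_read() logs the return code of ldap_pvt_tls_get_peer_dn();
# 49 is LDAP_INVALID_CREDENTIALS: the peer presented no certificate, which
# is normal when slapd.conf has "TLSVerifyClient never".
NO_CLIENT_CERT = 49

TLS_DIRECTIVES = ("TLSCACertificateFile", "TLSCertificateFile",
                  "TLSCertificateKeyFile")

SAMPLE_SLAPD_LOG = [
    # the question's own slapd lines
    "Sep 9 17:00:48 Hostname slapd[3231]: connection_read(13): checking for input on id=14",
    "Sep 9 17:00:48 Hostname slapd[3231]: connection_read(13): unable to get TLS client DN, error=49 id=14",
    "Sep 9 17:00:48 Hostname slapd[3231]: connection_get(13): got connid=14",
    "Sep 9 17:00:48 Hostname slapd[3231]: connection_read(13): checking for input on id=14",
    "Sep 9 17:00:48 Hostname slapd[3231]: ber_get_next on fd 13 failed errno=0 (Success)",
    "Sep 9 17:00:48 Hostname slapd[3231]: connection_closing: readying conn=14 sd=13 for close",
    "Sep 9 17:00:48 Hostname slapd[3231]: connection_close: conn=14 sd=13",
    # constructed contrast: a connection that got as far as a BIND
    "Sep 9 17:05:01 Hostname slapd[3231]: conn=15 fd=13 ACCEPT from IP=10.0.0.5:40112 (IP=0.0.0.0:636)",
    'Sep 9 17:05:01 Hostname slapd[3231]: conn=15 op=0 BIND dn="cn=admin,dc=company,dc=local" method=128',
]


def triage_slapd_log(lines):
    """Return {connid: verdict} for every connection seen in the lines."""
    conns, fd_to_conn = {}, {}
    for line in lines:
        msg = line.split("slapd[", 1)[-1]          # drop the syslog prefix
        cid = None
        m = FD_ID_RE.search(msg)
        if m:
            fd_to_conn[int(m.group(1))] = int(m.group(2))
            cid = int(m.group(2))
        else:
            m = CONN_SD_RE.search(msg)
            if m:
                fd_to_conn[int(m.group(2))] = int(m.group(1))
                cid = int(m.group(1))
            else:
                m = BER_FAIL_RE.search(msg)
                if m:
                    cid = fd_to_conn.get(int(m.group(1)))  # fd -> conn
                else:
                    m = CONN_ID_RE.search(msg)
                    if m:
                        cid = int(m.group(1))
        if cid is None:
            continue
        c = conns.setdefault(cid, {"no_cert": False, "bind": False,
                                   "closed_errno": None})
        m = TLS_DN_RE.search(msg)
        if m and int(m.group(1)) == NO_CLIENT_CERT:
            c["no_cert"] = True
        if BIND_RE.search(msg):
            c["bind"] = True
        m = BER_FAIL_RE.search(msg)
        if m:
            c["closed_errno"] = int(m.group(2))
    verdicts = {}
    for cid, c in conns.items():
        if c["bind"]:
            verdicts[cid] = "bind_seen"            # LDAP flowed; TLS is fine here
        elif c["closed_errno"] == 0:
            # errno 0: the peer closed cleanly before sending any LDAP PDU, so
            # the handshake reached slapd but the client rejected the session
            # (typically an untrusted server cert or a hostname mismatch).
            verdicts[cid] = "client_closed_after_handshake"
        elif c["closed_errno"] is not None:
            verdicts[cid] = "read_error_errno_%d" % c["closed_errno"]
        else:
            verdicts[cid] = "open"
    return verdicts


def readable_by(path, uid, gids):
    """Mode-bit check: can a process with this uid/gids open path for reading?
    (Parent-directory permissions and ACLs are not considered.)"""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def check_tls_files(slapd_conf_text, uid, gids):
    """Return {directive: (path, readable)} for the TLS file directives."""
    result = {}
    for line in slapd_conf_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in TLS_DIRECTIVES:
            result[parts[0]] = (parts[1], readable_by(parts[1], uid, gids))
    return result


def selfcheck_tls_files():
    """Constructed demo: a 0600 key is readable by its owner but not by a
    groupless other uid (the slapd user after privilege drop); a 0644 CA is.
    Returns (key_as_owner, key_as_other, ca_as_other)."""
    with tempfile.TemporaryDirectory() as d:
        paths = {n: os.path.join(d, n) for n in ("cacert.pem", "slapdcert.pem", "slapdkey.pem")}
        for p in paths.values():
            with open(p, "w") as f:
                f.write("-----BEGIN PLACEHOLDER-----\n")   # constructed, not real PEM
        os.chmod(paths["cacert.pem"], 0o644)
        os.chmod(paths["slapdcert.pem"], 0o644)
        os.chmod(paths["slapdkey.pem"], 0o600)            # the usual trap
        conf = "TLSCACertificateFile %s\nTLSCertificateFile %s\nTLSCertificateKeyFile %s\n" % (
            paths["cacert.pem"], paths["slapdcert.pem"], paths["slapdkey.pem"])
        me = check_tls_files(conf, os.getuid(), {os.getgid()})
        other = check_tls_files(conf, os.getuid() + 1, set())
        return (me["TLSCertificateKeyFile"][1], other["TLSCertificateKeyFile"][1],
                other["TLSCACertificateFile"][1])


if __name__ == "__main__":
    for cid, verdict in sorted(triage_slapd_log(SAMPLE_SLAPD_LOG).items()):
        print("conn=%d: %s" % (cid, verdict))
    print("key readable as (owner, other), CA as other:", selfcheck_tls_files())
```

For a real host, feed check_tls_files() the contents of /etc/ldap/slapd.conf together with the uid and group ids of the openldap user (pwd.getpwnam and grp.getgrall from the standard library), and pipe the slapd debug log into triage_slapd_log(). A "client_closed_after_handshake" verdict points at the client's trust store rather than at slapd, so the next check is on the client: ldapsearch -ZZ (from the answer above) negotiates StartTLS on the ldap:// port, while nss_ldap here is configured for ldaps://, so test the same path the client uses, e.g. ldapsearch -x -H ldaps://brublunm13.company.local/ -b '' -s base, with TLS_CACERT in ldap.conf pointing at the CA that signed the server certificate.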
