[389-devel] SSO to 389 Server from 389 Client

Chaudhari, Rohit K. Rohit.Chaudhari at jhuapl.edu
Tue Aug 28 23:05:04 UTC 2012


Hey Andrey and 389 Forum,

I did what you suggested with the openssl s_client command.  The client can see the server certificate on the server side and signifies that the CA certificate is self-signed and everything.  But I still cannot login from the client side as a new user logging in for the first time.

I create a user in LDAP with POSIX attributes (i.e. UID=500 GID=500 /home/test /bin/bash etc.).  I have configured the /etc/hosts file on both sides (server and client).  When I look at wireshark running on the server side, it has a line that says:

TLSv1 Alert (Level: Fatal, Description: Unknown CA)

This makes no sense to me since the client is able to do ldapsearch and the openssl call you mentioned.  Not sure what else to modify at this point.  My main goal right now is to be able to log in as a new user created in LDAP into the client for the first time.  Look forward to your reply or anyone else in the forum.  Much appreciated.



From: Andrey Ivanov <andrey.ivanov at polytechnique.fr>
Reply-To: "389 Directory server developer discussion." <389-devel at lists.fedoraproject.org>
Date: Thursday, July 26, 2012 11:14 AM
To: "389 Directory server developer discussion." <389-devel at lists.fedoraproject.org>
Subject: Re: [389-devel] SSO to 389 Server from 389 Client

The CA that signed the ldap server's certificate should be configured in TLS_CACERT.
To verify that it's the case and to find out what certificate is used by ldap server you can do

openssl s_client -connect your-ldap-server:636

You could also take a look at the access log of the ldap server to see what's wrong...


2012/7/26 Chaudhari, Rohit K. <Rohit.Chaudhari at jhuapl.edu>
So I had the following:

TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow

Then we also enabled SSL in the 389 console and did the ldaps test and it worked just fine.  However, I am still unable to log in with the client to the server.  I created a self-signed CA certificate using certutil.  Then I went to "Manage Certificates" in the 389 console to see if it is put in the CA certificates list and move it to the client as well for TLS/SSL authentication.  Now, the 389 console was not set up with DNS (we just set IP and FQDN in /etc/hosts).  Is there anything else fundamental I am missing?

Thanks.
________________________________________
From: 389-devel-bounces at lists.fedoraproject.org [389-devel-bounces at lists.fedoraproject.org] On Behalf Of Andrey Ivanov [andrey.ivanov at polytechnique.fr]
Sent: Thursday, July 26, 2012 5:16 AM
To: 389 Directory server developer discussion.
Subject: Re: [389-devel] SSO to 389 Server from 389 Client

2012/7/25 Chaudhari, Rohit K. <Rohit.Chaudhari at jhuapl.edu>
Hey,

So I did forget to set the TLS_REQCERT parameter.  I now set it to TLS_REQCERT allow.
If you put it to "allow" you should also configure TLS_CACERT. If you haven't done it then try with "TLS_REQCERT never" first.

Also, I put the ldap URL as ldap:// instead of ldaps.  Is there something I have to do on the server side?  I tried logging in with the user on the client side and still it fails.  When I do:

No, you should absolutely test with "ldaps" (or with "ldap" but adding the switch "-ZZZZZ" ). That's the only test that will help you to find out if you have configured SSL/TLS correctly on the client.  The test with "ldap" will always work since no SSL/TLS is involved.

@+


From: 389-devel-bounces at lists.fedoraproject.org [mailto:389-devel-bounces at lists.fedoraproject.org] On Behalf Of Andrey Ivanov
Sent: Wednesday, July 25, 2012 9:38 AM
To: 389 Directory server developer discussion.
Subject: Re: [389-devel] SSO to 389 Server from 389 Client

Hi,

don't forget either to
* add on the client workstation the CA certificate that signed the LDAP server certificate to /etc/openldap/ldap.conf (TLS_CACERT parameter)
* or to disable the certificate check: ("TLS_REQCERT never")

You can easily test from the client whether it worked or not:

ldapsearch -x -H ldaps://your.ldap.server.example.com -b "" -s base

if the result of this command is the following error then you have not configured the CA on the workstation correctly:
ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Otherwise you will have the DSE base attributes...

@+
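As an added check for the client-side settings this reply describes (TLS_CACERT versus "TLS_REQCERT never", and the ldaps:// test) and for the "allow" setting discussed in the later replies above, here is a small linter for the TLS directives in an OpenLDAP ldap.conf. It is example code written for this thread, not code from the list or from the 389 project; the sample configuration it reads is constructed to mirror the one quoted in the thread.

```python
"""Lint the TLS client directives in an OpenLDAP ldap.conf.

Added example for this thread; not from the list or the 389 project.
It assumes only the OpenLDAP client directives the thread discusses:
TLS_CACERT, TLS_CACERTDIR and TLS_REQCERT (default is "demand").
"""

# Constructed sample mirroring the client configuration quoted above.
SAMPLE_LDAP_CONF = """\
# /etc/openldap/ldap.conf (constructed sample, not a real host)
URI ldap://ldap.example.com
BASE dc=example,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
"""

def parse_ldap_conf(text):
    """Map each non-comment 'DIRECTIVE value' line to {DIRECTIVE: value}."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf[key.upper()] = value.strip()
    return conf

def check_tls(conf):
    """Return [(code, explanation)] for settings that weaken or break
    verification of the LDAP server certificate."""
    findings = []
    reqcert = conf.get("TLS_REQCERT", "demand").lower()
    has_ca = "TLS_CACERT" in conf or "TLS_CACERTDIR" in conf
    if reqcert == "never":
        findings.append(("reqcert-never",
            "server certificate is not checked at all; fine for a one-off "
            "connectivity test, not for production logins"))
    elif reqcert == "allow":
        findings.append(("reqcert-allow",
            "a certificate that fails verification is still accepted, so "
            "ldapsearch succeeds with a wrong or missing CA while a stricter "
            "TLS client on the same host fails with an Unknown CA alert"))
    if reqcert != "never" and not has_ca:
        findings.append(("no-ca",
            "neither TLS_CACERT nor TLS_CACERTDIR is set; ldapsearch over "
            "ldaps:// will fail with 'certificate verify failed'"))
    if conf.get("URI", "").startswith("ldap://"):
        findings.append(("plain-uri",
            "URI is ldap://, so a plain ldapsearch never exercises TLS; "
            "test with ldaps:// or with ldap:// plus -ZZ (StartTLS)"))
    return findings

if __name__ == "__main__":
    for code, why in check_tls(parse_ldap_conf(SAMPLE_LDAP_CONF)):
        print(f"{code}: {why}")
```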
2012/7/25 Chaudhari, Rohit K. <Rohit.Chaudhari at jhuapl.edu>
Hello everyone,

The setup is as follows.  We have set up a server with 389 DS without DNS (hardcoded IP addresses in /etc/hosts) and created a CA certificate for distribution on servers and clients.  The 389 client has been set up to allow users created on the server to authenticate against LDAP when logging in for the first time.  However, this is failing.

The server has 389 and a CA certificate.
The client is given the CA certificate as certificate.asc.  Then, we used authconfig-tui to configure the client to use LDAP authentication against the server using TLS/SSL.

In regards to a previous thread, one had brought up that there might be issues using LDAP authentication with TLS if the server is set up without DNS and has IP addresses hard-coded in /etc/hosts.  Does anyone have any suggestions as to why I am unable to log in against the server from my client machine?  The user created in LDAP is given POSIX attributes so that if it's a user attempting to log in for the first time, it is able to do so (since POSIX attributes include Group ID, UID, etc.)

Thanks.
________________________________________
--
389-devel mailing list
389-devel at lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-devel