LDAP SSL Problems (was: service script (/etc/init.d/ldap))

Craig White craigwhite at azapple.com
Mon Nov 14 19:57:54 UTC 2005


On Mon, 2005-11-14 at 11:25 -0800, Daniel B. Thurman wrote:

> I think there is perhaps a problem in the way I have
> created ssl certificates and may not have done it properly.
> I would like to request instructions for creating the slapd.pem
> file please?  I used to do this the old way and had a hard
> time trying to separate the CA cert, unsigned cert/key and
> signed certs - so I don't know which one to use for ldap!
----
This is what I use...YMMV

#### generate openldap certificate ####
# CA private key (this step was missing from the listing; ca.key must
# exist before the self-signed CA certificate can be created)
openssl genrsa -out ca.key 2048
# self-signed CA certificate, valid ten years
openssl req -config /usr/share/ssl/openssl.cnf -new -x509 -days 3650 \
-key ca.key -out ca.cert
# server key and certificate signing request for the LDAP server
openssl genrsa -out ldap.key 1024
openssl req -config /usr/share/ssl/openssl.cnf -new -key ldap.key \
-out ldap.csr
# sign the request with the CA, producing the server certificate
openssl x509 -req -in ldap.csr -out ldap.cert -CA ca.cert -CAkey \
ca.key -CAcreateserial -days 3650
cp ca.cert /etc/ssl
cp ca.key /etc/ssl
cp ldap.key /etc/ssl
# slapd needs the signed certificate, not the request (the listing copied ldap.csr)
cp ldap.cert /etc/ssl
----
> 
> I noticed that there has been a change from what I am used
> to and that there is a new location for certificates and it is
> at: /etc/pki/tls specifically.  I tried all kinds of ways to
> get this to work and it appears that for some reason, the ldap
> programs are unable to find the certificate.
> 
> I added TLS* directives in /etc/ldap.conf and in
> /etc/openldap/slapd.conf (why the redundancy?) and put my created
> certs in the /etc/openldap/cacerts directory.
> 
> It appears from the ldapsearch debug output, that it will
> only search for certificates in /etc/pki/tls directory and
> *maybe* in /etc/openldap/cacerts (see the '#' in front
> of that directory in the debug output).  From the debug output,
> it is not clear as to WHAT dir/file was attempted to be opened.
----
There are the server certs and the client certs and the CA - they are not
necessarily the same. The server certs are as directed
in /etc/openldap/slapd.conf and the client certs are typically in
ldap.conf (perhaps both /etc/ldap.conf and /etc/openldap/ldap.conf), as
the former is for padl stuff and the latter is for openldap client stuff
such as ldapsearch.
----
> 
> Here is the debug output I got:
> 
> # ldapsearch -d -1 -H ldaps://ldap.cdkkt.com -b dc=cdkkt,dc=com -x
> ldap_create
> ldap_url_parse_ext(ldaps://ldap.cdkkt.com)
> ldap_bind_s
> ldap_simple_bind_s
> ldap_sasl_bind_s
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_new_connection
> ldap_int_open_connection
> ldap_connect_to_host: TCP ldap.cdkkt.com:636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 216.99.218.205:636
> ldap_connect_timeout: fd: 3 tm: -1 async: 0
> ldap_ndelay_on: 3
> ldap_is_sock_ready: 3
> ldap_ndelay_off: 3
> TLS: could not load client CA list (file:`',dir:`/etc/pki/tls/slapd.pem # /etc/openldap/cacerts').
> TLS: error:0200A002:system library:opendir:No such file or directory ssl_cert.c:752
> TLS: error:140D7002:SSL routines:SSL_add_dir_cert_subjects_to_stack:system lib ssl_cert.c:754
> ldap_perror
> ldap_bind: Can't contact LDAP server (-1)
> 
> So what does it all mean?  What file was attempted and why is it
> that my TLS* directives are seemingly ignored in both places
> specified in /etc/ldap.conf and in /etc/openldap/slapd.conf?
----
I don't know...I'm not one to debug openssl
----
> 
> I even copied my certificate to /etc/pki/tls/slapd.pem
> since no slapd.pem existed there and oddly enough, a slapd.pem
> did exist in: /etc/pki/tls/certs/slapd.pem - supposedly created
> when I set up kerberos!
> 
> Something is royally screwed up somewhere!  Please help!
----
You might want to contact ldap at umich.edu or ldap-interop list
http://lists.fini.net/mailman/listinfo/ldap-interop

You also might want to look through Turbo's guide (software projects)

http://www.bayour.com/

Craig
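The debug line above shows OpenSSL being handed `/etc/pki/tls/slapd.pem # /etc/openldap/cacerts` as a single directory name, i.e. the whole rest of the config line, `#` and all, and a file path in the directory slot. A small lint of the TLS_* lines catches both before any debugging. This is an added example, not code from the thread; it assumes only POSIX sh, grep and awk, and the ldap.conf it checks is constructed.

```shell
#!/bin/sh
# check_tls_directives FILE
# Prints one diagnostic per suspicious TLS_* line in an ldap.conf-style FILE
# and returns 1 if anything was printed, 0 otherwise.
check_tls_directives() {
  _out=$(grep -iE '^[[:space:]]*TLS_(CACERT|CACERTDIR|CERT|KEY)[[:space:]]' "$1" |
  while IFS= read -r line; do
    key=$(printf '%s\n' "$line" | awk '{print toupper($1)}')
    # everything after the keyword is the value, exactly as libldap sees it
    value=$(printf '%s\n' "$line" | awk '{$1=""; sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); print}')
    case "$value" in
      *'#'*)
        # a trailing "# comment" is not stripped; it becomes part of the path
        printf '%s: value contains "#", trailing comments are not supported: %s\n' "$key" "$value"
        continue ;;
    esac
    case "$key" in
      TLS_CACERTDIR)
        [ -d "$value" ] || printf '%s: expects a directory, got: %s\n' "$key" "$value" ;;
      *)
        [ -f "$value" ] || printf '%s: expects an existing file, got: %s\n' "$key" "$value" ;;
    esac
  done)
  [ -z "$_out" ] && return 0
  printf '%s\n' "$_out"
  return 1
}

# demo: lint a constructed ldap.conf that reproduces the mistakes above
# (file path plus inline comment in TLS_CACERTDIR, CA file that does not exist).
demo() {
  d=$(mktemp -d)
  mkdir -p "$d/cacerts"
  : > "$d/slapd.pem"
  cat > "$d/ldap.conf" <<EOF
URI ldaps://ldap.example.test
TLS_CACERTDIR $d/slapd.pem # $d/cacerts
TLS_CACERT    $d/ca.cert
TLS_CERT      $d/slapd.pem
EOF
  status=0
  check_tls_directives "$d/ldap.conf" || status=$?
  rm -rf "$d"
  return $status
}
```

Running `demo` prints two diagnostics (the `#` line and the missing ca.cert) and exits non-zero; a clean file produces no output and exit status 0.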

