topic Re: OpenLdap - TSL-SSL in Operating System - Linux

OpenLdap - TSL-SSL

KarloChacon — Wed, 02 Feb 2011 13:23:14 GMT

hi guys

I configured OpenLdap and now I want to configure it using TLS-SSL

but I cannot get it working with the Linux clients. Enviroment: Centos 5.5

Openldap Server configuration:
1.
cd /etc/openldap/cacerts
openssl req -x509 -nodes -newkey rsa:1024 -days 730 -out slapd.crt -keyout slapd.key
chown ldap.ldap slapd.*
chmod 400 slapd.*

2.
Add lines below to
/etc/openldap/slapd.conf

TLSCACertificateFile /etc/openldap/cacerts/slapd.crt
TLSCertificateFile /etc/openldap/cacerts/slapd.crt
TLSCertificateKeyFile /etc/openldap/cacerts/slapd.key

and that's it
I see it works (or I think since JXplorer connects using SSL-636 port) see attachment

but Centos 5.5 clients don't want to connect

When there is no SSL users can connect normally
but when SSL configure the username is typed but prompt for password never comes up... users just get a session timeout
by the way nothing on messages neither openldap server or client

Client configuration is done via authconfig-tui (included in the attachment)

any idea why is not working guys?
Am I missing something?

thanks a lot

Re: OpenLdap - TSL-SSL

Marcin Bartoszek — Thu, 03 Feb 2011 09:16:38 GMT

Hi Karlo,

What is your openldap's loglevel?
Can you set full debugging and drop any logs into this thread?

Regards,
M.

Re: OpenLdap - TSL-SSL

KarloChacon — Sun, 13 Feb 2011 16:07:00 GMT

it looks like I got it working.....

Now when I configured Centos clients with authconfig-tui to use TLS they connect with an OpenLdap user but in logs says 389... not 636
can be TLS enanbled and still using port 389?
I'm going to include both logs:
Scenario.
Openldap TLS Configured and enabled. OK. In both scenarios client connect with an LDAP user.
1. Client without TLS logs:
[code]Feb 13 08:42:50 masterdns slapd[3911]: conn=2 fd=16 ACCEPT from IP=192.168.2.73:45037 (IP=0.0.0.0:389)
Feb 13 08:42:50 masterdns slapd[3911]: conn=2 op=0 BIND dn="" method=128
Feb 13 08:42:50 masterdns slapd[3911]: conn=2 op=0 RESULT tag=97 err=0 text=
Feb 13 08:42:50 masterdns slapd[3911]: conn=2 op=1 SRCH base="dc=training,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=adri))"
Feb 13 08:42:50 masterdns slapd[3911]: conn=2 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Feb 13 08:42:50 masterdns slapd[3911]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 13 08:42:52 masterdns slapd[3911]: conn=2 op=2 SRCH base="dc=training,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=adri))"
Feb 13 08:42:52 masterdns slapd[3911]: conn=2 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Feb 13 08:42:52 masterdns slapd[3911]: conn=2 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 13 08:42:52 masterdns slapd[3911]: conn=2 op=3 SRCH base="dc=training,dc=com" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=adri))"
Feb 13 08:42:52 masterdns slapd[3911]: conn=2 op=3 SRCH attr=uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire shadowFlag
Feb 13 08:42:52 masterdns slapd[3911]: conn=2 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 13 08:42:52 masterdns slapd[3911]: conn=2 op=4 SRCH base="dc=training,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=adri))"
Feb 13 08:42:52 masterdns slapd[3911]: conn=2 op=4 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Feb 13 08:42:52 masterdns slapd[3911]: conn=2 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=[/code]

2. Client with TLS enabled Logs
[code]Feb 13 09:41:35 masterdns slapd[4096]: conn=5 fd=15 ACCEPT from IP=192.168.2.74:35441 (IP=0.0.0.0:389)
Feb 13 09:41:35 masterdns slapd[4096]: conn=5 op=0 STARTTLS
Feb 13 09:41:35 masterdns slapd[4096]: conn=5 op=0 RESULT oid= err=0 text=
Feb 13 09:41:35 masterdns slapd[4096]: conn=5 fd=15 TLS established tls_ssf=256 ssf=256
Feb 13 09:41:35 masterdns slapd[4096]: conn=5 op=1 BIND dn="" method=128
Feb 13 09:41:35 masterdns slapd[4096]: conn=5 op=1 RESULT tag=97 err=0 text=
Feb 13 09:41:35 masterdns slapd[4096]: conn=5 op=2 SRCH base="dc=training,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=adri))"
Feb 13 09:41:35 masterdns slapd[4096]: conn=5 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Feb 13 09:41:35 masterdns slapd[4096]: conn=5 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 13 09:41:38 masterdns slapd[4096]: conn=5 op=3 SRCH base="dc=training,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=adri))"
Feb 13 09:41:38 masterdns slapd[4096]: conn=5 op=3 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Feb 13 09:41:38 masterdns slapd[4096]: conn=5 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 13 09:41:38 masterdns slapd[4096]: conn=5 op=4 SRCH base="dc=training,dc=com" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=adri))"
Feb 13 09:41:38 masterdns slapd[4096]: conn=5 op=4 SRCH attr=uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire shadowFlag
Feb 13 09:41:38 masterdns slapd[4096]: conn=5 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 13 09:41:38 masterdns slapd[4096]: conn=5 op=5 SRCH base="dc=training,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=adri))"
Feb 13 09:41:38 masterdns slapd[4096]: conn=5 op=5 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Feb 13 09:41:38 masterdns slapd[4096]: conn=5 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text=[/code]

Can be TLS been enabled and TLS configured clients use 389 port? or I am still configuring this TLS incorrectly.

Thanks a lot

Re: OpenLdap - TSL-SSL

Matti_Kurkela — Mon, 14 Feb 2011 12:20:27 GMT

Yes, it can.

When you're using TLS with LDAP, LDAP client can open a connection using a regular LDAP port, and then perform a StartTLS operation - essentially saying "start encryption now, please."

If the client does not request a StartTLS operation, the connection remains unencrypted. The server can be configured to reject unencrypted connections, or to accept them.

With SSL, the server port is configured to expect a SSL handshake immediately after opening the port. This requires a separate port for SSL traffic only for each service.

TLS is a successor of SSL, and removes the requirement of using a separate port for SSL-secured connections. Of course, most TLS-capable applications can use a different port and connect SSL-style too. This is typically indicated by adding a "s" to the URL scheme name, i.e. "ldaps:" instead of "ldap:".

MK

Re: OpenLdap - TSL-SSL

KarloChacon — Mon, 14 Feb 2011 15:49:22 GMT

thanks a lot Matti

well that means I'm OK or protected with TLS and my clients connections are encrypted...