OpenLdap in Tru64 using SSL

Stefano_36
Frequent Advisor

OpenLdap in Tru64 using SSL

Hi, I want to use OpenLdap using SSL,
so I configured ldapcd.conf by inserting
the following lines:

port: 636
usessl: 1

But when starting the client (ldapcd_enable)
there is this error message:

ldap_init: 9500: Tue Dec 19 16:45:00 2006
ldap_open: 9500: Tue Dec 19 16:45:00 2006
Failed to initialize SSL client: 9500: Tue Dec 19 16:45:00 2006
can't get connection!: 9500: Tue Dec 19 16:45:00 2006
doCommand - ldap_setgrent() failed: 9500: Tue Dec 19 16:45:00 2006
doCommand - end: 9500: Tue Dec 19 16:45:00 2006
THREAD 0 exiting: 9500: Tue Dec 19 16:45:00 2006

What can I check?
Thanks
3 REPLIES
Ann Majeske
Honored Contributor

Re: OpenLdap in Tru64 using SSL

Hi Stefano,

I forwarded your question to our ldap engineers and just received this response:

Hi Ann,

The OpenLDAP server supports TLS, not SSL, whereas the LDAP Authentication Module, due to its use of the Mozilla LDAP SDK, only supports SSL. Therefore it is not possible to enable encrypted communication between the LDAP Authentication Module and an OpenLDAP server. (TLS and SSLv3 are not compatible.)

Here are the directions to follow for enabling SSL for the Tru64 LDAP Authentication Module and Netscape/iPlanet Directory Server.

Please consider this procedure a rough guideline.

Prerequisites include CA.sh and openssl from an OpenSSL kit and certutil from Mozilla.

Create an empty directory to contain the certificate files:

# mkdir my_ca
# cd my_ca

Create a CA certificate. When prompted, use fully qualified hostname as Common Name, e.g. alerce.zk3.dec.com.

# CA.sh -newca

To view the contents of the newly created certificate:

openssl x509 -inform PEM -text < demoCA/cacert.pem

Next, generate a certificate request using the Netscape Directory Server's Admin Console (see server's documentation for more information). Copy the resulting request from '-----BEGIN CERTIFICATE' to 'END CERTIFICATE-----' into file newreq.pem.

To add the certificate to a cert7.db file, first convert the CA certificate from PEM format to DER format, create a new cert7.db database, insert the certificate, then verify the results.

openssl x509 -inform PEM -outform DER <./demoCA/cacert.pem >./demoCA/cacert.der
mkdir ssl
certutil -N -d ./ssl
certutil -A -n " CA" -t "C,C,C" -i ./demoCA/cacert.der -d ./ssl
certutil -L -d ./ssl

Configure the LDAP Authentication Module to use ssl by editing the /etc/ldapcd.conf configuration file with the following parameters:

port: 636
certdb: /path/to/.../ssl # path to directory containing cert7.db file
usessl: 1

Configure the Directory Server through the Admin Console to:

add demoCA/cacert.pem as a CA cert for the server
add cert.pem as a server certificate
enable SSL connections

You may also want to refer to the following "OpenLDAP SSL/TLS How-To":

http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html

Thanks & regards,
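The certificate preparation steps in the reply above, scripted with a check after each step. This is an added example, not the engineers' procedure or any Tru64 or Mozilla tooling: it assumes openssl and certutil are on PATH, creates the CA with "openssl req -x509" instead of the CA.sh wrapper, and the names WORKDIR, "Example CA" and the function names are ours. The cert7.db check reflects the note later in the thread that only the NSS 3.3.1 certutil produced a database the Tru64 module could use.

```sh
#!/bin/sh
# Added example (not from the thread): scripts the certificate preparation
# steps of the reply and checks each result. Assumptions: openssl and
# certutil are on PATH, the CA is made with "openssl req -x509" rather than
# the CA.sh wrapper, and names such as WORKDIR and "Example CA" are ours.
set -eu

# Create a self-signed CA certificate and key under $1/demoCA, using $2 as
# the Common Name (the reply asks for the fully qualified hostname there).
# Prints the path of the PEM certificate.
make_ca() {
    dir="$1"; cn="$2"
    mkdir -p "$dir/demoCA"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/O=Example CA/CN=$cn" \
        -keyout "$dir/demoCA/cakey.pem" -out "$dir/demoCA/cacert.pem" 2>/dev/null
    printf '%s\n' "$dir/demoCA/cacert.pem"
}

# Print the subject CN of a PEM certificate, so the hostname can be verified
# before the certificate is imported anywhere.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Convert PEM to DER (certutil -A wants DER) and print the output path.
pem_to_der() {
    openssl x509 -inform PEM -in "$1" -outform DER -out "$2"
    printf '%s\n' "$2"
}

# Build the NSS database under $1/ssl and import the CA with the C,C,C trust
# flags from the reply. "-f" with an empty password file keeps "certutil -N"
# non-interactive. Prints the database directory.
make_certdb() {
    dir="$1"; der="$2"
    mkdir -p "$dir/ssl"
    : > "$dir/ssl/pwfile"
    certutil -N -d "$dir/ssl" -f "$dir/ssl/pwfile"
    certutil -A -n "CA" -t "C,C,C" -i "$der" -d "$dir/ssl"
    certutil -L -d "$dir/ssl" -n "CA" >/dev/null    # non-zero if not listed
    printf '%s\n' "$dir/ssl"
}

# Succeed only if the directory holds cert7.db, the file named in the reply.
# Newer certutil builds write cert8.db or cert9.db instead; the thread reports
# that only the NSS 3.3.1 certutil gave a working SSL connection.
check_certdb() {
    [ -f "$1/cert7.db" ]
}

# Append the three ldapcd.conf settings from the reply. certdb must be the
# directory that contains cert7.db, not the database file itself.
write_ldapcd_conf() {
    conf="$1"; certdb="$2"
    [ -d "$certdb" ] || { echo "certdb directory $certdb not found" >&2; return 1; }
    {
        printf 'port: 636\n'
        printf 'certdb: %s\n' "$certdb"
        printf 'usessl: 1\n'
    } >> "$conf"
}

# Whole procedure: run_all WORKDIR ldap-host.example.com /etc/ldapcd.conf
run_all() {
    workdir="$1"; host="$2"; conf="$3"
    ca=$(make_ca "$workdir" "$host")
    [ "$(cert_cn "$ca")" = "$host" ] || { echo "CA CN is not $host" >&2; return 1; }
    der=$(pem_to_der "$ca" "$workdir/demoCA/cacert.der")
    db=$(make_certdb "$workdir" "$der")
    check_certdb "$db" || echo "warning: no cert7.db in $db; use the NSS 3.3.1 certutil" >&2
    write_ldapcd_conf "$conf" "$db"
}
```

Source the file and call `run_all` with a scratch directory, the LDAP server's fully qualified hostname and a copy of ldapcd.conf; the CN check stops the run before anything is imported if the wrong name was typed, and the cert7.db warning is the quickest way to tell that the certutil on PATH is not the one the module expects.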
Stefano_36
Frequent Advisor

Re: OpenLdap in Tru64 using SSL

ok thanks
Graham Allan
Advisor

Re: OpenLdap in Tru64 using SSL

I wanted to expand on the reply above...

Openldap can use SSL as well as TLS, so it is possible to use Tru64 ldapcd over SSL with that. We figured out how to do it back in 2004, and recently had to remember the process when our CA certificate expired...

We found that it was critical to use the correct version of the mozilla/netscape nss libraries and certutil, when importing the CA certificate into cert7.db. At first we were using a downloaded version of nss-3.6.1. The SSL connection wouldn't work. When we used nss-3.3.1 (which appears to be the same version Tru64 ships in /usr/shlib), it works.

NSS-3.3.1 and certutil for Tru64 can be downloaded from:

ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_3_1_RTM/OSF1V4.0D_OPT.OBJ/

Graham