HPE Community read-only access December 15, 2018
This is a maintenance upgrade. You will be able to read articles and posts, but not post or reply.
Hours:
Dec 15, 4:00 am to 10:00 am UTC
Dec 14, 10:00 pm CST to Dec 15, 4:00 am CST
Dec 14, 8:00 pm PST to Dec 15, 2:00 am PST
cancel
Showing results for 
Search instead for 
Did you mean: 

OpenLdap - TSL-SSL

 
KarloChacon
Honored Contributor

OpenLdap - TSL-SSL

hi guys

I configured OpenLdap and now I want to configure it using TLS-SSL

but I cannot get it working with the Linux clients. Enviroment: Centos 5.5

Openldap Server configuration:
1.
cd /etc/openldap/cacerts
openssl req -x509 -nodes -newkey rsa:1024 -days 730 -out slapd.crt -keyout slapd.key
chown ldap.ldap slapd.*
chmod 400 slapd.*

2.
Add lines below to
/etc/openldap/slapd.conf

TLSCACertificateFile /etc/openldap/cacerts/slapd.crt
TLSCertificateFile /etc/openldap/cacerts/slapd.crt
TLSCertificateKeyFile /etc/openldap/cacerts/slapd.key

and that's it
I see it works (or I think since JXplorer connects using SSL-636 port) see attachment

but Centos 5.5 clients don't want to connect

When there is no SSL users can connect normally
but when SSL configure the username is typed but prompt for password never comes up... users just get a session timeout
by the way nothing on messages neither openldap server or client

Client configuration is done via authconfig-tui (included in the attachment)

any idea why is not working guys?
Am I missing something?

thanks a lot
Didn't your momma teach you to say thanks!
4 REPLIES
Marcin Bartoszek
Occasional Advisor

Re: OpenLdap - TSL-SSL

Hi Karlo,

What is your openldap's loglevel?
Can you set full debugging and drop any logs into this thread?

Regards,
M.
KarloChacon
Honored Contributor

Re: OpenLdap - TSL-SSL

it looks like I got it working.....

Now when I configured Centos clients with authconfig-tui to use TLS they connect with an OpenLdap user but in logs says 389... not 636
can be TLS enanbled and still using port 389?
I'm going to include both logs:
Scenario.
Openldap TLS Configured and enabled. OK. In both scenarios client connect with an LDAP user.
1. Client without TLS logs:
[code]Feb 13 08:42:50 masterdns slapd[3911]: conn=2 fd=16 ACCEPT from IP=192.168.2.73:45037 (IP=0.0.0.0:389)
Feb 13 08:42:50 masterdns slapd[3911]: conn=2 op=0 BIND dn="" method=128
Feb 13 08:42:50 masterdns slapd[3911]: conn=2 op=0 RESULT tag=97 err=0 text=
Feb 13 08:42:50 masterdns slapd[3911]: conn=2 op=1 SRCH base="dc=training,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=adri))"
Feb 13 08:42:50 masterdns slapd[3911]: conn=2 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Feb 13 08:42:50 masterdns slapd[3911]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 13 08:42:52 masterdns slapd[3911]: conn=2 op=2 SRCH base="dc=training,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=adri))"
Feb 13 08:42:52 masterdns slapd[3911]: conn=2 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Feb 13 08:42:52 masterdns slapd[3911]: conn=2 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 13 08:42:52 masterdns slapd[3911]: conn=2 op=3 SRCH base="dc=training,dc=com" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=adri))"
Feb 13 08:42:52 masterdns slapd[3911]: conn=2 op=3 SRCH attr=uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire shadowFlag
Feb 13 08:42:52 masterdns slapd[3911]: conn=2 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 13 08:42:52 masterdns slapd[3911]: conn=2 op=4 SRCH base="dc=training,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=adri))"
Feb 13 08:42:52 masterdns slapd[3911]: conn=2 op=4 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Feb 13 08:42:52 masterdns slapd[3911]: conn=2 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=[/code]

2. Client with TLS enabled Logs
[code]Feb 13 09:41:35 masterdns slapd[4096]: conn=5 fd=15 ACCEPT from IP=192.168.2.74:35441 (IP=0.0.0.0:389)
Feb 13 09:41:35 masterdns slapd[4096]: conn=5 op=0 STARTTLS
Feb 13 09:41:35 masterdns slapd[4096]: conn=5 op=0 RESULT oid= err=0 text=
Feb 13 09:41:35 masterdns slapd[4096]: conn=5 fd=15 TLS established tls_ssf=256 ssf=256
Feb 13 09:41:35 masterdns slapd[4096]: conn=5 op=1 BIND dn="" method=128
Feb 13 09:41:35 masterdns slapd[4096]: conn=5 op=1 RESULT tag=97 err=0 text=
Feb 13 09:41:35 masterdns slapd[4096]: conn=5 op=2 SRCH base="dc=training,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=adri))"
Feb 13 09:41:35 masterdns slapd[4096]: conn=5 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Feb 13 09:41:35 masterdns slapd[4096]: conn=5 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 13 09:41:38 masterdns slapd[4096]: conn=5 op=3 SRCH base="dc=training,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=adri))"
Feb 13 09:41:38 masterdns slapd[4096]: conn=5 op=3 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Feb 13 09:41:38 masterdns slapd[4096]: conn=5 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 13 09:41:38 masterdns slapd[4096]: conn=5 op=4 SRCH base="dc=training,dc=com" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=adri))"
Feb 13 09:41:38 masterdns slapd[4096]: conn=5 op=4 SRCH attr=uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire shadowFlag
Feb 13 09:41:38 masterdns slapd[4096]: conn=5 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 13 09:41:38 masterdns slapd[4096]: conn=5 op=5 SRCH base="dc=training,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=adri))"
Feb 13 09:41:38 masterdns slapd[4096]: conn=5 op=5 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Feb 13 09:41:38 masterdns slapd[4096]: conn=5 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text=[/code]

Can be TLS been enabled and TLS configured clients use 389 port? or I am still configuring this TLS incorrectly.

Thanks a lot
Didn't your momma teach you to say thanks!
Matti_Kurkela
Honored Contributor

Re: OpenLdap - TSL-SSL

Yes, it can.

When you're using TLS with LDAP, LDAP client can open a connection using a regular LDAP port, and then perform a StartTLS operation - essentially saying "start encryption now, please."

If the client does not request a StartTLS operation, the connection remains unencrypted. The server can be configured to reject unencrypted connections, or to accept them.

With SSL, the server port is configured to expect a SSL handshake immediately after opening the port. This requires a separate port for SSL traffic only for each service.

TLS is a successor of SSL, and removes the requirement of using a separate port for SSL-secured connections. Of course, most TLS-capable applications can use a different port and connect SSL-style too. This is typically indicated by adding a "s" to the URL scheme name, i.e. "ldaps:" instead of "ldap:".

MK
MK
KarloChacon
Honored Contributor

Re: OpenLdap - TSL-SSL

thanks a lot Matti

well that means I'm OK or protected with TLS and my clients connections are encrypted...
Didn't your momma teach you to say thanks!