Help about openldap ssl
Aldyth Maharsha
demhyt at gmail.com
Fri Jun 17 12:54:47 UTC 2011
Hi list, I'm having trouble setting up OpenLDAP SSL on my Ubuntu Server 11.04
(2.6.38-8-server).
I can set up LDAP without SSL perfectly with a Samba PDC on a different
server (the LDAP server and the Samba server are on separate machines). I'm using the guide
at https://help.ubuntu.com/11.04/serverguide/C/openldap-server.html to
set up ldaps, but it fails.
My /etc/ldap/ldap.conf:
root at sunko02:/etc/ssl# cat /etc/ldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=sunko,dc=local
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
URI ldap://10.1.0.2
TLS_REQCERT allow
TLS_CACERT /etc/ssl/certs/cacert.pem
ssl start_tls
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
I'm checking the TLS configuration like this:
root at sunko02:/etc/ssl# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config | grep TLS
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
olcTLSCertificateFile: /etc/ssl/certs/sunko02_slapd_cert.pem
olcTLSCertificateKeyFile: /etc/ssl/private/sunko02_slapd_key.pem
olcAttributeTypes: ( OLcfgGlAt:68 NAME 'olcTLSCACertificateFile' SYNTAX
OMsDir
olcAttributeTypes: ( OLcfgGlAt:69 NAME 'olcTLSCACertificatePath' SYNTAX
OMsDir
olcAttributeTypes: ( OLcfgGlAt:70 NAME 'olcTLSCertificateFile' SYNTAX
OMsDirec
olcAttributeTypes: ( OLcfgGlAt:71 NAME 'olcTLSCertificateKeyFile' SYNTAX
OMsDi
olcAttributeTypes: ( OLcfgGlAt:72 NAME 'olcTLSCipherSuite' SYNTAX
OMsDirectory
...........................................................................................................................
And if I search for records in the LDAP server, like this:
root at sunko02:/etc/ssl# ldapsearch -xLLL -d1 -b "dc=sunko,dc=local" -H ldaps://localhost ou=ktm
ldap_url_parse_ext(ldaps://localhost)
ldap_create
ldap_url_parse_ext(ldaps://localhost:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
.............................................................................................................................
When I check with openssl like this:
root at sunko02:/etc/ssl# openssl s_client -connect localhost:636 -showcerts
CONNECTED(00000003)
depth=1 /CN=sunko.local
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/O=sunko.local/CN=sunko02.sunko.local
i:/CN=sunko.local
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
1 s:/CN=sunko.local
i:/CN=sunko.local
-----BEGIN CERTIFICATE-----
MIIC5zCCAdGgAwIBAgIETfsK9jALBgkqhkiG9w0BAQUwFjEUMBIGA1UEAxMLc3Vu
a28ubG9jYWwwHhcNMTEwNjE3MDgwNjE0WhcNMTIwNjE2MDgwNjE0WjAWMRQwEgYD
VQQDEwtzdW5rby5sb2NhbDCCASAwCwYJKoZIhvcNAQEBA4IBDwAwggEKAoIBAQDM
Pnnzbbg1tACaFBM63ZYFrVxiyIdk46CuvXWe1WZ/XEJFzLovQztkvZmHDw23jk8w
dcTAP0IMXwN/MbjF4tkMqziOeteNGS8pkn5QS9tPRalnGN9cjQfCixtFwxJwJd91
GyaWqy8lHQorY4alBDnpyBxRpAZgY7/CjYkS3TvIN+MM+//ffzBsgiQNxKnzBas3
N7BVSjYGJKB3ei9Jmo/eI6JkWUSP07Ob9bVvNK5BOFlH6B2L+MhE7n0LVRRD41Ls
LXP3A9/F8czmZp8yAPiAaKtwaRK+ka3C7Z6HoOoY+evmcZqAuAwvoZnh3U27sjtl
pV1o4wzNkVL7yMxwfQxPAgMBAAGjQzBBMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0P
AQH/BAUDAwcEADAdBgNVHQ4EFgQUpvHIAJKiXXZTvev7NkqeQHB/Z+IwCwYJKoZI
hvcNAQEFA4IBAQCkNZARxGtbuSa2yHkJF9e0GdSxr/+P8bFkxXD/js+oSEUYfNzu
It4Ub8LFPmNNqiAQt3TCw7eJr/fM0HEcpq7G1CHsg8M00dG5qX794jGnEqv8aoGI
SzRvLiH5YyUdTPjdYlF+CUQAjgz2lyMdv5XSu+SdhVYInMAQ47Bl2lOo8Q3daumV
HsAxk7ososnuLqgXm1gLL6aOwpJhuljxJhywq8Bt7wnovBDHvWco+gH5wudWXHbV
ik62Iuzos2H+EcZFWmYW6Y/ELbfdAv3ITTiEKFkgir0cXDXVs26wy8BSIp0bgN+w
Oc2WXFRkANeiW/SrARXCIuSBsdGkqYm7xbJe
-----END CERTIFICATE-----
---
Server certificate
subject=/O=sunko.local/CN=sunko02.sunko.local
issuer=/CN=sunko.local
---
No client certificate CA names sent
---
SSL handshake has read 1756 bytes and written 421 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID:
9DEEFB20AE5ADC9DBDC614E097F34180F98A3017FB483BB2DBD95B0E43F1C57F
Session-ID-ctx:
Master-Key:
D8F5A6A0A091E004F4D6AF4A42F651419BCFCDE76CD839FB9E658A83B5805489CE33216C67A9A60E66265C15A9878FEA
Key-Arg : None
Start Time: 1308308316
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
And I try checking the certificate from the LDAP client:
root at sunko08:/etc# gnutls-cli --print-cert -p 636 sunko02.sunko.local
Resolving 'sunko02.sunko.local'...
Connecting to '10.1.0.2:636'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
- subject `O=sunko.local,CN=sunko02.sunko.local', issuer `CN=sunko.local',
RSA key 2048 bits, signed using RSA-SHA, activated `2011-06-17 08:07:40
UTC', expires `2012-06-16 08:07:40 UTC', SHA-1 fingerprint
`f649580f9a039ae3356c80fc5a9786606a94892f'
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
- Certificate[1] info:
- subject `CN=sunko.local', issuer `CN=sunko.local', RSA key 2048 bits,
signed using RSA-SHA, activated `2011-06-17 08:06:14 UTC', expires
`2012-06-16 08:06:14 UTC', SHA-1 fingerprint
`8fa7124b92ee007fcec09bca618c2fa2100dbe5c'
-----BEGIN CERTIFICATE-----
MIIC5zCCAdGgAwIBAgIETfsK9jALBgkqhkiG9w0BAQUwFjEUMBIGA1UEAxMLc3Vu
a28ubG9jYWwwHhcNMTEwNjE3MDgwNjE0WhcNMTIwNjE2MDgwNjE0WjAWMRQwEgYD
VQQDEwtzdW5rby5sb2NhbDCCASAwCwYJKoZIhvcNAQEBA4IBDwAwggEKAoIBAQDM
Pnnzbbg1tACaFBM63ZYFrVxiyIdk46CuvXWe1WZ/XEJFzLovQztkvZmHDw23jk8w
dcTAP0IMXwN/MbjF4tkMqziOeteNGS8pkn5QS9tPRalnGN9cjQfCixtFwxJwJd91
GyaWqy8lHQorY4alBDnpyBxRpAZgY7/CjYkS3TvIN+MM+//ffzBsgiQNxKnzBas3
N7BVSjYGJKB3ei9Jmo/eI6JkWUSP07Ob9bVvNK5BOFlH6B2L+MhE7n0LVRRD41Ls
LXP3A9/F8czmZp8yAPiAaKtwaRK+ka3C7Z6HoOoY+evmcZqAuAwvoZnh3U27sjtl
pV1o4wzNkVL7yMxwfQxPAgMBAAGjQzBBMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0P
AQH/BAUDAwcEADAdBgNVHQ4EFgQUpvHIAJKiXXZTvev7NkqeQHB/Z+IwCwYJKoZI
hvcNAQEFA4IBAQCkNZARxGtbuSa2yHkJF9e0GdSxr/+P8bFkxXD/js+oSEUYfNzu
It4Ub8LFPmNNqiAQt3TCw7eJr/fM0HEcpq7G1CHsg8M00dG5qX794jGnEqv8aoGI
SzRvLiH5YyUdTPjdYlF+CUQAjgz2lyMdv5XSu+SdhVYInMAQ47Bl2lOo8Q3daumV
HsAxk7ososnuLqgXm1gLL6aOwpJhuljxJhywq8Bt7wnovBDHvWco+gH5wudWXHbV
ik62Iuzos2H+EcZFWmYW6Y/ELbfdAv3ITTiEKFkgir0cXDXVs26wy8BSIp0bgN+w
Oc2WXFRkANeiW/SrARXCIuSBsdGkqYm7xbJe
-----END CERTIFICATE-----
- The hostname in the certificate matches 'sunko02.sunko.local'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.1
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed
- Simple Client Mode:
It can handshake, but the peer's certificate is not trusted. It seems like a
"bug", or must I use a certificate from an SSL certificate company?...
Any idea?
Best Regards,
Aldyth M