fmouse (Tux's lil' helper)
Joined: 28 Jul 2003 Posts: 101
Posted: Tue Jan 06, 2004 6:44 am Post subject: Problem with openldap and self-signed x509 certs
This looks like a bug....
I followed the directions on <http://www.gentoo.org/doc/en/ldap-howto.xml> to configure ldap, however it looks as if the instructions create a self-signed x509 cert which openldap won't accept.
Code:
# ldapsearch -D "cn=Manager,dc=genfic,dc=com" -W -d 255
ldap_create
Enter LDAP Password:
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP vishnu.fmp.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.1.16:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_int_sasl_open: host=vishnu.fmp.com
TLS trace: SSL_connect:before/connect initialization
tls_write: want=148, written=148
0000: 80 92 01 03 01 00 69 00 00 00 20 00 00 39 00 00 ......i... ..9..
0010: 38 00 00 35 00 00 16 00 00 13 00 00 0a 07 00 c0 8..5............
0020: 00 00 33 00 00 32 00 00 2f 00 00 07 05 00 80 03 ..3..2../.......
0030: 00 80 00 00 66 00 00 05 00 00 04 01 00 80 08 00 ....f...........
0040: 80 00 00 63 00 00 62 00 00 61 00 00 15 00 00 12 ...c..b..a......
0050: 00 00 09 06 00 40 00 00 65 00 00 64 00 00 60 00 .....@..e..d..`.
0060: 00 14 00 00 11 00 00 08 00 00 06 04 00 80 00 00 ................
0070: 03 02 00 80 7e 3a 0e 54 e9 c6 01 5f 72 9f c7 70 ....~:.T..._r..p
0080: ce e4 ac 11 4a 8b 3d e2 0c 25 b2 1a cd 11 8d 4d ....J.=..%.....M
0090: c1 9a 47 8a ..G.
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=7
0000: 16 03 01 00 4a 02 00 ....J..
tls_read: want=72, got=72
0000: 00 46 03 01 3f fa 58 2d bd e6 cb 47 c2 e0 86 01 .F..?.X-...G....
0010: ad 25 a0 8d b1 62 15 c3 92 0e a5 b1 b9 aa fc fe .%...b..........
0020: be 4a 05 56 20 50 73 77 7a 10 cc a2 98 09 b4 98 .J.V Pswz.......
0030: 93 f1 fe de be 6e 88 f2 a0 22 96 b4 26 cd a5 a1 .....n..."..&...
0040: 3b 31 ec aa 90 00 35 00 ;1....5.
TLS trace: SSL_connect:SSLv3 read server hello A
tls_read: want=5, got=5
0000: 16 03 01 03 c1 .....
tls_read: want=961, got=961
0000: 0b 00 03 bd 00 03 ba 00 03 b7 30 82 03 b3 30 82 ..........0...0.
[snip, snap]
TLS certificate verification: depth: 0, err: 18, subject: /C=US/ST=TX/L=Leander/O=FMP Computer Services/OU=office/CN=vishnu.fmp.com/emailAddress=fmouse-nofilter@fmp.com, issuer: /C=US/ST=TX/L=Leander/O=FMP Computer Services/OU=office/CN=vishnu.fmp.com/emailAddress=fmouse-nofilter@fmp.com
TLS certificate verification: Error, self signed certificate
tls_write: want=7, written=7
0000: 15 03 01 00 02 02 30 ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_sasl_interactive_bind_s: Can't contact LDAP server (81)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
All I really want to do is get samba running. Samba demands that I use openldap, and openldap demands that I use SSL, and SSL doesn't work. Help!
MrPyro (Tux's lil' helper)
Joined: 14 Aug 2003 Posts: 121 Location: Sheffield, England
Posted: Tue Jan 06, 2004 11:14 am Post subject:
Try adding to your /etc/openldap/ldap.conf file the line
This is the advice from another forum, which mentions the main user manual's TLS page at http://www.openldap.org/doc/admin21/tls.html
Hope this helps
Jacobs (Apprentice)
Joined: 29 Apr 2003 Posts: 174 Location: Czech republic
Posted: Sat Aug 07, 2004 7:35 pm Post subject:
I don't think that solves the issue. It just makes the TLS certificate check optional:
Quote: With a setting of 'allow' the client will ask for a server certificate; if none is provided the session proceeds normally.
DawgG (l33t)
Joined: 17 Sep 2003 Posts: 878
Posted: Fri Sep 17, 2004 3:12 pm Post subject: ldap not necessary for running samba
hello,
i read your post because i really need openldap, but i just want to tell you that you really don't need openldap for samba.
just re-emerge samba and put
in the use-flags.
(in fact i think openldap makes samba a little harder to use if you just want basic windoze-networking)
DawgG (l33t)
Joined: 17 Sep 2003 Posts: 878
Posted: Fri Sep 17, 2004 5:07 pm Post subject: OPENSSL self-signed CERT problems persist PLS HELP
i need openldap and installed it following the gentoo howto.
it doesn't work because the self-signed certs are just not accepted and the howto does not tell me anything about the openssl-configuration that is necessary or what certs or CAs must exist on the system.
more or less i always get
Code:
error 18 at 0 depth lookup:self signed certificate
when i do ldapsearch or openssl verify on the ldap-keyfile.pem
i followed instructions to get a self-signed CACert (it worked), but when i use the same mechanisms for the ldap-key.pem (hashes as symlinks to the .pem-files) slapd won't start, even though
Code:
openssl verify <hash>.0
says OK. <hash>.0 is the hash of the ldap-key.pem as symlink to ldap-key.pem
how do you manage your self-signed certs for ldap?
has anybody gotten ldap to work WITH ssl using this howto?
PLS HELP
Jacobs (Apprentice)
Joined: 29 Apr 2003 Posts: 174 Location: Czech republic
Posted: Fri Sep 17, 2004 6:24 pm Post subject:
Hi, sorry for not fully answering your questions.
I just want to tell you that just following that gentoo howto won't make it work. I've been there, and if the howto wasn't changed in the last month you'll have to search also in some other places. I've managed to make it work after about a day of googling and searching gentoo forums, but I don't remember what exactly was the problem.
But in general you'll find a lot of posts about non-working ssl - it's a common problem.
dennis_demarco (n00b)
Joined: 06 Oct 2004 Posts: 6
Posted: Wed Oct 06, 2004 6:35 pm Post subject: Self signed certs
Self signed certs no longer work in LDAP 2.1
http://www.openldap.org/faq/data/cache/185.html
You need to put the
tls_cacert /etc/openldap/ssl/cacert.pem
in both /etc/ldap.conf
AND
/etc/openldap/ldap.conf
There is a difference between the two files.
the LDAP FAQ is very out of date and will not work if you follow it
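An added example (not code from the thread or from the Gentoo howto) that reproduces the "error 18 at 0 depth" failure from the first and fifth posts with a constructed self-signed cert, then shows the same check passing once that cert is supplied as the CA file, which is what the tls_cacert setting above does for the LDAP client. It assumes the openssl command-line tool is installed; the hostname vishnu.fmp.com is taken from the trace in the first post.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce "error 18 at 0 depth lookup:self signed
# certificate" with a constructed self-signed cert, then show the same check passing once
# that cert is trusted explicitly (what TLS_CACERT in ldap.conf does for the LDAP client).
# Assumes the openssl CLI is installed; the CN is the hostname from the thread's trace.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a throwaway self-signed server key and cert: $1 = key path, $2 = cert path
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=vishnu.fmp.com" -keyout "$1" -out "$2" 2>/dev/null
}

# Print "yes" if subject and issuer hashes match (subject == issuer, as in the trace)
is_self_signed() {
  s=$(openssl x509 -in "$1" -noout -subject_hash)
  i=$(openssl x509 -in "$1" -noout -issuer_hash)
  [ "$s" = "$i" ] && echo yes || echo no
}

# Verify cert $1 against CA file $2 (empty = default store only) and print the X.509
# verify result: 0 = OK, 18 = DEPTH_ZERO_SELF_SIGNED_CERT, 1 = any other failure
verify_cert() {
  if [ -n "${2:-}" ]; then
    out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
  else
    out=$(openssl verify "$1" 2>&1) || true
  fi
  case "$out" in
    *": OK"*)                echo 0 ;;
    *"error 18 at 0 depth"*) echo 18 ;;
    *)                       echo 1 ;;
  esac
}

# The same check against a live ldaps port (not run here):
#   check_server vishnu.fmp.com 636 /etc/openldap/ssl/cacert.pem
check_server() {
  openssl s_client -connect "$1:$2" -CAfile "$3" </dev/null 2>/dev/null |
    grep 'Verify return code'
}

KEY=$WORK/ldap-key.pem; CERT=$WORK/ldap-cert.pem
make_selfsigned "$KEY" "$CERT"
echo "self-signed:                $(is_self_signed "$CERT")"      # yes
echo "default store, no CA file:  $(verify_cert "$CERT")"         # 18
echo "CA file = the cert itself:  $(verify_cert "$CERT" "$CERT")" # 0
```

The 18 case is exactly what the ldapsearch trace shows: the client has no trust anchor for the server cert, so it refuses the handshake with "unknown CA".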