Gentoo Forums
[SOLVED] LDAP - SASL - Kerberos - Certificate problem
trupoet (Apprentice, joined 08 Aug 2002, 160 posts)
Posted: Thu Apr 06, 2006 3:35 pm    Post subject: [SOLVED] LDAP - SASL - Kerberos - Certificate problem

Hey all

I've been trying to set up LDAPS from Linux to AD (Win2k3). LDAP itself works just fine with simple authentication. I have Kerberos installed and have a ticket showing up when I do a klist.

My problem seems to be with my certificate or configuring my certificate. Basically, I've had the Windows Admin export the certificate from the dc server I am querying for LDAP and have put that cert in /etc/ldap/cacerts.

I'm trying to get this to work with PHP eventually but right now, just using ldapsearch to verify first.

Running something like:

ldapsearch -v -H ldaps://serverdc.domain.com -D "CN=user,OU=ou,DC=domain,DC=com" -W -Y GSSAPI

The GSSAPI is what implements Kerberos 5 supposedly. Anyways, it prompts me for the PW and then throws the following error:

ldap_initialize( <DEFAULT> )
Enter LDAP Password:
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed


Now if I use ldap:// instead of ldaps:// and throw in a -x for simple authentication, it authenticates just fine (just not encrypted obviously).

So I've searched google and also looked at the big long post on AD / Samba / LDAP integration here on the gentoo forums and the situation seems to keep being that you:
1. Create a certificate
2. sign the certificate
3. create a key for it

What I don't get is what am I supposed to do if I didn't create the certificate.....since it's from the AD Domain controller? And how would I get the key and/or CA to go with the cer file? I've looked at the cert itself and it is legitimate, not even self signed.

I've heard a lot of people saying setup ldap.conf with TLS_CERTREQ never but when I do that, I get the following error:


ldap_initialize( <DEFAULT> )
Enter LDAP Password:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Inappropriate authentication (48)
additional info: 00002029: LdapErr: DSID-0C09016D, comment: Cannot start kerberos signing/sealing when using TLS/SSL, data 0, vece


So it seems to me that it shouldn't even be erroring on the certificate in the first place if I can't use TLS/SSL while using Kerberos. I've taken all my TLS commands out of /etc/ldap.conf (which is symlinked to /etc/openldap/ldap.conf as well) including the one pointing to the cert and still get the error about certificate verify failing. Yet do I even need a certificate in the first place if I'm using Kerberos?

I think part of my problem is that I don't fully understand how certificates, CAs and keys work.

Any help would be appreciated. Thanks


Last edited by trupoet on Thu Apr 06, 2006 9:19 pm; edited 1 time in total
converter (Apprentice, joined 24 Dec 2002, 163 posts)
Posted: Thu Apr 06, 2006 6:09 pm

openssl is probably rejecting the host cert because it is from an unknown Certificate Authority (CA).

See this page for information on debugging OpenLDAP client SSL/TLS connections:

http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#6.1


You can run ldapsearch with the -d n option, where n is the debug level. I'm not certain which level or combination of levels to use, but they're documented here (slapd and ldapsearch use the same debug options):

http://www.openldap.org/doc/admin21/runningslapd.html
trupoet (Apprentice, joined 08 Aug 2002, 160 posts)
Posted: Thu Apr 06, 2006 8:20 pm

Thanks a ton

I've been looking at this all day now and getting farther and farther with it.

Ended up stracing through and finding that ldapsearch kept wanting to look for an .ldaprc.

So I went through the process of creating my own CA, Cert, and Key and addressed them in my .ldaprc.

ldapsearch -d for debugging was $$$ thanks a ton for that. I should have looked that up better.


Now I'm finding out by using openssl s_client that it's not my certificate that's being screwy...but the Win2k3 AD Server's cert instead.

s_client keeps returning:

verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0
verify error:num=27:certificate not trusted
verify return:1
depth=0
verify error:num=21:unable to verify the first certificate
verify return:1


and then at the very end:

Verify return code: 21 (unable to verify the first certificate)



The weird thing is the server's cert looks legit to me, fully verisigned and all that from what I can tell. Do I need something on my end that knows about the server's CAs still to do a successful SSL handshake or something? Like export the Root Cert from AD and add it to the end of my CAcert on my linux box?
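The s_client output quoted in the post above is the usual signature of a client that has not been told which CA signed the server's certificate. The following is an added example, not code from the thread: a small POSIX shell helper that reads openssl s_client's "verify error:num=N" lines (the sample text is constructed from the lines quoted above) and maps the three codes seen here, 20, 27 and 21, to what they mean for the client's CA store. It runs offline; point it at real s_client output by piping that output into the functions instead of the sample.

```shell
#!/bin/sh
# Added example (not from the thread): classify the "verify error:num=N"
# lines that openssl s_client prints when it cannot build a trusted chain.
# The sample below is constructed from the lines quoted in the post.

SAMPLE_S_CLIENT_OUTPUT='depth=0
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0
verify error:num=27:certificate not trusted
verify return:1
depth=0
verify error:num=21:unable to verify the first certificate
verify return:1
Verify return code: 21 (unable to verify the first certificate)'

# Print one line per distinct X509 verify error code with what it means
# for a client whose CA store does not contain the server cert's issuer.
explain_verify_errors() {
    printf '%s\n' "$1" | sed -n 's/^verify error:num=\([0-9]*\):.*/\1/p' | sort -u | while read -r code; do
        case "$code" in
            20) echo "20 missing-issuer: the CA that signed the server cert is not in TLS_CACERT/TLS_CACERTDIR" ;;
            27) echo "27 untrusted: the chain ends at a cert this client has not been told to trust" ;;
            21) echo "21 unverifiable-leaf: the server sent only its own cert and nothing on the client anchors it" ;;
            *)  echo "$code other: see the X509 verify error list in the openssl verify(1) man page" ;;
        esac
    done
}

# Final verdict line: 0 means the chain validated against the local CA store.
verify_return_code() {
    printf '%s\n' "$1" | sed -n 's/^Verify return code: \([0-9]*\).*/\1/p' | tail -n 1
}

# "yes" when the diagnosis is a CA missing on the client (the thread's case),
# i.e. error 20 or 21 appeared; "no" otherwise.
needs_ca_on_client() {
    if printf '%s\n' "$1" | grep -q 'verify error:num=2[01]:'; then
        echo yes
    else
        echo no
    fi
}

explain_verify_errors "$SAMPLE_S_CLIENT_OUTPUT"
verify_return_code "$SAMPLE_S_CLIENT_OUTPUT"
needs_ca_on_client "$SAMPLE_S_CLIENT_OUTPUT"
```

A "yes" from needs_ca_on_client is the cue to export the issuing CA (for an AD-issued cert, the domain's root CA certificate) and add it to the file or directory named by TLS_CACERT or TLS_CACERTDIR, which is exactly what the next post does.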
trupoet (Apprentice, joined 08 Aug 2002, 160 posts)
Posted: Thu Apr 06, 2006 8:37 pm

Ok so I exported the Root Cert from the AD server and added it to my own CA.

Now I'm back to the error saying:


Cannot start kerberos signing/sealing when using TLS/SSL


so basically when any of my TLS commands from my .ldaprc are commented out, it errors saying couldn't verify certificate but when I uncomment them to point to the cert information, it says that kerberos can't be used while using TLS/SSL.

Any ideas?
trupoet (Apprentice, joined 08 Aug 2002, 160 posts)
Posted: Thu Apr 06, 2006 9:20 pm

Ok I figured out the problem....it's kind of misleading.

The fact is, I didn't even need a certificate.

When doing SASL authentication via LDAP, you do NOT specify an s in ldaps://, it just uses ldap:// and automatically encrypts based on your SASL encryption scheme.....I used GSSAPI (kerberos 5).

Once I took out the S, removed any TLS entries and specified SASL_MECH GSSAPI

it worked perfectly.

I did double-check with Ethereal whether the network packets were being encrypted and they were, yay!
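The resolution above comes down to one rule: GSSAPI sign/seal provides its own integrity and confidentiality, and AD refuses to layer it on top of a TLS session, so the working client config uses ldap:// with SASL_MECH GSSAPI and no TLS entries at all. The following is an added example, not from the thread: a POSIX shell checker for an OpenLDAP client config in ldap.conf / ~/.ldaprc "KEY value" form. Both configs embedded in it are constructed: the first reproduces the dead end from the thread (ldaps:// plus GSSAPI), the second is the shape of the setup that finally worked. The option it inspects for skipped verification is TLS_REQCERT, which is OpenLDAP's actual name for what the first post calls TLS_CERTREQ.

```shell
#!/bin/sh
# Added example (not from the thread): flag the two client-side mistakes the
# thread walks through. Constructed configs, not the poster's real files.

# Dead end: GSSAPI over ldaps:// triggers AD's
# "Cannot start kerberos signing/sealing when using TLS/SSL".
CONFIG_BROKEN='URI ldaps://serverdc.domain.com
BASE dc=domain,dc=com
TLS_CACERT /etc/ldap/cacerts/ca.pem
SASL_MECH GSSAPI'

# Working: plain ldap://, no TLS entries; GSSAPI signs and seals the session.
CONFIG_WORKING='URI ldap://serverdc.domain.com
BASE dc=domain,dc=com
SASL_MECH GSSAPI'

# Value of the first matching key (ldap.conf keys are case-insensitive).
conf_get() {
    printf '%s\n' "$1" | awk -v key="$2" 'toupper($1) == toupper(key) { print $2; exit }'
}

# Prints "ok" or a one-line reason the bind will fail.
check_ldap_client_config() {
    uri=$(conf_get "$1" URI)
    mech=$(conf_get "$1" SASL_MECH)
    cacert=$(conf_get "$1" TLS_CACERT)
    cacertdir=$(conf_get "$1" TLS_CACERTDIR)
    reqcert=$(conf_get "$1" TLS_REQCERT)
    case "$uri" in
        ldaps://*)
            # AD rejects Kerberos sign/seal once the session is already under TLS.
            if [ "$mech" = "GSSAPI" ]; then
                echo "conflict: GSSAPI sign/seal cannot be layered on ldaps:// (use ldap:// with SASL_MECH GSSAPI)"
                return 0
            fi
            # ldaps:// with no CA to anchor the server cert reproduces
            # "certificate verify failed" unless verification is switched off,
            # and switching it off (TLS_REQCERT never/allow) discards the
            # server authentication ldaps:// was meant to give you.
            if [ -z "$cacert" ] && [ -z "$cacertdir" ]; then
                if [ "$reqcert" = "never" ] || [ "$reqcert" = "allow" ]; then
                    echo "unverified: ldaps:// with TLS_REQCERT $reqcert, server identity is not checked"
                else
                    echo "missing-ca: ldaps:// with no TLS_CACERT/TLS_CACERTDIR, server cert cannot be verified"
                fi
                return 0
            fi
            ;;
    esac
    echo ok
}

check_ldap_client_config "$CONFIG_BROKEN"
check_ldap_client_config "$CONFIG_WORKING"
```

With the working config in place the bind from the first post becomes `ldapsearch -H ldap://serverdc.domain.com -Y GSSAPI ...`: no -D or -W, since the Kerberos ticket from klist carries the identity, and the Ethereal check in the post above is the right way to confirm the wire traffic is sealed rather than trusting the absence of an error.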