Greg's Tech blog
OpenLDAP & SSL/TLS
Posted by gmartin on Fri 09 of March, 2007 23:35 EST
I've had a bear of a time getting OpenLDAP to configure for SSL/TLS. I made a couple discoveries today that I want to note.
(Note: this is not a OpenLDAP/TLS HowTo. If you are just starting, please read the OpenLDAP.org docs on configuring TLS)
I was receiving one main error:
no shared cipher
I couldn't figure out whether slapd was configured properly. So first I tested the certs.
I ran this in one shell:
openssl s_server \
    -CAfile /var/data/ca/cacert.pem \
    -cert /var/data/ca/newcerts/ldap1cert.pem \
    -key /etc/openldap/ldap1keyclear.txt \
    -accept 99 \
    -cipher DHE-RSA-AES256-SHA
and this in another:
openssl s_client \
    -host uslack2.gmartin.org \
    -port 99 \
    -cipher DHE-RSA-AES256-SHA \
    -ssl3
(or -tls1 in place of -ssl3)
(Note: these commands use your cert files to set up a server and client to exchange data over SSL or TLS.)
For me, the connection established and data was exchanged, thereby proving the certs & CA were correct.
Next I ran slapd with -d 255 to enable debugging. What I found was that I was using incorrect directives for the TLS options.
I was using:
TLS_CACertificateFile
TLS_CertificateFile
TLSCertificateKeyFile
not:
TLSCACertificateFile
TLSCertificateFile
TLSCertificateKeyFile
Looks as though I confused ldap.conf & slapd.conf directives. Why are they different, one wonders?
I was still receiving the "no shared cipher" error. I was using this as a test tool:
To test for SSL on port 636:
ldapsearch -H ldaps://uslack2.gmartin.org \
    -vvv cn=gmartin -D cn=Manager,dc=gmartin,dc=org \
    -w password -x
To test for TLS on port 389:
ldapsearch -H ldap://uslack2.gmartin.org \
    -vvv cn=gmartin -D cn=Manager,dc=gmartin,dc=org \
    -w password -x -ZZ
I had the following in slapd.conf & ldap.conf:
TLSCipherSuite DHE-RSA-AES256-SHA
(which I cut & pasted from 'openssl ciphers')
I replaced it with the following:
TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
It's still not clear to me what the syntax should be. Trying to translate the openssl -v ciphers into what's mentioned in the manpage doesn't help me much. But I can be dense.
So I posted a couple of questions to the openldap mailing list that don't need answers:
- would there be value in making the slapd.conf & ldap.conf TLS directives align?
- Should slaptest report the bad TLS directives?
And one more. In the man page for slapd, there is this explanation for the -h option:
slapd will by default serve ldap:/// (LDAP over TCP on all interfaces on default LDAP port). That is, it will bind using INADDR_ANY and port 389. The -h option may be used to specify LDAP (and other scheme) URLs to serve. For example, if slapd is given -h "ldap://127.0.0.1:9009/ ldaps:/// ldapi:///", it will listen on 127.0.0.1:9009 for LDAP, 0.0.0.0:636 for LDAP over TLS,
The last part seems inexact. It says -h ldaps:/// will cause slapd to listen on port 636 for LDAP over TLS. Should that say something like:
"will cause slapd to listen for LDAP over SSL on port 636 and for start_tls on port 389. With properly configured TLS directives, specifying '-h ldap:///' will make available TLS over port 389"
And for posterity, here are the TLS directives from my conf files:
slapd.conf:
TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP
TLSCACertificateFile /var/data/ca/cacert.pem
TLSCertificateFile /var/data/ca/newcerts/ldap1cert.pem
TLSCertificateKeyFile /etc/openldap/ldap1keyclear.txt
TLSVerifyClient never

ldap.conf:
TLS_CACERT /var/data/ca/cacert.pem
TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP
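The following is an added example, not code from the post or from OpenLDAP: a POSIX shell pre-flight that flags TLS directives written in the other file's naming style (the slapd.conf/ldap.conf mix-up above) and asks the local OpenSSL whether a TLSCipherSuite string expands to any cipher at all. The function names, the temporary files and the sample config contents are constructed for the example; the directive names and file paths are the ones the post uses, plus ldap.conf's TLS_CERT, TLS_KEY and TLS_CIPHER_SUITE from ldap.conf(5).

```shell
#!/bin/sh
# Added example, not from the blog post. OpenLDAP uses camel-case TLS
# directive names in slapd.conf (TLSCACertificateFile, TLSCertificateFile,
# TLSCertificateKeyFile, TLSCipherSuite) and upper-case names with
# underscores in ldap.conf (TLS_CACERT, TLS_CERT, TLS_KEY, TLS_CIPHER_SUITE).
# A name in the other file's style is not the directive you meant, and in
# the post slaptest did not flag it, hence this check.

# Print the regex matching directive names that do NOT belong in the given
# file type ("slapd" or "ldap"). Returns 2 for an unknown type.
tls_name_pattern() {
    case "$1" in
        slapd) printf '%s\n' '^[[:space:]]*TLS_' ;;          # underscore style is ldap.conf's
        ldap)  printf '%s\n' '^[[:space:]]*TLS[A-Za-z]' ;;   # camel-case style is slapd.conf's
        *)     return 2 ;;
    esac
}

# Print every non-comment line of file $2 whose directive name uses the
# naming style of the other file. Prints nothing when the file is clean.
misplaced_tls_directives() {
    pattern=$(tls_name_pattern "$1") || return 2
    grep -v '^[[:space:]]*#' "$2" | grep -E "$pattern" || true
}

# Same check reduced to a count (0 when clean), which is easy to assert on.
count_misplaced() {
    misplaced_tls_directives "$1" "$2" | grep -c . || true
}

# Ask the local OpenSSL whether a cipher list expands to at least one
# cipher; "openssl ciphers" exits non-zero when the list matches nothing.
# Returns 2 if openssl is not installed, so callers can skip the check.
cipher_list_is_usable() {
    command -v openssl >/dev/null 2>&1 || return 2
    openssl ciphers "$1" >/dev/null 2>&1
}

# Constructed sample files reproducing the configuration from the post.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

cat > "$tmpdir/slapd.conf" <<'EOF'
# first attempt from the post: two names are in ldap.conf style
TLS_CACertificateFile /var/data/ca/cacert.pem
TLS_CertificateFile   /var/data/ca/newcerts/ldap1cert.pem
TLSCertificateKeyFile /etc/openldap/ldap1keyclear.txt
TLSCipherSuite        ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP
EOF

cat > "$tmpdir/ldap.conf" <<'EOF'
# TLS_CACERT is correct here; TLSCipherSuite is a slapd.conf name
TLS_CACERT     /var/data/ca/cacert.pem
TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP
EOF

for kind in slapd ldap; do
    echo "== $tmpdir/$kind.conf"
    misplaced_tls_directives "$kind" "$tmpdir/$kind.conf" |
        sed "s/^/  misplaced ($kind.conf style expected): /"
done

# The post's original single-cipher setting is a valid list; if this prints,
# "no shared cipher" came from the client's and server's lists not
# overlapping, not from a syntax error in the directive.
if cipher_list_is_usable 'DHE-RSA-AES256-SHA'; then
    echo "DHE-RSA-AES256-SHA parses as a cipher list"
fi
```

Run it as a script for the demo, or source it and call count_misplaced slapd /etc/openldap/slapd.conf against a real file. Note that the replacement cipher list in the post keeps +LOW and +EXP, which admits export-grade ciphers; once the directive names are right, the HIGH group alone is the safer setting, and the same openssl ciphers call shows what any candidate string actually expands to.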