OpenLDAP SSL/TLS problem with pam/nss

  • humbletech99

Post 3+ Months Ago

I have an OpenLDAP server running which I am trying to get to use SSL/TLS. It works without it, but it does not work when I switch on ssl/tls.
Code:
getent passwd

returns nothing from the ldap server, and the logs show:
Code:
Jun 12 13:23:22 myhost getent: nss_ldap: failed to bind to LDAP server ldaps://ldap.mydomain.com/: Can't contact LDAP server
Jun 12 13:23:22 myhost getent: nss_ldap: could not search LDAP server - Server is unavailable
Jun 12 13:23:22 myhost slapd[31771]: conn=9 fd=15 ACCEPT from IP=x.x.x.x:59963 (IP=0.0.0.0:636)
Jun 12 13:23:22 myhost slapd[31771]: conn=9 fd=15 closed (TLS negotiation failure)

I have set these options in ldap.conf for the nss/pam ldap modules:
Code:
tls_checkpeer yes
tls_ciphers HIGH
ssl yes
tls_cacert /etc/openldap/cacerts/slapd.cert

and I have the following options in slapd.conf:
Code:
TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.cert
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

I don't think that increasing debugging in slapd will help as it looks like it's the client nss and pam ldap modules that are failing to verify the certificate. Setting
Code:
tls_checkpeer no
allows the getent to work, but of course this is insecure...

The cert file and pem file are there with the right permissions, and I am testing this from the same server that slapd is running from right now, so the cacert mentioned in the ldap.conf file is there on the local filesystem too and I copied it to the right path...

So my question is, how do I go about debugging this? I cannot see any more logging information or options to increase logging for the pam/nss modules... and I don't know much about openssl in general (I know I should but I've always hated it)

  • Daemonguy

Post 3+ Months Ago

Is it TLS 2.1 or later?

http://www.openldap.org/faq/data/cache/185.html

It's a slightly different setup.
  • humbletech99

Post 3+ Months Ago

Yeah, I think this is the problem; I'll have to do this CA bit. Thanks.


EDIT: I've tried the instructions on that page and openssl s_client ... shows
Code:
Verify return code: 0 (ok)

indicating that the CA and slapd cert files are ok, but when doing a getent I still get
Code:
Jun 15 11:20:29 myhost getent: nss_ldap: failed to bind to LDAP server ldaps://ldap.mydomain.com/: Can't contact LDAP server
Jun 15 11:20:29 myhost getent: nss_ldap: could not search LDAP server - Server is unavailable
 
Jun 15 11:20:29 myhost slapd[7523]: conn=3 fd=15 ACCEPT from IP=x.x.x.x:57431 (IP=0.0.0.0:636)
Jun 15 11:20:29 myhost slapd[7523]: conn=3 fd=15 closed (TLS negotiation failure)

Even though I have updated my /etc/ldap.conf for pam/nss and slapd.conf with the right paths to the certificates and private key.

I'm at a total loss at this point.
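An added check script, not from any poster in this thread, for the point this post reaches: s_client says the cert verifies, yet nss_ldap with tls_checkpeer yes still fails. It reads tls_cacert and uri from /etc/ldap.conf the way nss_ldap does, fetches the certificate slapd actually serves, and tests the two things peer verification requires: that the file named in tls_cacert verifies that certificate, and that the URI host appears in its CN or SAN. Assumed: a uri line in /etc/ldap.conf (the log shows ldaps://ldap.mydomain.com/), openssl on PATH, and hostnames rather than IP literals in the URI.

```shell
# Added example (not from the thread): check what nss_ldap's "tls_checkpeer yes" needs,
# namely that tls_cacert verifies the cert slapd serves and that the URI host is a name in it.
# Assumes /etc/ldap.conf carries a "uri" line (the log shows ldaps://ldap.mydomain.com/) and openssl in PATH.
ldap_conf_get() {  # value of KEY in an ldap.conf-style file (case-insensitive key, first match)
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}
uri_host() {  # ldaps://ldap.mydomain.com/ -> ldap.mydomain.com
    printf '%s\n' "$1" | sed -e 's|^[A-Za-z]*://||' -e 's|[/:].*$||'
}
uri_port() {  # explicit port if the URI has one, else the scheme default (ldaps 636, ldap 389)
    case "$1" in
    *://*:[0-9]*) printf '%s\n' "$1" | sed -e 's|^[A-Za-z]*://[^:/]*:||' -e 's|/.*$||' ;;
    ldaps://*) echo 636 ;;
    *) echo 389 ;;
    esac
}
cert_names() {  # CN and DNS SANs of a PEM cert, one per line, parsed from openssl's text dump
    openssl x509 -in "$1" -noout -text | awk '
        /Subject:/ && match($0, /CN ?= ?[^,\/]+/) { n = substr($0, RSTART, RLENGTH); sub(/CN ?= ?/, "", n); print n }
        /Subject Alternative Name/ { getline; gsub(/ /, ""); k = split($0, a, ",")
            for (i = 1; i <= k; i++) if (sub(/^DNS:/, "", a[i])) print a[i] }'
}
name_matches() {  # does HOST equal one of NAMES (newline-separated) or fit a "*.example" entry?
    _ifs=$IFS; IFS='
'; _ok=1
    for _n in $2; do
        [ "$_n" = "$1" ] && _ok=0
        case "$_n" in \*.*) [ "${1#*.}" = "${_n#\*.}" ] && _ok=0 ;; esac
    done
    IFS=$_ifs; return $_ok
}
diagnose() {  # fetch the cert slapd serves on the ldaps port and run both checks against the client config
    conf=${1:-/etc/ldap.conf}; ca=$(ldap_conf_get "$conf" tls_cacert); uri=$(ldap_conf_get "$conf" uri)
    host=$(uri_host "$uri"); port=$(uri_port "$uri"); served=$(mktemp) || return 1
    if ! openssl s_client -connect "$host:$port" </dev/null 2>/dev/null | openssl x509 >"$served" 2>/dev/null; then
        echo "no TLS handshake with $host:$port (slapd closed it; check its TLS* paths)"; rm -f "$served"; return 1
    fi
    if openssl verify -CAfile "$ca" "$served" >/dev/null 2>&1; then echo "chain: ok against $ca"
    else echo "chain: FAIL, $ca does not verify the served cert (tls_cacert must hold the issuing CA)"; fi
    if name_matches "$host" "$(cert_names "$served")"; then echo "name: ok, cert issued for $host"
    else echo "name: FAIL, $host is not in the cert's CN/SAN"; fi
    rm -f "$served"
}
if [ $# -gt 0 ]; then diagnose "$1"; fi   # usage: sh check_ldap_tls.sh /etc/ldap.conf
```

A clean s_client run only proves the cert verifies against whatever CA file s_client was handed; this script takes the CA path from the same file nss_ldap reads, so its result reflects what the client actually verifies.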

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.