
I have an OpenLDAP 2.4.39 server running on a CentOS 7 host which is populated with a minimal set of data. It works as expected when TLS is not used. I use this for authentication with DokuWiki today. I have bought an SSL certificate from Namecheap/Comodo and am trying to get this to work as it should.

Example:

root@smtp:~# ldapsearch -h ldap.foo.bar -D cn=Manager,dc=foo,dc=bar -W -LLL -b ou=people,dc=foo,dc=bar "(uid=baz)"
Enter LDAP Password: 
dn: uid=baz,ou=people,dc=foo,dc=bar
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
cn:: SGFucyDDhWdlIE1hcnRpbnNlbg==
displayName:: SGFucyDDhWdlIE1hcnRpbnNlbg==
givenName:: SGFucyDDhWdl
mail: baz@something.fugu
mobile: 12345678
sn: Doe
uid: baz

If I try to force TLS, things change.

root@smtp:~# ldapsearch -h ldap.foo.bar -D cn=Manager,dc=foo,dc=bar -W -LLL -b ou=people,dc=foo,dc=bar -ZZ "(uid=baz)"
ldap_start_tls: Connect error (-11)
    additional info: A TLS packet with unexpected length was received.

root@smtp:~# ldapsearch -h ldap.foo.bar -D cn=Manager,dc=foo,dc=bar -W -LLL -b ou=people,dc=foo,dc=bar -ZZ -d -1 "(uid=baz)"

...
...
TLS: can't connect: A TLS packet with unexpected length was received..
ldap_err2string
ldap_start_tls: Connect error (-11)
    additional info: A TLS packet with unexpected length was received.

The configuration on the LDAP server:

dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
structuralObjectClass: olcGlobal
entryUUID: 5760d8da-0f87-1035-85b1-9b4063f1519b
creatorsName: cn=config
createTimestamp: 20151025171240Z
olcIdleTimeout: 300
olcLogLevel: none
olcTLSCACertificateFile: /etc/openldap/tls/ldap.foo.bar.ca_bundle
olcTLSCertificateFile: /etc/openldap/tls/ldap.foo.bar.crt
olcTLSCertificateKeyFile: /etc/openldap/tls/ldap.foo.bar.key
olcTLSCipherSuite: HIGH:MEDIUM:+SSLv2
entryCSN: 20151025205018.128335Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20151025205018Z

[root@ldap tls]# ls -l
total 16
-rw-r--r-- 1 root root 5630 Oct 25 17:14 ldap.foo.bar.ca_bundle
-rw-r--r-- 1 root root 2240 Oct 25 17:14 ldap.foo.bar.crt
-r-------- 1 root root 3243 Oct 25 17:14 ldap.foo.bar.key
[root@ldap tls]# file ldap.foo.bar.ca_bundle 
ldap.foo.bar.ca_bundle: PEM certificate
[root@ldap tls]# file ldap.foo.bar.crt 
ldap.foo.bar.crt: PEM certificate
[root@ldap tls]# file ldap.foo.bar.key 
ldap.foo.bar.key: PEM RSA private key

The configuration on the client: I have added the CA bundle to the client's ca-certificates. The client is a Debian host where I copied the bundle to /usr/local/share/ca-certificates/ and ran the command update-ca-certificates.

From what I can see and read, this should work. But it isn't. It also does not work if I try to run the same search from the LDAP server itself. I am struggling to debug this further as I have no idea where to begin. Any suggestions on what I can look into to get this to work? All the configuration files have been manually edited before posting here, so I might have made mistakes, but I don't think this is the case.

Added later, after getting requests for it:

Oct 25 20:50:54 ldap slapd[21177]: daemon: shutdown requested and initiated.
Oct 25 20:50:54 ldap slapd[21177]: slapd shutdown: waiting for 0 operations/tasks to finish
Oct 25 20:50:54 ldap slapd[21177]: slapd stopped.
Oct 25 20:50:54 ldap slapd[21670]: @(#) $OpenLDAP: slapd 2.4.39 (Sep 29 2015 13:31:12) $
    mockbuild@worker1.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.39/openldap-2.4.39/servers/slapd
Oct 25 20:50:54 ldap slapd[21673]: hdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (2).
Expect poor performance for suffix "dc=foo,dc=bar".
Oct 25 20:50:54 ldap slapd[21673]: slapd starting
Oct 25 21:23:19 ldap slapd[21673]: <= bdb_equality_candidates: (uid) not indexed
Oct 25 21:23:19 ldap slapd[21673]: <= bdb_equality_candidates: (gidNumber) not indexed
Oct 25 21:23:19 ldap slapd[21673]: <= bdb_equality_candidates: (memberUid) not indexed
Oct 25 21:23:19 ldap slapd[21673]: <= bdb_equality_candidates: (uid) not indexed
Oct 25 21:23:19 ldap slapd[21673]: <= bdb_equality_candidates: (gidNumber) not indexed
Oct 25 21:23:19 ldap slapd[21673]: <= bdb_equality_candidates: (memberUid) not indexed
Oct 26 07:30:08 ldap slapd[21673]: daemon: shutdown requested and initiated.
Oct 26 07:30:08 ldap slapd[21673]: slapd shutdown: waiting for 0 operations/tasks to finish
Oct 26 07:30:08 ldap slapd[21673]: slapd stopped.
Oct 26 07:30:08 ldap slapd[23274]: @(#) $OpenLDAP: slapd 2.4.39 (Sep 29 2015 13:31:12) $
    mockbuild@worker1.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.39/openldap-2.4.39/servers/slapd
Oct 26 07:30:08 ldap slapd[23275]: slapd starting
[root@ldap log]#

After seeing this log I have added /usr/share/openldap-servers/DB_CONFIG.example as /var/lib/ldap/DB_CONFIG and done a systemctl restart slapd. I have not focused on getting proper indexes up and working since I want TLS working first.

  • Maybe you need to edit the permissions for the certificate files. I guess they should be readable by the openldap user. You also need to configure ldaps in `/etc/sysconfig/`. You should use `netstat` to check if `openldap` is listening on the ldaps port (636). You might want to enable logging for further debugging. See [this question](http://serverfault.com/questions/324608/how-do-i-get-openldap-on-centos-6-to-write-anything-to-its-log-files) for instructions. – Henrik Pingel Oct 26 '15 at 06:48
  • Can you please share also the slapd logs? I think they are not going to be enlightening, but just to be sure we have all the details. – Francesco Malvezzi Oct 26 '15 at 07:15
  • @knowhy Isn't TLS supposed to work on port 389 alongside non-TLS/SSL? All the documentation for OpenLDAP 2.4 on their site refers to TLS running on 389 and old-style SSL on 636. I checked the slapd file in /etc/sysconfig and it has the following set: SLAPD_URLS="ldapi:/// ldap:///". – Mogget Oct 26 '15 at 07:26
  • @FrancescoMalvezzi I already have logging working through rsyslog. I will add what you asked for in the text itself. – Mogget Oct 26 '15 at 07:32
  • @Mogget sorry, I don't know anything specific about OpenLDAP 2.4. Did you take a look at the [Debian Wiki OpenLDAP page](https://wiki.debian.org/LDAP/OpenLDAPSetup)? They have instructions for your error message. – Henrik Pingel Oct 26 '15 at 07:39
  • @knowhy I did create my key and csr using OpenSSL, so I'll check if that can fix my problem. :) – Mogget Oct 26 '15 at 07:45
  • I think it's easier to recompile OpenLDAP from source with --with-openldap – Francesco Malvezzi Oct 26 '15 at 10:20

2 Answers


Generally speaking,

  • TLS/SSL errors can often be diagnosed more easily with the help of the SSL Swiss Army Knife, the openssl command, than from the output of a full-scale C/S SSL app; here especially openssl's s_client subcommand could have been helpful.
  • olc provides rich diagnostic output by combining several olcLogLevels; see Table 5.1 (Debugging Levels) of the slapd.conf reference of OpenLDAP. If my memory doesn't betray me, it's the flags numerically less than or equal to 'BER' which (also) enable SSL/TLS tracing.

That being said, from the above olc listing it appears that

olcTLSVerifyClient

is not present, let alone set to 'demand' or 'allow'.

MECH_AND_URL="-H ldapi:///" # or whatever your setup needs; your mileage may vary
ldapsearch -b cn=config $MECH_AND_URL "(cn=config)" olcTLSVerifyClient -LLL

If that indeed yields nothing, create and set it:

ldapmodify $MECH_AND_URL <<EOF
dn: cn=config
changetype: modify
add: olcTLSVerifyClient
olcTLSVerifyClient: allow
-
EOF
  • Thank you for the suggestions. I tried your suggestions without a lot of successful or helpful information. The solution was simpler than I thought. I simply hadn't enabled TLS in config. – Mogget Oct 27 '15 at 20:19
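A StartTLS probe along the lines the answer suggests, added here as an example and not code from the question or the answer: it sends the LDAP StartTLS ExtendedRequest itself, so a refusal by slapd (resultCode and diagnostic message) is visible before any TLS handshake, and only then wraps the socket with the CA bundle, so that certificate, hostname and protocol failures show up separately from the generic "Connect error (-11)". The host name and bundle path are the question's placeholders; the standard library is all it needs.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # LDAP StartTLS extended operation (RFC 4511, section 4.14)

def _ber_len(n):  # BER definite-form length, short or long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _read_tlv(buf, pos):  # returns (tag, payload, position after the element)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def build_starttls_request(msg_id=1):
    # LDAPMessage ::= SEQUENCE { messageID INTEGER, ExtendedRequest [APPLICATION 23] { requestName [0] LDAPOID } }
    ext_req = _tlv(0x77, _tlv(0x80, STARTTLS_OID))  # 0x77 = APPLICATION 23, 0x80 = context tag [0]
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + ext_req)  # msg_id < 128 keeps the INTEGER one byte

def parse_extended_response(data):
    # ExtendedResponse [APPLICATION 24] ::= { resultCode ENUMERATED, matchedDN, diagnosticMessage, ... }
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msg_id, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse (tag 0x%02x)" % tag)
    _, code, pos = _read_tlv(op, 0)
    _, _matched_dn, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def starttls_probe(host, ca_bundle, port=389, timeout=5):
    ctx = ssl.create_default_context(cafile=ca_bundle)  # chain + hostname verification, as ldapsearch -ZZ expects
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request())
        code, diag = parse_extended_response(sock.recv(4096))  # response is tiny; a single recv is enough here
        if code != 0:  # refused in clear text, before any TLS record: not a handshake problem
            return {"resultCode": code, "diagnostic": diag}
        # The handshake itself; failures here are certificate, chain or protocol/cipher problems.
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return {"resultCode": 0, "protocol": tls.version(), "cipher": tls.cipher()[0], "subject": tls.getpeercert()["subject"]}
```

Call starttls_probe("ldap.foo.bar", "/etc/openldap/tls/ldap.foo.bar.ca_bundle") from the client; an ssl.SSLError raised by the wrap step carries the handshake failure reason, which is more specific than the "unexpected length" message in the question.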

The answer to my question was simpler than first thought. In my previous configuration I had the following set:

olcTLSCipherSuite: HIGH:MEDIUM:+SSLv2

As you can see, it does not explicitly allow TLS. I reconfigured with this setting and it now works flawlessly:

olcTLSCipherSuite: HIGH:+SSLv3:+TLSv1:MEDIUM:+SSLv2:@STRENGTH:+SHA:+MD5:!NULL

I might remove SSLv2 and MD5 at a later time. I can't decide whether having them there at least gives them a measure of usefulness in case the client does not support anything else.
