
I am trying to set up PWM for my OpenLDAP server on Ubuntu 16.04, but it fails to connect to LDAP with error

Can not connect to remote server: 5059 ERROR_CERTIFICATE_ERROR (unable to read server certificates from host=ldap.example.com, port=389 error: Remote host closed connection during handshake)

If I try to connect unencrypted, the connection seems to be successful, but setting up an account for PWM fails with TLS confidentiality required, which is intentional.

Authentication on clients and ldapsearch (with the switch -Z or -ZZ) work.
I have imported the certificate files to the clients and to Java on the server machine, as the certificate is self-signed with openssl.

I tried to connect to LDAP with `openssl s_client -connect ldap.example:389 -showcerts -state -tls1_2` to check the certificate, but the connection terminates with no error messages and this output:

CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:unknown state
SSL_connect:failed in unknown state
140394455615128:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:656:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1484029284
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

Connection to port 443 outputs a certificate.
I quite honestly don't know what to do so any help would be appreciated.

1 Answer


389/TCP is not the LDAP SSL port by default. Port 636/TCP is commonly used for LDAP over SSL (ldaps).

On port 389/TCP, STARTTLS can be enabled (ldapsearch with the switch -Z or -ZZ uses it). I'm not sure that OpenSSL s_client is able to implement STARTTLS for the LDAP protocol.

Slipeer
  • Yes, I am aware of the ports, but I am using TLS. The problem is not openssl but the PWM-application not being able to establish a TLS-connection. Sorry if the question is formatted unclearly. Is there another tool I could use to test the connectivity? – Captain George Jan 10 '17 at 06:49
  • [TLS](https://en.wikipedia.org/wiki/Transport_Layer_Security) is the successor to SSL. It uses the same port as SSL. – Gerald Schneider Jan 10 '17 at 06:54
  • As I see [here](https://github.com/pwm-project/pwm/wiki/General-Directory-Setup) PWM needs an ldap**S** connection, so: 1) Check that your ldap accepts SSL connections on 636/TCP; 2) Configure PWM to connect with the `ldaps://your.server:636` URI; 3) Import your CA certificate into Java as described in the docs – Slipeer Jan 10 '17 at 06:56
  • do not mix two different technologies: TLS and STARTTLS – Slipeer Jan 10 '17 at 06:57
  • Oh, yes that was the problem, thank you very much. I just forgot that I had to enable ldaps in `/etc/default/slapd` – Captain George Jan 10 '17 at 07:22
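The two TLS modes the answer and comments distinguish (implicit TLS on an `ldaps://` port versus a STARTTLS upgrade inside a plain `ldap://` connection on 389) can be probed directly, which is what the question's `openssl s_client` attempt could not do. The script below is an added example written for this page, not code from the thread, PWM or OpenLDAP: it builds the LDAP StartTLS extended request by hand, reads the server's result code, and wraps the socket either immediately (ldaps) or after a successful StartTLS (ldap). The host names, URIs and the CA file path are placeholders; it assumes only the Python 3 standard library.

```python
"""Probe how an OpenLDAP server offers TLS: implicit TLS on an ldaps:// port,
or STARTTLS inside a cleartext ldap:// connection.
Added example; host names, URIs and the cafile path are assumed placeholders."""
import socket
import ssl
from urllib.parse import urlparse

# OID of the LDAP StartTLS extended operation (RFC 4511 / RFC 4513).
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def ber_len(n):
    """BER length octets: short form below 128, long form at or above."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(body)) + body


def starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    msg_id = tlv(0x02, message_id.to_bytes(1, "big"))   # INTEGER messageID
    ext = tlv(0x77, tlv(0x80, STARTTLS_OID))            # [APPLICATION 23] with requestName [0]
    return tlv(0x30, msg_id + ext)                      # outer SEQUENCE


def read_tlv(buf, pos=0):
    """Decode one BER element at buf[pos]; returns (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                                    # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_extended_result_code(resp):
    """Return resultCode from an ExtendedResponse [APPLICATION 24]; 0 means success."""
    tag, body, _ = read_tlv(resp)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msg_id, pos = read_tlv(body)                    # skip messageID
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    tag, code, _ = read_tlv(op)                         # ENUMERATED resultCode comes first
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")


def plan_from_uri(uri):
    """Map an LDAP URI to (host, port, mode): ldaps:// means implicit TLS (default 636),
    ldap:// means cleartext followed by a STARTTLS upgrade (default 389)."""
    u = urlparse(uri)
    if u.scheme == "ldaps":
        return u.hostname, u.port or 636, "ldaps"
    if u.scheme == "ldap":
        return u.hostname, u.port or 389, "starttls"
    raise ValueError("expected an ldap:// or ldaps:// URI")


def probe(uri, cafile, timeout=5):
    """Connect the way the URI implies and return the negotiated TLS version.
    cafile is the self-signed server certificate (or its CA); the path is an assumption."""
    host, port, mode = plan_from_uri(uri)
    ctx = ssl.create_default_context(cafile=cafile)     # verifies chain and host name
    sock = socket.create_connection((host, port), timeout=timeout)
    if mode == "starttls":
        sock.sendall(starttls_request())
        code = parse_extended_result_code(sock.recv(4096))
        if code != 0:
            raise RuntimeError("server refused StartTLS, resultCode %d" % code)
    tls = ctx.wrap_socket(sock, server_hostname=host)
    return tls.version()


if __name__ == "__main__":
    # Offline demonstration of the planning step; probe() needs a reachable server.
    for uri in ("ldaps://ldap.example.com", "ldap://ldap.example.com:389"):
        print(uri, "->", plan_from_uri(uri))
```

Pointing the script at `ldaps://host:636` reproduces what PWM does with an ldaps URI, and pointing it at `ldap://host:389` reproduces what `ldapsearch -ZZ` does; a server that has TLS configured but no ldaps listener (the situation in the question) passes the second check and fails the first with a handshake error. On Debian and Ubuntu the ldaps listener is turned on by adding `ldaps:///` to the `SLAPD_SERVICES` line in `/etc/default/slapd` and restarting slapd, which is the fix the asker reports.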