I'm trying to set up SSL with a server running OpenLDAP (and using OpenSSL, not GnuTLS).
The server seems to be working fine: I can authenticate using ldap:// and can also use ldaps:// from Apache Directory Studio. I can use LDAPS from the client as well, as long as I have this setting in /etc/ldap.conf:
tls_checkpeer no
As soon as I try to use tls_checkpeer yes, the SSL connection is refused.
I have the following settings on the server:
olcTLSCACertificateFile /etc/ssl/certs/cacert.pem
olcTLSCertificateFile /etc/ssl/private/newcert.pem
olcTLSCertificateKeyFile /etc/ssl/private/newreq.pem
The client has these related entries:
# ssl on
uri ldaps://192.168.1.15
tls_checkpeer no
# tls_cacertdir /etc/ssl/certs
# tls_cacertfile /etc/ssl/certs/cacert.pem
The file /etc/ssl/certs/cacert.pem is accessible to users for reading. With the above configuration, it works. If I uncomment one of the two commented tls_* configuration entries and change to tls_checkpeer yes, it fails.
I've tried using both cacert.pem and newcert.pem for the certificate (tls_cacertfile) and it didn't work. The cacert.pem has a -----BEGIN CERTIFICATE----- section, as does newcert.pem.
However, the cacert.pem has this under X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE
...and the newcert.pem file has this in the same section:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
Other certificates in /etc/ssl/certs have nothing in them except the block marked by BEGIN CERTIFICATE.
Using this command:
openssl s_client -connect 192.168.6.144:636 -showcerts
I can see the contents of cacert.pem and newcert.pem being used for the session.
I've not made changes to /etc/ldap/ldap.conf on either the client or the server.
Errors from the client include:
Feb 8 14:32:24 foo nscd: nss_ldap: could not connect to any LDAP server as cn=admin,dc=example,dc=com - Can't contact LDAP server
Feb 8 14:32:24 foo nscd: nss_ldap: failed to bind to LDAP server ldaps://bar: Can't contact LDAP server
Feb 8 14:32:24 foo nscd: nss_ldap: could not search LDAP server - Server is unavailable
There are no special log entries on the server. The client is Ubuntu Lucid Lynx 10.04, as is the server. All are using nscd.
Attempting to replicate the problem on a Red Hat Enterprise Linux 5.7 system fails in the opposite direction: something that should probably fail, does not: using tls_checkpeer yes with an empty tls_cacertdir directory. I need SSL to work on both systems; we have a mix of both Ubuntu and RHEL.
I restarted nscd after each configuration change.
These are my actual questions:
- How do I get the tls_checkpeer option working? (main question)
- Does ssl on actually do anything on the client?
Thanks.
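An added check, not part of the question or the answer, that reproduces offline what tls_checkpeer yes makes the client enforce: the CA file named in tls_cacertfile must verify the chain the server presents, and the host in the uri must match the certificate. It assumes the openssl command-line tool (1.1.0 or newer) and a chain saved from the s_client command in the question; the function name and the temporary file layout are the example's own.

```shell
#!/bin/sh
# Added example, not from the original question or answer. Re-creates offline
# what "tls_checkpeer yes" makes the client enforce: the CA file named in
# tls_cacertfile must verify the chain the server presents, and the host in
# the uri must match the certificate. Assumes the openssl CLI, 1.1.0 or newer
# (for -verify_hostname / -verify_ip and a non-zero exit on failure).
#
# Usage, with a chain saved from the s_client command in the question:
#   openssl s_client -connect 192.168.6.144:636 -showcerts </dev/null >chain.pem
#   check_ldap_chain /etc/ssl/certs/cacert.pem chain.pem 192.168.6.144
#
# check_ldap_chain CAFILE CHAINFILE HOST
#   CAFILE    what tls_cacertfile points at (must be a CA:TRUE certificate)
#   CHAINFILE -showcerts output: server certificate first, then intermediates
#   HOST      the host part of the uri, a DNS name or an IPv4 literal
# Prints the verify result; returns 0 if the client would accept the server.
check_ldap_chain() {
    ca=$1; chain=$2; host=$3
    tmp=$(mktemp -d) || return 1
    # Split the bundle: the first certificate is the server's own (leaf),
    # every later one is an intermediate that may be used but is not trusted.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; inblock = 1 }
        inblock { f = (n == 1) ? dir "/leaf.pem" : dir "/untrusted.pem"; print > f }
        /-----END CERTIFICATE-----/ { inblock = 0 }' "$chain"
    # An IP literal in the uri is matched only against an iPAddress SAN; it
    # never matches a CN or DNS name, which is a common reason a name-based
    # certificate stops working once peer checking is turned on.
    case $host in
        *[!0-9.]*) namecheck="-verify_hostname $host" ;;
        *)         namecheck="-verify_ip $host" ;;
    esac
    untrusted=""
    [ -s "$tmp/untrusted.pem" ] && untrusted="-untrusted $tmp/untrusted.pem"
    # -no-CAfile/-no-CApath: only the given CA file counts, as on the client.
    # Word splitting of the two option strings is intended.
    openssl verify -no-CAfile -no-CApath -CAfile "$ca" \
        $untrusted $namecheck "$tmp/leaf.pem"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```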
In both client and server try adding the following to /etc/ldap/ldap.conf
By the way, SSL appears to be deprecated in OpenLDAP and it's better to use TLS. See http://httpd.apache.org/docs/2.2/mod/mod_ldap.html and search for "OpenLDAP SDK". Configuration is the same, except you will use port 389 and not use "ldaps://" in the uri.