ldapsearch reads cert and lies about it, won't connect as a result


Problem is in ldap.conf:

TLS_CACERT /etc/ssl/private/freia_slapd_key.pem

You use the private key where you should have used the root certificate. In the general case, replace it with the proper CA certificate(s) - the certificates that ldapsearch can use as trusted "roots" to confirm all of the other ("untrusted") certificates it meets on the way.

If your /etc/ssl/certs/freia_slapd_cert.pem (not /etc/ssl/private/freia_slapd_key.pem) is self-signed, it means it is a root for itself and you can/should use it as TLS_CACERT. But it means it would never be trusted by the general public, which uses known "roots" (CAs like Verisign, etc.) instead.

By the way, TLS_KEY and TLS_CERT are (rightfully) ignored when placed in your system-wide ldap.conf. See http://manpages.ubuntu.com/manpages/natty/man5/ldap.conf.5.html
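A small POSIX shell check for the misconfiguration this answer describes, added here as an example (it is not from the original post and not an OpenLDAP tool): it reads the TLS_CACERT path from an ldap.conf, flags a file that holds a private key instead of a certificate, and, where openssl is installed, reports whether the certificate is self-signed and so usable as its own root. All file paths are assumptions.

```shell
#!/bin/sh
# Sanity-check TLS_CACERT: the file must hold a CA certificate (a PEM
# "CERTIFICATE" block), never a private key. Paths are example values.

# First uncommented TLS_CACERT directive in an ldap.conf (keywords are case-insensitive).
tls_cacert_path() {
    awk 'toupper($1) == "TLS_CACERT" { print $2; exit }' "$1"
}

# Classify a PEM file. Returns 0 = certificate(s), 1 = private key, 2 = unusable.
check_tls_cacert() {
    f="$1"
    if [ ! -r "$f" ]; then
        echo "$f: not readable"
        return 2
    fi
    if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f"; then
        echo "$f: holds a PRIVATE KEY; TLS_CACERT must name the CA certificate, not the key"
        return 1
    fi
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    if [ "$n" -eq 0 ]; then
        echo "$f: no PEM certificate block found"
        return 2
    fi
    echo "$f: $n certificate(s)"
    return 0
}

# True when issuer == subject, i.e. the certificate is its own root and can be
# used directly as TLS_CACERT (the self-signed server cert case above). Needs openssl.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null | sed 's/^issuer= *//')
    [ -n "$subj" ] && [ "$subj" = "$iss" ]
}

# Whole check for one ldap.conf; returns check_tls_cacert's code.
check_ldap_conf() {
    cacert=$(tls_cacert_path "$1")
    [ -n "$cacert" ] || { echo "$1: no TLS_CACERT directive"; return 2; }
    check_tls_cacert "$cacert" || return $?
    if is_self_signed "$cacert"; then
        echo "$cacert: self-signed, acts as its own root"
    fi
    return 0
}

if [ $# -gt 0 ]; then
    check_ldap_conf "$1"
fi
```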


Author: Henk Kok

Updated on September 18, 2022

Comments

  • Henk Kok (over 1 year)

    I'm pulling my hair out over LDAP playing well with SSL/TLS. I can confirm that the server is listening AND responding on port 636 to SSL requests. openssl s_client -connect freia.fqdn:636 -showcerts produces expected output, gnutls-cli-debug -p636 localhost produces this. The server has been built from source since the version from Ubuntu's repositories had some erroneous configs and wasn't completing installation. Server is being run with the command slapd -d -1 -h 'ldap:/// ldaps:///' Snipped bootup log here. ldapsearch -H ldap:/// also produces expected output.

    ldapsearch -H ldaps:///

    returns

    ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

    ldapsearch -Z -H ldaps:///

    returns

    ldap_start_tls: Can't contact LDAP server (-1)
    ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

    The server log says:

    TLS trace: SSL_accept:before/accept initialization
    tls_read: want=11, got=0

    TLS: can't accept: (unknown)

    Since it wasn't being sent anything, I checked what ldapsearch was really sending. It says it can't find the PEM file:

    TLS: could not load verify locations (file:`/etc/ssl/private/freia_slapd_key.pem',dir:`').

    Which is complete nonsense according to strace ldapsearch -Z -H ldaps:/// -d -1:

    open("/etc/ssl/private/freia_slapd_key.pem", O_RDONLY|O_LARGEFILE) = 4
    fstat64(4, {st_mode=S_IFREG|0440, st_size=883, ...}) = 0
    mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb770b000
    read(4, "-----BEGIN RSA PRIVATE KEY-----\n"..., 4096) = 883
    read(4, "", 4096)                       = 0
    close(4)                                = 0
    munmap(0xb770b000, 4096)                = 0
    write(2, "TLS: could not load verify locat"..., 91TLS: could not load verify locations (file:`/etc/ssl/private/freia_slapd_key.pem',dir:`').

    All certs are readable (or should be):

    -rw-r--r-- 1 root root 1082 2011-12-26 16:50 /etc/ssl/certs/cacert.pem
    -rw-r--r-- 1 root root 1013 2011-12-26 16:51 /etc/ssl/certs/freia_slapd_cert.pem
    -r--r----- 1 root root  883 2011-12-26 16:50 /etc/ssl/private/freia_slapd_key.pem

    Any ideas at all would be greatly appreciated! Cheers. Slapd.conf and ldap.conf

  • Henk Kok (over 12 years)
    Made changes accordingly, restarted slapd server, nothing was fixed as far as I could tell :/
  • Henk Kok (over 12 years)
    Sigh. Thank you so much. That solved it upon some further inspection.