Linux – OpenLDAP SSL error

Tags: debian, linux, openldap, openssl, ssl

I set up an OpenLDAP server with PAM authentication against it.
In clear text it works very well, but when I try to add SSL it always fails.

I'm following this guide to get it working:
http://kidrek.fr/blog/?p=30

I'm doing that on a Debian lenny system.
In my logs I can see:
Sep 9 17:00:48 Hostname slapd[3231]: connection_read(13): checking for input on id=14
Sep 9 17:00:48 Hostname slapd[3231]: connection_read(13): unable to get TLS client DN, error=49 id=14
Sep 9 17:00:48 Hostname slapd[3231]: connection_get(13): got connid=14
Sep 9 17:00:48 Hostname slapd[3231]: connection_read(13): checking for input on id=14
Sep 9 17:00:48 Hostname slapd[3231]: ber_get_next on fd 13 failed errno=0 (Success)
Sep 9 17:00:48 Hostname slapd[3231]: connection_closing: readying conn=14 sd=13 for close
Sep 9 17:00:48 Hostname slapd[3231]: connection_close: conn=14 sd=13

On the client side:
Sep 9 17:00:47 Hostname id: nss_ldap: could not search LDAP server – Server is unavailable
Sep 9 17:00:47 Hostname id: nss_ldap: could not connect to any LDAP server as cn=admin,dc=company,dc=local – Can't contact LDAP server
Sep 9 17:00:47 Hostname id: nss_ldap: failed to bind to LDAP server ldaps://brublunm13.company.local/: Can't contact LDAP server
Sep 9 17:00:47 Hostname id: nss_ldap: reconnecting to LDAP server…
Sep 9 17:00:47 Hostname id: nss_ldap: could not connect to any LDAP server as cn=admin,dc=company,dc=local – Can't contact LDAP server
Sep 9 17:00:47 Hostname id: nss_ldap: failed to bind to LDAP server ldaps://brublunm13.company.local/: Can't contact LDAP server
Sep 9 17:00:47 Hostname id: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)…
Sep 9 17:00:48 Hostname id: nss_ldap: could not connect to any LDAP server as cn=admin,dc=company,dc=local – Can't contact LDAP server
Sep 9 17:00:48 Hostname id: nss_ldap: failed to bind to LDAP server ldaps://brublunm13.company.local/: Can't contact LDAP server
Sep 9 17:00:48 Hostname id: nss_ldap: could not search LDAP server – Server is unavailable

Also, in my slapd.conf I have:
TLSVerifyClient never

Any idea on this?

Thanks in advance,

Best Answer

It seems you're trying to use client-side SSL instead of server-side; the client identifies itself using a certificate rather than a password.

Do note that the OpenLDAP SSL implementation is rather tricky - it took me quite a while to figure out that it reads its SSL certs AFTER it drops privileges, so the SSL certs need to have read permissions for the OpenLDAP user...
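The two checks the answer points at (can the unprivileged slapd user actually read the certificate and key once privileges are dropped, and does a plain server-side TLS handshake succeed without any client certificate) can be scripted. The following is an added example, not code from the question, the answer or the linked guide. It assumes GNU `stat` (Debian), that the slapd service user is named `openldap` (the Debian default; adjust if yours differs) and that `openssl` and `ldapsearch` are installed; the file paths passed on the command line are yours. It also flags a world-readable private key, which is the mistake people make when "fixing" the permissions problem with `chmod 644`.

```shell
#!/bin/sh
# Added example: audit slapd TLS file permissions and probe the ldaps:// listener.
# Assumptions: GNU stat(1) output format, Debian's "openldap" service user.

# readable_by FILE USER
# Returns 0 if USER can read FILE according to the mode bits, 1 if not, 2 if FILE is missing.
# Unix semantics: if USER owns the file only the owner bits count; otherwise the group
# bits count if USER is in the file's group; otherwise the "other" bits. Root bypasses
# all of this, which is exactly why a test run as root hides the problem slapd hits
# after it drops privileges.
readable_by() {
    file=$1 user=$2
    info=$(stat -c '%U %G %A' "$file" 2>/dev/null) || return 2
    owner=${info%% *}
    rest=${info#* }
    group=${rest%% *}
    sym=${rest#* }                       # e.g. -rw-r-----
    if [ "$owner" = "$user" ]; then
        [ "$(printf '%s' "$sym" | cut -c2)" = r ]; return
    fi
    for g in $(id -Gn "$user" 2>/dev/null); do
        if [ "$g" = "$group" ]; then
            [ "$(printf '%s' "$sym" | cut -c5)" = r ]; return
        fi
    done
    [ "$(printf '%s' "$sym" | cut -c8)" = r ]
}

# world_readable FILE : 0 if the "other" read bit is set.
world_readable() {
    sym=$(stat -c '%A' "$1" 2>/dev/null) || return 2
    [ "$(printf '%s' "$sym" | cut -c8)" = r ]
}

# audit_tls_files CERT KEY USER : print every problem found, return 1 if there was one.
audit_tls_files() {
    cert=$1 key=$2 user=$3 rc=0
    if ! readable_by "$cert" "$user"; then
        echo "FAIL: $cert is not readable by $user (slapd loads it after dropping privileges)"
        rc=1
    fi
    if ! readable_by "$key" "$user"; then
        echo "FAIL: $key is not readable by $user"
        rc=1
    fi
    if world_readable "$key"; then
        echo "FAIL: $key is world-readable; give it to the $user group instead (chgrp $user, chmod 640)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $cert and $key are readable by $user and the key is private"
    return "$rc"
}

# tls_probe HOST [PORT] : server-side TLS only, no client certificate is presented.
# A failing handshake here, with TLSVerifyClient never in slapd.conf, points at the
# server's own certificate/key (unreadable, wrong path, CA not trusted by the client).
tls_probe() {
    host=$1 port=${2:-636}
    openssl s_client -connect "$host:$port" </dev/null 2>/dev/null \
        | grep -E 'subject=|issuer=|Verify return code'
    # Anonymous root-DSE read over ldaps://, the same transport nss_ldap is failing on.
    ldapsearch -x -H "ldaps://$host:$port/" -b '' -s base '(objectClass=*)' namingContexts
}

# Usage:  ./slapd-tls-check.sh audit /etc/ssl/certs/slapd.pem /etc/ssl/private/slapd.key [openldap]
#         ./slapd-tls-check.sh probe ldap.example.local [636]
case "${1:-}" in
    audit) audit_tls_files "$2" "$3" "${4:-openldap}" ;;
    probe) tls_probe "$2" "${3:-636}" ;;
esac
```

Run the `audit` subcommand on the server as root (it reasons about the mode bits, so running as root does not mask the result) and the `probe` subcommand from the client host; if the audit passes but the probe's `Verify return code` is non-zero, the remaining problem is on the client's trust side (the CA file named in `ldap.conf`), not file permissions.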
