Linux – Unable to get OpenLDAP with TLS working

linuxopenldaptls

I have an OpenLDAP 2.4.39 server running on a Centos 7 host which is populated with a minimal set of data. It work as expected when TLS is not used. I use this for authentication with dokuwiki today. I have bought an SSL from Namecheap/Comodo and am trying to get this to work as it should.

Example:

root@smtp:~# ldapsearch -h ldap.foo.bar -D cn=Manager,dc=foo,dc=bar -W -LLL -b ou=people,dc=foo,dc=bar "(uid=baz)"
Enter LDAP Password: 
dn: uid=baz,ou=people,dc=foo,dc=bar
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
cn:: SGFucyDDhWdlIE1hcnRpbnNlbg==
displayName:: SGFucyDDhWdlIE1hcnRpbnNlbg==
givenName:: SGFucyDDhWdl
mail: baz@something.fugu
mobile: 12345678
sn: Doe
uid: baz

If I try to force TLS, things change.

root@smtp:~# ldapsearch -h ldap.foo.bar -D cn=Manager,dc=foo,dc=bar -W -LLL -b ou=people,dc=foo,dc=bar -ZZ "(uid=baz)"
ldap_start_tls: Connect error (-11)
    additional info: A TLS packet with unexpected length was received.

root@smtp:~# ldapsearch -h ldap.foo.bar -D cn=Manager,dc=foo,dc=bar -W -LLL -b ou=people,dc=foo,dc=bar -ZZ -d -1 "(uid=baz)"

...
...
TLS: can't connect: A TLS packet with unexpected length was received..
ldap_err2string
ldap_start_tls: Connect error (-11)
    additional info: A TLS packet with unexpected length was received.

The configuration on the LDAP server.

dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
structuralObjectClass: olcGlobal
entryUUID: 5760d8da-0f87-1035-85b1-9b4063f1519b
creatorsName: cn=config
createTimestamp: 20151025171240Z
olcIdleTimeout: 300
olcLogLevel: none
olcTLSCACertificateFile: /etc/openldap/tls/ldap.foo.bar.ca_bundle
olcTLSCertificateFile: /etc/openldap/tls/ldap.foo.bar.crt
olcTLSCertificateKeyFile: /etc/openldap/tls/ldap.foo.bar.key
olcTLSCipherSuite: HIGH:MEDIUM:+SSLv2
entryCSN: 20151025205018.128335Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20151025205018Z

[root@ldap tls]# ls -l
total 16
-rw-r--r-- 1 root root 5630 Oct 25 17:14 ldap.foo.bar.ca_bundle
-rw-r--r-- 1 root root 2240 Oct 25 17:14 ldap.foo.bar.crt
-r-------- 1 root root 3243 Oct 25 17:14 ldap.foo.bar.key
[root@ldap tls]# file ldap.foo.bar.ca_bundle 
ldap.foo.bar.ca_bundle: PEM certificate
[root@ldap tls]# file ldap.foo.bar.crt 
ldap.foo.bar.crt: PEM certificate
[root@ldap tls]# file ldap.foo.bar.key 
ldap.foo.bar.key: PEM RSA private key

The configuration on the client: I have added the CA bundle to the clients ca-certificates. The client is a Debian host where I copied the bundle to /usr/local/share/ca-certificates/ and ran the command update-ca-certificates

From what I can see and read, this should work. But it isn't. It also does not work if I try to run the same search from the ldap server itself. I am struggling to debug this further as I have no idea where to begin. Any suggestions on what I can look into to get this to work? All the configuration files has been manually edited before posting here so I might have made mistakes, but I don't think this is the case.

Added later after getting requests for it.

Oct 25 20:50:54 ldap slapd[21177]: daemon: shutdown requested and initiated.
Oct 25 20:50:54 ldap slapd[21177]: slapd shutdown: waiting for 0 operations/tasks to finish
Oct 25 20:50:54 ldap slapd[21177]: slapd stopped.
Oct 25 20:50:54 ldap slapd[21670]: @(#) $OpenLDAP: slapd 2.4.39 (Sep 29 2015 13:31:12) $
    mockbuild@worker1.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.39/openldap-2.4.39/servers/slapd
Oct 25 20:50:54 ldap slapd[21673]: hdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (2).
Expect poor performance for suffix "dc=foo,dc=bar".
Oct 25 20:50:54 ldap slapd[21673]: slapd starting
Oct 25 21:23:19 ldap slapd[21673]: <= bdb_equality_candidates: (uid) not indexed
Oct 25 21:23:19 ldap slapd[21673]: <= bdb_equality_candidates: (gidNumber) not indexed
Oct 25 21:23:19 ldap slapd[21673]: <= bdb_equality_candidates: (memberUid) not indexed
Oct 25 21:23:19 ldap slapd[21673]: <= bdb_equality_candidates: (uid) not indexed
Oct 25 21:23:19 ldap slapd[21673]: <= bdb_equality_candidates: (gidNumber) not indexed
Oct 25 21:23:19 ldap slapd[21673]: <= bdb_equality_candidates: (memberUid) not indexed
Oct 26 07:30:08 ldap slapd[21673]: daemon: shutdown requested and initiated.
Oct 26 07:30:08 ldap slapd[21673]: slapd shutdown: waiting for 0 operations/tasks to finish
Oct 26 07:30:08 ldap slapd[21673]: slapd stopped.
Oct 26 07:30:08 ldap slapd[23274]: @(#) $OpenLDAP: slapd 2.4.39 (Sep 29 2015 13:31:12) $
    mockbuild@worker1.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.39/openldap-2.4.39/servers/slapd
Oct 26 07:30:08 ldap slapd[23275]: slapd starting
[root@ldap log]#

I have after seeing this log added /usr/share/openldap-servers/DB_CONFIG.example to /var/lib/ldap/DB_CONFIG and done a systemctl restart slapd. I have not focused on getting proper indexes up and working since I want the TLS working first.

Best Answer

Generally speaking,

  • TLS/SSL errors can often be diagnosed more easily with help of the SSL Swiss Army Knife openssl command than by the output a full-scale C/S SSL app; here esp openssl's s_client subcommand could have been helpful.
  • olc provides a rich diagnostic output by combining several olcLogLevels; seetable 5.1 of Table 5.1: Debugging Levels of the slapd.conf reference of openldap. If my memory doesn't betray me it's flags numerically less or equal than 'BER' which enable (also) SSL/TLS tracing.

That being said - from above olc listing it appears that 

olcTLSVerifyClient

is not present, let alone set to 'demand' or 'allow'.

MECH_AND_URL="-H ldapi:///" # or whatever your setup needs; your mileage may vary
ldapsearch -b cn=config $MECH_AND_URL "(cn=config)" olcTLSVerifyClient -LLL

If that indeed yields nothing, create and set it:

ldapmodify $MECH_AND_URL <<EOF 
dn: cn=config
changetype: modify
add: olcTLSVerifyClient
olcTLSVerifyClient: allow

-
EOF
Related Topic