I have an Ubuntu 12.04 server, and I'm trying to set up Apache to authenticate using LDAPS. I ran into some problems–see my previous question, where I concluded that the certificate on the LDAP server was expired.
So my boss got a "real" certificate from DigiCert and installed it on myldap.xyz.edu. And I went to myserver.xyz.edu and tried openssl s_client -connect myldap.xyz.edu:636 -showcerts. Here's what it gives me:
CONNECTED(00000003)
140075639178912:error:1408F092:SSL routines:SSL3_GET_RECORD:data length too long:s3_pkt.c:504:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 16731 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1340655299
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
…And it puts me back at the command prompt.
I looked up this "data length too long" error online, but the explanations were largely Greek to me. Is this a problem with the client or the server? Does it have to do with the certificate or something else? What can I do about it? Thanks!
Edit: Did some more poking around and found this Microsoft tutorial on enabling LDAP over SSL in Active Directory (I should mention that our LDAP server is Windows Server 2003 w/ SP2 running AD). It gave me the following steps to test whether LDAPS is enabled:
- Start the Active Directory Administration Tool (Ldp.exe).
- On the Connection menu, click Connect.
- Type the name of the domain controller to which you want to connect.
- Type 636 as the port number.
- Click OK.
RootDSE information should print in the right pane, indicating a successful connection.
I remote-desktopped into myldap.xyz.edu and tried it. Here's the output I got in the right pane:
ld = ldap_open("myldap.xyz.edu", 636);
Established connection to myldap.xyz.edu.
Retrieving base DSA information...
Result <0>: (null)
Matched DNs:
Getting 1 entries:
>> Dn:
1> currentTime: 06/25/2012 16:57:13 Central Standard Time Central Daylight Time;
1> subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=xyz,DC=edu;
1> dsServiceName: CN=NTDS Settings,CN=MYLDAP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xyz,DC=edu;
5> namingContexts: DC=xyz,DC=edu; CN=Configuration,DC=xyz,DC=edu; CN=Schema,CN=Configuration,DC=xyz,DC=edu; DC=DomainDnsZones,DC=xyz,DC=edu; DC=ForestDnsZones,DC=xyz,DC=edu;
1> defaultNamingContext: DC=xyz,DC=edu;
1> schemaNamingContext: CN=Schema,CN=Configuration,DC=xyz,DC=edu;
1> configurationNamingContext: CN=Configuration,DC=xyz,DC=edu;
1> rootDomainNamingContext: DC=xyz,DC=edu;
23> supportedControl: 1.2.840.113556.1.4.319; 1.2.840.113556.1.4.801; 1.2.840.113556.1.4.473; 1.2.840.113556.1.4.528; 1.2.840.113556.1.4.417; 1.2.840.113556.1.4.619; 1.2.840.113556.1.4.841; 1.2.840.113556.1.4.529; 1.2.840.113556.1.4.805; 1.2.840.113556.1.4.521; 1.2.840.113556.1.4.970; 1.2.840.113556.1.4.1338; 1.2.840.113556.1.4.474; 1.2.840.113556.1.4.1339; 1.2.840.113556.1.4.1340; 1.2.840.113556.1.4.1413; 2.16.840.1.113730.3.4.9; 2.16.840.1.113730.3.4.10; 1.2.840.113556.1.4.1504; 1.2.840.113556.1.4.1852; 1.2.840.113556.1.4.802; 1.2.840.113556.1.4.1907; 1.2.840.113556.1.4.1948;
2> supportedLDAPVersion: 3; 2;
12> supportedLDAPPolicies: MaxPoolThreads; MaxDatagramRecv; MaxReceiveBuffer; InitRecvTimeout; MaxConnections; MaxConnIdleTime; MaxPageSize; MaxQueryDuration; MaxTempTableSize; MaxResultSetSize; MaxNotificationPerConn; MaxValRange;
1> highestCommittedUSN: 13287969;
4> supportedSASLMechanisms: GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5;
1> dnsHostName: MYLDAP.xyz.edu;
1> ldapServiceName: xyz.edu:myldap$@XYZ.EDU;
1> serverName: CN=MYLDAP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xyz,DC=edu;
3> supportedCapabilities: 1.2.840.113556.1.4.800; 1.2.840.113556.1.4.1670; 1.2.840.113556.1.4.1791;
1> isSynchronized: TRUE;
1> isGlobalCatalogReady: TRUE;
1> domainFunctionality: 2 = ( DS_BEHAVIOR_WIN2003 );
1> forestFunctionality: 2 = ( DS_BEHAVIOR_WIN2003 );
1> domainControllerFunctionality: 2 = ( DS_BEHAVIOR_WIN2003 );
-----------
Looks like it worked, so I'm guessing Active Directory is LDAPS-ready.
Edit 2: Per @SilverbackNet's suggestion, I tried the openssl s_client command with the -debug option. Here is the (redacted) output:
CONNECTED(00000003)
write to 0x24f3470 [0x24f34f0] (226 bytes => 226 (0xE2))
0000 - 16 03 01 00 dd 01 00 00-d9 03 02 4f f3 5a 5b 38 ...........O.Z[8
[...]
00e0 - 01 01 ..
read from 0x24f3470 [0x24f8a50] (7 bytes => 7 (0x7))
0000 - 16 03 01 40 b9 02 ...@..
0007 - <SPACES/NULS>
read from 0x24f3470 [0x24f8a5a] (16567 bytes => 2889 (0xB49))
0000 - 00 4d 03 01 4f f3 5a 5b-46 43 f0 02 76 34 1c d5 .M..O.Z[FC..v4..
[...]
0b40 - 70 3a 2f 2f 63 72 6c 33-2e p://crl3.
read from 0x24f3470 [0x24f95a3] (13678 bytes => 13678 (0x356E))
0000 - 64 69 67 69 63 65 72 74-2e 63 6f 6d 2f 44 69 67 digicert.com/Dig
[...]
3560 - 65 72 20 52 6f 6f 74 20-43 41 0e er Root CA.
356e - <SPACES/NULS>
write to 0x24f3470 [0x25027e0] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 16 .......
---
no peer certificate available
[...]
From there it's the same as above. I can also post the full output from the right-hand column if that would be helpful.
Edit 3: We've decided to give up on this temporarily and use the Apache option LDAPVerifyServerCert off with the old expired certificate for the time being. :^( FWIW, my boss is now thinking that one needs to get a special, short (1024-byte, I think he said) certificate to do LDAP server verification. He knows the particulars better than I do, but this makes sense to me because the error message is saying something's too big. If/when we resolve the problem, I'll try to post the answer.
Best Answer
Usually this means that you're talking SSL to a non-SSL server. Check over the configuration work on the LDAP server; the new certificate doesn't seem to be working yet.