Ssl – LDAP Client Search with SSL – CentOS7


Has anybody got SSL client authentication working with OpenLDAP (on CentOS7 – which is using moznss)?

I've search for the last 2 days trying to get this to work, both with a certutil database and straight PEM configuration, and frustrated that it is not working.

My initial though is the client is not sending the SSL certificate for validation, and I have proved this when using PEM authentication and strace (and there is no open() on the crt file or key).

First, this is RHEL7, and both client and server have the same version of openldap installed:





SSL: My own CA.

Using PEM authentication:

Server (cn=config.ldif):

olcTLSCACertificateFile:  /etc/openldap/tls/ldap-ca.crts
olcTLSCertificateFile:    /etc/openldap/tls/ldap-server.crt
olcTLSCertificateKeyFile: /etc/openldap/tls/ldap-server.key
olcTLSVerifyClient:       hard

Server (/usr/sbin/slapd -u ldap -h "ldapi:/// ldap:/// ldaps:///" -d 1):

55935ff8 slap_listener_activate(10):
55935ff8 >>> slap_listener(ldaps:///)
55935ff8 connection_get(18): got connid=1000
55935ff8 connection_read(18): checking for input on id=1000
TLS: loaded CA certificate file /etc/openldap/tls/ldap-ca.crts.
TLS: error: the certificate '/etc/openldap/tls/ldap-server.crt' could not be found in the database - error -12285:Unable to find the certificate or key necessary for authentication..
TLS: certificate '/etc/openldap/tls/ldap-server.crt' successfully loaded from PEM file.
TLS: no unlocked certificate for certificate 'CN=x.x.x,...,C=AU'.
TLS: certificate [CN=x.x.x,...,C=AU] is valid
55935ff8 connection_get(18): got connid=1000
55935ff8 connection_read(18): checking for input on id=1000
TLS: error: accept - force handshake failure: errno 11 - moznss error -12285
TLS: can't accept: TLS error -12285:Unable to find the certificate or key necessary for authentication..
55935ff8 connection_read(18): TLS accept failure error=-1 id=1000, closing
55935ff8 connection_close: conn=1000 sd=18

Client (/etc/openldap/ldap.conf):

TLS_CACERT                /etc/openldap/tls/ldap-ca.crts
TLS_CERT                  /etc/openldap/tls/ldap-client.crt
TLS_KEY                   /etc/openldap/tls/ldap-client.key
TLS_REQCERT               never

Client (ldapsearch -d1 -H ldaps://x.x.x -b c=AU 'uid=x'):

TLS: loaded CA certificate file /etc/openldap/tls/ldap-ca.crts.
TLS: certificate [CN=x.x.x,...,C=AU] is valid
TLS: error: connect - force handshake failure: errno 21 - moznss error -12271
TLS: can't connect: TLS error -12271:SSL peer cannot verify your certificate..

Client (strace – no presentation of client certificate)

8047  stat("/etc/openldap/tls/ldap-ca.crts", {st_mode=S_IFREG|0644, st_size=5287, ...}) = 0
8047  open("/etc/openldap/tls/ldap-ca.crts", O_RDONLY) = 4

Client connection just using openssl connect works fine:

openssl s_client -connect x.x.x:636 -showcerts -CAfile /etc/openldap/tls/ldap-ca.crts -key /etc/openldap/tls/ldap-client.key -state -cert /etc/openldap/tls/ldap-client.crt

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-SHA
    Session-ID: [long hex value]
    Master-Key: [long hex value]
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1435722028
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

Using certutil (moznss database):

Same problem:

Server (cn=config.ldif):

olcTLSVerifyClient:      hard
olcTLSCertificateFile:   "x.x.x - X"
olcTLSCACertificatePath: /etc/openldap/certs

Server (moznss):

[root@host certs]# certutil -d . -L
Certificate Nickname                          Trust Attributes

x LDAP CA                                     CT,C,C
x.x.x - X                                     u,u,u
x CA                                          CT,C,C
x CA                                          CT,C,C

Server (/usr/sbin/slapd -u ldap -h "ldapi:/// ldap:/// ldaps:///" -d 1):

559363d2 connection_get(18): got connid=1000
559363d2 connection_read(18): checking for input on id=1000
TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/openldap/certs prefix .
TLS: certificate 'x.x.x - X' successfully loaded from moznss database.
TLS: no unlocked certificate for certificate 'CN=x.x.x,...,C=AU'.
TLS: certificate [CN=x.x.x,...,C=AU] is valid
559363d2 connection_get(18): got connid=1000
559363d2 connection_read(18): checking for input on id=1000
TLS: error: accept - force handshake failure: errno 11 - moznss error -12285
TLS: can't accept: TLS error -12285:Unable to find the certificate or key necessary for authentication..

Client (/etc/openldap/ldap.conf):

TLS_CACERTDIR   /etc/openldap/certs
TLS_CERT        "x - X"
TLS_REQCERT     never

Client (moznss):

[root@client certs]# certutil -d  . -L

Certificate Nickname                          Trust Attributes

X LDAP CA                                     CT,C,C
x - X                                         u,u,u
X Root CA                                     CT,C,C
X CA                                          CT,,

Client (ldapsearch -d1 -H ldaps://x.x.x -b c=AU 'uid=x'):

TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/openldap/certs prefix .
TLS: certificate [CN=x.x.x,...,C=AU] is valid
TLS: error: connect - force handshake failure: errno 21 - moznss error -12271
TLS: can't connect: TLS error -12271:SSL peer cannot verify your certificate..

Using this method openssl test works fine, however, ldapsearch fails with the same error. strace doesnt help, but does show opening the database files for the certificates.

Client (strace):

8075  stat("/etc/openldap/certs/cert8.db", {st_mode=S_IFREG|0644, st_size=65536, ...}) = 0
8075  open("/etc/openldap/certs/cert8.db", O_RDONLY) = 4
8075  stat("/etc/openldap/certs/key3.db", {st_mode=S_IFREG|0644, st_size=16384, ...}) = 0
8075  open("/etc/openldap/certs/key3.db", O_RDONLY) = 5

Anybody got any hints? (frustrated – I know I had this working on older versions of CentOS)

Best Answer

The following is taken from a working CentOS7 ldap server, and should cover the key aspects of SASL/EXTERNAL(TLS) authentication.
Minors notes:
- The server is also acting as the client in this example.
- This example makes use of ~/.ldaprc rather than /etc/openldap/ldap.conf
- This example uses olcTLSVerifyClient: verify rather than hard because the server is supporting other authentication types in addition to SASL/EXTERNAL(TLS) authentication.


[root@ldap ~]# ldapsearch cn=config olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile olcTLSVerifyClient
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
# extended LDIF
# LDAPv3
# base <cn=config> (default) with scope subtree
# filter: cn=config
# requesting: olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile olcTLSVerifyClient 

# config
dn: cn=config
olcTLSCACertificateFile: /etc/pki/tls/certs/ldap.example.com_CA.crt
olcTLSCertificateFile: /etc/pki/tls/certs/
olcTLSCertificateKeyFile: /etc/pki/tls/private/
olcTLSVerifyClient: try

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

certificate key permissions

[root@ldap ~]# ls -lZ /etc/pki/tls/private/
-rw-r-----+ root root unconfined_u:object_r:cert_t:s0  /etc/pki/tls/private/

[root@ldap ~]# getfacl /etc/pki/tls/private/
getfacl: Removing leading '/' from absolute path names
# file: etc/pki/tls/private/
# owner: root
# group: root

sasl configuration

[root@ldap ~]# cat /etc/sasl2/slapd.conf 
mech_list: external gssapi plain
pwcheck_method: saslauthd

ldap client settings

[root@ldap ~]# cat .ldaprc
URI ldapi:///
BASE cn=config
SASL_MECH external
#TLS_CACERT /etc/ssl/certs/ca-bundle.crt
TLS_CACERT /etc/pki/tls/certs/ldap.example.com_CA.crt
TLS_CERT /etc/pki/tls/certs/
TLS_KEY /etc/pki/tls/private/

successful SASL/EXTERNAL(TLS) bind

[root@ldap ~]# ldapwhoami -ZZ -h
SASL/EXTERNAL authentication started
SASL username:,<cert locality info>
SASL SSF: 0,<cert locality info>
[root@ldap ~]# ldapwhoami -H ldaps://
SASL/EXTERNAL authentication started
SASL username:,<cert locality info>