Ubuntu – Setting up a Linux client for OpenLDAP over SSL

Tags: openldap, openssl, redhat, Ubuntu, ubuntu-10.04

I'm trying to set up SSL with a server running OpenLDAP (and using OpenSSL, not GnuTLS).

The server seems to be working fine: I can authenticate using ldap:// and can also use ldaps:// from Apache Directory Studio. I can use LDAPS from the client as well, as long as I have this setting in /etc/ldap.conf:

tls_checkpeer no

As soon as I try to use tls_checkpeer yes, the SSL connection is refused.

I have the following settings on the server:

olcTLSCACertificateFile  /etc/ssl/certs/cacert.pem
olcTLSCertificateFile    /etc/ssl/private/newcert.pem
olcTLSCertificateKeyFile /etc/ssl/private/newreq.pem

The client has these related entries:

# ssl on
uri ldaps://192.168.1.15
tls_checkpeer no
# tls_cacertdir /etc/ssl/certs
# tls_cacertfile /etc/ssl/certs/cacert.pem

The file /etc/ssl/certs/cacert.pem is accessible to users for reading. With the above configuration, it works. If I uncomment one of the two commented tls_* configuration entries and change to tls_checkpeer yes, it fails.

I've tried using both cacert.pem and newcert.pem for the certificate (tls_cacertfile) and it didn't work. The cacert.pem has a -----BEGIN CERTIFICATE----- section, as does newcert.pem.

However, the cacert.pem has this under X509v3 extensions:

X509v3 Basic Constraints: 
    CA:TRUE

…and the newcert.pem file has this in the same section:

X509v3 Basic Constraints: 
    CA:FALSE
Netscape Comment: 
    OpenSSL Generated Certificate

Other certificates in /etc/ssl/certs have nothing in them except the block marked by BEGIN CERTIFICATE.

Using this command:

openssl s_client -connect 192.168.6.144:636 -showcerts

I can see the contents of cacert.pem and newcert.pem being used for the session.

I've not made changes to /etc/ldap/ldap.conf on either the client or the server.

Errors from the client include:

Feb  8 14:32:24 foo nscd: nss_ldap: could not connect to any LDAP server as cn=admin,dc=example,dc=com - Can't contact LDAP server
Feb  8 14:32:24 foo nscd: nss_ldap: failed to bind to LDAP server ldaps://bar: Can't contact LDAP server
Feb  8 14:32:24 foo nscd: nss_ldap: could not search LDAP server - Server is unavailable

There are no special log entries on the server. The client is Ubuntu Lucid Lynx 10.04, as is the server. All are using nscd.

Attempting to replicate the problem on a Red Hat Enterprise Linux 5.7 system fails in the opposite direction: something that should probably fail does not, namely using tls_checkpeer yes with an empty tls_cacertdir directory. I need SSL to work on both systems; we have a mix of both Ubuntu and RHEL.

I restarted nscd after each configuration change.

These are my actual questions:

  • How do I get the tls_checkpeer option working? (main question)
  • Does ssl on actually do anything on the client?

Thanks.
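Added example (not code from the question or its answer): a shell script that reproduces offline the two checks libldap applies to the server certificate when nss_ldap is told tls_checkpeer yes (the same thing as TLS_REQCERT demand in /etc/ldap/ldap.conf): the certificate must chain to the file named in tls_cacertfile, and the host part of the uri, here an IP address, must appear in the certificate. It builds a throw-away CA and server certificate with the openssl CLI so nothing touches the network; the CA names, the host name "bar", the subjectAltName entries and the two addresses are assumptions taken from the question text, not the poster's real files. It also goes a little beyond the question by running the same checks for a host name, for an address the certificate does not list, and for an unrelated CA file.

```shell
#!/bin/sh
# Added example (not code from the question or its answer): reproduce offline
# the two checks that tls_checkpeer yes (libldap: TLS_REQCERT demand) applies
# to the server certificate:
#   1. it must chain to the CA in tls_cacertfile   -> openssl verify
#   2. the host in the ldaps:// URI must be in the certificate
#      -> openssl x509 -checkip for an address, -checkhost for a name
# A throw-away CA and server certificate are generated here so nothing touches
# the network; the CA names, "bar" and the two addresses are assumptions taken
# from the question text, not real infrastructure.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl req config so the result does not depend on the system openssl.cnf.
# The ca_ext section is only used by "req -x509" (the CA); CSRs ignore it.
req_config() {   # req_config FILE CN
    cat > "$1" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = $2
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# Self-signed CA certificate (CA:TRUE, like the poster's cacert.pem).
make_ca() {   # make_ca NAME CN
    req_config "$WORK/$1.cnf" "$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -sha256 -config "$WORK/$1.cnf" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Server certificate signed by CA_NAME (CA:FALSE, like newcert.pem) with the
# subjectAltName entries a client is allowed to connect to.
make_server_cert() {   # make_server_cert NAME CA_NAME CN SAN
    req_config "$WORK/$1.cnf" "$3"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/$1.cnf" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = %s\n' "$4" > "$WORK/$1.ext"
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$WORK/$1.ext" \
        -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Check 1: does CERT chain to CAFILE?  This is all tls_cacertfile contributes.
chain_ok() {   # chain_ok CAFILE CERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 2: does HOST (the host part of the uri) appear in CERT?
# A bare IPv4 address is matched only against iPAddress SAN entries; a name is
# matched against dNSName SAN entries (or the CN when there are none).
name_ok() {   # name_ok CERT HOST
    case "$2" in
        *[!0-9.]*) check=-checkhost ;;
        *)         check=-checkip ;;
    esac
    openssl x509 -in "$1" -noout "$check" "$2" 2>/dev/null | grep -q 'does match'
}

# Both must hold, otherwise the bind fails ("Can't contact LDAP server").
peer_check() {   # peer_check CAFILE CERT HOST
    chain_ok "$1" "$2" && name_ok "$2" "$3"
}

make_ca ca "Example LDAP CA"
make_ca other "Unrelated CA"
make_server_cert server ca bar "DNS:bar,IP:192.168.1.15"

report() {   # report LABEL CAFILE CERT HOST
    if peer_check "$2" "$3" "$4"; then echo "$1: ok"; else echo "$1: FAIL"; fi
}
report "right CA, uri host 192.168.1.15"   "$WORK/ca.pem"    "$WORK/server.pem" 192.168.1.15
report "right CA, uri host bar"            "$WORK/ca.pem"    "$WORK/server.pem" bar
report "right CA, uri host 192.168.6.144"  "$WORK/ca.pem"    "$WORK/server.pem" 192.168.6.144
report "unrelated CA as tls_cacertfile"    "$WORK/other.pem" "$WORK/server.pem" 192.168.1.15
```

Against a real server the chain check is what openssl s_client -connect host:636 -CAfile /etc/ssl/certs/cacert.pem reports in its "Verify return code" line; the name check is the part s_client -showcerts does not do for you, and a uri that names an IP address only passes it when the server certificate carries that address in its subjectAltName.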

Best Answer

On both client and server, try adding the following to /etc/ldap/ldap.conf:

TLS_REQCERT never

By the way, SSL appears to be deprecated in OpenLDAP and it's better to use TLS. See http://httpd.apache.org/docs/2.2/mod/mod_ldap.html and search for "OpenLDAP SDK". The configuration is the same, except that you will use port 389 and not use "ldaps://" in the uri.
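Added example, not part of the answer above: per ldap.conf(5), TLS_REQCERT never makes libldap neither request nor check any server certificate, so the bind starts working because nothing about the server is verified any more. The script below puts that setting next to a configuration that keeps verification on, and adds a small audit function that reads an ldap.conf in either libldap spelling (TLS_REQCERT, TLS_CACERT) or nss_ldap spelling (tls_checkpeer, tls_cacertfile) and reports whether server-certificate verification is enforced with a trust anchor named in the file. The sample files, their contents and the CA path are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the answer: the answer's TLS_REQCERT never beside a
# configuration that keeps verification on, plus an audit function that reads an
# ldap.conf in libldap spelling (TLS_REQCERT, TLS_CACERT) or nss_ldap spelling
# (tls_checkpeer, tls_cacertfile) and reports whether the server certificate is
# actually verified against a trust anchor named in the file.  The sample files
# and the CA path are constructed for the demonstration.
set -euf

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Returns 0 when FILE enforces server-certificate verification (TLS_REQCERT
# demand/hard, which is also libldap's default, and no tls_checkpeer no) AND
# names a trust anchor; returns 1 otherwise.  Findings are printed to stdout.
audit_ldap_conf() {   # audit_ldap_conf FILE
    file=$1; reqcert=""; checkpeer=""; anchor=""; status=0
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line                          # split into keyword and value
        [ $# -eq 0 ] && continue              # blank line
        case "$1" in \#*) continue ;; esac    # comment
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')       # keywords are case-insensitive
        val=$(printf '%s' "${2:-}" | tr 'A-Z' 'a-z')
        case "$key" in
            tls_reqcert)   reqcert=$val ;;
            tls_checkpeer) checkpeer=$val ;;
            tls_cacert|tls_cacertfile|tls_cacertdir) anchor=${2:-} ;;
        esac
    done < "$file"
    case "$reqcert" in
        never|allow) echo "TLS_REQCERT $reqcert: server certificate is not checked at all"; status=1 ;;
        try)         echo "TLS_REQCERT try: a server presenting no certificate is still accepted"; status=1 ;;
        ''|demand|hard) ;;
        *)           echo "TLS_REQCERT $reqcert: unknown value"; status=1 ;;
    esac
    if [ "$checkpeer" = no ]; then
        echo "tls_checkpeer no: nss_ldap will not verify the server certificate"; status=1
    fi
    if [ "$status" -eq 0 ] && [ -z "$anchor" ]; then
        echo "no trust anchor named (TLS_CACERT/TLS_CACERTDIR or tls_cacertfile/tls_cacertdir)"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "ok: server certificate verified against $anchor"
    fi
    return "$status"
}

# What the answer proposes: the bind succeeds because no certificate is checked.
cat > "$WORK/never.conf" <<'EOF'
URI         ldaps://192.168.1.15
BASE        dc=example,dc=com
TLS_REQCERT never
EOF

# Same client, still verifying: chain to the CA file and the uri host must match.
cat > "$WORK/demand.conf" <<'EOF'
URI         ldaps://192.168.1.15
BASE        dc=example,dc=com
TLS_CACERT  /etc/ssl/certs/cacert.pem
TLS_REQCERT demand
EOF

# nss_ldap spelling of the same weakness, as in the question's working /etc/ldap.conf.
cat > "$WORK/nss.conf" <<'EOF'
uri ldaps://192.168.1.15
ssl on
tls_checkpeer no
EOF

for f in never demand nss; do
    echo "== $f.conf"
    audit_ldap_conf "$WORK/$f.conf" || true
done
```

Run it against the real /etc/ldap/ldap.conf and /etc/ldap.conf on each client; a non-zero exit means the client would accept any certificate (or none) from whatever answers on port 636.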