CentOS Icon CentOS Logo
CentOS Text
   
  
www.centos.org Forum Index
   CentOS 6 - Software Support
  Issues using startTLS with Openldap 2.4.23

 

 Bottom   Previous Topic   Next Topic
  •  Rate Thread
      Rate this Thread
      Excellent
      Good
      Average
      Bad
      Terrible
Poster Thread
  •  dchrist
      dchrist
Issues using startTLS with Openldap 2.4.23
#1
Newbie
Joined: 2011/12/2
From
Posts: 5
Hello,

I am running the latest version of openldap server 2.4.23. When I try to connect to my ldap server using startTLS I get errors. I am able to connect with out using tls.

Here is the out put from ldapsearch.

ldapsearch -LL -d1 -v -x -W -D 'cn=Manager,dc=localdomain,dc=com' -H ldap://localhost -ZZ '(cn=*)'
ldap_url_parse_ext(ldap://localhost)
ldap_initialize( ldap://localhost:389/??base )
ldap_create
ldap_url_parse_ext(ldap://localhost:389/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x24a1320 msgid 1
wait4msg ld 0x24a1320 msgid 1 (infinite timeout)
wait4msg continue ld 0x24a1320 msgid 1 all 1
ld 0x24a1320 Connections:
host: localhost port: 389 (default)
refcnt: 2 status: Connected
last used: Fri Dec 2 23:03:53 2011
ld 0x24a1320 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x24a1320 request count 1 (abandoned 0)
ld 0x24a1320 Response Queue:
Empty
ld 0x24a1320 response count 0
ldap_chkResponseList ld 0x24a1320 msgid 1 all 1
ldap_chkResponseList returns ld 0x24a1320 NULL
ldap_int_select
read1msg: ld 0x24a1320 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x24a1320 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x24a1320 0 new referrals
read1msg: mark request completed, ld 0x24a1320 msgid 1
request done: ld 0x24a1320 msgid 1
res_errno: 0, res_error: , res_matched: 
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS: file ca-bundle.trust.crt does not end in http://.0 - does not appear to be a CA certificate directory file with a properly hashed file name - skipping.
TLS: file ca-bundle.crt does not end in http://.0 - does not appear to be a CA certificate directory file with a properly hashed file name - skipping.
TLS: file cacert.pem.bakup does not end in http://.0 - does not appear to be a CA certificate directory file with a properly hashed file name - skipping.
TLS: file cacert.pem does not end in http://.0 - does not appear to be a CA certificate directory file with a properly hashed file name - skipping.
TLS: did not find any valid CA certificates in /etc/openldap/cacerts
TLS: could not initialize moznss using security dir /etc/openldap/cacerts prefix - error -8174.
TLS: could perform TLS system initialization.
TLS: error: could not initialize moznss security context - error -5939:No more entries in the directory
TLS: can't create ssl handle.
ldap_err2string
ldap_start_tls: Connect error (-11)

I have verified the certs are good using openssl. I've tried using TLS_CACERT in my /etc/openldap/ldap.conf instead of TLS_CACERTDIR, but still have similar issues with not being able to connect. I've seen various post about issues with moznss, but I have yet to see a work around for this issue. Does anyone know how to work around this issue or get TLS working some other way?
Posted on: 2011/12/2 23:37
Create PDF from Post Print
Top
  •  TrevorH
      TrevorH
Re: Issues using startTLS with Openldap 2.4.23
#2
Moderator
Joined: 2009/9/24
From Brighton, UK
Posts: 6310
Use TLS_CACERTDIR and then show the output from `ls -la` of that directory please. If you could wrap that output in [code][/code] tags then that would make it more readable.
_________________
Linux/VoIP Systems Administrator
Posted on: 2011/12/2 23:48
Create PDF from Post Print
Top
  •  dchrist
      dchrist
Re: Issues using startTLS with Openldap 2.4.23
#3
Newbie
Joined: 2011/12/2
From
Posts: 5
Here is the contents of my /etc/openldap/ldap.conf file:

cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
URI ldap://localhost/
BASE dc=localdomain,dc=com
#TLS_CACERT /etc/openldap/cacerts/cacert.pem
TLS_CACERTDIR /etc/openldap/cacerts
#TLS_REQCERT demand
TLS_REQCERT never


Here is the contents of my /etc/openldap/cacerts directory.



/etc/openldap/cacerts
[root@localhost cacerts]# ls -la
total 1252
drwxr-xr-x 2 ldap ldap 4096 Dec 5 15:10 .
drwxr-xr-x 5 ldap ldap 4096 Dec 2 20:44 ..
-rw-r--r-- 1 root root 571410 Dec 2 20:51 ca-bundle.crt
-rw-r--r-- 1 root root 651043 Dec 2 20:51 ca-bundle.trust.crt
-rw-r--r-- 1 root root 4954 Dec 2 20:49 cacert.pem
-rw-r--r-- 1 root root 4951 Dec 2 20:49 cacert.pem.bakup
-rw-r--r-- 1 root root 29836 Dec 5 15:09 log
Posted on: 2011/12/5 15:18
Create PDF from Post Print
Top
  •  TrevorH
      TrevorH
Re: Issues using startTLS with Openldap 2.4.23
#4
Moderator
Joined: 2009/9/24
From Brighton, UK
Posts: 6310
Right. To get your CA cert recognised it has to exist as a filename that is the same as the hash of it! So if you run

/etc/pki/tls/misc/c_hash /etc/openldap/cacerts/cacert.pem


then it should spit out something like

Quote:

69c9c6c4.0 => /etc/openldap/cacerts/cacert.pem


I find the easiest thing to do is to create a symlink

cd /etc/openldap/cacerts
ln -s cacert.pem 69c9c6c4.0


(substituting your hash for the symlink name of course)
_________________
Linux/VoIP Systems Administrator
Posted on: 2011/12/5 15:40
Create PDF from Post Print
Top
  •  dchrist
      dchrist
Re: Issues using startTLS with Openldap 2.4.23
#5
Newbie
Joined: 2011/12/2
From
Posts: 5
Thanks for the tip. I tried what you suggested but it still doesn't work. I checked my cacert with openssl and everything appears to be okay.

Openssl Verify:

openssl verify -CAfile /etc/openldap/cacerts/cacert.pem /etc/pki/tls/certs/slapd.pem
/etc/pki/tls/certs/slapd.pem: OK



/etc/openldap/cacerts
[root@localhost cacerts]# ls -la
total 16
drwxr-xr-x 2 ldap ldap 4096 Dec 5 16:21 .
drwxr-xr-x 5 ldap ldap 4096 Dec 2 20:44 ..
lrwxrwxrwx 1 root root 10 Dec 5 16:19 18945410.0 -> cacert.pem
-rw-r--r-- 1 root root 4954 Dec 2 20:49 cacert.pem


# ldapsearch -LL -d1 -v -x -W -D 'cn=Manager,dc=localdomain,dc=com' -H ldap://localhost -ZZ '(cn=*)'
ldap_url_parse_ext(ldap://localhost)
ldap_initialize( ldap://localhost:389/??base )
ldap_create
ldap_url_parse_ext(ldap://localhost:389/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x15b6320 msgid 1
wait4msg ld 0x15b6320 msgid 1 (infinite timeout)
wait4msg continue ld 0x15b6320 msgid 1 all 1
** ld 0x15b6320 Connections:
* host: localhost port: 389 (default)
refcnt: 2 status: Connected
last used: Mon Dec 5 16:25:18 2011


** ld 0x15b6320 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x15b6320 request count 1 (abandoned 0)
** ld 0x15b6320 Response Queue:
Empty
ld 0x15b6320 response count 0
ldap_chkResponseList ld 0x15b6320 msgid 1 all 1
ldap_chkResponseList returns ld 0x15b6320 NULL
ldap_int_select
read1msg: ld 0x15b6320 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x15b6320 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x15b6320 0 new referrals
read1msg: mark request completed, ld 0x15b6320 msgid 1
request done: ld 0x15b6320 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS: loaded CA certificate file /etc/openldap/cacerts/18945410.0 from CA certificate directory /etc/openldap/cacerts.
TLS: file cacert.pem does not end in [.0] - does not appear to be a CA certificate directory file with a properly hashed file name - skipping.
TLS: error: connect - force handshake failure: errno 0 - moznss error -5938
TLS: can't connect: TLS error -5938:Encountered end of file.
ldap_err2string
ldap_start_tls: Connect error (-11)
additional info: TLS error -5938:Encountered end of file

Anyone have any other ideas?

Thanks,

Duain
Posted on: 2011/12/5 16:27
Create PDF from Post Print
Top
  •  TrevorH
      TrevorH
Re: Issues using startTLS with Openldap 2.4.23
#6
Moderator
Joined: 2009/9/24
From Brighton, UK
Posts: 6310
You got an error there with an error code -5938. Googling that takes me to a redhat bugzilla that talks about making sure that your CA cert really is a CA cert by running

openssl x509 -in cacert.pem -text


You might also find it useful to try connecting to port 636 with an ldaps:// address until you get the certificate error out of the way - I think it may give better error messages that way.
_________________
Linux/VoIP Systems Administrator
Posted on: 2011/12/5 17:14
Create PDF from Post Print
Top
  •  dchrist
      dchrist
Re: Issues using startTLS with Openldap 2.4.23
#7
Newbie
Joined: 2011/12/2
From
Posts: 5
I verified my cacert with that command. I believe the relevant part is


X509v3 Basic Constraints:
CA:TRUE


I believe my certificates are fine. I think the issue has something to do with the Moznss vs openssl compatibility issue, but other than running a different version of openldap server I don't see a work around to this issue.
Posted on: 2011/12/5 21:17
Create PDF from Post Print
Top
  •  TrevorH
      TrevorH
Re: Issues using startTLS with Openldap 2.4.23
#8
Moderator
Joined: 2009/9/24
From Brighton, UK
Posts: 6310
You are connecting to ldap://localhost but the certificate belongs to the name of the server which is not localhost. Try talking to ldap://the-name.on.the.certificate
_________________
Linux/VoIP Systems Administrator
Posted on: 2011/12/5 23:36
Create PDF from Post Print
Top
  •  bpowell
      bpowell
Re: Issues using startTLS with Openldap 2.4.23
#9
Newbie
Joined: 2012/2/24
From
Posts: 1
Hi,

I am experiencing the exact same problem, and would be very interested to know if someone has found a solution. I have posted on the OpenLDAP forum here:

http://www.openldap.org/lists/openldap-technical/201202/threads.html#00359

As per the previous suggestion by TrevorH, I am using the CN of the certificate in my ldapsearch bind, as opposed to localhost. This does not make any difference.

Thanks
Posted on: 2012/2/24 17:38
Create PDF from Post Print
Top
 Top   Previous Topic   Next Topic

 

 You cannot start a new topic.
 You can view topic.
 You cannot reply to posts.
 You cannot edit your posts.
 You cannot delete your posts.
 You cannot add new polls.
 You cannot vote in polls.
 You cannot attach files to posts.
 You cannot post without approval.




"Linux" is a registered trademark of Linus Torvalds. | All other trademarks are property of their respective owners. | All other content is Copyright @ 2004-2009 by the CentOS Project or "each individual contributor (forums, comments, etc.) unless otherwise assigned".| Theme based on a theme by 7dana.com