Primarily:
PAM/NSS/OpenLDAP can connect to an LDAP server unencrypted (usually on port 389), encrypted via SSL/TLS (usually on port 636) and, even better, encrypted with the server's certificate checked ("using certificates").
TLS is the successor to SSL; there is a mechanism within TLS to "back down" to SSL v3.0.
Certificates are not required for SSL/TLS, but checking them is what helps prevent man-in-the-middle attacks.
When an LDAP client requests a secure connection, the LDAP server sends it a certificate; this identifies the server and carries the signature of the Certificate Authority (CA). The client already holds the CA's certificate and uses it to check that the server's certificate was really signed by that CA. If the check passes, secure communication can begin; if it does not, the client typically dishes out an error message like Can't contact LDAP server (see below).
openssl:
To get OpenLDAP to configure with --with-tls, OpenSSL needed to be installed:
    pkgadd -d openssl-0.9.7a-sol7-sparc-local
and some symlinks put in:
    cd /usr/local/include
    ln -s ../ssl/include/openssl/ssl.h ssl.h
    cd /usr/local/lib
    ln -s ../ssl/lib ssl
alternatively:
    cd /usr/local/include
    ln -s ../ssl/include/openssl openssl
    ln -s ../ssl/lib openssl
    cd /usr/lib
    ln -s /usr/local/ssl/lib/libssl.so libssl.so
    ln -s /usr/local/ssl/lib/libcrypto.so libcrypto.so
openldap:
    ./configure --with-tls --enable-bdb=no --enable-slapd=no
    make depend
    make
    make install
pam_ldap:
    ./configure --enable-ssl --with-ldap-dir=/usr/local --with-ldap-lib=openldap
    make
    make install
nss_ldap:
    ./configure --with-ldap-lib=openldap --with-ldap-dir=/usr/local --enable-ssl
    make
    make install
The LDAP client is configured by ldap.conf; OpenLDAP, pam_ldap and nss_ldap all come with a default file, but these are usually installed in different places --- determining which library/utility is using which copy of ldap.conf can be infuriating.
OpenLDAP apparently likes to install /etc/openldap/ldap.conf; the others go for /etc/ldap.conf. My OpenLDAP installation is in /usr/local/ssl with /usr/local/ssl/etc/ldap.conf; I moved this to ldap.conf.install and symlinked /etc/ldap.conf into /usr/local/ssl/etc.
If the certificate chain is rejected for any reason the error message will be
    ldap_bind: Can't contact LDAP server
For the SSL handshake to work properly, the hostname given to the client and the one set in the LDAP server's certificate (its Common Name, cn) must match; if they do not, you get the error message above.
To find out which hostname/cn a certificate was created for, you can point a web browser at (in the above example) https://ldap.example.com:636 and find the CN in the certificate information it shows. Use the hostname in the CN when connecting. If that hostname does not exist in DNS, as is the case with, for example, some Novell eDirectory installations, add the non-existent hostname to /etc/hosts together with the correct IP address. This should allow you to use the hostname from the CN when connecting over SSL.
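The name check described above, written out as an added example (this is not code from the original notes). It goes slightly beyond the notes: besides the subject CN it honours subjectAltName DNS entries and a leftmost-label wildcard, which is what current verifiers do. The certificate dictionaries are constructed here, in the shape Python's ssl.SSLSocket.getpeercert() returns, to mirror the CN=metafs2.man.ac.uk certificate the notes run into.

```python
"""Check whether a server certificate's names match the host the client
connected to.  Added example, not from the original notes; the
certificates below are constructed to mirror the notes' scenario."""


def _cert_names(cert):
    """Collect the DNS names a certificate is valid for: every DNS entry
    in subjectAltName, or the subject CN only as a fallback when no
    subjectAltName is present (older CA-issued certificates)."""
    sans = [value for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def _name_matches(pattern, hostname):
    """Match one certificate name, case-insensitively, allowing a single
    '*' only as the whole leftmost label (*.example.com, not *.com)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) < 3 or p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """True when the name the client used appears in the certificate."""
    return any(_name_matches(name, hostname) for name in _cert_names(cert))


def explain(cert, hostname):
    """Short diagnosis of why a connection to `hostname` passes or fails
    the name check, with the fix the notes arrive at."""
    names = _cert_names(cert)
    if hostname_matches(cert, hostname):
        return "ok: %s matches certificate name(s) %s" % (hostname, names)
    return ("mismatch: connected to %s but certificate is for %s; connect "
            "using a name the certificate carries (add it to /etc/hosts if "
            "DNS does not know it)" % (hostname, names))


# Constructed certificate shaped like the one in the notes: CN only, no
# subjectAltName, issued by the directory's own CA.
SERVER_CERT = {
    "subject": ((("commonName", "metafs2.man.ac.uk"),),
                (("organizationName", "UK-AC-MAN-METADIR"),)),
    "issuer": ((("organizationalUnitName", "Organizational CA"),),
               (("organizationName", "UK-AC-MAN-METADIR"),)),
}

if __name__ == "__main__":
    # The three ways the notes tried to reach the server: IP, DNS alias, CN.
    for host in ("130.88.229.74", "www.clip.man.ac.uk", "metafs2.man.ac.uk"):
        print(explain(SERVER_CERT, host))
```

Only the last of the three names in the usage block passes, which is exactly why the notes end up adding metafs2.man.ac.uk to /etc/hosts and using that name in ldap.conf rather than the IP address or the www alias.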
As a first diagnostic, use:
    /usr/local/ssl/bin/openssl s_client -port <PORT> -host <HOST_IP>
or, if certificates are being used (ldap.conf::tls_checkpeer yes), then:
    /usr/local/ssl/bin/openssl s_client \
        -CAfile <CACERT_PEM_FILE> -port 636 -host 130.88.229.74
As a second diagnostic, use ldapsearch. Solaris comes with its own ldapsearch client, /usr/bin/ldapsearch. Don't use it! Use that which came with OpenLDAP, in my case,
<openldap-build-dir>/clients/tools/ldapsearch
To test LDAP over SSL connectivity, execute the following command:
    ldapsearch -x -D 'uid=adam,ou=People,dc=example,dc=com' -W \
        -H ldaps://ldap.example.com -b ou=People,dc=example,dc=com uid=adam
or similar (ldaps, not ldap).
/etc/pam.conf:
/etc/nsswitch.conf:
ldap.conf:
    host 130.88.229.74
    base o=ac,c=uk
    binddn cn=ldapuser,ou=metadir,ou=man,o=ac,c=uk
    bindpw
    port 636
    scope sub
    pam_filter objectclass=posixAccount
    pam_login_attribute uid
    pam_password nds
    # -- default is to _not_ check cert :
    ssl off
ldap.conf:
    host 130.88.229.74
    base o=ac,c=uk
    binddn cn=ldapuser,ou=metadir,ou=man,o=ac,c=uk
    bindpw
    port 636
    scope sub
    pam_filter objectclass=posixAccount
    pam_login_attribute uid
    pam_password nds
    # -- default is to _not_ check cert :
    ssl on
    #tls_cacertfile /usr/local/ssl/certs/sarah.ca.cert
    tls_reqcert never
    #tls_checkpeer yes
    #tls_cacertdir /usr/local/ssl/certs
On my Solaris test machine with certificate checking OFF (you may need to set tls_reqcert never to force ldapsearch to ignore certificates):
    ldapsearch -x -W -H ldaps://www.clip.man.ac.uk -s sub -b "o=ac,c=uk" \
        -D "cn=ldapuser,ou=metadir,ou=man,o=ac,c=uk" "uid=mpciish2"
    Enter LDAP Password:
    # extended LDIF
    #
    # LDAPv3
    # base <o=ac,c=uk> with scope sub
    # filter: uid=mpciish2
    # requesting: ALL
    #

    # mpciish2, mc, admin, uman, ac, uk
    dn: cn=mpciish2,ou=mc,ou=admin,ou=uman,o=ac,c=uk
    homeDirectory: \\this\is\a\test
    gidNumber: 88888
    uidNumber: 77777
    uniqueID: mpciish2
    givenName: Simon
    sn: Hood
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: Person
    objectClass: ndsLoginProperties
    objectClass: Top
    objectClass: posixAccount
    cn: mpciish2

    # search result
    search: 2
    result: 0 Success

    # numResponses: 2
    # numEntries: 1
And authentication works fine --- tcpdump confirms that all data between the Solaris box and the LDAP server goes over port 636 (i.e., is encrypted).
ldap.conf:
    ##host 130.88.229.74
    ##host www.clip.man.ac.uk
    host metafs2.man.ac.uk
    base o=ac,c=uk
    binddn cn=ldapuser,ou=metadir,ou=man,o=ac,c=uk
    bindpw
    port 636
    scope sub
    pam_filter objectclass=posixAccount
    pam_login_attribute uid
    pam_password nds
    # -- this time we "checkpeer"'s cert :
    ssl on
    #tls_reqcert never
    tls_checkpeer yes
    #tls_cacertfile /usr/local/ssl/certs/sarah.ca.cert
    #tls_cacertfile /home/simonh/etc_csr_cert_sarah_3/RootCert.pem
    #tls_cacert /home/simonh/etc_csr_cert_sarah_3/RootCert.pem
    TLS_CACERT /home/simonh/etc_csr_cert_sarah_3/RootCert.pem
    #tls_cacertdir /home/simonh/etc_csr_cert_sarah_3
Initial attempts to use certificates in the SSL/TLS handshake between Solaris 7 client and NDS LDAP server (ldap.conf::tls_checkpeer yes) failed. /var/adm/messages contains
    Can't contact LDAP server
And:
    ldapsearch -x -W -H ldaps://www.clip.man.ac.uk -s sub -b "o=ac,c=uk" \
        -D "cn=ldapuser,ou=metadir,ou=man,o=ac,c=uk" "uid=mpciish2"
    Enter LDAP Password:
    ldap_bind: Can't contact LDAP server (81)
        additional info: error:14090086:SSL \
        routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Pointing Mozilla/Firefox at
    https://www.clip.man.ac.uk:636
and examining the certificate shows
    Common Name (CN): metafs2.man.ac.uk
NOT what was expected!!! And, for what it's worth, with certificate checking OFF (tls_reqcert never):
    ldapsearch -x -W -H ldaps://metafs2.man.ac.uk -s sub -b "o=ac,c=uk" \
        -D "cn=ldapuser,ou=metadir,ou=man,o=ac,c=uk" "uid=mpciish2"
    Enter LDAP Password:
    ldap_bind: Can't contact LDAP server (81)
...but then:
    /usr/sbin/nslookup metafs2.man.ac.uk
    Server:  woody.umist.ac.uk
    Address:  130.88.120.67

    *** woody.umist.ac.uk can't find metafs2.man.ac.uk: Non-existent host/domain
Adding
    130.88.229.74 metafs2.man.ac.uk
to /etc/hosts (with cert-checking still OFF):
    ldapsearch -x -W -H ldaps://metafs2.man.ac.uk -s sub -b "o=ac,c=uk" \
        -D "cn=ldapuser,ou=metadir,ou=man,o=ac,c=uk" "uid=mpciish2"
    Enter LDAP Password:
    # extended LDIF
    .
    # mpciish2, mc, admin, uman, ac, uk
    dn: cn=mpciish2,ou=mc,ou=admin,ou=uman,o=ac,c=uk
    homeDirectory: \\this\is\a\test
    .
    .
Progress!
Next up, try
    /usr/local/ssl/bin/openssl s_client -port 636 -host 130.88.229.74
    CONNECTED(00000003)
    depth=1 /OU=Organizational CA/O=UK-AC-MAN-METADIR
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    ---
    Certificate chain
     0 s:/CN=metafs2.man.ac.uk/O=.UK-AC-MAN-METADIR.
       i:/OU=Organizational CA/O=UK-AC-MAN-METADIR
     1 s:/OU=Organizational CA/O=UK-AC-MAN-METADIR
       i:/OU=Organizational CA/O=UK-AC-MAN-METADIR
     2 s:/OU=Organizational CA/O=UK-AC-MAN-METADIR
       i:/OU=Organizational CA/O=UK-AC-MAN-METADIR
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIFljCCBH6gAwIBAgIhAhwFYuVd+FhhjF7KrTeNkFPiRsthd5DYovd+5pZ9AgEW
    .
    .
    Ya64ixA4yjlpThe+4Fde41LJows5b1TLRlr4ePoxgM3qV/EcDSxPKMm4
    -----END CERTIFICATE-----
    subject=/CN=metafs2.man.ac.uk/O=.UK-AC-MAN-METADIR.
    issuer=/OU=Organizational CA/O=UK-AC-MAN-METADIR
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 4290 bytes and written 474 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES256-SHA
    Server public key is 2048 bit
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : AES256-SHA
        Session-ID: 24B23BC1...
        Session-ID-ctx:
        Master-Key: 0F181BF4...
        Key-Arg   : None
        Start Time: 1089029447
        Timeout   : 300 (sec)
        Verify return code: 19 (self signed certificate in certificate chain)
    ---
    0$x 1.3.6.1.4.1.1466.20036
    closed
Bad! Have a duff certificate.
Get the right one (see A Wrong Route, below). I need only a Certificate Authority certificate (see http://research.imb.uq.edu.au/~l.rathbone/ldap/tls.shtml):
-- I need a "CA.cert"; I don't need to do a CSR;
-- got CA.cert (actually RootCert.der) in binary (DER) format, but openssl requires PEM (Base64 encoded, cf. MIME):
    /usr/local/ssl/bin/openssl x509 -inform DER -outform PEM \
        -in RootCert.der -out RootCert.pem
-- check with:
    /usr/local/ssl/bin/openssl x509 -inform DER -in RootCert.der -noout -text
    /usr/local/ssl/bin/openssl x509 -inform PEM -in RootCert.pem -noout -text
   each of which dumps a human-readable form;
-- first client diagnostic:
    /usr/local/ssl/bin/openssl s_client \
        -CAfile /home/simonh/etc_csr_cert_sarah_3/RootCert.pem \
        -port 636 -host 130.88.229.74
    CONNECTED(00000003)
    depth=1 /OU=Organizational CA/O=UK-AC-MAN-METADIR
    verify return:1
    depth=0 /CN=metafs2.man.ac.uk/O=.UK-AC-MAN-METADIR.
    verify return:1
    ---
    Certificate chain
     0 s:/CN=metafs2.man.ac.uk/O=.UK-AC-MAN-METADIR.
       i:/OU=Organizational CA/O=UK-AC-MAN-METADIR
     1 s:/OU=Organizational CA/O=UK-AC-MAN-METADIR
       i:/OU=Organizational CA/O=UK-AC-MAN-METADIR
     2 s:/OU=Organizational CA/O=UK-AC-MAN-METADIR
       i:/OU=Organizational CA/O=UK-AC-MAN-METADIR
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIFljCCBH6gAwIBAgIhAhwFYuVd+FhhjF7KrTeNkFPiRsthd5DYovd+5pZ9AgEW
    .
    .
    Ya64ixA4yjlpThe+4Fde41LJows5b1TLRlr4ePoxgM3qV/EcDSxPKMm4
    -----END CERTIFICATE-----
    subject=/CN=metafs2.man.ac.uk/O=.UK-AC-MAN-METADIR.
    issuer=/OU=Organizational CA/O=UK-AC-MAN-METADIR
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 4290 bytes and written 474 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES256-SHA
    Server public key is 2048 bit
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : AES256-SHA
        Session-ID: 2F1EFC89...
        Session-ID-ctx:
        Master-Key: BA26DE5C...
        Key-Arg   : None
        Start Time: 1089029917
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    0$x 1.3.6.1.4.1.1466.20036
    closed
-- use second client diagnostic:
    openldap-with-tls/clients/tools/ldapsearch -Z -d 65535 -x -W \
        -H ldaps://metafs2.man.ac.uk -s sub -b "o=ac,c=uk" \
        -D "cn=ldapuser,ou=metadir,ou=man,o=ac,c=uk" "uid=mpciish2"
   [ or -d 16 ]
    TLS certificate verification: Error, self signed certificate in certificate chain
    TLS: can't connect.
    ldap_start_tls: Can't contact LDAP server (81)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Enter LDAP Password:
    ldap_bind: Can't contact LDAP server (81)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
-- so, add the reference to the PEM (CA.cert) in ldap.conf:
    ssl on
    #tls_reqcert never
    tls_checkpeer yes
    #tls_cacertfile /usr/local/ssl/certs/sarah.ca.cert
    #tls_cacertfile /home/simonh/etc_csr_cert_sarah_3/RootCert.pem
    #tls_cacert /home/simonh/etc_csr_cert_sarah_3/RootCert.pem
    TLS_CACERT /home/simonh/etc_csr_cert_sarah_3/RootCert.pem
    #tls_cacertdir /home/simonh/etc_csr_cert_sarah_3
   and
    ./ldapsearch -Z -x -W -H ldaps://metafs2.man.ac.uk -s sub -b "o=ac,c=uk" \
        -D "cn=ldapuser,ou=metadir,ou=man,o=ac,c=uk" "uid=mpciish2"
    ldap_start_tls: Operations error (1)
        additional info: TLS is is already established
    Enter LDAP Password:
    # extended LDIF
    .
    .
    # mpciish2, mc, admin, uman, ac, uk
    dn: cn=mpciish2,ou=mc,ou=admin,ou=uman,o=ac,c=uk
    homeDirectory: \\this\is\a\test
    gidNumber: 88888
    .
    .
    objectClass: posixAccount
    cn: mpciish2

    # search result
    search: 3
    result: 0 Success
    .
-- BUT, authentication still doesn't work...
   ...recall that hostnames must match, so change the IP address to the DNS entry in ldap.conf:
    ##host 130.88.229.74
    host metafs2.man.ac.uk
   and all is well.
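The two diagnostics used throughout these notes (openssl s_client with -CAfile, then ldapsearch) and the DER-to-PEM conversion above, folded into one added Python script. This is not part of the original notes: it uses Python's ssl module in place of the openssl command line, the host, port and RootCert.der path in the usage block are assumptions, and the verify-code table holds OpenSSL's standard X509 verify result numbers. Its point is to separate the two failures the notes had to untangle by hand, "self signed certificate in certificate chain" (the client does not trust the CA) and a hostname that does not match the CN, by checking the chain first and the name second.

```python
"""Diagnose an LDAPS server certificate: accept the CA certificate in DER
or PEM, verify the chain against it, then check the hostname, and report
which of the two failed.  Added example, not from the original notes."""
import socket
import ssl

# OpenSSL X509 verify result codes: the one seen in the notes (19) and
# the neighbours an admin is most likely to meet.
VERIFY_CODES = {
    10: "certificate has expired",
    18: "self signed certificate (server sent only a self-signed leaf)",
    19: "self signed certificate in certificate chain: the client does not "
        "trust the CA; point TLS_CACERT / tls_cacertfile at the CA cert (PEM)",
    20: "unable to get local issuer certificate: CA cert missing or wrong",
    62: "hostname mismatch: connect using the name in the certificate's CN/SAN",
}


def ca_bytes_to_pem(data):
    """Normalise CA certificate bytes to PEM text, which is what libldap
    and OpenSSL configuration expect: PEM passes through, DER (binary,
    as RootCert.der in the notes) is base64-wrapped."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return data.decode("ascii")
    return ssl.DER_cert_to_PEM_cert(data)


def pem_to_der(pem):
    """Inverse of ca_bytes_to_pem for PEM input (strip armour, base64-decode)."""
    return ssl.PEM_cert_to_DER_cert(pem)


def load_ca_pem(path):
    """Read a CA certificate file in either format and return PEM text."""
    with open(path, "rb") as f:
        return ca_bytes_to_pem(f.read())


def explain_verify_code(code):
    """Human-readable cause for an OpenSSL verify result code."""
    return "verify error %s: %s" % (code, VERIFY_CODES.get(code, "unknown verify error"))


def diagnose_ldaps(host, port=636, ca_pem=None, timeout=5.0):
    """Connect with TLS and return 'ok: ...', 'chain: ...' or 'hostname: ...'.
    The chain is verified with hostname checking off first, then the
    hostname is checked on a second connection, so the report names the
    failing step instead of a bare 'certificate verify failed'."""
    ctx = ssl.create_default_context()       # CERT_REQUIRED by default
    if ca_pem:
        ctx.load_verify_locations(cadata=ca_pem)
    ctx.check_hostname = False               # pass 1: chain only
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as err:
        return "chain: " + explain_verify_code(getattr(err, "verify_code", None))
    ctx.check_hostname = True                # pass 2: name against CN/SAN
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                pass
    except ssl.SSLCertVerificationError as err:
        return "hostname: " + explain_verify_code(getattr(err, "verify_code", None))
    subject = dict(rdn[0] for rdn in cert.get("subject", ()))
    return "ok: chain verified and %s matches CN=%s" % (host, subject.get("commonName"))


if __name__ == "__main__":
    # Assumed host and CA file; the CA file may be DER or PEM.
    ca = load_ca_pem("RootCert.der")
    print(diagnose_ldaps("ldap.example.com", 636, ca_pem=ca))
```

Run against the IP address or the www alias from the notes the script would report a "hostname:" failure with the chain already verified, which is the state the notes reached after adding TLS_CACERT but before changing the host line; without the CA file it reports the "chain:" failure with code 19.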