Results 1 to 5 of 5

Thread: ldap via TLS

  1. #1
    Join Date
    Sep 2009
    Location
    UK
    Posts
    302

    Default ldap via TLS

    Can someone point me to an idiots guide to ldap with TLS
    I am about to throw stuff out of the window....

    I have a Suse 11.1 box with a server certificate - if I enable TLS
    on the ldap server and run the ldap browser on the local machine
    with tls - it works ( if I set the log to pretty much everything I
    get 'tls established' in messages )

    I then exported to a file the server certificate and bunged it
    on a web server and then on my client ( opensuse 11.3 )
    download it and in ldap client specified the file. Now I the ldap
    browser gives me connection error and the log on the server
    says 'tls negotiation failure' - for this tests neither machine
    has a firewall on

    I am obviously doing something stupid ... can someone point
    me in the right direction and put me out of my misery ;-(

    Ta

    M

  2. #2

    Default Re: ldap via TLS

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    I'd be careful with the process you used to "[export] to a file the server
    certificate" since there are multiple certificates. For example, there is
    the one used for encryption which is signed by a trusted root. For each
    there are actually two keys... public and private. Yes, you should be
    exporting a certificate which contains the public key but then which
    certificate (server or trusted root) did you actually get? You can use
    openssl to see which certificate (along with its certificate chain
    usually) is being sent from your LDAP server when your web server connects
    to it as shown below, which MAY help you in verifying the one you have
    exported is correct (assuming port 636 in this case):

    openssl s_client -connect your.box.goes.here:636

    It will send a bunch of data to your screen and then wait for your
    input... just hit Ctrl+C. If you don't get a nastygram before you need to
    cancel out of openssl then your certificate is fine but now we're into
    PKI-land where trusts of certificates come into play, which is probably
    what is causing your web server to be picky.

    SSL/TLS vs. PKI is a difference of trust. Anybody can create a
    certificate that is secure when used, but you need a trusted certificate
    authority to have a certificate that is trusted by web browser and other
    SSL-using clients all over the world (Digicert, Thawte, RapidSSL,
    Verisign). In your case, if you didn't get a "trusted" certificate from
    some public CA then you have your own CA which is not trusted by everybody
    all over the world, but is still valid for your own uses. The hangup is
    that you need to tell your web server (Apache I presume) to trust that CA
    so anything that CA mints (creates) will be trusted as well. Try the
    following and post your output (hit Ctrl+C after each run to get back to a
    prompt again):

    openssl s_client -connect your.box.goes.here:636 -verify 0
    openssl s_client -connect your.box.goes.here:636 -verify 1
    openssl s_client -connect your.box.goes.here:636 -verify 2

    The first one will probably have 'Verify return code: 0 (ok)' at the end,
    and the other two will tell you that you're using a self-signed CA with
    'Verify return code: 19 (self signed certificate in certificate chain)'.
    Anyway, I'm still tinkering to figure out how to do some verification at
    that point (openssl is great, but HUGE) and I'll post back more when I
    have it. Give the above a shot to see if you can narrow down the issue.

    Good luck.






    On 11/12/2010 07:36 AM, interele wrote:
    >
    > Can someone point me to an idiots guide to ldap with TLS
    > I am about to throw stuff out of the window....
    >
    > I have a Suse 11.1 box with a server certificate - if I enable TLS
    > on the ldap server and run the ldap browser on the local machine
    > with tls - it works ( if I set the log to pretty much everything I
    > get 'tls established' in messages )
    >
    > I then exported to a file the server certificate and bunged it
    > on a web server and then on my client ( opensuse 11.3 )
    > download it and in ldap client specified the file. Now I the ldap
    > browser gives me connection error and the log on the server
    > says 'tls negotiation failure' - for this tests neither machine
    > has a firewall on
    >
    > I am obviously doing something stupid ... can someone point
    > me in the right direction and put me out of my misery ;-(
    >
    > Ta
    >
    > M
    >
    >

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v2.0.15 (GNU/Linux)
    Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

    iQIcBAEBAgAGBQJM3WJsAAoJEF+XTK08PnB5LKkQALNN6LhLBE/DMHx/HiblL0vn
    bImf60HDtyVy3NaM78npXK40zNCH1GlwBc74AW++ipR93YdX/M3bxsPeituoSNQ3
    YnQuYU/cmi1nB+Dz5Oo1ooxMFdjnMb65/vruh4g+f4FxeFN7Jbu4rpgCmMLDKecU
    S8wK0wndZ3NNqbEQiOmBDjMj+Q1USoaGlnYWcIOi0QpAAioFlYhTa3kHnnAC944r
    XfbSLFlcKH6P9slxg5WU4qQyo03HvYOpB3oNHZ5A5fJKfmPTBGZoRacf0fF8AkWT
    WwgpuLnM+BOVoM+oGQeeHBiUUL/ovBP0SzBmyiin8iGnDsrg+wiz++HJk1ulAGsv
    1NATRU+LLp9WXPLvEsbFQVExIGxw+AjtIP9mVHFVc1rqBP17DkH37XmsNpEgFIOF
    qTPy9wGlntTIox0D4R//QfQr9MGM81B3XGY3byrlFHCeltv3NEU3qQFqDog3Rmnn
    uvgyiizRowLUEyUcYSp/e9Y5OysS4ivWKxAHdd9cuiOrrrAMw6kF//Kx9ixteiGG
    4zO/2YF0addGEMLJH/ZQcddA2eey0BfbqF4DHFc4NT38imd6J3LUlTdaTtimRcXD
    SEDrjigK0jkcsUD6qvykVF2+O+k1Y+4sbJDrB5QF/Qe6D5NiedLs8xnH0dScjiHp
    scNhKFCMyu471t8WpIrJ
    =qOqp
    -----END PGP SIGNATURE-----

  3. #3
    Join Date
    Sep 2009
    Location
    UK
    Posts
    302

    Default Re: ldap via TLS

    Thanks for getting back... I've gone home now as my brains were
    coming out of my ears trying to get this to work.. I have a perfectly
    working set up using ( non tls) ldap to do logins and autofs (via nfs4)
    stuff for opensuse clients and a suse login/file server... but I thought
    using tls would be more secure although within a school environment
    it's probably overkill but I would like to get it working.

    Incidentally you might be interested in the background to this. We have
    been testing an opensuse/suse client/server setup as opposed to our
    current XP/2003 setup
    1. the time from starting a PC to login to getting one app running - the linux setup beats MS by a long, long way
    2. the students love linux
    ... I am optimistic .. :-)

    M

  4. #4
    Join Date
    Sep 2009
    Location
    UK
    Posts
    302

    Default Re: ldap via TLS

    I think I might have finally got somewhere
    I used GQ as a ldap browser and it barfs with
    'self signed certificate in certificate chain' which
    is a little more helpful ..... :-(

    M

  5. #5
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    11,706
    Blog Entries
    2

    Default Re: ldap via TLS

    Just some thoughts...
    Where are you using TLS? - Typically TLS is implemented server<>server, much less commonly server<>client.
    SSL is used commonly both server<>server and server<>client.
    TLS is probably a bit more secure than SSL.
    When setting up TLS, because it's used rather infrequently, it's common to use one machine to generate the pair of files (so that they share the same CA root authority), transfer one of the files to the other machine in any way possible, install in the local store, then setup your TLS connection. Should be very simple and straightforward.

    Note that setting up any encrypted network connection(LDAP does not matter) does not actually require setting up a CA, certificate hierarchies, etc, you only need the two machines to each use certificates which are trusted by the other machine. A CA is recommended when you need to manage large numbers of certificates within an organization.

    SSL connections are bit different depending on whether you're setting up one way authentication (eg what you typically see on the Internet) or mutual authentication. Again, usually the key to avoiding invalid certificate errors is to generate all certificates using the same application on the same machine in your network (Treat your CA like another Domain Controller). The first Server certificate generated by your CA can and in a private network is self-signed. Every other certificate it generates for Servers and Clients in your network should not be self-signed, they should reference your CA (which will prove itself with its own certificate).

    if you want some help configuring LDAP, one good resource I'd recommend is the OpenLDAP website. It's very long but very good. Take your time going through it. Another thing you'll probably need to do is to describe at least the main pieces of your LDAP configuration, LDAP is only a distributed lookup directory, nothing more... You also need to specify exactly what you're configuring to provide Authentication and Authorization Services, eg Kerberos. I assume that you already have the other required pieces in place like integrated DNS and DHCP Servers that support LDAP and you've configured those LDAP objects already.

    I agree if your clients are entirely within a protected LAN that Client encrypted network connections are overkill. Just encrypt your Server connections. So, if this is the case I'd recommend you re-direct your efforts to securing the network and if necessary any wireless, that's the usual approach.

    HTH and IMO,
    Tony

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •