Hello,
LDAP server:
I have to connect to a Debian LDAP server to authenticate users.
On it I made a CA certificate, and with it I signed a server certificate and a client one.
It requires clients to use ldaps!
LDAP client not working:
As always I have an openSUSE server, 13.1 this time.
I use the YaST LDAP Client to use LDAP for user authentication.
I imported the CA certificate from the LDAP server and gave it to the YaST LDAP Client module, in the SSL/TLS Configuration pane.
I selected “Use TLS for Identity Resolve”, but I need SSL (ldaps).
But when I click OK to save my configuration, I get this error:
“error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate)”
If I made a CA certificate on Debian that signed the server certificate used by the Debian LDAP server, why does it say “self signed certificate”?
ldapsearch:
So I searched the Internet for hours.
I put “TLS_REQCERT never” in /etc/openldap/ldap.conf.
I’d rather not do this, but because of the “self signed certificate” error, I need it to get ldapsearch working.
Again, I don’t understand why it’s a “self signed certificate”.
I tried: ldapsearch -H ldaps://xxxxxxxxxxx -D "uid=xxxxxxxxxxxxxxxx,o=xxxxxxxxx" -W -d 1
And it exits with success!
Errors:
But the YaST LDAP Client TLS certificates give this error (“error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate)”).
And trying to connect with ssh and an LDAP account gives me:
2014-06-24T10:36:31.217794+02:00 vijet sshd[32403]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.0.42 user=vincent.marechal
2014-06-24T10:36:31.218378+02:00 vijet sshd[32403]: pam_sss(sshd:auth): received for user vincent.marechal: 10 (User not known to the underlying authentication module)
2014-06-24T10:36:33.760763+02:00 vijet sshd[32401]: error: PAM: User not known to the underlying authentication module for illegal user vincent.marechal from 172.16.0.42
2014-06-24T10:36:33.761517+02:00 vijet sshd[32401]: Failed keyboard-interactive/pam for invalid user vincent.marechal from 172.16.0.42 port 49791 ssh2
I can use my Debian LDAP server from another server with pam_ldap, and then connect to it with ssh.
On my openSUSE, I can do an ldapsearch, but it needs “TLS_REQCERT never”.
But openSUSE uses the PAM sssd module and I can’t get it to work.
**I’m lost, and this was the last thing to configure to get my whole server and its services working for my school.
I hope someone can help me.
Thanks in advance,
Vincent MARECHAL**
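An added example, not part of Vincent's post: a shell script that builds a throwaway CA, a server certificate signed by that CA, an unrelated second CA, and a separate self-signed certificate, then runs `openssl verify` the way an LDAPS client does so the verdicts can be told apart. OpenSSL's "self signed certificate" (verify error 18, X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) means the certificate at depth 0, the one the server actually presented, is itself self-signed. A CA-signed leaf whose CA is merely not trusted by the client fails differently, with error 20, "unable to get local issuer certificate". The CA names, the host name ldap.example.invalid and the temporary directory are all constructed for this example; no real server is contacted.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the OpenSSL verify
# outcomes an LDAPS client can hit, using a throwaway CA built in a temp dir.
# Names (Example School CA, ldap.example.invalid) are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build: a CA, a server cert signed by that CA, an unrelated second CA, and a
# self-signed server cert (what a client sees when slapd serves the wrong file).
gen_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
        -subj "/CN=Example School CA" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/CN=ldap.example.invalid" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/other-ca.key" -out "$WORK/other-ca.pem" \
        -subj "/CN=Some Other CA" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.pem" \
        -subj "/CN=ldap.example.invalid" 2>/dev/null
}

# verify_verdict CERT CAFILE: prints "OK" or the numeric OpenSSL verify error
# (18 = self signed certificate at depth 0, 20 = unable to get local issuer).
verify_verdict() {
    out=$(openssl verify -CAfile "$2" "$1" 2>&1 || true)
    case "$out" in
        *": OK"*) echo OK ;;
        *) printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
    esac
}

gen_certs
echo "CA-signed server cert against its CA:     $(verify_verdict "$WORK/server.pem" "$WORK/ca.pem")"
echo "self-signed cert against the CA:          $(verify_verdict "$WORK/selfsigned.pem" "$WORK/ca.pem")"
echo "CA-signed server cert against another CA: $(verify_verdict "$WORK/server.pem" "$WORK/other-ca.pem")"
```

If a live server produces error 18, `openssl s_client -connect host:636 -CAfile ca.pem -showcerts` shows which certificate slapd is really sending; the likely fix is then on the server side (olcTLSCertificateFile / TLSCertificateFile pointing at the CA-signed certificate rather than a self-signed one), not `TLS_REQCERT never` on the client. Once the server presents the CA-signed certificate, clients should trust the CA explicitly with `TLS_CACERT /path/to/ca.pem` in /etc/openldap/ldap.conf and `ldap_tls_cacert = /path/to/ca.pem` in the sssd.conf domain section, which keeps certificate verification switched on.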