Cannot get OpenLDAP working with SSL to save my life - Openssl


  1. Cannot get OpenLDAP working with SSL to save my life

    I have been beating my head against this for days. I've followed a
    dozen HOWTOs and blogs I've found. Nothing is working.

    I'm looking for a simple HOWTO that includes all of the little details
    that nobody ever includes, because once you know them they're just too
    painfully obvious :-) This file must be chowned to these permissions,
    that file must be owned by this owner, etc.

    To add to my frustration, I made this work twice! Yes! I had created a
    simple self-signed certificate, nothing fancy. It works on one of my
    servers. It's just another that I cannot get working. I'm sure that
    part of my problem is I just don't know how to troubleshoot this... I
    get very generic error messages like
    "routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed" and
    "ldap_bind: Can't contact LDAP server" that probably have deeper
    meanings.

    Part of my problem is, this is working with a self-signed certificate on
    one server. I did not need to copy a CA to clients. I can copy an
    ldap.conf and an nsswitch.conf to a new client, and it just works. I'd
    really like to do the same thing (yes, even though everyone is hollering
    about how that's a terrible idea, it can't possibly work, I'm a complete
    idiot for wanting to do it, etc.) on the other server... I want them to
    be as similar as possible, so if one breaks, I don't have to remember
    all of the differences between the two.

    If I can get to the point of being able to get certificates working
    "correctly", with a CA and all, great... but I have to be able to get
    back to a working config instantly if that fails, and right now, since I
    haven't the faintest idea in the world why one server works perfectly
    and the other has resisted every one of dozens of attempts, I'm honestly
    afraid to mess with the working one.

    --
    ***********************************************************************
    * John Oliver http://www.john-oliver.net/ *
    * *
    ***********************************************************************
    ______________________________________________________________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org


  2. Re: Cannot get OpenLDAP working with SSL to save my life

    'certificate verify failed' means that the certificate received from
    the remote side cannot be verified locally. This is usually because
    it's self-signed and not locally cached as a trusted certificate, but
    more generically means that it's not signed by a trusted CA.
    'ldap_bind: Can't contact LDAP server' means that the connection was
    closed before LDAP could actually talk to the server to get the LDAP
    stuff. This logically follows from the 'certificate verify failed'
    error, because when the verification fails the client closes the
    connection.

    What is your client? Where is it configured to look for its trusted
    certificates? Once you know that, you will also know where to put the
    self-signed certificate from the server to make it work.

    -Kyle H

    On Mon, Jul 28, 2008 at 3:19 PM, John Oliver wrote:
    > I have been beating my head against this for days. I've followed a
    > dozen HOWTOs and blogs I've found. Nothing is working.
    >
    > ...

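    As an added illustration of Kyle's explanation (this is not from the thread; it is example code written here), the same failure reproduced with the openssl command-line tool: a self-signed certificate cannot be verified until the verifier is explicitly told to trust it. It assumes `openssl` is installed; the hostname in the certificate is a placeholder and the certificate itself is generated on the fly.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce "certificate verify failed"
# for a self-signed certificate, then make it verify by trusting it explicitly.
# Assumes the openssl command-line tool is installed. Hostname is a placeholder.
set -eu

WORK=$(mktemp -d)
CERT="$WORK/ldap-cert.pem"
KEY="$WORK/ldap-key.pem"

# Build a throwaway self-signed server certificate, the kind the original
# poster describes: no CA, the certificate is its own issuer.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=ldap.example.test" -keyout "$KEY" -out "$CERT" >/dev/null 2>&1
}

# Verify against the default trust store only. The issuer is the certificate
# itself, not a trusted CA, so this fails the same way the LDAP client's
# SSL3_GET_SERVER_CERTIFICATE check does. Non-zero exit on failure.
verify_with_system_trust() {
    openssl verify "$CERT" >/dev/null 2>&1
}

# Verify with the server's own certificate supplied as the trust anchor, which
# is what copying it into the client's trusted-certificate location achieves.
verify_with_pinned_cert() {
    openssl verify -CAfile "$CERT" "$CERT" >/dev/null 2>&1
}

# Human-readable summary of both checks.
demo() {
    make_selfsigned
    if verify_with_system_trust; then
        echo "system trust: OK (unexpected for a self-signed certificate)"
    else
        echo "system trust: verify failed (expected: issuer is not a trusted CA)"
    fi
    if verify_with_pinned_cert; then
        echo "pinned cert:  OK (client now trusts the server's certificate)"
    else
        echo "pinned cert:  verify failed"
    fi
}

demo
```

    Whatever the LDAP client is, the fix has the shape of the second check: the server's self-signed certificate (or the CA that issued it) has to be in the location the client reads its trust anchors from. For the OpenLDAP client library that is TLS_CACERT or TLS_CACERTDIR in ldap.conf, and `openssl s_client -connect host:636 -CAfile cert.pem` is the quickest way to confirm that the server is presenting the certificate you think it is.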


  3. Re: Cannot get OpenLDAP working with SSL to save my life

    On Jul 28, 9:22 pm, aerow...@gmail.com ("Kyle Hamilton") wrote:
    > 'certificate verify failed' means that the certificate received from
    > the remote side cannot be verified locally. This is usually because
    > it's self-signed and not locally cached as a trusted certificate, but
    > ...

    I was having the same problem. I am:
    - using a windows 2003 box (Active Directory server)
    - trying to modify passwords in the AD via a Python-LDAP script from
    a Red Hat Linux box

    No problem connecting and viewing/modifying info from Linux to AD when
    connecting via the default ldap port (389), but I couldn't modify
    passwords (I found out that you must have a secure connection to
    update passwords).

    I tried for hours to get a TLS or SSL connection. I finally came up
    with the solution for my problem. On the Linux box, Python-LDAP is
    using openldap. I queried the OPT_X_TLS_CACERTDIR option to find the
    configuration file for openldap (in my case /etc/openldap/ldap.conf).

    Adding the option "TLS_REQCERT allow" to my ldap.conf file fixed my
    problem. I am now able to connect securely either:
    - through ldap://xxxx:389 (after I initialized the connection, a call
    to "start_tls_s" connects securely via TLS)
    - through ldaps://xxxx:636 (no need to issue a "start_tls_s"
    connection)

    I hope this helps...
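    An added example (not from the thread) showing why "TLS_REQCERT allow" makes the error go away, and what the verified alternative looks like. Per ldap.conf(5), `allow` tells the OpenLDAP client library to keep the session even when the server certificate cannot be verified, so the connection is encrypted but the client has not authenticated the server; the default `demand` plus a TLS_CACERT pointing at the server's own self-signed certificate gives both. Python-LDAP links libldap, so it honours the same file. The two ldap.conf files below are constructed samples, the certificate path in them is a placeholder, and the small audit function reports which of them actually enforces verification.

```shell
#!/bin/sh
# Added example (not from the thread): inspect an OpenLDAP client ldap.conf and
# report whether server certificates are actually verified. The config files
# are constructed samples; the certificate path in them is a placeholder.
set -eu

WORK=$(mktemp -d)

# The quick fix from the thread. The client still encrypts, but it proceeds
# even when the server certificate cannot be verified.
cat > "$WORK/ldap.conf.allow" <<'EOF'
# OpenLDAP client configuration (constructed sample)
URI ldaps://ldap.example.test:636
BASE dc=example,dc=test
TLS_REQCERT allow
EOF

# The verifying alternative: trust the server's self-signed certificate
# explicitly and keep verification mandatory.
cat > "$WORK/ldap.conf.demand" <<'EOF'
# OpenLDAP client configuration (constructed sample)
URI ldaps://ldap.example.test:636
BASE dc=example,dc=test
# placeholder path: the server's self-signed certificate, copied to the client
TLS_CACERT /etc/openldap/certs/ldap-server.pem
TLS_REQCERT demand
EOF

# No TLS directives at all: the state the original poster is probably in.
cat > "$WORK/ldap.conf.default" <<'EOF'
# OpenLDAP client configuration (constructed sample)
URI ldaps://ldap.example.test:636
BASE dc=example,dc=test
EOF

# Value of one directive, or "" when absent. Directive names are matched
# case-insensitively and the last occurrence wins, as ldap.conf(5) describes.
conf_get() {            # conf_get FILE DIRECTIVE
    awk -v key="$2" '$1 !~ /^#/ && toupper($1) == toupper(key) { val = $2 }
        END { print val }' "$1"
}

# Effective TLS_REQCERT level: the library defaults to "demand" when unset.
reqcert_level() {
    lvl=$(conf_get "$1" TLS_REQCERT | tr 'A-Z' 'a-z')
    echo "${lvl:-demand}"
}

# Returns 0 when the file enforces verification (a level that rejects a bad
# certificate, plus a trust anchor to verify against); 1 otherwise.
audit_ldap_conf() {
    lvl=$(reqcert_level "$1")
    ca=$(conf_get "$1" TLS_CACERT)
    cadir=$(conf_get "$1" TLS_CACERTDIR)
    case "$lvl" in
        never|allow)
            echo "$1: TLS_REQCERT $lvl: a bad server certificate is ignored"
            return 1 ;;
        try|demand|hard) ;;   # try still rejects a bad certificate once presented
        *)  echo "$1: unknown TLS_REQCERT value '$lvl'"; return 1 ;;
    esac
    if [ -z "$ca" ] && [ -z "$cadir" ]; then
        echo "$1: TLS_REQCERT $lvl with no TLS_CACERT/TLS_CACERTDIR: a self-signed server certificate will fail to verify"
        return 1
    fi
    echo "$1: verification enforced (TLS_REQCERT $lvl, trust anchor ${ca:-$cadir})"
    return 0
}

for f in "$WORK/ldap.conf.allow" "$WORK/ldap.conf.demand" "$WORK/ldap.conf.default"; do
    audit_ldap_conf "$f" || true
done
```

    The third sample reproduces the situation in the first post: with nothing configured, the client demands a verifiable certificate but has only the library's default trust store to check it against, so a self-signed server certificate fails and the bind never happens. Copying the server's certificate to the client and naming it in TLS_CACERT is the change that makes that file pass the audit without giving up verification.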
