Hi,
I have configured an OpenLDAP server and client with TLS enabled.
LDAP has a user "ldapuser" which is displayed by ldapsearch both with and without the TLS option.
But when we log in as "ldapuser" on ldapclient with TLS enabled, it fails, reporting that there is no user "ldapuser".
[root@ldapclient ~]# ldapsearch -x -D "cn=Manager, dc=ceylonlinux,dc=com" -H ldaps://ldapserver:636 -W|grep ldapuser
Enter LDAP Password:
# ldapuser, People, ceylonlinux.com
dn: uid=ldapuser,ou=People,dc=ceylonlinux,dc=com
uid: ldapuser
cn: ldapuser
homeDirectory: /home/ldapuser
[root@ldapclient ~]# openssl s_client -connect ldapserver:636 -showcerts
CONNECTED(00000003)
depth=1 /C=In/ST=Maharastra/O=Persistent/OU=Platform/CN=ldapserver/emailAddress=ashwani_28@yahoo.co.in
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=In/ST=Maharastra/L=Nagpur/O=Persistent/OU=Platform/CN=ldapserver/emailAddress=ashwani_28@yahoo.co.in
i:/C=In/ST=Maharastra/O=Persistent/OU=Platform/CN=ldapserver/emailAddress=ashwani_28@yahoo.co.in
-----BEGIN CERTIFICATE-----
MIIDJjCCAo+gAwIBAgIJAOKq2vlJXRUxMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYD
VQQGEwJJbjETMBEGA1UECBMKTWFoYXJhc3RyYTETMBEGA1UEChMKUGVyc2lzdGVu
dDERMA8GA1UECxMIUGxhdGZvcm0xEjAQBgNVBAMTCXNjMTQzNS0wNzEtMCsGCSqG
SIb3DQEJARYeYXNod2FuaV9zaW5naEBwZXJzaXN0ZW50LmNvLmluMB4XDTA4MDMy
JZnt341HpIvByUg8V+r3PrVpaF2deOkUwM12nLpdN+gFkwu23W8/y4NGcgpaaxOZ
PUlOBpRGrKlAi6CtEejsYIYHEW60HUkzKM1N3XYCDJ1thO717WrG4Hpn
-----END CERTIFICATE-----
1 s:/C=In/ST=Maharastra/O=Persistent/OU=Platform/CN=ldapserver/emailAddress=ashwani_28@yahoo.co.in
i:/C=In/ST=Maharastra/O=Persistent/OU=Platform/CN=ldapserver/emailAddress=ashwani_28@yahoo.co.in
-----BEGIN CERTIFICATE-----
MIIDkDCCAvmgAwIBAgIJAOKq2vlJXRUwMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYD
VQQGEwJJbjETMBEGA1UECBMKTWFoYXJhc3RyYTETMBEGA1UEChMKUGVyc2lzdGVu
dDERMA8GA1UECxMIUGxhdGZvcm0xEjAQBgNVBAMTCXNjMTQzNS0wNzEtMCsGCSqG
SIb3DQEJARYeYXNod2FuaV9zaW5naEBwZXJzaXN0ZW50LmNvLmluMB4XDTA4MDMy
NzEzMTExM1oXDTExMDMyNzEzMTExM1owgY0xCzAJBgNVBAYTAkluMRMwEQYDVQQI
MrUkExW8rDjoE2u3uTwgPEQGpudsW+GE4a3hYiouUQ5t2d6BRFKs47LvF6toMNlq
EfMQ74dkYUBl/Nrt2gaOaWy0hRbXB6Bx6UMoXE2DcUr3C+q/G5vxBY1vMZ75VsTP
/iqltQ==
-----END CERTIFICATE-----
---
Server certificate
subject=/C=In/ST=Maharastra/L=Nagpur/O=Persistent/OU=Platform/CN=ldapserver/emailAddress=ashwani_28@yahoo.co.in
issuer=/C=In/ST=Maharastra/O=Persistent/OU=Platform/CN=ldapserver/emailAddress=ashwani_28@yahoo.co.in
---
Acceptable client certificate CA names
/C=In/ST=Maharastra/O=Persistent/OU=Platform/CN=ldapserver/emailAddress=ashwani_28@yahoo.co.in
/C=In/ST=Maharastra/L=Nagpur/O=Persistent/OU=Platform/CN=ldapserver/emailAddress=ashwani_28@yahoo.co.in
---
SSL handshake has read 2209 bytes and written 352 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 8DA9C3C1040FBB1DB7125068EFBA0B47363C777442D3BDB0A3AE417CA393CED5
Session-ID-ctx:
Master-Key: 1C54F6ADB913D69CD81AE57A0D43C792382C360641901E64A8E03B7D5EB2ED8BD710AEFDBEC2F4874E469AB39749D41D
Key-Arg : None
Krb5 Principal: None
Start Time: 1206654805
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
On the LDAP server:
# /etc/openldap/slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
TLSCertificateFile /etc/openldap/cacerts/slapd-cert.pem
TLSCertificateKeyFile /etc/openldap/cacerts/slapd-key.pem
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSVerifyClient allow
#access to *
#by * read
#by anonymous auth
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix "dc=ceylonlinux,dc=com"
rootdn "cn=Manager,dc=ceylonlinux,dc=com"
rootpw {SSHA}zuGMUo2xBjoC0T3EfOH8zfBOAfUH6a37
directory /var/lib/ldap/ceylonlinux.com
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
On the LDAP client:
# /etc/ldap.conf
host 192.11.0.117
base dc=ceylonlinux,dc=com
timelimit 120
bind_timelimit 120
idle_timelimit 3600
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
pam_password md5