
Openldap tls



Hello!

I can't get TLS working for OpenLDAP. I'm getting the following error:

mail:~# openssl s_client -CAfile /etc/ldap/certs/cacert.pem -connect localhost:636
CONNECTED(00000003)
depth=1 /C=RU/ST=Moscow/O=APK/OU=CA/CN=mail.example.com/emailAddress=postmaster@example.com
verify return:1
depth=0 /C=RU/ST=Moscow/L=Zelenograd/O=APK/OU=Slapd/CN=mail.example.com/emailAddress=postmaster@example.com
verify return:1
6677:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1057:SSL alert number 40
6677:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

mail:~# ldapsearch -Z -x -LLL "(mail=bamm@example.com)"
ldap_start_tls: Connect error (-11)
        additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
ldap_result: Can't contact LDAP server (-1)
        additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

mail:~# cat /etc/ldap/ldap.conf
BASE    dc=example, dc=com
URI     ldap://mail.example.com:389 ldaps://mail.example.com:636
TLS_CACERT /etc/ssl/certs/cacert.pem
TLS_CERT /etc/ldap/certs/slapd_public_cert.pem
TLS_KEY /etc/ldap/certs/slapd_private_key.pem
TLS_REQCERT demand

mail:~# cat /etc/ldap/slapd.conf | grep TLS
TLSCACertificateFile /etc/ssl/certs/cacert.pem
TLSCertificateFile /etc/ldap/certs/slapd_public_cert.pem
TLSCertificateKeyFile /etc/ldap/certs/slapd_private_key.pem
TLSVerifyClient demand


If I pass the cert and key parameters to s_client, verification passes; apparently the values from ldap.conf aren't being picked up. I don't know enough about this :(

anonymous

Re: Openldap tls

Output with the -state option:

mail:~# openssl s_client -CAfile /etc/ldap/certs/cacert.pem -connect localhost:636 -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=RU/ST=Moscow/O=APK/OU=CA/CN=mail.example.com/emailAddress=postmaster@example.com
verify return:1
depth=0 /C=RU/ST=Moscow/L=Zelenograd/O=APK/OU=Slapd/CN=mail.example.com/emailAddress=postmaster@example.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL3 alert read:fatal:handshake failure
SSL_connect:failed in SSLv3 read finished A
6762:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1057:SSL alert number 40
6762:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

anonymous

Re: Openldap tls

I put a .ldaprc with the options from ldap.conf in the user's home directory, and the command ldapsearch -Z -x -LLL "(mail=bamm@example.com)" started working.

anonymous
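The -state trace and the .ldaprc fix together explain the failure: the server (TLSVerifyClient demand) sends a certificate request, the client answers with an empty certificate, and the server aborts with alert 40 after the client's Finished. The reason ldapsearch ignored TLS_CERT and TLS_KEY is that ldap.conf(5) marks both as "user-only" options, honored in ~/.ldaprc, ./ldaprc or $LDAPRC but not in the system-wide ldap.conf. The following script is an added example, not code from the thread or from OpenLDAP: it classifies an s_client -state trace by where the handshake stopped and flags user-only TLS keys placed in a system ldap.conf. The embedded trace and config are copied from the posts above; the verdict strings and function names are my own.

```python
import re

# Per OpenLDAP's ldap.conf(5), these TLS options are "user-only": they take
# effect in ~/.ldaprc, ./ldaprc or $LDAPRC and are ignored in /etc/ldap/ldap.conf.
USER_ONLY_TLS_KEYS = {"TLS_CERT", "TLS_KEY"}

# System-wide ldap.conf as posted in the thread.
SYSTEM_LDAP_CONF = """\
BASE    dc=example, dc=com
URI     ldap://mail.example.com:389 ldaps://mail.example.com:636
TLS_CACERT /etc/ssl/certs/cacert.pem
TLS_CERT /etc/ldap/certs/slapd_public_cert.pem
TLS_KEY /etc/ldap/certs/slapd_private_key.pem
TLS_REQCERT demand
"""

# `openssl s_client -state` trace from the thread (depth/verify lines omitted).
S_CLIENT_TRACE = """\
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL3 alert read:fatal:handshake failure
SSL_connect:failed in SSLv3 read finished A
6762:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1057:SSL alert number 40
"""


def parse_ldap_conf(text):
    """Parse 'KEY value' lines of an ldap.conf/ldaprc file into a dict."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def user_only_keys_in_system_conf(text):
    """TLS keys present in a system ldap.conf that libldap will not read there."""
    return sorted(k for k in parse_ldap_conf(text) if k in USER_ONLY_TLS_KEYS)


def diagnose_handshake(trace):
    """Classify an `openssl s_client -state` trace by where it stopped and why."""
    lines = trace.splitlines()
    requested = any("read server certificate request" in l for l in lines)
    # s_client prints this even with no -cert: it then sends an empty Certificate message.
    sent_cert = any("write client certificate" in l for l in lines)
    m = re.search(r"SSL alert number (\d+)", trace)
    alert = int(m.group(1)) if m else None
    failed = next((l.split("failed in ", 1)[1] for l in lines if "failed in " in l), None)
    if alert is None:
        verdict = "handshake completed"
    elif alert == 40 and requested and sent_cert and failed and "read finished" in failed:
        # Server demanded client auth, the client answered, and the server aborted
        # after the client's Finished: it did not accept the (possibly empty) cert.
        verdict = "server rejected client certificate (client auth required)"
    elif alert == 40:
        verdict = "handshake_failure before client auth (cipher/protocol/server config)"
    else:
        verdict = "fatal alert %d" % alert
    return {"client_cert_requested": requested, "alert": alert,
            "failed_at": failed, "verdict": verdict}


def explain(trace, system_conf_text):
    """Combine both checks into the advice that resolved this thread."""
    d = diagnose_handshake(trace)
    ignored = user_only_keys_in_system_conf(system_conf_text)
    if d["verdict"].startswith("server rejected client certificate") and ignored:
        return ("%s in the system ldap.conf are user-only options and are ignored "
                "there; put them in ~/.ldaprc (or $LDAPRC), or pass -cert/-key to "
                "s_client" % ", ".join(ignored))
    return d["verdict"]


if __name__ == "__main__":
    print(diagnose_handshake(S_CLIENT_TRACE))
    print(explain(S_CLIENT_TRACE, SYSTEM_LDAP_CONF))
```

Run it as-is to see the thread's case classified; feed it your own -state output and ldap.conf to check whether a "handshake failure" comes after the certificate request (client auth) or earlier (cipher or protocol mismatch, or a server-side TLS error), which is the first thing to separate when slapd has TLSVerifyClient set to demand.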