Can't get SSL working properly with openSUSE LDAP client (works with ldapsearch + SSL though)


by ian2

Hi,
Hope this is the right mailing list to ask this - the
openldap-software@openldap.org list rejected it as off-topic.

I'm experimenting with my first LDAP server, trying to get an OpenSUSE 10.3
client (noisy.foo.lan IP 192.168.0.10) to authenticate to a FreeBSD 5.5 server
(daemon.foo.lan ip 192.168.0.5) via LDAP and I'm having trouble with SSL.
Hope someone can point me in the right direction...

I have the LDAP server (openldap-server-2.3.38 installed from ports) setup on
the FreeBSD box and have generated certificates. There is no SASL support,
I'm using SSL for encryption.

This is the slapd.conf file (/usr/local/etc/openldap/slapd.conf) on the
server:
        include         /usr/local/etc/openldap/schema/core.schema
        include         /usr/local/etc/openldap/schema/cosine.schema
        include         /usr/local/etc/openldap/schema/dyngroup.schema
        include         /usr/local/etc/openldap/schema/nis.schema
        pidfile         /var/run/openldap/slapd.pid
        argsfile        /var/run/openldap/slapd.args
        modulepath      /usr/local/libexec/openldap
        moduleload      back_bdb
        allow bind_v2 bind_anon_dn
        access to attrs=userPassword
            by self write
            by * auth
        access to dn.base=""
             by * read
        access to * by self write
            by * read
        security ssf=1 update_ssf=112 simple_bind=64
        TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
        TLSCACertificateFile /usr/local/etc/openldap/cacert.pem
        TLSCertificateFile /usr/local/etc/openldap/slapd-cert-ldap1.pem
        TLSCertificateKeyFile /usr/local/etc/openldap/slapd-key-ldap1.pem
        TLSVerifyClient never
        database        bdb
        suffix          "dc=daemon,dc=com"
        rootdn          "cn=admin,dc=daemon,dc=com"
        rootpw  {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxx
        directory       /var/db/openldap-data
        index   objectClass     eq

I've also set up /etc/openldap/ldap.conf on the suse box. Here are the contents of
that conf file:
        BASE            dc=daemon,dc=com
        URI             ldaps://daemon.foo.lan
        TLS_CACERT      /etc/openldap/cacert.pem
        TLS_REQCERT never

I can use ldapsearch -x on that box to list the contents of the ldap server.
On the FreeBSD box, slapd is started with the parameters -h "ldaps:///"

So it appears that SSL works just fine as far as ldapsearch is concerned. I've
even renamed the cacert file to confirm that ldapsearch fails without the
certificate there.

So far so good.

The next step was to get opensuse to authenticate to the ldap server using
PAM. I restarted slapd on the server with the parameters -h "ldaps:///
ldap:///" so it can use SSL or TLS and use this /etc/ldap.conf file on the
suse box:
        bind_policy     soft
        pam_lookup_policy       yes
        pam_password    md5
        nss_initgroups_ignoreusers      root,ldap
        nss_schema      rfc2307bis
        nss_map_attribute       uniqueMember member
        ssl     start_tls
        ldap_version    3
        pam_filter      objectclass=posixAccount
        nss_base_passwd dc=daemon,dc=com
        nss_base_shadow dc=daemon,dc=com
        nss_base_group  dc=daemon,dc=com
        tls_checkpeer   no
        base            dc=daemon,dc=com
        uri             ldap://daemon.foo.lan
        tls_cacert      /etc/openldap/cacert.pem
        tls_reqcert never
        scope sub
        rootbinddn cn=admin,dc=daemon,dc=com

That seems to work just fine, I can login on the suse box using my username &
password for the FBSD box (I haven't got the home dir automounting from the
server yet, that will be my next challenge).

Now the problem comes when I try to get this part working with SSL instead of
TLS. To do this, I've restarted slapd without the ldap:/// parameter and made
2 changes to /etc/ldap.conf:
<ssl start_tls
>#ssl start_tls
<uri ldap://daemon.foo.lan
> uri ldaps://daemon.foo.lan

Now when I try to login, the suse box shows the following
in /var/log/messages:

 Nov  9 21:22:34 noisy nscd: nss_ldap: failed to bind to LDAP server ldaps://daemon.foo.lan: Can't contact LDAP server
 Nov  9 21:22:34 noisy nscd: nss_ldap: failed to bind to LDAP server ldaps://daemon.foo.lan: Can't contact LDAP server
 Nov  9 21:22:34 noisy nscd: nss_ldap: could not search LDAP server - Server is unavailable
 Nov  9 21:22:34 noisy login[4196]: Unable to obtain uid (user=imoore) for audit system
 Nov  9 21:22:34 noisy login[4196]: User not known to the underlying authentication module

I'm logging in as the user imoore, which in the ldap server is
        # imoore, People, daemon.com
        dn: uid=imoore,ou=People,dc=daemon,dc=com
        uid: imoore
        cn: Ian Moore
        objectClass: account
        objectClass: posixAccount
        objectClass: top
        loginShell: /bin/csh
        uidNumber: 1001
        gidNumber: 1001
        homeDirectory: /home/imoore
        gecos: Ian Moore

On the server's messages log, I get:
Nov  9 20:22:59 daemon kernel: Connection attempt to TCP 192.168.0.5:389 from 192.168.0.10:20576 flags:0x02
Nov  9 20:22:59 daemon kernel: Connection attempt to TCP 192.168.0.5:389 from 192.168.0.10:20577 flags:0x02

That's the firewall (which is set to allow everything through btw), logging a
connection attempt from the client on 389, despite ldap.conf stating the URI
as ldaps://daemon.foo.lan, which is odd.

Lastly (sorry this is such a long post, but I'm trying to give all the relevant
information), here is the output of slapd with -d1 debugging when I try to
login on the client using SSL:
 >>> slap_listener(ldaps:///)

 connection_get(11): got connid=1
 connection_read(11): checking for input on id=1
 TLS trace: SSL_accept:before/accept initialization
 TLS trace: SSL_accept:SSLv3 read client hello A
 TLS trace: SSL_accept:SSLv3 write server hello A
 TLS trace: SSL_accept:SSLv3 write certificate A
 TLS trace: SSL_accept:SSLv3 write server done A
 TLS trace: SSL_accept:SSLv3 flush data
 TLS trace: SSL_accept:error in SSLv3 read client certificate A
 TLS trace: SSL_accept:error in SSLv3 read client certificate A
 connection_get(11): got connid=1
 connection_read(11): checking for input on id=1
 TLS trace: SSL_accept:SSLv3 read client key exchange A
 TLS trace: SSL_accept:SSLv3 read finished A
 TLS trace: SSL_accept:SSLv3 write change cipher spec A
 TLS trace: SSL_accept:SSLv3 write finished A
 TLS trace: SSL_accept:SSLv3 flush data
 connection_read(11): unable to get TLS client DN, error=49 id=1
 connection_get(11): got connid=1
 connection_read(11): checking for input on id=1
 ber_get_next
 ber_get_next: tag 0x30 len 46 contents:
 ber_get_next
 do_bind
 ber_scanf fmt ({imt) ber:

 ber_scanf fmt (m}) ber:
 >>> dnPrettyNormal: <cn=admin,dc=daemon,dc=com>

 <<< dnPrettyNormal: <cn=admin,dc=daemon,dc=com>,
 <cn=admin,dc=daemon,dc=com> do_bind: version=3
 dn="cn=admin,dc=daemon,dc=com" method=128
 do_bind: v3 bind: "cn=admin,dc=daemon,dc=com" to
 "cn=admin,dc=daemon,dc=com" send_ldap_result: conn=1 op=0 p=3
 send_ldap_response: msgid=1 tag=97 err=0
 ber_flush: 14 bytes to sd 11
 connection_get(11): got connid=1
 connection_read(11): checking for input on id=1
 ber_get_next
 ber_get_next: tag 0x30 len 86 contents:
 ber_get_next
 do_search

 ber_scanf fmt ({miiiib) ber:
 >>> dnPrettyNormal: <dc=daemon,dc=com>

 <<< dnPrettyNormal: <dc=daemon,dc=com>, <dc=daemon,dc=com>
 ber_scanf fmt ({mm}) ber:
 ber_scanf fmt ({mm}) ber:
 ber_scanf fmt ({M}}) ber:
 => bdb_search
 bdb_dn2entry("dc=daemon,dc=com")
 search_candidates: base="dc=daemon,dc=com" (0x00000001) scope=2
 => bdb_dn2idl("dc=daemon,dc=com")
 => bdb_equality_candidates (objectClass)
 => key_read
 <= bdb_index_read: failed (-30989)
 <= bdb_equality_candidates: id=0, first=0, last=0
 => bdb_equality_candidates (objectClass)
 => key_read
 <= bdb_index_read 3 candidates
 <= bdb_equality_candidates: id=3, first=27, last=29
 => bdb_equality_candidates (uid)
 <= bdb_equality_candidates: (uid) not indexed
 bdb_search_candidates: id=-1 first=27 last=29
 bdb_search: 27 does not match filter
 bdb_search: 28 does not match filter
 => send_search_entry: conn 1 dn="uid=imoore,ou=People,dc=daemon,dc=com"
 ber_flush: 319 bytes to sd 11
 <= send_search_entry: conn 1 exit.
 send_ldap_result: conn=1 op=1 p=3
 send_ldap_response: msgid=2 tag=101 err=0
 ber_flush: 14 bytes to sd 11
 connection_get(11): got connid=1
 connection_read(11): checking for input on id=1
 ber_get_next
 ber_get_next: tag 0x30 len 88 contents:
 ber_get_next
 do_bind
 ber_scanf fmt ({imt) ber:
 ber_scanf fmt (m}) ber:
 => get_ctrls
 ber_scanf fmt ({m) ber:
 => get_ctrls: oid="1.3.6.1.4.1.42.2.27.8.5.1" (noncritical)
 <= get_ctrls: n=1 rc=0 err=""

 >>> dnPrettyNormal: <uid=imoore,ou=People,dc=daemon,dc=com>

 <<< dnPrettyNormal: <uid=imoore,ou=People,dc=daemon,dc=com>,
 <uid=imoore,ou=people,dc=daemon,dc=com> do_bind: version=3
 dn="uid=imoore,ou=People,dc=daemon,dc=com" method=128 slap_global_control:
 unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
 bdb_dn2entry("uid=imoore,ou=people,dc=daemon,dc=com")
 do_bind: v3 bind: "uid=imoore,ou=People,dc=daemon,dc=com" to
 "uid=imoore,ou=People,dc=daemon,dc=com" send_ldap_result: conn=1 op=2 p=3
 send_ldap_response: msgid=3 tag=97 err=0
 ber_flush: 14 bytes to sd 11
 connection_get(11): got connid=1
 connection_read(11): checking for input on id=1
 ber_get_next
 ber_get_next: tag 0x30 len 46 contents:
 ber_get_next
 do_bind
 ber_scanf fmt ({imt) ber:

 ber_scanf fmt (m}) ber:
 >>> dnPrettyNormal: <cn=admin,dc=daemon,dc=com>

 <<< dnPrettyNormal: <cn=admin,dc=daemon,dc=com>,
 <cn=admin,dc=daemon,dc=com> do_bind: version=3
 dn="cn=admin,dc=daemon,dc=com" method=128
 do_bind: v3 bind: "cn=admin,dc=daemon,dc=com" to
 "cn=admin,dc=daemon,dc=com" send_ldap_result: conn=1 op=3 p=3
 send_ldap_response: msgid=4 tag=97 err=0
 ber_flush: 14 bytes to sd 11
 connection_get(11): got connid=1
 connection_read(11): checking for input on id=1
 ber_get_next
 ber_get_next: tag 0x30 len 5 contents:
 ber_get_next
 TLS trace: SSL3 alert read:warning:close notify
 ber_get_next on fd 11 failed errno=0 (Undefined error: 0)
 connection_closing: readying conn=1 sd=11 for close
 connection_close: deferring conn=1 sd=11
 do_unbind
 connection_resched: attempting closing conn=1 sd=11
 connection_close: conn=1 sd=11
 TLS trace: SSL3 alert write:warning:close notify

I've run out of ideas to try, so any suggestions would be welcome!

Cheers,
 
Ian


Re: Can't get SSL working properly with openSUSE LDAP client (works with ldapsearch + SSL though)

by Tony Earnshaw-4

ian2 wrote, on 12-11-2007 07:49:

To cut out as much as possible of the chaff:

 > nss_map_attribute       uniqueMember member

[...]

Don't do that, it slows down OL e^n degrees. Think of something else.

[...]

> On the server's messages log, I get:
> Nov  9 20:22:59 daemon kernel: Connection attempt to TCP 192.168.0.5:389

Whatever you think you're doing, you're still trying to connect to your
server on its ldap port (389) instead of its ldaps port (636). But you
killed off the ldap port when you reconfigured your server, not?

Your "quoted" /etc/ldap.conf came through all screwed up (heh ... "all
down under") so it's not good to see what relevant parts you changed.

Best,

--Tonni

--
Tony Earnshaw
Email: tonni at hetnet dot nl

Re: Can't get SSL working properly with openSUSE LDAP client (works with ldapsearch + SSL though)

by Andreas Hasenack

On Mon, Nov 12, 2007 at 05:10:17PM +0100, Tony Earnshaw wrote:
> ian2 wrote, on 12-11-2007 07:49:
>
> To cut out as much as possible of the chaff:
>
> > nss_map_attribute       uniqueMember member
>
> [...]
>
> Don't do that, it slows down OL e^n degrees. Think of something else.

Indeed, because of nested groups (see http://bugzilla.padl.com/show_bug.cgi?id=319).
nss_ldap should have a (runtime?) configuration switch to enable or
disable nested groups support.


Re: Can't get SSL working properly with openSUSE LDAP client (works with ldapsearch + SSL though)

by ian2

On Tuesday 13 November 2007 02:40:17 Tony Earnshaw wrote:
> ian2 wrote, on 12-11-2007 07:49:
>
> To cut out as much as possible of the chaff:
>  > nss_map_attribute       uniqueMember member
>
> [...]
>
> Don't do that, it slows down OL e^n degrees. Think of something else.
>

OK, either that was a default setting in the conf file or when I tried to use
YAST to setup the ldap client, it added it. I then hacked the conf file
because yast doesn't provide a way to specify any SSL settings.
I've commented that line out.

>
> > On the server's messages log, I get:
> > Nov  9 20:22:59 daemon kernel: Connection attempt to TCP 192.168.0.5:389
>
> Whatever you think you're doing, you're still trying to connect to your
> server on its ldap port (389) instead of its ldaps port (636). But you
> killed off the ldap port when you reconfigured your server, not?
>
> Your "quoted" /etc/ldap.conf came through all screwed up (heh ... "all
> down under")
:-)

> so it's not good to see what relevant parts you changed.

You mean the original or the bit where I tried to show the changes I made?
Sorry, I should have explained what I was doing there (it was supposed to
look like a diff file).

Basically, the original was:

 bind_policy     soft
 pam_lookup_policy       yes
 pam_password    md5
 nss_initgroups_ignoreusers      root,ldap
 nss_schema      rfc2307bis
 ssl     start_tls
 ldap_version    3
 pam_filter      objectclass=posixAccount
 nss_base_passwd dc=daemon,dc=com
 nss_base_shadow dc=daemon,dc=com
 nss_base_group  dc=daemon,dc=com
 tls_checkpeer   no
 base            dc=daemon,dc=com
 uri             ldap://daemon.foo.lan
 tls_cacert      /etc/openldap/cacert.pem
 tls_reqcert never
 scope sub
 rootbinddn cn=admin,dc=daemon,dc=com

After the changes for SSL, it looks like:

 bind_policy     soft
 pam_lookup_policy       yes
 pam_password    md5
 nss_initgroups_ignoreusers      root,ldap
 nss_schema      rfc2307bis
 #ssl     start_tls
 ldap_version    3
 pam_filter      objectclass=posixAccount
 nss_base_passwd dc=daemon,dc=com
 nss_base_shadow dc=daemon,dc=com
 nss_base_group  dc=daemon,dc=com
 tls_checkpeer   no
 base            dc=daemon,dc=com
 uri             ldaps://daemon.foo.lan
 tls_cacert      /etc/openldap/cacert.pem
 tls_reqcert never
 scope sub
 rootbinddn cn=admin,dc=daemon,dc=com

I.e., I commented out the start_tls line and changed the uri from ldap: to
ldaps:.

Will try Wade's suggestions and see how I go.

Thanks,
--
Ian
gpg key: http://home.swiftdsl.com.au/~imoore/no-spam.asc


Re: Can't get SSL working properly with openSUSE LDAP client (works with ldapsearch + SSL though)

by ian2

On Tuesday 13 November 2007 10:57:46 Wade Fitzpatrick wrote:

> > Nov  9 21:22:34 noisy nscd: nss_ldap: failed to bind to LDAP server
> > ldaps://daemon.foo.lan: Can't contact LDAP server Nov  9 21:22:34 noisy
> > nscd: nss_ldap: could not search LDAP server - Server is unavailable Nov
> > 9 21:22:34 noisy login[4196]: Unable to obtain uid (user=imoore) for
> > audit system Nov  9 21:22:34 noisy login[4196]: User not known to the
> > underlying authentication module
>
> You need to simplify things and verify each step. The first problem is
> nss_ldap can't find you. Check your config files - maybe suse uses a
> separate file for nss_ldap.
>
> What does ``getent passwd imoore'' return?
> What happens when you add a passwd entry into /etc/passwd? Can you log
> in then?
>
> Verify all traffic with tcpdump and ethereal/wireshark. Make sure the
> server is listening on 636 not 389 using ``netstat -ntl''.
>
> Next, simplify your pam.conf so it's not checking account and sessions,
> only auth, then add them individually and verify each one.
>
> Cheers,
> Wade.

Yippee! It's working :-)
While checking out your very first point, my googling brought back some info
about the nss_ldap package for opensuse. In it was a file listing
with /usr/share/doc/packages/ldap.conf
I had a quick look through that file on my suse box and noticed it seems to be
a padl file, rather than a suse specific file.

In the openldap section, it shows 2 settings:
"ssl     start_tls"  and "ssl     on"
The second setting was in /etc/ldap.conf as a comment, but listed under
a "Netscape SDK LDAPS" heading, so I'd not used it. Instead, I just commented
out the "ssl     start_tls" line.
So, I added  "ssl     on", rebooted and now I can login!!
All I need to do now is read up on configuring automount to mount my home
directory from the FBSD box.

Thanks for pointing me in the right direction.

Cheers,
--
Ian
gpg key: http://home.swiftdsl.com.au/~imoore/no-spam.asc
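The fix in this thread was a single nss_ldap setting: with the uri changed to ldaps:// but "ssl start_tls" merely commented out, nss_ldap still went to port 389, and "ssl on" made it use LDAPS. The check below is an added example (not code from the thread or from the nss_ldap project) that lints the relevant /etc/ldap.conf lines for that mismatch and also reports the two settings in the posted config that switch off server certificate verification, tls_checkpeer no and tls_reqcert never, which leave the encrypted connection open to a server impersonating daemon.foo.lan. The sample configs are constructed from the posts rather than read from disk.

```python
"""Consistency check for nss_ldap/pam_ldap /etc/ldap.conf SSL settings.
Added example; the sample configs below are constructed from the thread."""

def parse_ldap_conf(text):
    """Map active (uncommented) 'key value' lines to {key: value}; keys lowercased."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # "#ssl start_tls" counts as absent
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def check_ldap_conf(text):
    """Return a list of (code, message) findings; an empty list means no issue."""
    conf = parse_ldap_conf(text)
    uri = conf.get("uri", "")
    scheme = uri.split("://", 1)[0].lower() if "://" in uri else ""
    ssl = conf.get("ssl", "").lower()     # "" when the line is absent or commented
    findings = []
    # nss_ldap pairs 'ssl on' with ldaps:// (LDAPS) and 'ssl start_tls' with ldap://
    if scheme == "ldaps" and ssl != "on":
        findings.append(("SSL_MODE", "uri is ldaps:// but ssl is %r; nss_ldap needs 'ssl on'" % ssl))
    elif scheme == "ldap" and ssl == "on":
        findings.append(("SSL_MODE", "'ssl on' with a plain ldap:// uri; use ldaps:// or 'ssl start_tls'"))
    elif scheme == "" and uri:
        findings.append(("SSL_MODE", "uri %r has no scheme" % uri))
    # Certificate verification explicitly disabled: any server certificate is accepted
    if conf.get("tls_checkpeer", "").lower() == "no":
        findings.append(("CERT_VERIFY", "tls_checkpeer no: server certificate is not verified"))
    if conf.get("tls_reqcert", "").lower() in ("never", "allow"):
        findings.append(("CERT_VERIFY", "tls_reqcert %s: server certificate is not verified" % conf["tls_reqcert"]))
    return findings

# Constructed from the thread: the failing config (ssl line commented out) ...
BROKEN_CONF = """\
#ssl     start_tls
tls_checkpeer   no
uri             ldaps://daemon.foo.lan
tls_cacert      /etc/openldap/cacert.pem
tls_reqcert never
"""
# ... and the working one, where "ssl on" replaced the commented line
FIXED_CONF = BROKEN_CONF.replace("#ssl     start_tls", "ssl     on")

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name)
        for code, msg in check_ldap_conf(conf):
            print("  [%s] %s" % (code, msg))
```

Even the working config still produces the two CERT_VERIFY findings; pointing tls_cacert at the CA and setting tls_checkpeer yes / tls_reqcert demand is what makes the ldaps:// connection actually authenticate the server.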