Openldap server and TLS

manilaboy1vic

Member

Reaction score: 3
Messages: 66

I am having trouble getting TLS to work with openldap-server.

Code:
root@ldap:~ # pkg info | grep ldap
openldap-client-2.4.57         Open source LDAP client implementation
openldap-server-2.4.57         Open source LDAP server implementation

root@ldap:~ # uname -a
FreeBSD ldap.example.org 12.2-RELEASE-p3 FreeBSD 12.2-RELEASE-p3 GENERIC  amd64


I followed the guide in the FreeBSD handbook:

Handbook guide

It seems that everything is working properly except for the TLS part.

Here is a working example from a remote host on the LAN:

Code:
vic@bleague:~
▶ ldapwhoami -H ldap://192.168.1.3 -x
anonymous



Here is a non-working example from the same LAN host:

Code:
vic@bleague:~
▶ ldapwhoami -H ldap://192.168.1.3 -x -ZZ -D "uid=vic,ou=users,dc=example,dc=org" -W
ldap_start_tls: Connect error (-11)
        additional info: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain)


I have defined the path to the certificates:

Code:
# Define global ACLs to disable default read access.
#
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
olcTLSCertificateFile: /usr/local/etc/openldap/server.crt
olcTLSCertificateKeyFile: /usr/local/etc/openldap/private/server.key
olcTLSCACertificateFile: /usr/local/etc/openldap/ca.crt
#olcTLSCipherSuite: HIGH
olcTLSProtocolMin: 3.1
olcTLSVerifyClient: never


Any help would be greatly appreciated.
 
OP
M

manilaboy1vic

Member

Reaction score: 3
Messages: 66

I think I got it sorted out. No more error after adding TLS_CACERT /usr/local/etc/openldap/ca.crt to ldap.conf

Code:
root@ldap:/usr/local/etc/openldap # cat ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-provider.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
TLS_CACERT  /usr/local/etc/openldap/ca.crt


Code:
root@ldap:/usr/local/etc/openldap # ldapsearch -ZZ
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 3
result: 32 No such object

# numResponses: 1
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 10,164
Messages: 35,668

Yes. If you use self-signed certificates you need to tell the client where the CA certificate is. Or else the client is not able to verify the server's certificate.
 
Top