Openldap server and TLS

M

manilaboy1vic

I am having trouble getting TLS to work with openldap-server.

Code: 
root@ldap:~ # pkg info | grep ldap
openldap-client-2.4.57         Open source LDAP client implementation
openldap-server-2.4.57         Open source LDAP server implementation

root@ldap:~ # uname -a
FreeBSD ldap.example.org 12.2-RELEASE-p3 FreeBSD 12.2-RELEASE-p3 GENERIC  amd64

I followed the guide in the FreeBSD handbook:

Handbook guide

It seems that everything is working properly except for the TLS part.

Here is a working example from a remote host on the LAN:

Code: 
vic@bleague:~
▶ ldapwhoami -H ldap://192.168.1.3 -x
anonymous

Here is a non-working example from the same LAN host:

Code: 
vic@bleague:~
▶ ldapwhoami -H ldap://192.168.1.3 -x -ZZ -D "uid=vic,ou=users,dc=example,dc=org" -W
ldap_start_tls: Connect error (-11)
        additional info: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain)

I have defined the path to the certificates:

Code: 
# Define global ACLs to disable default read access.
#
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
olcTLSCertificateFile: /usr/local/etc/openldap/server.crt
olcTLSCertificateKeyFile: /usr/local/etc/openldap/private/server.key
olcTLSCACertificateFile: /usr/local/etc/openldap/ca.crt
#olcTLSCipherSuite: HIGH
olcTLSProtocolMin: 3.1
olcTLSVerifyClient: never

Any help would be greatly appreciated.
 
I think I got it sorted out. No more error after adding TLS_CACERT /usr/local/etc/openldap/ca.crt to ldap.conf

Code: 
root@ldap:/usr/local/etc/openldap # cat ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-provider.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
TLS_CACERT  /usr/local/etc/openldap/ca.crt

Code: 
root@ldap:/usr/local/etc/openldap # ldapsearch -ZZ
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 3
result: 32 No such object

# numResponses: 1
 
Yes. If you use self-signed certificates you need to tell the client where the CA certificate is. Or else the client is not able to verify the server's certificate.
 
You must log in or register to reply here.
Back
Top