trouble integrating TLS in OpenLDAP

bluethundr · Sep 13, 2010

Hey FreeBSD

I'm building out my lovely FreeBSD box into an OpenLDAP server. So far, it seems to be working fine and I am populating the directory with data. And all the slap and ldap toos (like ldapvi and others) are working.

However, when I try to integrate TLS security slapd won't restart.

Here's the relevant part of my slapd.conf that deals with TLS. Let me know if you would like to see more of it, but really this only stops working when I uncomment these lines relating to TLS:

Code:

## Added logging parameters

loglevel        296
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

## TLS options for slapd
TLSCipherSuite   HIGH
TLSCertificateFile  /etc/local/slapd-cert.pem
TLSCertificateKeyFile /etc/local/slapd-key.pem

As far as I know, my keys seem ok with appropriate permissions:

Code:

[root@LBSD2:/etc/local]#ls -al
total 10
drwxr-xr-x   2 root  wheel   512 Sep 13 04:44 .
drwxr-xr-x  21 root  wheel  2560 Sep 13 04:41 ..
-rw-------   1 root  wheel  1371 Sep 13 04:44 slapd-cert.pem
-rw-------   1 root  wheel   887 Sep 13 01:31 slapd-key.pem

And when I go to restart slapd this is what happens...

Code:

[root@LBSD2:/usr/local/etc/openldap]#/usr/local/etc/rc.d/slapd restart
Stopping slapd.
Waiting for PIDS: 11015.
Starting slapd.
/usr/local/etc/rc.d/slapd: WARNING: failed to start slapd

And this happens in /var/log/messages:

Code:

Sep 13 21:26:07 LBSD2 su: bluethundr to root on /dev/pts/4
Sep 13 21:29:35 LBSD2 bluethundr: /usr/local/etc/rc.d/slapd: WARNING: failed to start slapd

And it looks like I had compiled with Cyrus SASL support.

Code:

                                               â”Œâ”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”
                                               â”‚             Options for openldap-sasl-server 2.4.23                â”‚  
                                               â”‚ â”Œâ”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â” â”‚  
                                               â”‚ â”‚ [X] SASL              With (Cyrus) SASL2 support               â”‚ â”‚  
                                               â”‚ â”‚ [X] FETCH             Enable fetch(3) support                  â”‚ â”‚  
                                               â”‚ â”‚ [ ] DYNACL            Run-time loadable ACL (experimental)     â”‚ â”‚  
                                               â”‚ â”‚ [ ] ACI               Per-object ACI (experimental)            â”‚ â”‚  
                                               â”‚ â”‚ [X] DNSSRV            With Dnssrv backend                      â”‚ â”‚  
                                               â”‚ â”‚ [ ] PASSWD            With Passwd backend                      â”‚ â”‚  
                                               â”‚ â”‚ [X] PERL              With Perl backend                        â”‚ â”‚  
                                               â”‚ â”‚ [ ] RELAY             With Relay backend                       â”‚ â”‚  
                                               â”‚ â”‚ [ ] SHELL             With Shell backend (disables threading)  â”‚ â”‚  
                                               â”‚ â”‚ [ ] SOCK              With Sock backend                        â”‚ â”‚  
                                               â”‚ â”‚ [ ] ODBC              With SQL backend                         â”‚ â”‚  
                                               â”‚ â”‚ [ ] RLOOKUPS          With reverse lookups of client hostnames â”‚ â”‚  
                                               â”‚ â”‚ [ ] SLP               With SLPv2 (RFC 2608) support            â”‚ â”‚  
                                               â”‚ â”‚ [ ] SLAPI             With Netscape SLAPI plugin API           â”‚ â”‚  
                                               â”‚ â”‚ [X] TCP_WRAPPERS      With tcp wrapper support                 â”‚ â”‚  
                                               â”œâ”€â””â”€â”€â”€â”€â”€v(+)â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”˜â”€â”¤  
                                               â”‚                       [  OK  ]       Cancel                        â”‚  
                                               â””â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”˜

All it takes to get this to work again is to comment out the lines relating to TLS in my slapd.conf

Code:

## Added logging parameters

loglevel        296
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

## TLS options for slapd
#TLSCipherSuite   HIGH
#TLSCertificateFile  /etc/local/slapd-cert.pem
#TLSCertificateKeyFile /etc/local/slapd-key.pem

As you can see:

Code:

[root@LBSD2:/usr/local/etc/openldap]#/usr/local/etc/rc.d/slapd start 
Starting slapd.
[root@LBSD2:/usr/local/etc/openldap]#/usr/local/etc/rc.d/slapd status
slapd is running as pid 13617.

OpenLDAP is perfectly happy as long as TLS encryption is not enabled.

Does anyone have any experience and insight to offer in getting this to work?

Thanks!

aragon · Sep 13, 2010

Code:

cd /etc/local && chgrp slapd slapd*.pem && chmod g+r slapd*.pem

bluethundr · Sep 14, 2010

TLS slapd still not starting

Hi and thanks for your input.

Well I tried to add those files to the slapd group, however I found that the group didn't exist.

so I:

Code:

pw groupadd slapd

And then I changed the modes and added the files to the slapd group with the command that you suggested.

Now the directory looks like this:

Code:

[root@LBSD2:/etc/local]#ls -lah
total 20
drwxr-xr-x   2 root  wheel   512B Sep 13 04:44 .
drwxr-xr-x  21 root  wheel   2.5K Sep 14 01:21 ..
-rw-r-----   1 root  slapd   1.3K Sep 13 04:44 slapd-cert.pem
-rw-r-----   1 root  slapd   887B Sep 13 01:31 slapd-key.pem

But slapd still fails to start with TLS enabled:

Code:

[root@LBSD2:/etc/local]#/usr/local/etc/rc.d/slapd start
Starting slapd.
/usr/local/etc/rc.d/slapd: WARNING: failed to start slapd

x(

With the TLS options commented out like before, slapd starts:

Code:

## TLS options for slapd
#TLSCipherSuite   HIGH
#TLSCertificateFile  /etc/local/slapd-cert.pem
#TLSCertificateKeyFile /etc/local/slapd-key.pem

## Misc Security Settings
"slapd.conf" 84 lines, 2822 characters written
[root@LBSD2:/usr/local/etc/openldap]#/usr/local/etc/rc.d/slapd start
Starting slapd.

Again, I appreciate the suggestion, but I am afraid that TLS is still not happening.

aragon · Sep 14, 2010

bluethundr said:
Well I tried to add those files to the slapd group, however I found that the group didn't exist.

The OpenLDAP port is supposed to create that and the slapd user when you install it. Better check why that's not the case, and check what user openldap is running as...

trouble integrating TLS in OpenLDAP

bluethundr

aragon

bluethundr

aragon