I've had a bear of a time getting OpenLDAP to configure for SSL/TLS. I made a couple of discoveries today that I want to note.
(Note: this is not an OpenLDAP/TLS HowTo. If you are just starting, please read the OpenLDAP.org docs on configuring TLS.)
I was receiving one main error:
no shared cipher
I couldn't figure out whether slapd was configured properly. So first I tested the certs using OpenSSL
--
I ran this in one shell to set up a listener:
openssl s_server \
    -CAfile /var/data/ca/cacert.pem \
    -cert /var/data/ca/newcerts/ldap1cert.pem \
    -key /etc/openldap/ldap1keyclear.txt -accept 99 \
    -cipher DHE-RSA-AES256-SHA
and this in another to connect to the listener:
openssl s_client \
    -host uslack2.gmartin.org \
    -port 99 \
    -cipher DHE-RSA-AES256-SHA \
    -ssl3
(or -tls1 in place of -ssl3)
(Note: these commands use your cert files to set up a server and a client that exchange data over SSL or TLS.)
For me, the connection was established and data was exchanged, thereby proving the certs & CA were correct.
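The s_server/s_client pair above answers "are the certs usable at all"; the next question when chasing "no shared cipher" is which ciphers a running listener will actually accept. Below is an added example (my own script, not part of the original post) that probes a listener with openssl s_client one cipher at a time and classifies each transcript as a completed handshake or a failure. The host names, ports, function names and the two sample transcripts are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: probe a listener with
# openssl s_client one cipher at a time and classify each handshake.
# Host names, ports and the sample transcripts below are constructed.

# Attempt one handshake and print the raw s_client transcript.
# Usage: probe_cipher HOST PORT CIPHER [extra s_client options]
probe_cipher() {
    host=$1; port=$2; cipher=$3; shift 3
    # </dev/null ends the session right after the handshake; 2>&1 keeps the
    # alert text (e.g. "alert handshake failure") that explains a failure.
    openssl s_client -connect "$host:$port" -cipher "$cipher" "$@" </dev/null 2>&1
}

# Read an s_client transcript on stdin and print one line:
#   "ok <negotiated cipher>"  or  "fail <reason>"
handshake_result() {
    transcript=$(cat)
    negotiated=$(printf '%s\n' "$transcript" | sed -n 's/^New, .*Cipher is //p' | head -n 1)
    case $negotiated in
        ''|'(NONE)')
            reason=$(printf '%s\n' "$transcript" |
                grep -E -o 'alert [a-z ]+|no shared cipher|Connection refused' | head -n 1)
            printf 'fail %s\n' "${reason:-handshake did not complete}"
            ;;
        *)
            printf 'ok %s\n' "$negotiated"
            ;;
    esac
}

# Extract the chain-verification result ("0 (ok)" when the CA file checks out).
verify_result() {
    sed -n 's/^ *Verify return code: //p' | head -n 1
}

# Try every cipher in the list against one listener, one line per cipher.
# Usage: probe_all HOST PORT CIPHER...
probe_all() {
    host=$1; port=$2; shift 2
    for c in "$@"; do
        printf '%-28s %s\n' "$c" "$(probe_cipher "$host" "$port" "$c" | handshake_result)"
    done
}

# Constructed, abridged transcripts of what s_client prints on success and on
# the "no shared cipher" failure (that message is the server's; the client
# only sees a handshake-failure alert).
SAMPLE_OK='CONNECTED(00000003)
depth=1 CN = Example CA
verify return:1
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
    Verify return code: 0 (ok)'
SAMPLE_FAIL='CONNECTED(00000003)
SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:SSL alert number 40
---
New, (NONE), Cipher is (NONE)
    Verify return code: 0 (ok)'

# Offline demonstration on the constructed transcripts.
printf '%s\n' "$SAMPLE_OK"   | handshake_result    # ok DHE-RSA-AES256-SHA
printf '%s\n' "$SAMPLE_FAIL" | handshake_result    # fail alert handshake failure
printf '%s\n' "$SAMPLE_OK"   | verify_result       # 0 (ok)

# Live probe, only when invoked with arguments, e.g.
#   sh probe.sh ldap1.example.org 636 DHE-RSA-AES256-SHA AES128-SHA
if [ $# -ge 3 ]; then
    probe_all "$@"
fi
```

For the StartTLS path on port 389, pass `-starttls ldap` as an extra option (OpenSSL 1.1.1 or later); for the ldaps port no extra option is needed. The `-cipher` list governs TLS 1.2 and earlier suites only; TLS 1.3 suites are selected with `-ciphersuites`, so a server that only offers TLS 1.3 will report every probe in this loop as a failure.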
--
Next I ran slapd with -d 255 to enable debugging. What I found was that I was using incorrect directive names for the TLS options.
I was using:
TLS_CACertificateFile
TLS_CertificateFile
TLSCertificateKeyFile
not:
TLSCACertificateFile
TLSCertificateFile
TLSCertificateKeyFile
Looks as though I confused ldap.conf and slapd.conf directives. Why are they different, one wonders?
---
However, I was still receiving the "no shared cipher" error. I was using this as a test tool:
To test for SSL on port 636:
ldapsearch -H ldaps://uslack2.gmartin.org \
    -vvv cn=gmartin -D cn=Manager,dc=gmartin,dc=org \
    -w password -x
To test for TLS on port 389:
ldapsearch -H ldap://uslack2.gmartin.org \
    -vvv cn=gmartin -D cn=Manager,dc=gmartin,dc=org \
    -w password -x -ZZ
I had the following in slapd.conf and ldap.conf:
TLSCipherSuite DHE-RSA-AES256-SHA
(which I cut and pasted from 'openssl ciphers')
I replaced it with the following to fix the issue:
TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
It's still not clear to me what the syntax should be - the OpenLDAP docs are poor here IMO. Trying to translate the openssl -v ciphers into what's mentioned in the manpage doesn't help me much. Perhaps I'm dense.
---
So I posted a couple of questions to the openldap mailing list that don't need answers:
- would there be value in making the slapd.conf and ldap.conf TLS directives align?
- Should slaptest report the bad TLS directives?
And one more. In the man page for slapd, there is this explanation for the -h option:
slapd will by default serve ldap:/// (LDAP over TCP on all interfaces on default
LDAP port). That is, it will bind using INADDR_ANY and port 389. The -h option
may be used to specify LDAP (and other scheme) URLs to serve. For
example, if slapd is given -h "ldap://127.0.0.1:9009/ ldaps:/// ldapi:///",
it will listen on 127.0.0.1:9009 for LDAP, 0.0.0.0:636 for LDAP over TLS,
The last part seems inexact. It says -h ldaps:/// will cause slapd to listen on port 636 for LDAP over TLS. Should that say something like:
"will cause slapd to listen for LDAP over SSL on port 636 and for start_tls on port 389. With properly configured TLS directives, specifying '-h ldap:///' will make available TLS over port 389"
-------
And for posterity, here are the TLS directives from my conf files:
slapd.conf
TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP
TLSCACertificateFile /var/data/ca/cacert.pem
TLSCertificateFile /var/data/ca/newcerts/ldap1cert.pem
TLSCertificateKeyFile /etc/openldap/ldap1keyclear.txt
TLSVerifyClient never
ldap.conf
TLS_CACERT /var/data/ca/cacert.pem
TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP
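Two of the problems above (slapd.conf and ldap.conf spelling the same setting differently, and slaptest not reporting the wrong name) are easy to catch with a small lint before restarting slapd. The script below is an added example of my own, not from the post or from the OpenLDAP project. It also decodes the cipher-list syntax the post found unclear, following ciphers(1): elements are separated by ":", "!" removes suites permanently, "-" removes them until re-added, "+" only moves the matching suites to the end of the list while keeping them enabled, and "a+b" means suites matching both a and b. So in ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP, "ALL" enables everything and the "+" entries merely reorder, which leaves LOW and EXP suites on offer. The function and variable names are mine, the weak-keyword list is my selection, and the sample config text is constructed from the directives shown in the post.

```shell
#!/bin/sh
# Added example, not from the original post: a lint for the TLS settings in
# slapd.conf and ldap.conf. It catches directive names from the wrong file,
# cipher lists that keep weak suites enabled, and unreadable certificate
# paths. Sample config text is constructed from the post's directives.

# slapd.conf spells the directives TLSCACertificateFile, TLSCertificateFile,
# TLSCertificateKeyFile, TLSCipherSuite...; ldap.conf spells them TLS_CACERT,
# TLS_CERT, TLS_KEY, TLS_CIPHER_SUITE... Print "BAD-DIRECTIVE <name>" for each
# directive that belongs to the other file.
# Usage: check_directives slapd|ldap < conffile
check_directives() {
    awk -v kind="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments, blank lines
        { name = $1; lname = tolower(name) }
        kind == "slapd" && lname ~ /^tls_/     { print "BAD-DIRECTIVE " name }
        kind == "ldap"  && lname ~ /^tls[a-z]/ { print "BAD-DIRECTIVE " name }
    '
}

# Print "MISSING <path>" for every file-valued directive whose file is not
# readable by the user running the lint. Usage: check_paths < conffile
check_paths() {
    while read -r name value _; do
        case $name in
            TLSCACertificateFile|TLSCertificateFile|TLSCertificateKeyFile|TLS_CACERT|TLS_CERT|TLS_KEY)
                [ -r "$value" ] || printf 'MISSING %s\n' "$value" ;;
        esac
    done
}

# Cipher-list syntax per ciphers(1): ":" separates elements, "!" removes
# permanently, "-" removes until re-added, "+" only reorders (suites stay
# enabled), "a+b" means suites matching both. Print "WEAK <element>" for
# each element that keeps a weak or obsolete group enabled.
# Usage: check_cipher_suite 'ALL:!ADH:...'
check_cipher_suite() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r elem; do
        case $elem in
            '!'*|'-'*) continue ;;        # removals cannot enable anything
            '+'*) elem=${elem#+} ;;       # reordering keeps the suites enabled
        esac
        for part in $(printf '%s\n' "$elem" | tr '+' ' '); do
            case $part in
                LOW|EXP|EXPORT|EXPORT40|EXPORT56|SSLv2|SSLv3|RC4|DES|MD5|NULL|eNULL|aNULL|ADH)
                    printf 'WEAK %s\n' "$elem"; break ;;
            esac
        done
    done
}

# Run every check on one file; print the findings and return 1 if any.
# Usage: lint_file slapd|ldap /path/to/conf
lint_file() {
    findings=$( {
        check_directives "$1" < "$2"
        check_paths < "$2"
        awk 'tolower($1) == "tlsciphersuite" || $1 == "TLS_CIPHER_SUITE" { print $2 }' "$2" |
            while IFS= read -r suite; do check_cipher_suite "$suite"; done
    } )
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed samples: the slapd.conf with the misspelled CA directive from
# the post, and an ldap.conf carrying a slapd.conf-style directive.
SLAPD_SAMPLE='# constructed slapd.conf fragment
TLS_CACertificateFile /var/data/ca/cacert.pem
TLSCertificateFile /var/data/ca/newcerts/ldap1cert.pem
TLSCertificateKeyFile /etc/openldap/ldap1keyclear.txt
TLSVerifyClient never'
LDAP_SAMPLE='TLS_CACERT /var/data/ca/cacert.pem
TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP'

printf '%s\n' "$SLAPD_SAMPLE" | check_directives slapd   # BAD-DIRECTIVE TLS_CACertificateFile
printf '%s\n' "$LDAP_SAMPLE"  | check_directives ldap    # BAD-DIRECTIVE TLSCipherSuite
check_cipher_suite 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP'   # WEAK RC4+RSA, LOW, SSLv3, EXP

# Lint real files:  sh lint.sh slapd /etc/openldap/slapd.conf
if [ $# -eq 2 ]; then
    lint_file "$1" "$2"
fi
```

Run it against both files before a restart; an empty result and exit status 0 mean the names, paths and cipher list passed. The weak-keyword list is deliberately conservative (anything LOW, EXP, RC4, single DES, MD5, NULL or anonymous), so a list built from HIGH plus explicit "!" exclusions produces no WEAK lines.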