I've had a bear of a time getting OpenLDAP configured for SSL/TLS. I made a couple of discoveries today that I want to note.
(Note: this is not an OpenLDAP/TLS HowTo. If you are just starting, please read the OpenLDAP.org docs on configuring TLS.)
I was receiving one main error:
no shared cipher
I couldn't figure out whether slapd was configured properly. So first I tested the certs using OpenSSL.
I ran this in one shell to set up a listener: openssl s_server -CAfile /var/data/ca/cacert.pem -cert /var/data/ca/newcerts/ldap1cert.pem -key /etc/openldap/ldap1keyclear.txt -accept 99 -cipher DHE-RSA-AES256-SHA
and this in another to connect to the listener: openssl s_client -host uslack2.gmartin.org -port 99 -cipher DHE-RSA-AES256-SHA -ssl3 (or -tls1). (Note: these commands use your cert files to set up a server and client to exchange data over SSL or TLS.)
For me, the connection was established and data was exchanged, proving the certs and CA were correct.
Next I ran slapd with -d 255 to enable debugging. What I found was that I was using incorrect directives for the TLS options.
I was using:
TLS_CACertificateFile TLS_CertificateFile TLSCertificateKeyFile
when slapd.conf wants:
TLSCACertificateFile TLSCertificateFile TLSCertificateKeyFile
It looks as though I confused ldap.conf and slapd.conf directives. Why are they different, one wonders?
However, I was still receiving the "no shared cipher" error. I was using these as test tools:
To test for SSL on port 636: ldapsearch -H ldaps://uslack2.gmartin.org -vvv cn=gmartin -D cn=Manager,dc=gmartin,dc=org -w password -x
To test for TLS on port 389: ldapsearch -H ldap://uslack2.gmartin.org -vvv cn=gmartin -D cn=Manager,dc=gmartin,dc=org -w password -x -ZZ
I had the following in slapd.conf and ldap.conf (which I cut and pasted from 'openssl ciphers'):
I replaced it with the following to fix the issue:
It's still not clear to me what the syntax should be; the OpenLDAP docs are poor here IMO. Trying to translate the output of 'openssl ciphers -v' into what's mentioned in the man page doesn't help me much. Perhaps I'm dense.
So I posted a couple of questions to the openldap mailing list that don't need answers:
- would there be value in making the slapd.conf and ldap.conf TLS directives align?
- Should slaptest report the bad TLS directives?
And one more. In the man page for slapd, there is this explanation for the -h option:
slapd will by default serve ldap:/// (LDAP over TCP on all interfaces on default LDAP port). That is, it will bind using INADDR_ANY and port 389. The -h option may be used to specify LDAP (and other scheme) URLs to serve. For example, if slapd is given -h "ldap://127.0.0.1:9009/ ldaps:/// ldapi:///", it will listen on 127.0.0.1:9009 for LDAP, 0.0.0.0:636 for LDAP over TLS,
The last part seems inexact. It says -h ldaps:/// will cause slapd to listen on port 636 for LDAP over TLS. Should that say something like:
"will cause slapd to listen for LDAP over SSL on port 636 and for start_tls on port 389. With properly configured TLS directives, specifying '-h ldap:///' will make available TLS over port 389"
And for posterity, here are the TLS directives from my conf files:
slapd.conf:
TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP
TLSCACertificateFile /var/data/ca/cacert.pem
TLSCertificateFile /var/data/ca/newcerts/ldap1cert.pem
TLSCertificateKeyFile /etc/openldap/ldap1keyclear.txt
TLSVerifyClient never

ldap.conf:
TLS_CACERT /var/data/ca/cacert.pem
TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP
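The cipher-list half of the "no shared cipher" problem, both the mismatch described above and the TLSCipherSuite value recorded for posterity, can be checked offline without starting slapd or an openssl listener. The following is an added example, not code from the original post or from the OpenLDAP project: it uses Python's standard ssl module, which hands the string to the same OpenSSL cipher-string parser an OpenSSL-built slapd passes TLSCipherSuite to, to expand a cipher string into the concrete suites it selects and intersect that with what a client offers. An empty intersection is exactly the condition OpenSSL reports as "no shared cipher". The slapd.conf string and the DHE-RSA-AES256-SHA cipher are taken from the post; the function names are my own. Two caveats on the directives listed above: ldap.conf(5) spells the client-side directive TLS_CIPHER_SUITE, not TLSCipherSuite, and the cipher string itself (the old Apache default) also admits LOW and EXP suites that a current deployment would exclude, since "+" only moves matching suites to the end of the list rather than removing them.

```python
"""Offline check for the 'no shared cipher' failure.

Added example, not the post's own tooling. Python's stdlib ssl module wraps
OpenSSL's cipher-string parser, so a TLSCipherSuite value from slapd.conf
can be expanded into the suites it selects and intersected with the cipher
list a client actually offers, without bringing up slapd or a listener.
"""
import ssl

# Cipher string copied from the post's slapd.conf (TLSCipherSuite).
SLAPD_CIPHER_SUITE = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP"
# The single cipher the post forced in its openssl s_client test.
CLIENT_CIPHER = "DHE-RSA-AES256-SHA"


def expand(cipher_string: str) -> list[str]:
    """Return the suite names an OpenSSL cipher string selects, in preference order.

    TLS 1.3 suites are dropped: OpenSSL configures them through a separate
    list, so they are not what a TLSCipherSuite-style string controls.
    A string that selects nothing makes OpenSSL raise an error; that is the
    degenerate case behind 'no shared cipher', so it is reported as [].
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def shared_ciphers(server_string: str, client_string: str) -> list[str]:
    """Suites both sides accept, kept in the server's preference order.

    An empty result is what OpenSSL logs as 'no shared cipher' at handshake.
    """
    offered = set(expand(client_string))
    return [name for name in expand(server_string) if name in offered]


def diagnose(server_string: str, client_string: str) -> str:
    """One-line verdict suitable for a pre-deployment check script."""
    common = shared_ciphers(server_string, client_string)
    if not common:
        return "no shared cipher: server and client cipher lists do not intersect"
    return "shared: " + ", ".join(common)


if __name__ == "__main__":
    # Make the effect of the post's TLSCipherSuite directive visible.
    selected = expand(SLAPD_CIPHER_SUITE)
    print(f"{len(selected)} suites selected by {SLAPD_CIPHER_SUITE!r}")
    print("first few in preference order:", ", ".join(selected[:5]))
    # The post's working combination: that string on the server,
    # DHE-RSA-AES256-SHA forced on the client.
    print(diagnose(SLAPD_CIPHER_SUITE, CLIENT_CIPHER))
    # A deliberately disjoint pair (constructed here) reproduces the failure.
    print(diagnose("ECDHE-RSA-AES128-GCM-SHA256", "AES128-GCM-SHA256"))
```

Run it with python3; the last line of output is the disjoint case and reads "no shared cipher", which is the same verdict slapd's debug output gave in the post. The check reflects the cipher-string semantics of whatever OpenSSL the local Python is linked against, so a suite such as DHE-RSA-AES256-SHA may be absent on a build that has removed it; the intersection logic itself does not depend on any particular suite being present.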