Greg's Tech blog

OpenLDAP & SSL/TLS

Friday 09 of March, 2007

I've had a bear of a time getting OpenLDAP configured for SSL/TLS. I made a couple of discoveries today that I want to note.
(Note: this is not an OpenLDAP/TLS HowTo. If you are just starting, please read the OpenLDAP.org docs on configuring TLS.)

I was receiving one main error:

no shared cipher

I couldn't figure out whether slapd was configured properly, so first I tested the certs using OpenSSL.
--

I ran this in one shell to set up a listener:
openssl s_server \
    -CAfile /var/data/ca/cacert.pem \
    -cert /var/data/ca/newcerts/ldap1cert.pem \
    -key /etc/openldap/ldap1keyclear.txt -accept 99 \
    -cipher DHE-RSA-AES256-SHA
and this in another to connect to the listener:
openssl s_client \
    -host uslack2.gmartin.org \
    -port 99 \
    -cipher DHE-RSA-AES256-SHA \
    -ssl3        # or -tls1
(note: these commands use your cert files to set up a server and a client that exchange data over SSL or TLS.)

For me, the connection was established and data was exchanged, thereby proving the certs & CA were correct.
--
Next I ran slapd with -d 255 to enable debugging. What I found was that I was using incorrect directive names for the TLS options.

I was using:

TLS_CACertificateFile
TLS_CertificateFile
TLSCertificateKeyFile

not:

TLSCACertificateFile
TLSCertificateFile
TLSCertificateKeyFile

Looks as though I confused ldap.conf and slapd.conf directives. Why are they different, one wonders?
---

However, I was still receiving the "no shared cipher" error. I was using this as a test tool (-w puts the password in the process list; -W prompts for it instead):

To test LDAP over SSL (ldaps) on port 636:
ldapsearch -H ldaps://uslack2.gmartin.org \
    -vvv cn=gmartin -D cn=Manager,dc=gmartin,dc=org \
    -w password -x
To test StartTLS on port 389 (-ZZ requires the StartTLS operation to succeed):
ldapsearch -H ldap://uslack2.gmartin.org \
    -vvv cn=gmartin -D cn=Manager,dc=gmartin,dc=org \
    -w password -x -ZZ


I had the following in slapd.conf and ldap.conf:

TLSCipherSuite DHE-RSA-AES256-SHA

(which I cut and pasted from 'openssl ciphers')

I replaced it with the following to fix the issue:

TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP


It's still not clear to me what the syntax should be - the OpenLDAP docs are poor here IMO. Trying to translate the output of 'openssl ciphers -v' into what's mentioned in the manpage doesn't help me much. Perhaps I'm dense.
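Since the sticking point is what a TLSCipherSuite string actually admits, here is an added example (mine, not code from the original post or from OpenLDAP) that uses Python's standard-library ssl module, which calls the same OpenSSL cipher-string parser that slapd hands its TLSCipherSuite value to. It expands the three strings from the post, flags legacy suites by name, and shows how a one-cipher server string ends in "no shared cipher" against a client that does not offer that cipher. The MODERN string, the WEAK_MARKERS list and the function names are my assumptions, not from the page; the concrete suites you see depend on the OpenSSL build Python links against, and modern builds no longer contain RC4, EXP or SSLv2 suites at all, so those tokens are silently ignored. From a shell, `openssl ciphers -v 'STRING'` gives the same expansion.

```python
"""Expand OpenSSL cipher-suite strings the way slapd's TLSCipherSuite does.

Added example for this post, not code from OpenLDAP or from the original page.
Only the stdlib ssl module is used; it wraps OpenSSL's own cipher-string parser.
"""
import ssl

# The cipher strings discussed in the post, plus a modern alternative
# (MODERN is my suggestion, not a value from the original page).
SINGLE_CIPHER = "DHE-RSA-AES256-SHA"
OLD_DEFAULT = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
MODERN = "HIGH:!aNULL:!MD5:!RC4:!3DES"

# Name fragments that mark legacy or broken suites a reviewer would reject
# (assumed list, not from the page).
WEAK_MARKERS = ("RC4", "EXP", "NULL", "MD5", "DES")


def expand(cipher_string):
    """Return the suites a cipher string admits, in OpenSSL preference order.

    Each entry is (name, protocol, strength_bits).  OpenSSL ignores tokens it
    does not know (e.g. +SSLv2 or +EXP on a build without those suites), just
    as it would when slapd loads slapd.conf; a string that matches no TLS<=1.2
    suite at all makes set_ciphers raise SSLError, mapped here to [].
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [(c["name"], c["protocol"], c["strength_bits"])
            for c in ctx.get_ciphers()]


def tls12_names(suites):
    """Drop TLS 1.3 suites: OpenSSL always appends them and they are configured
    separately, so they are irrelevant to a TLSCipherSuite string."""
    return [name for name, proto, _ in suites if proto != "TLSv1.3"]


def weak_members(suites):
    """Names in an expansion that match one of WEAK_MARKERS."""
    return [name for name, _, _ in suites
            if any(marker in name for marker in WEAK_MARKERS)]


def negotiate(server_string, client_string):
    """Model the cipher choice of a TLS<=1.2 handshake: the first suite in the
    server's list that the client also offers (server preference, i.e. what
    SSL_OP_CIPHER_SERVER_PREFERENCE gives; with client preference the order
    differs but the candidate set is the same).  None means no common suite,
    which is exactly the condition behind OpenSSL's 'no shared cipher' alert."""
    offered = set(tls12_names(expand(client_string)))
    for name in tls12_names(expand(server_string)):
        if name in offered:
            return name
    return None


if __name__ == "__main__":
    for label, spec in (("single cipher", SINGLE_CIPHER),
                        ("old default", OLD_DEFAULT),
                        ("modern", MODERN)):
        suites = expand(spec)
        print(f"{label:14s} {len(tls12_names(suites)):3d} TLS<=1.2 suites, "
              f"weak: {weak_members(suites)}")
    # A client that only offers RSA key exchange against the DHE-only server
    # from the post gets no shared cipher:
    print("AES128-GCM-SHA256 client vs DHE-only server ->",
          negotiate(SINGLE_CIPHER, "AES128-GCM-SHA256"))
    print("AES128-GCM-SHA256 client vs ALL:!aNULL server ->",
          negotiate("ALL:!aNULL", "AES128-GCM-SHA256"))
```

Run it with different strings to see why a single cipher name is a fragile TLSCipherSuite value: any client that cannot offer that one suite (or a server that cannot complete DHE) fails the handshake, whereas a list such as HIGH:!aNULL:!MD5:!RC4:!3DES keeps the choice broad without readmitting the export and LOW suites the old default string allows.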

---
So I posted a couple of questions to the openldap mailing list that don't need answers:
- would there be value in making the slapd.conf and ldap.conf TLS directives align?
- Should slaptest report the bad TLS directives?

And one more. In the man page for slapd, there is this explanation for the -h option:

slapd will by default serve ldap:/// (LDAP over TCP on all interfaces on default LDAP port). That is, it will bind using INADDR_ANY and port 389. The -h option may be used to specify LDAP (and other scheme) URLs to serve. For example, if slapd is given -h "ldap://127.0.0.1:9009/ ldaps:/// ldapi:///", it will listen on 127.0.0.1:9009 for LDAP, 0.0.0.0:636 for LDAP over TLS,

The last part seems inexact. It says -h ldaps:/// will cause slapd to listen on port 636 for LDAP over TLS. Should that say something like:

"will cause slapd to listen for LDAP over SSL on port 636 and for start_tls on port 389. With properly configured TLS directives, specifying '-h ldap:///' will make available TLS over port 389"
-------
And for posterity, here are the TLS directives from my conf files:

slapd.conf
# OpenSSL's old default list; note that it admits LOW and export-grade suites
# and was used here only to get past "no shared cipher"
TLSCipherSuite  ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP
TLSCACertificateFile /var/data/ca/cacert.pem
TLSCertificateFile /var/data/ca/newcerts/ldap1cert.pem
TLSCertificateKeyFile /etc/openldap/ldap1keyclear.txt
TLSVerifyClient never

ldap.conf
TLS_CACERT /var/data/ca/cacert.pem
# ldap.conf spells this directive TLS_CIPHER_SUITE; TLSCipherSuite is the slapd.conf name
TLS_CIPHER_SUITE ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP