I have the following problem and have googled for weeks now. Because I really have no clue where the problem is, I'm asking my question here in the hope of finding some LDAP or SSL genius :)
I have a working OpenLDAP server with a standalone client machine (both running Linux Ubuntu 16.04.5). The connection works fine. Now I'd like to secure the connection using ldaps.
First I've changed the SLAPD_SERVICES in
/etc/default/slapd
from ldap:/// ldapi:///
to ldap:/// ldaps:/// ldapi:///
Then I've created my own CA with a self-signed certificate and an ldap-server key, csr and crt (signed by the CA I've built).
I've added my own ca.crt to the trusted certs by copying it to
/usr/local/share/ca-certificates/
and executing this command:
sudo update-ca-certificates
I've copied the ca.crt, the ldap.key and the ldap.crt to /etc/ldap/ssl/files
and made them owned by openldap
(chown & chgrp)
After I had done this, I followed the tutorial (https://www.server-world.info/en/note?os=Debian_9&p=openldap&f=4) to create a mod_ssl.ldif
#mod_ssl.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/ssl/files/ca.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/files/ldap.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/files/ldap.key
#
After creating the ldif I wanted to add it to my config using this command
ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_ssl.ldif
The output of this command is:
root@ldap-server:/etc/ldap/schema# ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_ssl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_result: Can't contact LDAP server (-1)
After this command my slapd was dead.
(--> Checked open ports before executing this command with netstat -tulpan
and after executing.)
Restarted slapd with /etc/init.d/slapd restart
I enabled logging of slapd with loglevel -1
As far as I understand, the logs are totally clean and show no issues.
tail -f /var/log/syslog
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: activity on 1 descriptor
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: activity on:
Oct 19 08:59:17 ldap-server slapd[1464]:
Oct 19 08:59:17 ldap-server slapd[1464]: slap_listener_activate(11):
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=11 busy
Oct 19 08:59:17 ldap-server slapd[1464]: >>> slap_listener(ldapi:///)
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: listen=11, new connection on 16
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: activity on 1 descriptor
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: activity on:
Oct 19 08:59:17 ldap-server slapd[1464]:
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: added 16r (active) listener=(nil)
Oct 19 08:59:17 ldap-server slapd[1464]: conn=1001 fd=16 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: activity on 2 descriptors
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: activity on:
Oct 19 08:59:17 ldap-server slapd[1464]: 16r
Oct 19 08:59:17 ldap-server slapd[1464]:
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: read active on 16
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Oct 19 08:59:17 ldap-server slapd[1464]: connection_get(16)
Oct 19 08:59:17 ldap-server slapd[1464]: connection_get(16): got connid=1001
Oct 19 08:59:17 ldap-server slapd[1464]: connection_read(16): checking for input on id=1001
Oct 19 08:59:17 ldap-server slapd[1464]: op tag 0x60, time 1539932357
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: activity on 1 descriptor
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: activity on:
Oct 19 08:59:17 ldap-server slapd[1464]:
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Oct 19 08:59:17 ldap-server slapd[1464]: conn=1001 op=0 do_bind
Oct 19 08:59:17 ldap-server slapd[1464]: >>> dnPrettyNormal: <>
Oct 19 08:59:17 ldap-server slapd[1464]: <<< dnPrettyNormal: <>, <>
Oct 19 08:59:17 ldap-server slapd[1464]: conn=1001 op=0 BIND dn="" method=163
Oct 19 08:59:17 ldap-server slapd[1464]: do_bind: dn () SASL mech EXTERNAL
Oct 19 08:59:17 ldap-server slapd[1464]: ==> sasl_bind: dn="" mech=EXTERNAL datalen=0
Oct 19 08:59:17 ldap-server slapd[1464]: SASL Canonicalize [conn=1001]: authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
Oct 19 08:59:17 ldap-server slapd[1464]: slap_sasl_getdn: conn 1001 id=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth [len=55]
Oct 19 08:59:17 ldap-server slapd[1464]: ==>slap_sasl2dn: converting SASL name gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth to a DN
Oct 19 08:59:17 ldap-server slapd[1464]: <==slap_sasl2dn: Converted SASL name to <nothing>
Oct 19 08:59:17 ldap-server slapd[1464]: SASL Canonicalize [conn=1001]: slapAuthcDN="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
Oct 19 08:59:17 ldap-server slapd[1464]: SASL proxy authorize [conn=1001]: authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
Oct 19 08:59:17 ldap-server slapd[1464]: conn=1001 op=0 BIND authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
Oct 19 08:59:17 ldap-server slapd[1464]: SASL Authorize [conn=1001]: proxy authorization allowed authzDN=""
Oct 19 08:59:17 ldap-server slapd[1464]: send_ldap_sasl: err=0 len=-1
Oct 19 08:59:17 ldap-server slapd[1464]: conn=1001 op=0 BIND dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71
Oct 19 08:59:17 ldap-server slapd[1464]: do_bind: SASL/EXTERNAL bind: dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" sasl_ssf=0
Oct 19 08:59:17 ldap-server slapd[1464]: send_ldap_response: msgid=1 tag=97 err=0
Oct 19 08:59:17 ldap-server kernel: [ 1801.480222] slapd[1468]: segfault at 35 ip 00007f1093e55360 sp 00007f104bffc268 error 4 in libgmp.so.10.3.0[7f1093e41000+7f000]
Oct 19 08:59:17 ldap-server slapd[1464]: conn=1001 op=0 RESULT tag=97 err=0 text=
Oct 19 08:59:17 ldap-server slapd[1464]: <== slap_sasl_bind: rc=0
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: activity on 1 descriptor
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: activity on:
Oct 19 08:59:17 ldap-server slapd[1464]: 16r
Oct 19 08:59:17 ldap-server slapd[1464]:
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: read active on 16
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Oct 19 08:59:17 ldap-server slapd[1464]: connection_get(16)
Oct 19 08:59:17 ldap-server slapd[1464]: connection_get(16): got connid=1001
Oct 19 08:59:17 ldap-server slapd[1464]: connection_read(16): checking for input on id=1001
Oct 19 08:59:17 ldap-server slapd[1464]: op tag 0x66, time 1539932357
Oct 19 08:59:17 ldap-server slapd[1464]: conn=1001 op=1 do_modify
Oct 19 08:59:17 ldap-server slapd[1464]: conn=1001 op=1 do_modify: dn (cn=config)
Oct 19 08:59:17 ldap-server slapd[1464]: >>> dnPrettyNormal: <cn=config>
Oct 19 08:59:17 ldap-server slapd[1464]: <<< dnPrettyNormal: <cn=config>, <cn=config>
Oct 19 08:59:17 ldap-server slapd[1464]: conn=1001 op=1 modifications:
Oct 19 08:59:17 ldap-server slapd[1464]: #011add: olcTLSCACertificateFile
Oct 19 08:59:17 ldap-server slapd[1464]: #011#011one value, length 33
Oct 19 08:59:17 ldap-server slapd[1464]: #011replace: olcTLSCertificateFile
Oct 19 08:59:17 ldap-server slapd[1464]: #011#011one value, length 35
Oct 19 08:59:17 ldap-server slapd[1464]: #011replace: olcTLSCertificateKeyFile
Oct 19 08:59:17 ldap-server slapd[1464]: #011#011one value, length 35
Oct 19 08:59:17 ldap-server slapd[1464]: conn=1001 op=1 MOD dn="cn=config"
Oct 19 08:59:17 ldap-server slapd[1464]: conn=1001 op=1 MOD attr=olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile
Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: result not in cache (olcTLSCACertificateFile)
Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: add access to "cn=config" "olcTLSCACertificateFile" requested
Oct 19 08:59:17 ldap-server slapd[1464]: => acl_get: [1] attr olcTLSCACertificateFile
Oct 19 08:59:17 ldap-server slapd[1464]: => acl_mask: access to entry "cn=config", attr "olcTLSCACertificateFile" requested
Oct 19 08:59:17 ldap-server slapd[1464]: => acl_mask: to value by "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0)
Oct 19 08:59:17 ldap-server slapd[1464]: <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
Oct 19 08:59:17 ldap-server slapd[1464]: <= acl_mask: [1] applying manage(=mwrscxd) (stop)
Oct 19 08:59:17 ldap-server slapd[1464]: <= acl_mask: [1] mask: manage(=mwrscxd)
Oct 19 08:59:17 ldap-server slapd[1464]: => slap_access_allowed: add access granted by manage(=mwrscxd)
Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: add access granted by manage(=mwrscxd)
Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: result not in cache (olcTLSCertificateFile)
Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: delete access to "cn=config" "olcTLSCertificateFile" requested
Oct 19 08:59:17 ldap-server slapd[1464]: => acl_get: [1] attr olcTLSCertificateFile
Oct 19 08:59:17 ldap-server slapd[1464]: => acl_mask: access to entry "cn=config", attr "olcTLSCertificateFile" requested
Oct 19 08:59:17 ldap-server slapd[1464]: => acl_mask: to all values by "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0)
Oct 19 08:59:17 ldap-server slapd[1464]: <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
Oct 19 08:59:17 ldap-server slapd[1464]: <= acl_mask: [1] applying manage(=mwrscxd) (stop)
Oct 19 08:59:17 ldap-server slapd[1464]: <= acl_mask: [1] mask: manage(=mwrscxd)
Oct 19 08:59:17 ldap-server slapd[1464]: => slap_access_allowed: delete access granted by manage(=mwrscxd)
Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: delete access granted by manage(=mwrscxd)
Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: result not in cache (olcTLSCertificateFile)
Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: add access to "cn=config" "olcTLSCertificateFile" requested
Oct 19 08:59:17 ldap-server slapd[1464]: => acl_get: [1] attr olcTLSCertificateFile
Oct 19 08:59:17 ldap-server slapd[1464]: => acl_mask: access to entry "cn=config", attr "olcTLSCertificateFile" requested
Oct 19 08:59:17 ldap-server slapd[1464]: => acl_mask: to value by "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0)
Oct 19 08:59:17 ldap-server slapd[1464]: <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
Oct 19 08:59:17 ldap-server slapd[1464]: <= acl_mask: [1] applying manage(=mwrscxd) (stop)
Oct 19 08:59:17 ldap-server slapd[1464]: <= acl_mask: [1] mask: manage(=mwrscxd)
Oct 19 08:59:17 ldap-server slapd[1464]: => slap_access_allowed: add access granted by manage(=mwrscxd)
Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: add access granted by manage(=mwrscxd)
Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: result not in cache (olcTLSCertificateKeyFile)
Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: delete access to "cn=config" "olcTLSCertificateKeyFile" requested
Oct 19 08:59:17 ldap-server slapd[1464]: => acl_get: [1] attr olcTLSCertificateKeyFile
Oct 19 08:59:17 ldap-server slapd[1464]: => acl_mask: access to entry "cn=config", attr "olcTLSCertificateKeyFile" requested
Oct 19 08:59:17 ldap-server slapd[1464]: => acl_mask: to all values by "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0)
Oct 19 08:59:17 ldap-server slapd[1464]: <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
Oct 19 08:59:17 ldap-server slapd[1464]: <= acl_mask: [1] applying manage(=mwrscxd) (stop)
Oct 19 08:59:17 ldap-server slapd[1464]: <= acl_mask: [1] mask: manage(=mwrscxd)
Oct 19 08:59:17 ldap-server slapd[1464]: => slap_access_allowed: delete access granted by manage(=mwrscxd)
Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: delete access granted by manage(=mwrscxd)
Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: result not in cache (olcTLSCertificateKeyFile)
Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: add access to "cn=config" "olcTLSCertificateKeyFile" requested
Oct 19 08:59:17 ldap-server slapd[1464]: => acl_get: [1] attr olcTLSCertificateKeyFile
Oct 19 08:59:17 ldap-server slapd[1464]: => acl_mask: access to entry "cn=config", attr "olcTLSCertificateKeyFile" requested
Oct 19 08:59:17 ldap-server slapd[1464]: => acl_mask: to value by "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0)
Oct 19 08:59:17 ldap-server slapd[1464]: <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
Oct 19 08:59:17 ldap-server slapd[1464]: <= acl_mask: [1] applying manage(=mwrscxd) (stop)
Oct 19 08:59:17 ldap-server slapd[1464]: <= acl_mask: [1] mask: manage(=mwrscxd)
Oct 19 08:59:17 ldap-server slapd[1464]: => slap_access_allowed: add access granted by manage(=mwrscxd)
Oct 19 08:59:17 ldap-server slapd[1464]: => access_allowed: add access granted by manage(=mwrscxd)
Oct 19 08:59:17 ldap-server slapd[1464]: slap_queue_csn: queueing 0x7f104bffc340 20181019065917.048487Z#000000#000#000000
Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_required entry (cn=config), objectClass "olcGlobal"
Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "objectClass"
Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "cn"
Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "olcArgsFile"
Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "olcLogLevel"
Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "olcPidFile"
Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "olcToolThreads"
Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "structuralObjectClass"
Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "entryUUID"
Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "creatorsName"
Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "createTimestamp"
Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "olcTLSCACertificateFile"
Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "olcTLSCertificateFile"
Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "olcTLSCertificateKeyFile"
Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "entryCSN"
Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "modifiersName"
Oct 19 08:59:17 ldap-server slapd[1464]: oc_check_allowed type "modifyTimestamp"
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: activity on 1 descriptor
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: activity on:
Oct 19 08:59:17 ldap-server slapd[1464]:
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Oct 19 08:59:17 ldap-server slapd[1464]: daemon: epoll: listen=11 active_threads=0 tvp=zero
And last but not least... Here is the output of my
netstat -tulpan
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 992/sshd
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 1535/slapd
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 1535/slapd
UPDATE: I've configured my ldap-client machine to use ldaps (before configuring ldaps everything works fine via ldap :389)
- Added the CA.crt from the ldap server and trusted it as described above
- Changed the /etc/ldap/ldap.conf and added the path to the new trusted CA.crt
- Changed the /etc/ldap.conf to use ldaps and uncommented the line ssl start_tls
- Changed the ldap uri by executing the command sudo dpkg-reconfigure ldap-auth-config
I've restarted the client machine and opened a tcpdump on my ldap server listening for the IP of the client and all connections for the port range 389-636
10:00:27.149772 IP ldap-client.52803 > ldap-server.ldaps: Flags [S], seq 1684570111, win 29200, options [mss 1460,sackOK,TS val 4294902186 ecr 0,nop,wscale 7], length 0
10:00:27.149813 IP ldap-server.ldaps > ldap-client.52803: Flags [S.], seq 3586026827, ack 1684570112, win 28960, options [mss 1460,sackOK,TS val 1292850 ecr 4294902186,nop,wscale 7], length 0
10:00:27.149924 IP ldap-client.52803 > ldap-server.ldaps: Flags [.], ack 1, win 229, options [nop,nop,TS val 4294902186 ecr 1292850], length 0
10:00:27.151549 IP ldap-client.52803 > ldap-server.ldaps: Flags [P.], seq 1:118, ack 1, win 229, options [nop,nop,TS val 4294902186 ecr 1292850], length 117
10:00:27.151567 IP ldap-server.ldaps > ldap-client.52803: Flags [.], ack 118, win 227, options [nop,nop,TS val 1292850 ecr 4294902186], length 0
10:00:27.151949 IP ldap-server.ldaps > ldap-client.52803: Flags [F.], seq 1, ack 118, win 227, options [nop,nop,TS val 1292850 ecr 4294902186], length 0
10:00:27.152095 IP ldap-client.52803 > ldap-server.ldaps: Flags [.], ack 2, win 229, options [nop,nop,TS val 4294902187 ecr 1292850], length 0
10:00:27.152157 IP ldap-client.52803 > ldap-server.ldaps: Flags [F.], seq 118, ack 2, win 229, options [nop,nop,TS val 4294902187 ecr 1292850], length 0
10:00:27.152174 IP ldap-server.ldaps > ldap-client.52803: Flags [.], ack 119, win 227, options [nop,nop,TS val 1292850 ecr 4294902187], length 0
10:00:27.152288 IP ldap-client.52804 > ldap-server.ldaps: Flags [S], seq 1697088540, win 29200, options [mss 1460,sackOK,TS val 4294902187 ecr 0,nop,wscale 7], length 0
10:00:27.152305 IP ldap-server.ldaps > ldap-client.52804: Flags [S.], seq 2792459463, ack 1697088541, win 28960, options [mss 1460,sackOK,TS val 1292850 ecr 4294902187,nop,wscale 7], length 0
10:00:27.152360 IP ldap-client.52804 > ldap-server.ldaps: Flags [.], ack 1, win 229, options [nop,nop,TS val 4294902187 ecr 1292850], length 0
10:00:27.152502 IP ldap-client.52804 > ldap-server.ldaps: Flags [P.], seq 1:118, ack 1, win 229, options [nop,nop,TS val 4294902187 ecr 1292850], length 117
10:00:27.152512 IP ldap-server.ldaps > ldap-client.52804: Flags [.], ack 118, win 227, options [nop,nop,TS val 1292850 ecr 4294902187], length 0
10:00:27.152909 IP ldap-server.ldaps > ldap-client.52804: Flags [F.], seq 1, ack 118, win 227, options [nop,nop,TS val 1292850 ecr 4294902187], length 0
10:00:27.152998 IP ldap-client.52804 > ldap-server.ldaps: Flags [F.], seq 118, ack 2, win 229, options [nop,nop,TS val 4294902187 ecr 1292850], length 0
10:00:27.153010 IP ldap-server.ldaps > ldap-client.52804: Flags [.], ack 119, win 227, options [nop,nop,TS val 1292850 ecr 4294902187], length 0
10:00:28.153396 IP ldap-client.52805 > ldap-server.ldaps: Flags [S], seq 592612370, win 29200, options [mss 1460,sackOK,TS val 4294902437 ecr 0,nop,wscale 7], length 0
10:00:28.153437 IP ldap-server.ldaps > ldap-client.52805: Flags [S.], seq 1983710944, ack 592612371, win 28960, options [mss 1460,sackOK,TS val 1293101 ecr 4294902437,nop,wscale 7], length 0
10:00:28.153580 IP ldap-client.52805 > ldap-server.ldaps: Flags [.], ack 1, win 229, options [nop,nop,TS val 4294902437 ecr 1293101], length 0
10:00:28.153759 IP ldap-client.52805 > ldap-server.ldaps: Flags [P.], seq 1:118, ack 1, win 229, options [nop,nop,TS val 4294902437 ecr 1293101], length 117
10:00:28.153767 IP ldap-server.ldaps > ldap-client.52805: Flags [.], ack 118, win 227, options [nop,nop,TS val 1293101 ecr 4294902437], length 0
10:00:28.154285 IP ldap-server.ldaps > ldap-client.52805: Flags [F.], seq 1, ack 118, win 227, options [nop,nop,TS val 1293101 ecr 4294902437], length 0
10:00:28.154413 IP ldap-client.52805 > ldap-server.ldaps: Flags [F.], seq 118, ack 2, win 229, options [nop,nop,TS val 4294902437 ecr 1293101], length 0
10:00:28.154423 IP ldap-server.ldaps > ldap-client.52805: Flags [.], ack 119, win 227, options [nop,nop,TS val 1293101 ecr 4294902437], length 0
^C
513 packets captured
513 packets received by filter
0 packets dropped by kernel
61 packets dropped by interface
I hope someone knows my problem and can help me :) Kind Regards Tabby
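
An added example, not part of the original post: a small Python triage of the two kinds of output shown above. It flags connections in tcpdump text output where the client sent data and the server closed without sending a single payload byte, and it pulls kernel segfault records naming slapd out of syslog lines. The sample lines are constructed in the format of the post's output (tcpdump options trimmed), the function names are hypothetical, and the client's first segment on the ldaps port is assumed to be the TLS ClientHello.

```python
import re

# tcpdump text line: "<time> IP <src>.<sport> > <dst>.<dport>: Flags [..], ... length N"
PKT = re.compile(
    r"^\S+ IP (?P<src>\S+)\.(?P<sport>[\w-]+) > (?P<dst>\S+)\.(?P<dport>[\w-]+): "
    r"Flags \[(?P<flags>[^\]]+)\].* length (?P<len>\d+)$"
)
# Kernel record written to syslog when a process crashes with SIGSEGV.
SEGV = re.compile(
    r"kernel: \[\s*[\d.]+\] (?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: segfault at .* in (?P<lib>[^\[\s]+)"
)
SERVICE_PORTS = {"ldaps", "636"}  # tcpdump prints the service name unless run with -n


def summarize_flows(lines):
    """Per client (host, port): payload bytes each way and which side sent FIN first."""
    flows = {}
    for line in lines:
        m = PKT.match(line.strip())
        if not m:
            continue
        if m["dport"] in SERVICE_PORTS:
            key, side = (m["src"], m["sport"]), "client"
        elif m["sport"] in SERVICE_PORTS:
            key, side = (m["dst"], m["dport"]), "server"
        else:
            continue
        f = flows.setdefault(key, {"client_bytes": 0, "server_bytes": 0, "first_fin": None})
        f[side + "_bytes"] += int(m["len"])
        if "F" in m["flags"] and f["first_fin"] is None:
            f["first_fin"] = side
    return flows


def server_closed_silently(flows):
    """Connections where the client sent data and the server closed without replying."""
    return sorted(k for k, f in flows.items()
                  if f["client_bytes"] and not f["server_bytes"] and f["first_fin"] == "server")


def crashes(lines, proc="slapd"):
    """(pid, library) for every kernel segfault record naming `proc`."""
    hits = (SEGV.search(line) for line in lines)
    return [(m["pid"], m["lib"]) for m in hits if m and m["proc"] == proc]


# Constructed sample: one connection shaped like the capture above, one healthy one.
TCPDUMP = """\
10:00:27.151549 IP ldap-client.52803 > ldap-server.ldaps: Flags [P.], seq 1:118, ack 1, win 229, length 117
10:00:27.151567 IP ldap-server.ldaps > ldap-client.52803: Flags [.], ack 118, win 227, length 0
10:00:27.151949 IP ldap-server.ldaps > ldap-client.52803: Flags [F.], seq 1, ack 118, win 227, length 0
10:00:27.152157 IP ldap-client.52803 > ldap-server.ldaps: Flags [F.], seq 118, ack 2, win 229, length 0
10:00:30.000100 IP ldap-client.52900 > ldap-server.ldaps: Flags [P.], seq 1:118, ack 1, win 229, length 117
10:00:30.000900 IP ldap-server.ldaps > ldap-client.52900: Flags [P.], seq 1:1400, ack 118, win 227, length 1399
10:00:30.500000 IP ldap-client.52900 > ldap-server.ldaps: Flags [F.], seq 500, ack 1400, win 229, length 0
""".splitlines()

# Constructed sample in the shape of the syslog excerpt above.
SYSLOG = """\
Oct 19 08:59:17 ldap-server slapd[1464]: send_ldap_response: msgid=1 tag=97 err=0
Oct 19 08:59:17 ldap-server kernel: [ 1801.480222] slapd[1468]: segfault at 35 ip 00007f1093e55360 sp 00007f104bffc268 error 4 in libgmp.so.10.3.0[7f1093e41000+7f000]
""".splitlines()

if __name__ == "__main__":
    for host, port in server_closed_silently(summarize_flows(TCPDUMP)):
        print(f"{host}:{port} sent data, server closed without any payload")
    for pid, lib in crashes(SYSLOG):
        print(f"slapd pid {pid} segfaulted in {lib}")
```

Feed it the real files with `summarize_flows(open("capture.txt"))` and `crashes(open("/var/log/syslog"))`; both file names are placeholders.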