SLES 12 TLS Settings on LDAP (Authenti.) Server - Self Signed Cert.



shorty67
31-Jan-2016, 20:51
Hi

I can't start our LDAP server with TLS support.

We use SLES12 SP1 and a self-signed CA (root CA and intermediate).

The LDAP server is up and running on port 389.

1. I create the certificate chain and import it to the server:

cat intermediate.cert.pem ca.cert.pem > ca-chain.cert.pem

copy the ca-chain.cert.pem to /etc/pki/trust/anchors on the server, and import the CA chain with

update-ca-certificates

I see both the root CA and the intermediate now at /etc/ssl/certs (link to /var/lib/ca-certificates/pem)

2. Step: I import the server certificate p12 (incl. FQDN as commonName) via YaST > Common Server Certificate. YaST: Certificate has been imported.

Now I have at
/etc/ssl/servercerts a servercert.pem and a serverkey.pem file.

3. Step: Configure TLS settings via YaST on the running server

I use the intermediate ca from

/etc/ssl/certs

and the certificate and the key from

/etc/ssl/servercerts

and finish the TLS Config.

I use "Softerra LDAP Administrator" for LDAP administration. The connection to the server over 389 works fine; over 636 I get a "no server" error.

The local message log from the server:
2016-01-31T18:31:18.208617+01:00 bis-sl-sles12-01 slapd[1134]: hdb_monitor_db_open: monitoring disabled; configure monitor database to enable
2016-01-31T18:31:18.211024+01:00 bis-sl-sles12-01 slapd[1134]: slapd starting
2016-01-31T18:32:37.689479+01:00 bis-sl-sles12-01 slapd[1054]: @(#) $OpenLDAP: slapd 2.4.41 $#012#011opensuse-buildservice@opensuse.org
2016-01-31T18:32:37.874643+01:00 bis-sl-sles12-01 slapd[1120]: hdb_monitor_db_open: monitoring disabled; configure monitor database to enable
2016-01-31T18:32:37.887186+01:00 bis-sl-sles12-01 slapd[1120]: slapd starting
2016-01-31T19:50:54.471810+01:00 bis-sl-sles12-01 slapd[1120]: conn=1007 op=0 do_extended: unsupported operation "1.3.6.1.4.1.1466.20037"
2016-01-31T20:21:33.142768+01:00 bis-sl-sles12-01 slapd[1120]: daemon: shutdown requested and initiated.
2016-01-31T20:21:33.143144+01:00 bis-sl-sles12-01 slapd[1120]: slapd shutdown: waiting for 0 operations/tasks to finish
2016-01-31T20:21:33.157725+01:00 bis-sl-sles12-01 slapd[1120]: slapd stopped.
2016-01-31T20:21:33.205667+01:00 bis-sl-sles12-01 slapd[6537]: @(#) $OpenLDAP: slapd 2.4.41 $#012#011opensuse-buildservice@opensuse.org
2016-01-31T20:21:33.231214+01:00 bis-sl-sles12-01 slapd[6558]: hdb_monitor_db_open: monitoring disabled; configure monitor database to enable
2016-01-31T20:21:33.231978+01:00 bis-sl-sles12-01 slapd[6558]: slapd starting

At Yast Authentication Server Configuration
Checking LDAP connectivity to the provider failed.

"StartTLS operation failed"
"Connect error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)"

That's right, it is a self-signed certificate installed in /etc/pki/trust/anchors

Where is my mistake? What did I do wrong?
Thanks for your reply

Automatic reply
05-Feb-2016, 06:30
shorty67,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

These forums are peer-to-peer, best effort, volunteer run, and if your issue
is urgent or not getting a response, you might try one of the following options:

- Visit http://www.suse.com/support and search the knowledgebase and/or check all
the other support options available.
- Open a service request: https://www.suse.com/support
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.suse.com)

Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.suse.com/faq.php

If this is a reply to a duplicate posting or otherwise posted in error, please
ignore and accept our apologies and rest assured we will issue a stern reprimand
to our posting bot.

Good luck!

Your SUSE Forums Team
http://forums.suse.com

jmozdzen
09-Feb-2016, 13:52
Hi shorty67,

> Hi
>
> I can't start our LDAP server with TLS support.
> [...]
> At Yast Authentication Server Configuration
> Checking LDAP connectivity to the provider failed.
>
> "StartTLS operation failed"
> "Connect error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)"
>
> That's right, it is a self-signed certificate installed in /etc/pki/trust/anchors

the above sounds more like slapd (the LDAP server) is actually started with StartTLS support, and the (local) client doesn't like the self-signed cert.

> 3. Step: Configure TLS settings via YaST on the running server
What TLS options have you enabled? Please note that there's a difference between StartTLS and LDAP over SSL/TLS ("ldaps").

> I use "Softerra LDAP Administrator" for LDAP administration. The connection to the server over 389 works fine; over 636 I get a "no server" error.

Your (remote) client tried ldaps (judging from the port number), while StartTLS would work via the standard port. If nothing else, a network trace could show if the session to your remote client (via port 389) is actually TLS-encrypted. You may need to configure your client to attempt StartTLS, though.

Regards,
Jens
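Two things in the thread are worth checking with tools rather than by reading YaST dialogs. First, the OpenSSL error in the original post ("self signed certificate in certificate chain") is a client-side trust failure: the verifying side could not build a path from servercert.pem to a self-signed root it trusts, and step 3 of the post selected only the intermediate from /etc/ssl/certs as the CA. Second, the slapd log line `do_extended: unsupported operation "1.3.6.1.4.1.1466.20037"` refers to the StartTLS extended operation (that OID is defined in RFC 4511), so the slapd instance with pid 1120 reported StartTLS as unsupported on that connection, before the restart logged at 20:21. The script below is an added example, not code from the thread or from SUSE: it rebuilds the poster's PKI layout (self-signed root, intermediate, server certificate, with the post's file names) in a scratch directory with the openssl CLI and shows which trust file lets the chain verify. The subjects, the host name ldap.example.test, DEMO_DIR and the function names are constructed for the demo; the two probe functions assume the OpenLDAP ldapsearch client is installed and are not run here.

```shell
#!/bin/sh
# Added example for this thread (not the poster's or SUSE's code): rebuild the
# poster's PKI layout (self-signed root -> intermediate -> server cert) in a
# scratch directory and check which trust file lets OpenSSL validate the server
# certificate. All subjects, host names and file names are constructed.
set -eu

# Build a throw-away root CA, intermediate CA and server certificate, using the
# same file names as the forum post. Sets DEMO_DIR to the scratch directory.
make_demo_pki() {
    DEMO_DIR=$(mktemp -d)
    (
        cd "$DEMO_DIR"
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
        printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ldap.example.test\n' > server.ext

        # Root CA: self-signed, which is what the client error message refers to.
        openssl req -new -newkey rsa:2048 -nodes -keyout ca.key.pem -out ca.csr \
            -subj '/CN=Demo Root CA' 2>/dev/null
        openssl x509 -req -in ca.csr -signkey ca.key.pem -days 365 \
            -extfile ca.ext -out ca.cert.pem 2>/dev/null

        # Intermediate CA, signed by the root.
        openssl req -new -newkey rsa:2048 -nodes -keyout intermediate.key.pem \
            -out intermediate.csr -subj '/CN=Demo Intermediate CA' 2>/dev/null
        openssl x509 -req -in intermediate.csr -CA ca.cert.pem -CAkey ca.key.pem \
            -CAcreateserial -days 365 -extfile ca.ext -out intermediate.cert.pem 2>/dev/null

        # Server certificate, signed by the intermediate (hypothetical host name).
        openssl req -new -newkey rsa:2048 -nodes -keyout serverkey.pem \
            -out server.csr -subj '/CN=ldap.example.test' 2>/dev/null
        openssl x509 -req -in server.csr -CA intermediate.cert.pem \
            -CAkey intermediate.key.pem -CAcreateserial -days 365 \
            -extfile server.ext -out servercert.pem 2>/dev/null

        # The chain file exactly as built in the post: intermediate first, root last.
        cat intermediate.cert.pem ca.cert.pem > ca-chain.cert.pem
    )
}

# Validate a server certificate against a trust file (the role TLS_CACERT plays
# for libldap clients). Succeeds only if the chain ends at a self-signed root
# that is present in the trust file.
verify_server_cert() {   # usage: verify_server_cert <trust-file> <cert>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Same check, but with the intermediate supplied as an untrusted extra cert,
# which models the server sending it in the TLS handshake.
verify_with_sent_chain() {   # usage: verify_with_sent_chain <root> <intermediate> <cert>
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Probe a running slapd with the OpenLDAP client tools (assumed installed).
# LDAPTLS_CACERT is the environment form of the ldap.conf TLS_CACERT option.
probe_starttls() {   # usage: probe_starttls <host> <trust-file>  (StartTLS on 389)
    LDAPTLS_CACERT="$2" ldapsearch -x -ZZ -H "ldap://$1" -b '' -s base -LLL namingContexts
}
probe_ldaps() {      # usage: probe_ldaps <host> <trust-file>  (LDAP over TLS on 636)
    LDAPTLS_CACERT="$2" ldapsearch -x -H "ldaps://$1:636" -b '' -s base -LLL namingContexts
}

main() {
    make_demo_pki
    d=$DEMO_DIR
    verify_server_cert "$d/ca-chain.cert.pem" "$d/servercert.pem" \
        && echo "chain file (intermediate + root): verified"
    verify_server_cert "$d/intermediate.cert.pem" "$d/servercert.pem" \
        || echo "intermediate only (the post's step 3): fails, no self-signed root to anchor to"
    verify_server_cert "$d/ca.cert.pem" "$d/servercert.pem" \
        || echo "root only, intermediate not supplied: fails, issuer of the server cert unknown"
    verify_with_sent_chain "$d/ca.cert.pem" "$d/intermediate.cert.pem" "$d/servercert.pem" \
        && echo "root trusted + intermediate supplied with the cert: verified"
    rm -rf "$d"
}
main
```

The two failing checks are the ones that match the thread: a trust file holding only the intermediate never verifies, because OpenSSL insists on reaching a self-signed root it trusts, and the root alone only works when the intermediate arrives with the server certificate. Pointing the client's TLS_CACERT (or the CA field in the YaST dialog) at the full ca-chain.cert.pem is the option that does not depend on what the server sends. `probe_starttls` with `-ZZ` fails unless StartTLS on 389 both succeeds and verifies, which is the check YaST's "Checking LDAP connectivity" performs; `probe_ldaps` only gets an answer if slapd was started with an `ldaps:///` listener URL in addition to `ldap:///`, which is the difference Jens points out.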