Discussion:
configuring ldap-client to use TLS (Certificate not found in database)
Sridhar Acharya Malkaram
2015-10-21 01:24:23 UTC
I am a novice to linux administration. Recently I had to configure a system to authenticate using LDAP with TLS. I have read guides from several websites. But I still could configure it. There seem to be several reasons for the failure. I tried many suggestions, but with no success. I don’t have access to the LDAP server. So I have been just playing with config on the client.
The LDAP server is sso.abcdef.edu
My ldap.conf content is below

BASE dc=abcdef,dc=edu
TLS_REQCERT allow
TLS_CACERT /etc/openldap/cacerts/sso.abcdef.edu.crt
uri ldap://sso.abcdef.edu
TLS_CACERTDIR /etc/openldap/cacerts

I could issue a ldapsearch -x which returns several entries. However, I couldn’t do so using TLS. The following command shows some errors. Could you suggest possible directions to resolve this? The directory /etc/openldap/cacerts/ contains the server certificate sso.abcdef.edu.crt. I also made a copy of it with the name sso.abcdef.edu.pem. I am not sure whether this pem file should be that of the server or the client.
Another question: should the client also have a CA (or self-signed) certificate, and should it be uploaded onto the LDAP server?
Could anyone please describe the basic essential steps in configuring an LDAP client with TLS (without necessarily including the commands)? Several guides suggest changing configs in several places (like pam_ldap.conf, auth.conf, etc.), but the CentOS documentation on LDAP describes configuration only for ldap.conf (which I couldn’t follow completely).

/etc/openldap/cacerts ***@wserver[0.5]5019 > ldapsearch -ZZZ -h sso.abcdef.edu -d -1

ldap_create
ldap_url_parse_ext(ldap://sso.abcdef.edu)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP sso.abcdef.edu:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.71.31.15:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x15ea5b0 ptr=0x15ea5b0 end=0x15ea5cf len=31
0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1
0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037
ber_scanf fmt ({) ber:
ber_dump: buf=0x15ea5b0 ptr=0x15ea5b5 end=0x15ea5cf len=26
0000: 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e w...1.3.6.1.4.1.
0010: 31 34 36 36 2e 32 30 30 33 37 1466.20037
ber_flush2: 31 bytes to sd 3
0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1
0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037
ldap_write: want=31, written=31
0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1
0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037
ldap_result ld 0x15e1090 msgid 1
wait4msg ld 0x15e1090 msgid 1 (infinite timeout)
wait4msg continue ld 0x15e1090 msgid 1 all 1
** ld 0x15e1090 Connections:
* host: sso.abcdef.edu port: 389 (default)
refcnt: 2 status: Connected
last used: Tue Oct 20 20:50:52 2015


** ld 0x15e1090 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x15e1090 request count 1 (abandoned 0)
** ld 0x15e1090 Response Queue:
Empty
ld 0x15e1090 response count 0
ldap_chkResponseList ld 0x15e1090 msgid 1 all 1
ldap_chkResponseList returns ld 0x15e1090 NULL
ldap_int_select
read1msg: ld 0x15e1090 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=8
0000: 30 0c 02 01 01 78 07 0a 0....x..
ldap_read: want=6, got=6
0000: 01 00 04 00 04 00 ......
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x15eba20 ptr=0x15eba20 end=0x15eba2c len=12
0000: 02 01 01 78 07 0a 01 00 04 00 04 00 ...x........
read1msg: ld 0x15e1090 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x15eba20 ptr=0x15eba23 end=0x15eba2c len=9
0000: 78 07 0a 01 00 04 00 04 00 x........
read1msg: ld 0x15e1090 0 new referrals
read1msg: mark request completed, ld 0x15e1090 msgid 1
request done: ld 0x15e1090 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x15eba20 ptr=0x15eba23 end=0x15eba2c len=9
0000: 78 07 0a 01 00 04 00 04 00 x........
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_dump: buf=0x15eba20 ptr=0x15eba23 end=0x15eba2c len=9
0000: 78 07 0a 01 00 04 00 04 00 x........
ber_scanf fmt (}) ber:
ber_dump: buf=0x15eba20 ptr=0x15eba2c end=0x15eba2c len=0

ldap_msgfree
TLS: loaded CA certificate file /etc/openldap/cacerts/sso.abcdef.edu.crt.
TLS: error: the certificate '/etc/openldap/cacerts/sso.abcdef.edu.pem' could not be found in the database - error -12285:Unable to find the certificate or key necessary for authentication..
TLS: certificate '/etc/openldap/cacerts/sso.abcdef.edu.pem' successfully loaded from PEM file.
TLS: could not add the private key '/etc/openldap/cacerts/sso.abcdef.edu.pem' - error -8018:Unknown PKCS #11 error..
TLS: error: could not initialize moznss security context - error -8018:Unknown PKCS #11 error.
TLS: can't create ssl handle.
ldap_err2string
ldap_start_tls: Connect error (-11)
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
0000: 30 05 02 01 02 42 00 0....B.
ldap_write: want=7, written=7
0000: 30 05 02 01 02 42 00 0....B.
ldap_free_connection: actually freed
Dan White
2015-10-21 18:35:04 UTC
> I am a novice to linux administration. Recently I had to configure a
> system to authenticate using LDAP with TLS. I have read guides from
> several websites. But I still could configure it. There seem to be several
> reasons for the failure. I tried many suggestions, but with no success. I
> don’t have access to the LDAP server. So I have been just playing with
> config on the client.
> The LDAP server is sso.abcdef.edu
> My ldap.conf content is below
> BASE dc=abcdef,dc=edu
> TLS_REQCERT allow
> TLS_CACERT /etc/openldap/cacerts/sso.abcdef.edu.crt
> uri ldap://sso.abcdef.edu
> TLS_CACERTDIR /etc/openldap/cacerts
Your output below says your local ldap libraries are linked against moznss.
See:

http://www.openldap.org/faq/data/cache/1514.html

and the ldap.conf manpage. More comments below.
> I could issue a ldapsearch -x which returns several entries. However, when
> I couldn’t do using TLS. The following command shows some errors. Could
> you suggest me possible directions to resolve this. The directory
> /etc/openldap/cacerts/ contains the server certificate
> sso.abcdef.edu.crt. I also made a copy of it with name sso.abcdef.edu.pem.
> I am not sure whether this pem file should be that of the server or the
> client.
> Another question, should the client also have a ca (or self-signed )
> certificate and it whether it should be uploaded onto the LDAP server?
That depends on the security needs of your network.

If the server is configured to require client certificates, then you'll
need to specify a TLS_CERT and TLS_KEY (again, see ldap.conf(5)).
> ldap_msgfree
> TLS: loaded CA certificate file /etc/openldap/cacerts/sso.abcdef.edu.crt.
> TLS: error: the certificate '/etc/openldap/cacerts/sso.abcdef.edu.pem' could not be found in the database - error -12285:Unable to find the certificate or key necessary for authentication..
> TLS: certificate '/etc/openldap/cacerts/sso.abcdef.edu.pem' successfully loaded from PEM file.
> TLS: could not add the private key '/etc/openldap/cacerts/sso.abcdef.edu.pem' - error -8018:Unknown PKCS #11 error..
> TLS: error: could not initialize moznss security context - error -8018:Unknown PKCS #11 error.
> TLS: can't create ssl handle.
> ldap_err2string
> ldap_start_tls: Connect error (-11)
Does /etc/openldap/cacerts/sso.abcdef.edu.pem exist? If so, moznss will
attempt to open it as a database. It should not exist if you wish to use
the collective cert files within /etc/openldap/cacerts/ as your cacerts.
You should not specify TLS_CACERT in that case either.
--
Dan White
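A small ldap.conf lint, added here as an example and written by neither poster, that checks for the pitfalls raised in this reply: TLS_CACERT and TLS_CACERTDIR set together, a stray .pem left in the cacerts directory, and TLS_REQCERT set to allow (which lets the session proceed even when the server certificate fails verification). The temp paths and the empty certificate files are constructed stand-ins for the poster's layout.

```shell
#!/bin/sh
# Added example, not from the thread: lint an ldap.conf for the pitfalls the
# reply describes. The config and cert files below are constructed stand-ins.

# Scratch copy of the poster's layout: a cacerts dir holding the CA file plus
# the stray .pem copy, and an ldap.conf that points at both.
setup_demo() {
  d=$(mktemp -d); mkdir "$d/cacerts"
  : > "$d/cacerts/sso.abcdef.edu.crt"   # stand-in for the CA certificate
  : > "$d/cacerts/sso.abcdef.edu.pem"   # the copy moznss trips over
  printf '%s\n' "BASE dc=abcdef,dc=edu" "TLS_REQCERT allow" \
    "TLS_CACERT $d/cacerts/sso.abcdef.edu.crt" "uri ldap://sso.abcdef.edu" \
    "TLS_CACERTDIR $d/cacerts" > "$d/ldap.conf"
  echo "$d"
}

# Value of a keyword (ldap.conf keywords are case-insensitive), or empty.
conf_get() { awk -v k="$1" 'toupper($1)==k {print $2; exit}' "$2"; }
has_pem() { for f in "$1"/*.pem; do [ -e "$f" ] && return 0; done; return 1; }

# Print one finding per line; the exit status is the number of findings.
lint_ldap_conf() {
  conf=$1; n=0
  cacert=$(conf_get TLS_CACERT "$conf"); cadir=$(conf_get TLS_CACERTDIR "$conf")
  if [ -n "$cacert" ] && [ -n "$cadir" ]; then
    echo "TLS_CACERT and TLS_CACERTDIR both set: use one or the other"; n=$((n+1))
  fi
  if [ -n "$cadir" ] && has_pem "$cadir"; then
    echo "$cadir holds .pem file(s): moznss may open them as a cert database"; n=$((n+1))
  fi
  case $(conf_get TLS_REQCERT "$conf" | tr '[:upper:]' '[:lower:]') in
    allow|try|never)
      echo "TLS_REQCERT does not verify the server certificate; use demand"; n=$((n+1)) ;;
  esac
  return $n
}

# Apply the reply's advice: drop the stray .pem and TLS_CACERT, demand a verified cert.
apply_fix() {
  rm -f "$1"/cacerts/*.pem
  grep -v '^TLS_CACERT ' "$1/ldap.conf" | sed 's/^TLS_REQCERT .*/TLS_REQCERT demand/' \
    > "$1/ldap.conf.new" && mv "$1/ldap.conf.new" "$1/ldap.conf"
}

d=$(setup_demo)
echo "before:"; lint_ldap_conf "$d/ldap.conf" || true
apply_fix "$d"
echo "after:"; lint_ldap_conf "$d/ldap.conf" && echo "no findings"
rm -rf "$d"
```

Point lint_ldap_conf at the real /etc/openldap/ldap.conf to check a live client; apply_fix only touches the scratch copy.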