Discussion:
SSL based ldap server
Aneela Saleem
2015-10-02 08:11:14 UTC
Hi all,

I have implemented LDAP over SSL. The FQDN of the LDAP server is "platalytics.com"
and the same is the CN in the SSL certificate. But why is it that when I run the
following command it works fine, i.e.,

ldapsearch -x -D "cn=aneela,ou=users,dc=platalytics,dc=com" -W -H ldap://127.0.0.1:389 -b "dc=platalytics,dc=com" -s sub 'cn=aneela'

but in the case of ldaps, I have to provide the FQDN as the hostname, i.e.,

ldapsearch -x -D "cn=aneela,ou=users,dc=platalytics,dc=com" -W -H ldaps://platalytics.com:636 -b "dc=platalytics,dc=com" -s sub 'cn=aneela'

because the following command does not work, i.e.,

ldapsearch -x -D "cn=aneela,ou=users,dc=platalytics,dc=com" -W -H ldaps://127.0.0.1:636 -b "dc=platalytics,dc=com" -s sub 'cn=aneela'
Michael Ströder
2015-10-02 08:18:50 UTC
The mandatory TLS hostname check is a prevention against MITM attacks.

ldaps://127.0.0.1 does not make sense anyway.

And even better, you should use ldapi:// [1] for local access.

[1] http://tools.ietf.org/html/draft-chu-ldap-ldapi

Ciao, Michael.
Aneela Saleem
2015-10-02 10:20:05 UTC
What if I want to access LDAP from an external source? How would it recognize
platalytics.com?
Michael Ströder
2015-10-02 11:10:49 UTC
Hopefully the client performs the TLS hostname check as defined in RFC 6125.

All hostnames and IP addresses used by clients have to be listed in the
subjectAltName extension.

Ciao, Michael.
Aneela Saleem
2015-10-02 12:35:39 UTC
Hi Michael,

Thanks for explaining. So far I have only performed server-side validation using
the link <http://www.openldap.org/faq/data/cache/185.html>

Can you please guide me on how we can perform client-side verification? I mean,
how do we set the subjectAltName extension?
Aneela Saleem
2015-10-04 14:18:19 UTC
I have followed this link
<http://stackoverflow.com/questions/21488845/how-can-i-generate-a-self-signed-certificate-with-subjectaltname-using-openssl>.
I updated the openssl.cnf file manually and added the IP address of the other client
machine. Then I generated the SSL certificate. Now I am accessing
ldaps://platalytics.com:636 from the other client machine (I have also added
platalytics.com to the /etc/hosts file) but am unable to access it from the external
IP address. What am I missing now?
Dieter Klünter
2015-10-04 16:00:49 UTC
Domain Name Service? Firewall? Routing Tables?

-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
Aneela Saleem
2015-10-05 19:00:43 UTC
Do we need to have the CA certificate/server key on the other client machine as
well? If yes, then how can we achieve that?
Dieter Klünter
2015-10-06 06:35:40 UTC
Yes, you have to install a CA certificate on all hosts that want to
access an LDAP server, and the client application on remote hosts needs
to know the location of this CA; usually that is configured in
ldap.conf(5), but it depends on the client's abilities.

-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
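The three observations that opened the thread (ldap://127.0.0.1 works, ldaps://platalytics.com works, ldaps://127.0.0.1 fails) and the two answers given above (every host name or IP address that clients use must be listed in subjectAltName; every client needs the CA certificate, usually via ldap.conf(5)) can be reproduced with openssl(1) alone, with no slapd running. The script below is an added example and is not code from the thread or from OpenLDAP: it builds a throwaway private CA, issues one CN-only server certificate and one with a subjectAltName, and runs the same RFC 6125-style host and IP checks that an LDAP client runs before it trusts the connection. The CA name, the file names, the ldap.conf path, and the documentation-range address 192.0.2.10 standing in for the server's real external IP are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenLDAP.
# Builds a throwaway CA and two server certificates for platalytics.com, then
# runs the client-side checks (RFC 6125 host/IP matching) with openssl(1).
# Assumptions: the CA name, the file names, and 192.0.2.10 (a documentation
# address) standing in for the server's real external IP.
set -eu

write_config() {   # $1 = work dir; writes the openssl config used below
  cat > "$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
# empty on purpose: every subject is passed on the command line with -subj
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
# every host name or IP address a client will put into an ldaps:// URL
subjectAltName = DNS:platalytics.com, IP:192.0.2.10
EOF
}

make_ca() {        # $1 = work dir; self-signed CA, its private key stays here
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -config "$1/openssl.cnf" -extensions ca_ext \
    -subj "/CN=Example Private CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

make_csr() {       # $1 = work dir; server key and request with CN=platalytics.com
  openssl req -new -newkey rsa:2048 -nodes \
    -config "$1/openssl.cnf" -subj "/CN=platalytics.com" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
}

sign() {           # $1 = work dir, $2 = output cert, $3 = extension section ("" = CN only)
  if [ -n "${3:-}" ]; then
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
      -CAcreateserial -days 1 -extfile "$1/openssl.cnf" -extensions "$3" \
      -out "$2" 2>/dev/null
  else
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
      -CAcreateserial -days 1 -out "$2" 2>/dev/null
  fi
}

setup_demo() {     # $1 = work dir; produces ca.pem, cn-only.pem and with-san.pem
  write_config "$1"; make_ca "$1"; make_csr "$1"
  sign "$1" "$1/cn-only.pem" ""
  sign "$1" "$1/with-san.pem" v3_server
}

# What a client does: verify the chain against the CA it trusts AND check that
# the certificate is valid for the name or address it typed into the URL.
check_hostname() { # $1 = work dir, $2 = cert, $3 = DNS name; exit 0 when accepted
  openssl verify -CAfile "$1/ca.pem" -verify_hostname "$3" "$2" >/dev/null 2>&1
}
check_ip() {       # $1 = work dir, $2 = cert, $3 = IP address; exit 0 when accepted
  openssl verify -CAfile "$1/ca.pem" -verify_ip "$3" "$2" >/dev/null 2>&1
}

show_san() {       # $1 = cert; print its subjectAltName, or say there is none
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
    || echo "    (no subjectAltName; only CN=platalytics.com)"
}

client_ldap_conf() { # $1 = path of the CA cert on the client; lines for ldap.conf(5)
  printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$1"
}

verdict() {        # $1 = URL being tried, rest = check command and its arguments
  url=$1; shift
  if "$@"; then echo "  accepted  $url"; else echo "  rejected  $url"; fi
}

if command -v openssl >/dev/null 2>&1; then
  WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
  setup_demo "$WORK"
  for cert in cn-only with-san; do
    echo "== $cert.pem"; show_san "$WORK/$cert.pem"
    verdict ldaps://platalytics.com:636 check_hostname "$WORK" "$WORK/$cert.pem" platalytics.com
    verdict ldaps://192.0.2.10:636      check_ip       "$WORK" "$WORK/$cert.pem" 192.0.2.10
    verdict ldaps://127.0.0.1:636       check_ip       "$WORK" "$WORK/$cert.pem" 127.0.0.1
  done
  echo "== on each client, with a copy of ca.pem (never ca.key or server.key):"
  client_ldap_conf /etc/ssl/certs/platalytics-ca.pem
fi
```

OpenSSL falls back to the subject CN only for DNS names and only when the certificate carries no subjectAltName at all, which is why the CN-only certificate is still accepted for platalytics.com but can never match an IP address, no matter which one the client types. The certificate with subjectAltName is accepted for 192.0.2.10 because that is the address clients use and it is listed; 127.0.0.1 is rejected against both certificates, which is the expected outcome since nobody reaching the server from another machine uses that address. On the client side, TLS_CACERT in ldap.conf(5) (or the LDAPTLS_CACERT environment variable for a one-off ldapsearch) points at a copy of ca.pem; the CA's and the server's private keys never leave their hosts. For purely local access on the server itself, the ldapi:// route suggested earlier in the thread is typically invoked as `ldapsearch -H ldapi:/// -Y EXTERNAL`, which involves no TLS and therefore no hostname check.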
Chris Jacobs
2015-10-06 22:00:27 UTC
That is different per OS and application implementation. Search for "update CA certificates [your OS or app name]".

We only use our LDAP for auth(n/z), so we tell PAM or SSSD (depending on OS version) to use the CA cert we push onto those nodes using our configuration management system (e.g., Puppet, Chef), without having to modify our CA bundles. We DO have an internal CA that Java apps must support, as well as some system-level apps: on those nodes we update the system as needed (CentOS or Java).

Good luck,
- chris
