Discussion:
SSL based LDAP client verification
Aneela Saleem
2015-10-06 21:13:38 UTC
Hi all,

I have followed this link <http://www.openldap.org/faq/data/cache/185.html> to
generate self-signed certificates. I have successfully performed server-side
validation. What if I want to access LDAPS:// from another client? I have
copied the servercrt.pem and serverkey.pem files to the client machine, and
also added servercrt.pem to the client trust store. I'm using the LDAPjs client
for authentication. I have provided the trust store path and the serverkey.pem
file in the code, but I still get the following error:

crypto.js:104
if (options.cert) c.context.setCert(options.cert);
^
Error: error:0906D06C:PEM routines:PEM_read_bio:no start line
at Object.exports.createCredentials (crypto.js:104:31)
at Object.exports.connect (tls.js:1334:27)
at Client._connect (/home/aneela/node_modules/ldapjs/lib/client/client.js:736:18)
at new Client (/home/aneela/node_modules/ldapjs/lib/client/client.js:247:22)
at Object.createClient (/home/aneela/node_modules/ldapjs/lib/client/index.js:60:12)
at authDN (/home/aneela/client-ldapjs/app.js:15:21)
at Object.<anonymous> (/home/aneela/client-ldapjs/app.js:90:1)
at Module._compile (module.js:456:26)
at Object.Module._extensions..js (module.js:474:10)
at Module.load (module.js:356:32)

Please guide me if I'm doing something wrong. Which PEM files need to be
copied to the client machine? Or do I need to create client-side certificates
separately as well?
Andrew Findlay
2015-10-08 09:56:09 UTC
> I have followed this link to generate self-signed certificates. I have
> successfully performed server-side validation.

I assume that means that you have made an SSL or TLS connection to the server
and done an LDAP operation, so this operation should succeed:

ldapwhoami -x -H ldap://my.server.com/ -ZZ

If it does not, you may need to specify the TLS_CACERT location in
/etc/openldap/ldap.conf or temporarily provide the cert location in the
environment:

LDAPTLS_CACERT=/path/to/ca.crt ldapwhoami -x -H ldap://my.server.com/ -ZZ

Don't start trying to use any other clients until you have the command-line
ones working properly.
> What if I want to access LDAPS:// from another client? I have copied the
> servercrt.pem and serverkey.pem files to the client machine, and also added
> servercrt.pem to the client trust store. I'm using

NO! Don't ever give clients the secret key.

Assuming you followed http://www.openldap.org/faq/data/cache/185.html fully you
created two certificates: a master CA cert and a server-specific cert. You can
use the CA cert to create as many server certs as you like, and client machines
only need a copy of the CA cert to verify trust.

Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------