Discussion:
slapo-chain + TLS = help
Warren Howard
2012-07-15 21:25:15 UTC
Hi,

I'm not able to get slapo-chain + TLS to work. Slapo-chain without TLS
works, syncrepl + TLS works, the ldap clients with TLS work, just
slapo-chain + TLS does not work.

"man slapo-chain" contains no information about the TLS options for
slapo-chain, but when I enable "chain-tls start" (as described in the
OpenLDAP Admin Guide) I get the error: TLS negotiation failure.

What TLS options for slapo-chain are available for me to configure to
get this working?

Note : I'm using Ubuntu 12.04 with slapd 2.4.28 provided by the
distribution.


Regards,


Warren.
Andrei BĂNARU
2012-07-16 06:17:16 UTC
Hi,

Because you're using chain type referrals you need to "trust" the
certificate from the ldap server you are "referring" to on the LDAP
clients issuing queries.

Andrei BĂNARU
Internal Support
CCNA Security, CCIP
StreamWIDE Romania
Post by Warren Howard
Hi,
I'm not able to get slapo-chain + TLS to work. Slapo-chain without
TLS works, syncrepl + TLS works, the ldap clients with TLS work, just
slapo-chain + TLS does not work.
"man slapo-chain" contains no information about the TLS options for
slapo-chain, but when I enable "chain-tls start" (as described in the
OpenLDAP Admin Guide) I get the error: TLS negotiation failure.
What TLS options for slapo-chain are available for me to configure to
get this working?
Note : I'm using Ubuntu 12.04 with slapd 2.4.28 provided by the
distribution.
Regards,
Warren.
Warren Howard
2012-07-16 18:24:17 UTC
Dear Andrei,
Post by Andrei BĂNARU
Hi,
Because you're using chain type referrals you need to "trust" the
certificate from the ldap server you are "referring" to on the LDAP
clients issuing queries.
Isn't this done by setting up TLS_CACERT in /etc/ldap/ldap.conf and
TLSCACertificateFile in /etc/ldap/slapd.conf?

In my case, on the slave /etc/ldap.conf contains the line "TLS_CACERT
/etc/ssl/certs/cacert.pem" and /etc/ldap/slapd.conf contains the line
"TLSCACertificateFile /etc/ssl/certs/cacert.pem". cacert.pem is the
self-signed cert from the ca that I used to sign the certificates for
each server. ldap client queries with -Z or -ZZ work fine, syncrepl
(with TLS) works fine. slapo-chain + TLS won't work and each time it
gives a TLS negotiation failure.

In an attempt to understand more I started slapd on the master with
debug -1 and found this error:

TLS: can't accept: A record packet with illegal version was received..
connection_read(16): TLS accept failure error=-1 id=1001, closing

The master runs Ubuntu 10.04.4 LTS and slapd @(#) $OpenLDAP: slapd
2.4.21 (Dec 19 2011 15:18:58) $
***@roseapple:/build/buildd/openldap-2.4.21/debian/build/servers/slapd

I'm wondering do I need to upgrade the master (slave is Ubuntu 12.04),
could this be related to the version of slapd or gnutls?

Regards,


Warren.
Gavin Henry
2012-07-18 21:06:24 UTC
Post by Warren Howard
TLS: can't accept: A record packet with illegal version was received..
connection_read(16): TLS accept failure error=-1 id=1001, closing
(Dec 19 2011 15:18:58) $
I'm wondering do I need to upgrade the master (slave is Ubuntu 12.04), could
this be related to the version of slapd or gnutls?
Check out:

man slapd-ldap as slapo-chain uses that which has the same tls
settings as slapd.

Thanks.
--
Kind Regards,

Gavin Henry.
OpenLDAP Engineering Team.

E ***@OpenLDAP.org

Community developed LDAP software.

http://www.openldap.org/project/
Warren Howard
2012-07-19 19:15:25 UTC
Post by Gavin Henry
Post by Warren Howard
TLS: can't accept: A record packet with illegal version was received..
connection_read(16): TLS accept failure error=-1 id=1001, closing
(Dec 19 2011 15:18:58) $
I'm wondering do I need to upgrade the master (slave is Ubuntu 12.04), could
this be related to the version of slapd or gnutls?
man slapd-ldap as slapo-chain uses that which has the same tls
settings as slapd.
Thanks.
Thanks for that, in the end I gave up on TLS and just used SSL. Later
when I try again, it'll be after upgrading both the provider and the
consumer to the same versions. For now I'm using:

chain-uri "ldaps://provider.example.com"
.
.
chain-tls ldaps
.
.
.
.
updateref "ldaps://provider.example.com/"


Regards,


Warren.
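Putting Andrei's point (the chaining server must trust the CA that signed the provider's certificate) together with Gavin's (slapo-chain takes the TLS settings documented in slapd-ldap(5), each prefixed with "chain-"), the fragment below is an added slapd.conf example for the consumer; it is not from the thread and not from OpenLDAP's own documentation. The host name, suffix, bind DN, key file names and the password placeholder are assumptions; the CA file path and provider host reuse what Warren posted. The StartTLS form is the intended configuration, with Warren's ldaps fallback left as a commented alternative.

```conf
# Added example (not from the thread): consumer-side slapd.conf fragment for
# chaining referrals to the provider over StartTLS.
# slapo-chain(5) accepts every slapd-ldap(5) option with a "chain-" prefix,
# so the TLS parameters from slapd-ldap(5) belong on the chain-tls line.
# Host name, suffix, bind DN, key paths and the password are assumptions.

# Server-side TLS for incoming connections (ldapsearch -ZZ, syncrepl).
# These settings do NOT apply to the outbound connection slapo-chain opens.
TLSCACertificateFile    /etc/ssl/certs/cacert.pem
TLSCertificateFile      /etc/ssl/certs/consumer.pem       # assumed path
TLSCertificateKeyFile   /etc/ssl/private/consumer.key     # assumed path

database        bdb
suffix          "dc=example,dc=com"                       # assumed suffix
rootdn          "cn=admin,dc=example,dc=com"              # assumed DN
directory       /var/lib/ldap

# Writes sent to this consumer are referred to the provider. With StartTLS
# the referral stays on the plain ldap:// URI; TLS is negotiated afterwards.
updateref       "ldap://provider.example.com/"

overlay         chain
chain-uri       "ldap://provider.example.com/"

# "start" makes the chained operation fail if TLS cannot be negotiated
# ("try-start" would silently fall back to cleartext). tls_cacert names the
# CA that signed the provider certificate, and tls_reqcert=demand makes the
# outbound connection reject a provider certificate that does not verify.
chain-tls       start tls_cacert=/etc/ssl/certs/cacert.pem tls_reqcert=demand

# Identity used on the chained connection; "mode=self" asserts the original
# client's identity to the provider. Password is a placeholder, not a value.
chain-idassert-bind bindmethod=simple
                    binddn="cn=admin,dc=example,dc=com"
                    credentials="CHANGE-ME-PLACEHOLDER"
                    mode=self

# Return the provider's error to the client instead of the referral.
chain-return-error TRUE

# Warren's fallback, LDAP over SSL on port 636, would replace the lines
# above with:
#   updateref   "ldaps://provider.example.com/"
#   chain-uri   "ldaps://provider.example.com/"
#   chain-tls   ldaps tls_cacert=/etc/ssl/certs/cacert.pem tls_reqcert=demand
```

The point worth checking in a setup like Warren's is that the global TLSCACertificateFile only governs the consumer's own listener; the certificate check on the connection slapo-chain opens towards the provider is driven by the slapd-ldap parameters on chain-tls (or, failing those, by the TLS_* settings in the system ldap.conf that libldap reads), so a "TLS negotiation failure" on the chained connection is diagnosed there and in the provider's own log, not in the consumer's listener settings.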
Gavin Henry
2012-07-19 20:21:08 UTC
Thanks for that, in the end I gave up on TLS and just used SSL. Later when I
try again, it'll be after upgrading both the provider and the consumer to
Warren you wimp!!! I understand, but do go back to it as StartTLS is a
standard, LDAP over SSL isn't.

Thanks.
--
Kind Regards,

Gavin Henry.
Managing Director.

T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ***@suretecsystems.com

Open Source. Open Solutions(tm).

http://www.suretecsystems.com/

Suretec Systems is a limited company registered in Scotland. Registered
number: SC258005. Registered office: 24 Cormack Park, Rothienorman, Inverurie,
Aberdeenshire, AB51 8GL.

Subject to disclaimer at http://www.suretecgroup.com/disclaimer.html

Do you know we have our own VoIP provider called SureVoIP? See
http://www.surevoip.co.uk

Did you see our API news?
http://www.surevoip.co.uk/news-events/surevoip-launches-innovative-api
Chris Jacobs
2012-07-19 20:54:06 UTC
There are some good instances where StartTLS isn't attractive: when the LDAP servers are behind F5 BigIPs for example.
My 2 cents.

- chris

This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.
Gavin Henry
2012-07-19 21:19:42 UTC
Post by Chris Jacobs
There are some good instances where StartTLS isn't attractive: when the LDAP servers are behind F5 BigIPs for example.
My 2 cents.
Yeah, true. Depends on environment and some kit just won't do StartTLS.