TLS Settings on LDAP (Authenti.) Server - Self Signed Cert.

Wolfgang_Bleim · January 31, 2016, 9:51pm

Hi

I canÂ´t start our LDAP Server with TLS Support.

We use SLES12 SP1 and a self signed CA. (root Ca and Intermediate)

The LDAP Server is on Port 389 up and running.

I Create the certificate chain an import to the Server:

cat intermediate.cert.pem ca.cert.pem > ca-chain.cert.pem

copy the ca-chain.cert.pem to /etc/pki/trust/anchors on the Server, and with

update-ca-certificates import the ca chain.

I see boot, the root ca and the intermediate now at /etc/ssl/certs (link to /var/lib/ca-certificates/pem)

Step: I import the Server Certificate p12 (incl.FQDN - commonName)via Yast and Common Server Certificate - Yast: Certificate has been imported

Now I have at /etc/ssl/servercerts a servercert.pem and a serverkex.pem file.

Step: Config TLS Settings via Yast at the running Server

I use the intermediate ca from

/etc/ssl/certs

and the certificate and the key from

/etc/ssl/servercerts

and finish the TLS Config.

I use “Softerra LDAP Administrator” for LDAP administration. The Connect to the the Server over 389 work fine. over 636 “no server” error

the localmessagelog fom the Server:
2016-01-31T18:31:18.208617+01:00 bis-sl-sles12-01 slapd[1134]: hdb_monitor_db_open: monitoring disabled; configure monitor database to enable
2016-01-31T18:31:18.211024+01:00 bis-sl-sles12-01 slapd[1134]: slapd starting
2016-01-31T18:32:37.689479+01:00 bis-sl-sles12-01 slapd[1054]: @(#) $OpenLDAP: slapd 2.4.41 $#012#011opensuse-buildservice@opensuse.org
2016-01-31T18:32:37.874643+01:00 bis-sl-sles12-01 slapd[1120]: hdb_monitor_db_open: monitoring disabled; configure monitor database to enable
2016-01-31T18:32:37.887186+01:00 bis-sl-sles12-01 slapd[1120]: slapd starting
2016-01-31T19:50:54.471810+01:00 bis-sl-sles12-01 slapd[1120]: conn=1007 op=0 do_extended: unsupported operation “1.3.6.1.4.1.1466.20037”
2016-01-31T20:21:33.142768+01:00 bis-sl-sles12-01 slapd[1120]: daemon: shutdown requested and initiated.
2016-01-31T20:21:33.143144+01:00 bis-sl-sles12-01 slapd[1120]: slapd shutdown: waiting for 0 operations/tasks to finish
2016-01-31T20:21:33.157725+01:00 bis-sl-sles12-01 slapd[1120]: slapd stopped.
2016-01-31T20:21:33.205667+01:00 bis-sl-sles12-01 slapd[6537]: @(#) $OpenLDAP: slapd 2.4.41 $#012#011opensuse-buildservice@opensuse.org
2016-01-31T20:21:33.231214+01:00 bis-sl-sles12-01 slapd[6558]: hdb_monitor_db_open: monitoring disabled; configure monitor database to enable
2016-01-31T20:21:33.231978+01:00 bis-sl-sles12-01 slapd[6558]: slapd starting

At Yast Authentication Server Configuration
Checking LDAP connectivity to the provider failed.

“StartTLS operation failed”
“Connect error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)”

Thats right - it is a self signed certificate installed on /etc/pki/trust/anchors

Where is my fault? What is my fault?
Thanks for your replay

system · February 5, 2016, 7:30am

shorty67,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

These forums are peer-to-peer, best effort, volunteer run and that if your issue
is urgent or not getting a response, you might try one of the following options:

Visit http://www.suse.com/support and search the knowledgebase and/or check all
the other support options available.
Open a service request: https://www.suse.com/support
You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.suse.com)

Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.suse.com/faq.php

If this is a reply to a duplicate posting or otherwise posted in error, please
ignore and accept our apologies and rest assured we will issue a stern reprimand
to our posting bot…

Good luck!

Your SUSE Forums Team
http://forums.suse.com

Jens-U · February 9, 2016, 2:52pm

Hi shorty67,

[QUOTE=shorty67;31336]Hi

I canÂ´t start our LDAP Server with TLS Support.
[…]
At Yast Authentication Server Configuration
Checking LDAP connectivity to the provider failed.

“StartTLS operation failed”
“Connect error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)”

Thats right - it is a self signed certificate installed on /etc/pki/trust/anchors[/QUOTE]

the above sounds more like slapd (the LDAP server) is actually started with StartTLS support, and the (local) client doesn’t like the self-signed cert.

What TLS options have you enabled? Please note that there’s a difference between StartTLS and LDAP over SSL/TLS (“ldaps”).

Your (remote) client tried ldaps (judging from the port number), while StartTLS would work via the standard port. If nothing else, a network trace could show if the session to your remote client (via port 389) is actually TLS-encrypted. You may need to configure your client to attempted StartTLS, though.

Regards,
Jens

Topic		Replies	Views
Can't use common server certificate to configure TLS in LDAP SLES Configure-Administer	1	262	October 20, 2017
Failure to use certificate files provided during LDAP config SLES Configure-Administer	2	238	October 25, 2017
Trying to get ldap/sssd to work on SLES 12.1 SLES Configure-Administer	4	210	June 15, 2016
Configuring ldap client, need cert SLES Networking	6	232	March 5, 2015
SLE 12 Ldap Authentication to clustered LDAP Server SLES Configure-Administer	2	220	June 17, 2016

TLS Settings on LDAP (Authenti.) Server - Self Signed Cert.

Related topics