Hi,
I was trying to secure the connectivity from a client to the OpenLDAP server using TLS with PHP. Now the problem is that it can't bind with the LDAP server.
I am following the link:
http://www.linuxhomenetworking.com/w...DAP_and_RADIUS
I created the server certificate with:
Code:
openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 3650
Then I created client.pem from the certificate portion with:
Code:
grep -A 100 CERTIFICATE server.pem > client.pem
and copied it into the /etc/openldap/cacerts folder of the client machine.
In my slapd.conf file I have changed the following:
Code:
TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
TLSCACertificateFile /etc/openldap/cacerts/server.pem
TLSCertificateFile /etc/openldap/cacerts/server.pem
TLSCertificateKeyFile /etc/openldap/cacerts/server.pem
TLSVerifyClient allow
and the service also starts properly.
Now when I give this command it gives me this:
Code:
ldapsearch -H ldaps://dc.example.com -x -b 'dc=example,dc=com' '(objectclass=*)'
ldap_bind: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
But the normal connection works and gives the result:
Code:
ldapsearch -H ldap://dc.example.com -x -b 'dc=example,dc=com' '(objectclass=*)'
I also used this command, and it gives the output below:
Code:
# openssl s_client -connect dc.example.com:636 -showcerts
CONNECTED(00000003)
depth=0 /C=CA/ST=QC/L=Ontario/O=TEST/OU=TEST/CN=dc.example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=CA/ST=QC/L=Ontario/O=TEST/OU=TEST/CN=dc.example.com
verify return:1
---
Certificate chain
0 s:/C=CA/ST=QC/L=Ontario/O=TEST/OU=TEST/CN=dc.example.com
i:/C=CA/ST=QC/L=Ontario/O=TEST/OU=TEST/CN=dc.example.com
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
Server certificate
subject=/C=CA/ST=QC/L=Ontario/O=TEST/OU=TEST/CN=dc.example.com
issuer=/C=CA/ST=QC/L=Ontario/O=TEST/OU=TEST/CN=dc.example.com
---
Acceptable client certificate CA names
/C=CA/ST=QC/L=Ontario/O=TEST/OU=TEST/CN=dc.example.com
---
SSL handshake has read 1055 bytes and written 334 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: DA7F2DAA3DD25E1872D641AAA0AA66D41EA6A71C4A9CDA21D6928B2088809D63
Session-ID-ctx:
Master-Key: B972FCC838A2D579AD613B8A6CBF607C8EACF34398923B3685AFC356BB11BEF202C3252BA2DE1853C301EE871B0CC573
Key-Arg : None
Start Time: 1259436526
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
I am using this PHP code:
Code:
<?php
// Ldap bind user credentials
$LDAP_Auth_User = "cn=Manager,dc=example,dc=com";
$LDAP_Auth_PWD = "password";
// Connecting to ldap server over TLS: the URI scheme selects LDAPS.
// ldap_connect("dc.example.com", 636) speaks plaintext LDAP to port 636 and never starts TLS.
$ldapconnect = ldap_connect ("ldaps://dc.example.com") or die ("Cannot Connect to OpenLDAP Server");
// slapd refuses LDAPv2 binds by default and libldap defaults to v2, so request LDAPv3
ldap_set_option($ldapconnect, LDAP_OPT_PROTOCOL_VERSION, 3);
// Binding, and reporting libldap's own error text if it fails
$bindldap = ldap_bind($ldapconnect, $LDAP_Auth_User, $LDAP_Auth_PWD) or die ("Could not bind to LDAP Database: " . ldap_error($ldapconnect));
?>
It gives me the error:
"Could Not bind to LDAP Database"
Any idea where it's going wrong?
Thanks in advance.
Below is the Ethereal log when I try to connect to ldaps:
Code:
2.019721 192.168.139.134 -> 192.168.139.135 TCP 46181 > ldaps [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=3138808 TSER=0 WS=3
2.019803 192.168.139.135 -> 192.168.139.134 TCP ldaps > 46181 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=3184416 TSER=3138808 WS=3
2.020178 192.168.139.134 -> 192.168.139.135 TCP 46181 > ldaps [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=3138808 TSER=3184416
2.040603 192.168.139.134 -> 192.168.139.135 SSLv2 Client Hello
2.040644 192.168.139.135 -> 192.168.139.134 TCP ldaps > 46181 [ACK] Seq=1 Ack=119 Win=5792 Len=0 TSV=3184430 TSER=3138827
2.041009 192.168.139.135 -> 192.168.139.134 TLSv1 Server Hello, Certificate, Certificate Request, Server Hello Done
2.041300 192.168.139.134 -> 192.168.139.135 TCP 46181 > ldaps [ACK] Seq=119 Ack=997 Win=7832 Len=0 TSV=3138828 TSER=3184430
2.042116 192.168.139.134 -> 192.168.139.135 TLSv1 Alert (Level: Fatal, Description: Unknown CA)
2.042283 192.168.139.135 -> 192.168.139.134 TCP ldaps > 46181 [FIN, ACK] Seq=997 Ack=126 Win=5792 Len=0 TSV=3184432 TSER=3138828
2.042333 192.168.139.134 -> 192.168.139.1 SSH Encrypted response packet len=176
2.042828 192.168.139.1 -> 192.168.139.134 TCP 52045 > ssh [ACK] Seq=81 Ack=225 Win=16245 Len=0
2.047914 192.168.139.134 -> 192.168.139.1 SSH Encrypted response packet len=80
2.047919 192.168.139.134 -> 192.168.139.135 TCP 46181 > ldaps [FIN, ACK] Seq=126 Ack=998 Win=7832 Len=0 TSV=3138829 TSER=3184432
2.047987 192.168.139.135 -> 192.168.139.134 TCP ldaps > 46181 [ACK] Seq=998 Ack=127 Win=5792 Len=0 TSV=3184433 TSER=3138829
2.047920 192.168.139.134 -> 192.168.139.135 TCP 46181 > ldaps [RST, ACK] Seq=127 Ack=998 Win=7832 Len=0 TSV=3138829 TSER=3184432
2.048163 192.168.139.134 -> 192.168.139.135 TCP 46181 > ldaps [RST] Seq=127 Win=0 Len=0
2.049101 192.168.139.134 -> 192.168.139.1 SSH Encrypted response packet len=64
2.049883 192.168.139.1 -> 192.168.139.134 TCP 52045 > ssh [ACK] Seq=81 Ack=369 Win=16209 Len=0
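The "certificate verify failed" from ldapsearch and the client-sent "Unknown CA" alert in the capture say the same thing: the client has no trusted copy of the certificate that issued the server's (self-signed) certificate. The following is an added example, not the poster's code, of a PHP client that pins that certificate as its only trust anchor, demands a verifiable chain, and prints libldap's real diagnostic instead of a generic "could not bind". It assumes PHP 7.1 or later with ext/ldap (for the LDAP_OPT_X_TLS_* constants), and that the certificate-only part of server.pem was copied to the client as /etc/openldap/cacerts/ca.crt; the path, the base DN and the LDAP_BIND_PW environment variable are assumptions, not from the post.

```php
<?php
// Added example, not the poster's code: connect to OpenLDAP over LDAPS with the
// server's self-signed certificate as the only trusted CA, bind, and surface
// the real libldap error when something fails.
// Assumed (not from the post): PHP >= 7.1 with ext/ldap, and the certificate
// part of server.pem copied to the client as /etc/openldap/cacerts/ca.crt.
// The private key in server.pem must stay on the server.
declare(strict_types=1);

const LDAP_URI     = 'ldaps://dc.example.com';        // ldaps:// selects TLS; a bare host plus port 636 does not
const LDAP_CA_FILE = '/etc/openldap/cacerts/ca.crt';  // assumed path of the trust anchor on the client
const LDAP_BIND_DN = 'cn=Manager,dc=example,dc=com';
const LDAP_BASE_DN = 'dc=example,dc=com';

/**
 * Open an LDAPS connection that demands a verifiable server certificate, then bind.
 * Throws RuntimeException carrying libldap's own error text on failure.
 */
function ldap_connect_tls(string $uri, string $caFile, string $bindDn, string $password)
{
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA file not readable: $caFile");
    }
    $ldap = ldap_connect($uri);   // no socket is opened yet, so the TLS options below still apply
    if ($ldap === false) {
        throw new RuntimeException("Malformed LDAP URI: $uri");
    }
    // Trust only $caFile and abort the handshake if the server's chain does not
    // verify. LDAP_OPT_X_TLS_NEVER or LDAP_OPT_X_TLS_ALLOW would let the
    // connection proceed against a forged server.
    ldap_set_option($ldap, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    // slapd refuses LDAPv2 binds by default; libldap defaults to v2 unless told otherwise.
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    if (!@ldap_bind($ldap, $bindDn, $password)) {
        $diag = '';
        ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        // With the trust problem from the post this reads like the ldapsearch
        // output: "Can't contact LDAP server" (-1) plus a TLS verify diagnostic.
        throw new RuntimeException(sprintf(
            'LDAP bind to %s failed: %s (%d) %s',
            $uri, ldap_error($ldap), ldap_errno($ldap), $diag
        ));
    }
    return $ldap;
}

try {
    $ldap = ldap_connect_tls(LDAP_URI, LDAP_CA_FILE, LDAP_BIND_DN, getenv('LDAP_BIND_PW') ?: '');
    // Same query as the ldapsearch in the post, now over a verified channel;
    // '1.1' asks for no attributes, and the size limit keeps the test cheap.
    $res = ldap_search($ldap, LDAP_BASE_DN, '(objectclass=*)', ['1.1'], 0, 10);
    printf("bound OK, %d entries visible\n", ldap_count_entries($ldap, $res));
    ldap_unbind($ldap);
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . "\n");
    exit(1);
}
```

Two checks before running it. First, produce ca.crt with `openssl x509 -in server.pem -out ca.crt` rather than `grep -A 100 CERTIFICATE`: openssl x509 emits only the first certificate block, whereas the grep copies whatever 100 lines follow the match, which includes the private key if the key block comes after the certificate in server.pem. Second, verify the trust anchor independently of PHP with `openssl s_client -connect dc.example.com:636 -CAfile ca.crt`; it should end in "Verify return code: 0 (ok)" instead of the "18 (self signed certificate)" shown above, and `LDAPTLS_CACERT=ca.crt ldapsearch -H ldaps://...` should then succeed too. The same anchor can be made process-wide with `TLS_CACERT /etc/openldap/cacerts/ca.crt` in /etc/openldap/ldap.conf, which is what ldapsearch reads; note that `TLS_CACERTDIR` only works when the directory has been hashed with c_rehash, so simply dropping a file into /etc/openldap/cacerts is not enough.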