OpenBSD Packages and Ports: Installation and upgrading of packages and ports on OpenBSD.
OpenBSD 6.9 - Can't make OpenLDAP work in TLS
Hello folks, I have a quite unique problem here: OpenLDAP 2.4.58 won't work with TLS on OpenBSD 6.9-release amd64.
Here is my slapd.conf, on which I ran slaptest -f slapd.conf -F slapd.d, which gave me the /etc/openldap/slapd.d/cn\=config/olcDatabase={1}mdb.ldif file:

```
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/openldap.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_mdb.la
# moduleload back_ldap.la

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# MDB database definitions
#######################################################################

database mdb
maxsize 1073741824
suffix "dc=my-domain,dc=something,dc=somewhere"
rootdn "cn=Manager,dc=my-domain,dc=something,dc=somewhere"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/openldap-data
# Indices to maintain
index objectClass eq
index cn,sn,mail eq,sub
index uidNumber eq
index gidNumber eq

TLSCertificateFile /etc/openldap/certs/cert.pem
TLSCertificateKeyFile /etc/openldap/certs/privkey.pem
TLSCACertificateFile /etc/openldap/certs/chain.pem
TLSCipherSuite TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE
TLSCRLCheck none
TLSVerifyClient never
```

I obtained the certificates from certbot and they work with Apache in TLS 1.2, but not TLS 1.3, because LibreSSL lacks the OpenSSL API for TLS 1.3 until OpenBSD 7.0. Some folks on the OpenBSD bug mailing list assured me that OpenLDAP works with TLS 1.3, but I did that exact same configuration procedure on Ubuntu Server 20.04, CentOS 8, FreeBSD 12.2 and OmniOS (current LTS), and with all of them I got OpenLDAP working successfully with TLS, but not on OpenBSD.
I always get this error when I use the ldapsearch and ldapwhoami commands with the -ZZ option, but they work fine without any encryption:

```
# ldapsearch -x -h my_domain -D "cn=Manager,dc=my_domain,dc=something,dc=somewhere" -W -ZZ
ldap_start_tls: Protocol error (2)
        additional info: unsupported extended operation
```

Without the -ZZ option in the ldapsearch command, I get:

```
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
```

My /etc/openldap/certs folder and the certificate files in it have the following permissions:

```
# ls -l certs/
total 32
-rw-r--r--  1 _openldap  _openldap   692 Jun 26 01:05 README
-rw-r--r--  1 _openldap  _openldap  1631 Jun 26 01:05 cert.pem
-rw-r--r--  1 _openldap  _openldap  3749 Jun 26 01:05 chain.pem
-rw-r--r--  1 _openldap  _openldap  5380 Jun 26 01:05 fullchain.pem
-rw-------  1 _openldap  _openldap   306 Jun 26 01:05 privkey.pem
```

Last edited by BSDguy389; 27th June 2021 at 08:11 PM.
I've not closely followed the long thread in bugs@, but I doubt you'll get better support for your issue here. You were communicating with the port maintainer.
https://marc.info/?t=162458685300001&r=1&w=2
PROBLEM SOLVED!! OUHOUH!!
I took inspiration from this webpage: https://www.golinuxcloud.com/configu...-certificates/ The problem was that slaptest -f slapd.conf -F slapd.d didn't update my olcTLSCertificate entries in my database! I simply created a file named tls7.ldif with this content:

```
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/cert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/privkey.pem
-
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/chain.pem
```

Then I typed this command (after having placed slapd_flags="-u _openldap -h ldap:///\ ldaps:///\ ldapi:///" in my /etc/rc.conf.local):

```
# ldapmodify -Y EXTERNAL -H ldapi:// -f tls7.ldif
```

Now:

```
# ldapwhoami -H ldap://my_domain -D "cn=Manager,dc=my_domain,dc=something,dc=somewhere" -W -x -ZZ
Enter LDAP Password:
dn:cn=Manager,dc=my_domain,dc=something,dc=somewhere

# ldapsearch -x -h my_domain -D "cn=Manager,dc=my_domain,dc=something,dc=somewhere" -W -ZZ
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 3
result: 32 No such object

# numResponses: 1
```
I then added this line to my slapd.conf, just on top of the "# Sample access control policy:" section of the file:

```
security ssf=256
```

Then, I did:

```
# rm /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}mdb.ldif
# slaptest -f slapd.conf -F slapd.d
# chown -R _openldap:_openldap /etc/openldap/slapd.d
# chmod -R 700 /etc/openldap/slapd.d
```

And now I have TLS enforced on my OpenLDAP server! If I now try:

```
# ldapsearch -x -h my_domain -D "cn=Manager,dc=my_domain,dc=something,dc=somewhere" -W
Enter LDAP Password:
ldap_bind: Confidentiality required (13)
        additional info: confidentiality required
```

So it won't work without the -ZZ option, that is, without TLS.

Last edited by BSDguy389; 27th June 2021 at 08:29 PM.
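A small helper in the spirit of the tls7.ldif step and the ssf=256 enforcement above, added here as an example and not taken from the thread: it reads the TLS and security directives out of a slapd.conf and emits the equivalent cn=config modify LDIF (directive-to-attribute names per slapd-config(5)), so the olc* attributes can be re-applied with ldapmodify whenever the flat file changes, and it checks whether the configured ssf is high enough that cleartext binds get "Confidentiality required (13)". The sample slapd.conf, its paths and the 128-bit threshold are constructed for the example.

```python
"""Map slapd.conf TLS/security directives to cn=config attributes and
emit a 'changetype: modify' LDIF for ldapmodify -Y EXTERNAL -H ldapi://.
Added example, not from the thread; SAMPLE_CONF below is constructed."""
import re

# slapd.conf directive -> olc* attribute, as documented in slapd-config(5)
TLS_MAP = {
    "TLSCertificateFile": "olcTLSCertificateFile",
    "TLSCertificateKeyFile": "olcTLSCertificateKeyFile",
    "TLSCACertificateFile": "olcTLSCACertificateFile",
    "TLSCipherSuite": "olcTLSCipherSuite",
    "TLSCRLCheck": "olcTLSCRLCheck",
    "TLSVerifyClient": "olcTLSVerifyClient",
    "security": "olcSecurity",
}

# Constructed sample mirroring the directives used in the thread.
SAMPLE_CONF = """\
include /etc/openldap/schema/core.schema
security ssf=256
database mdb
suffix "dc=example,dc=test"
TLSCertificateFile /etc/openldap/certs/cert.pem
TLSCertificateKeyFile /etc/openldap/certs/privkey.pem
TLSCACertificateFile /etc/openldap/certs/chain.pem
TLSCipherSuite TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE
TLSVerifyClient never
"""

def parse_global_directives(text):
    """Return {directive: value} for mapped directives only, skipping
    comments and blank lines; a later occurrence overrides an earlier one."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in TLS_MAP:
            found[parts[0]] = parts[1].strip()
    return found

def build_modify_ldif(directives):
    """One cn=config modify entry, one 'replace' clause per directive,
    clauses separated by the '-' line that ldapmodify(1) expects."""
    clauses = [f"replace: {TLS_MAP[k]}\n{TLS_MAP[k]}: {v}"
               for k, v in directives.items()]
    return "dn: cn=config\nchangetype: modify\n" + "\n-\n".join(clauses) + "\n"

def check_ssf(directives, minimum=128):
    """True when 'security ssf=N' is set with N >= minimum, i.e. slapd will
    refuse operations on a cleartext session (Confidentiality required)."""
    m = re.search(r"\bssf=(\d+)", directives.get("security", ""))
    return bool(m) and int(m.group(1)) >= minimum

if __name__ == "__main__":
    print(build_modify_ldif(parse_global_directives(SAMPLE_CONF)), end="")
```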