DaemonForums - OpenBSD Packages and Ports

OpenBSD 6.9 - Can't make OpenLDAP work in TLS

#1 - BSDguy389 (New User, 7 posts), 27th June 2021

Hello folks, I have quite a unique problem here: OpenLDAP 2.4.58 won't work with TLS on OpenBSD 6.9-release amd64.

Here is my slapd.conf, on which I ran slaptest -f slapd.conf -F slapd.d, which gave me the /etc/openldap/slapd.d/cn\=config/olcDatabase={1}mdb.ldif file:

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/openldap.schema


# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_mdb.la
# moduleload back_ldap.la

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# MDB database definitions
#######################################################################

database mdb
maxsize 1073741824
suffix "dc=my-domain,dc=something,dc=somewhere"
rootdn "cn=Manager,dc=my-domain,dc=something,dc=somewhere"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/openldap-data
# Indices to maintain
index objectClass eq
index cn,sn,mail eq,sub
index uidNumber eq
index gidNumber eq

TLSCertificateFile /etc/openldap/certs/cert.pem
TLSCertificateKeyFile /etc/openldap/certs/privkey.pem
TLSCACertificateFile /etc/openldap/certs/chain.pem
TLSCipherSuite TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE
TLSCRLCheck none
TLSVerifyClient never

I obtained the certificates from certbot and they work with Apache in TLS 1.2, but not TLS 1.3 because LibreSSL lacks the OpenSSL API for TLS 1.3 until OpenBSD 7.0. Some folks on the OpenBSD bug mailing list assured me that OpenLDAP works with TLS 1.3, but I did that exact same configuration procedure on Ubuntu Server 20.04, CentOS 8, FreeBSD 12.2, OmniOS (current LTS) and with all of them, I get OpenLDAP working successfully with TLS, but not on OpenBSD.

I always get this error when I use the ldapsearch and ldapwhoami commands with the -ZZ option, but they work fine without any encryption:

# ldapsearch -x -h my_domain -D "cn=Manager,dc=my_domain,dc=something,dc=somewhere" -W -ZZ
ldap_start_tls: Protocol error (2)
additional info: unsupported extended operation

Without the -ZZ option in the ldapsearch command, I get:

# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

My /etc/openldap/certs folder and the certificate files in it have the following permissions:

# ls -l certs/
total 32
-rw-r--r-- 1 _openldap _openldap 692 Jun 26 01:05 README
-rw-r--r-- 1 _openldap _openldap 1631 Jun 26 01:05 cert.pem
-rw-r--r-- 1 _openldap _openldap 3749 Jun 26 01:05 chain.pem
-rw-r--r-- 1 _openldap _openldap 5380 Jun 26 01:05 fullchain.pem
-rw------- 1 _openldap _openldap 306 Jun 26 01:05 privkey.pem

#2 - jggimi (More noise than signal, 7,984 posts), 27th June 2021

I've not closely followed the long thread in bugs@, but I doubt you'll get better support for your issue here. You were communicating with the port maintainer.

https://marc.info/?t=162458685300001&r=1&w=2
#3 - BSDguy389 (New User, 7 posts), 27th June 2021

PROBLEM SOLVED!! OUHOUH!! 🤩

I took my inspiration from this webpage. The problem was that slaptest -f slapd.conf -F slapd.d didn't update my olcTLS* entries in my database!

https://www.golinuxcloud.com/configu...-certificates/

I simply created a file named tls7.ldif in which I put this content :

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/cert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/privkey.pem
-
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/chain.pem

Then I ran this command (after placing slapd_flags="-u _openldap -h ldap:///\ ldaps:///\ ldapi:///" in my /etc/rc.conf.local):

# ldapmodify -Y EXTERNAL -H ldapi:// -f tls7.ldif

Now:

# ldapwhoami -H ldap://my_domain -D "cn=Manager,dc=my_domain,dc=something,dc=somewhere" -W -x -ZZ
Enter LDAP Password:
dn:cn=Manager,dc=my_domain,dc=something,dc=somewhere

# ldapsearch -x -h my_domain -D "cn=Manager,dc=my_domain,dc=something,dc=somewhere" -W -ZZ

Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 3
result: 32 No such object

# numResponses: 1
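The fix in post #3 rests on two facts: slapd advertises the StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037) in the root DSE only once cn=config carries the olcTLS* attributes, and ldapmodify over ldapi:// with SASL EXTERNAL is the way to put them there when the slapd.conf conversion did not. The Python below is an added example written for this page, not code from the thread or from OpenLDAP. It runs offline on text you capture yourself (the root DSE from `ldapsearch -x -H ldap://host -s base -b '' supportedExtension`, the cn=config entry from slapd.d/cn=config.ldif or `slapcat -n 0`, and slapd.conf) and builds the same kind of modify LDIF as the poster's tls7.ldif; every sample input in it is constructed to mirror the thread. One placement check worth making while you are in slapd.conf: slapd.conf(5) lists the TLS* directives among the global options, and in the configuration posted in #1 they sit after the `database mdb` line.

```python
"""Offline checks for the StartTLS failure in this thread (added example).
Works on ldapsearch(1) output, slapd.d/cn=config.ldif (or `slapcat -n 0`)
and slapd.conf; it never talks to a live slapd."""

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # StartTLS extended operation

# slapd.conf directive -> cn=config attribute, per slapd-config(5)
TLS_DIRECTIVES = {
    "tlscertificatefile": "olcTLSCertificateFile",
    "tlscertificatekeyfile": "olcTLSCertificateKeyFile",
    "tlscacertificatefile": "olcTLSCACertificateFile",
    "tlsciphersuite": "olcTLSCipherSuite",
    "tlscrlcheck": "olcTLSCRLCheck",
    "tlsverifyclient": "olcTLSVerifyClient",
}


def ldif_attrs(ldif_text, dn):
    """(attr, value) pairs of the entry with the given DN in LDIF text.
    Skips '#' comments and joins ldif(5) folded lines (leading space)."""
    pairs, in_entry = [], False
    for line in ldif_text.splitlines():
        if line.startswith("#"):
            continue
        if line.startswith(" ") and in_entry and pairs:
            attr, value = pairs[-1]
            pairs[-1] = (attr, value + line[1:])
            continue
        attr, sep, value = line.partition(":")
        if not sep:                      # blank line: the entry is over
            in_entry = False
            continue
        attr, value = attr.strip(), value.strip()
        if attr.lower() == "dn":
            in_entry = value.lower() == dn.lower()
        elif in_entry:
            pairs.append((attr, value))
    return pairs


def root_dse_supports_starttls(ldapsearch_output):
    """True if the root DSE lists StartTLS under supportedExtension;
    'unsupported extended operation' on -ZZ means it does not."""
    return any(a.lower() == "supportedextension" and v == STARTTLS_OID
               for a, v in ldif_attrs(ldapsearch_output, ""))


def cn_config_tls_attrs(ldif_text):
    """{olcTLS* attribute: value} actually carried by the cn=config entry."""
    return {a: v for a, v in ldif_attrs(ldif_text, "cn=config")
            if a.lower().startswith("olctls")}


def parse_slapd_conf_tls(conf_text):
    """TLS* directives of slapd.conf, keyed by their cn=config attribute name."""
    opts = {}
    for raw in conf_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) == 2 and TLS_DIRECTIVES.get(parts[0].lower()):
            opts[TLS_DIRECTIVES[parts[0].lower()]] = parts[1].strip().strip('"')
    return opts


def tls_modify_ldif(tls_opts):
    """LDIF for `ldapmodify -Y EXTERNAL -H ldapi:// -f <file>`: one
    `replace:` per attribute, separated by '-' lines as ldif(5) requires."""
    changes = ["replace: %s\n%s: %s" % (a, a, v) for a, v in tls_opts.items()]
    return "dn: cn=config\nchangetype: modify\n" + "\n-\n".join(changes) + "\n"


# Constructed samples mirroring the thread (not captured from a real host).
ROOT_DSE_NO_TLS = """# extended LDIF
dn:
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3

search: 2
"""
ROOT_DSE_WITH_TLS = ROOT_DSE_NO_TLS.replace(
    "\n\nsearch", "\nsupportedExtension: " + STARTTLS_OID + "\n\nsearch")
CN_CONFIG_NO_TLS = """dn: cn=config
objectClass: olcGlobal
cn: config

dn: cn=schema,cn=config
cn: schema
"""
CN_CONFIG_WITH_TLS = CN_CONFIG_NO_TLS.replace("\n\ndn: cn=schema", """
olcTLSCertificateFile: /etc/openldap/certs/cert.pem
olcTLSCertificateKeyFile: /etc/openldap/certs/privkey.pem
olcTLSCACertificateFile: /etc/openldap/certs/chain.pem
olcTLSCipherSuite: TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DH
 E

dn: cn=schema""")
SLAPD_CONF = """TLSCertificateFile /etc/openldap/certs/cert.pem
TLSCertificateKeyFile /etc/openldap/certs/privkey.pem
TLSCACertificateFile /etc/openldap/certs/chain.pem
TLSCipherSuite TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE
"""

if __name__ == "__main__":
    print("StartTLS advertised:", root_dse_supports_starttls(ROOT_DSE_NO_TLS))
    print("olcTLS* in cn=config:", cn_config_tls_attrs(CN_CONFIG_NO_TLS))
    print(tls_modify_ldif(parse_slapd_conf_tls(SLAPD_CONF)))
```

Run the root DSE check first: if StartTLS is not advertised, look at what cn_config_tls_attrs() returns for your real cn=config.ldif before touching certificates or cipher settings, because a missing olcTLS* attribute produces exactly the "unsupported extended operation" error from post #1.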
#4 - BSDguy389 (New User, 7 posts), 27th June 2021

I then added this line to my slapd.conf:

security ssf=256

just above this section of the file:

# Sample access control policy:

Then I did:
# rm /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}mdb.ldif
# slaptest -f slapd.conf -F slapd.d
# chown -R _openldap:_openldap /etc/openldap/slapd.d
# chmod -R 700 /etc/openldap/slapd.d

And now, I have TLS enforced with my OpenLDAP server!

If I now try:

# ldapsearch -x -h my_domain -D "cn=Manager,dc=my_domain,dc=something,dc=somewhere" -W
Enter LDAP Password:
ldap_bind: Confidentiality required (13)
additional info: confidentiality required

So it won't work without the -ZZ option, that is, without TLS.

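`security ssf=256` in post #4 works because slapd compares every operation against the security strength factor (SSF) of the session it arrives on. The Python below is an added model of that decision written for this page, not code from OpenLDAP; it follows the semantics documented in slapd.conf(5) (session SSF is the largest of the transport, TLS and SASL SSF; the TLS SSF is the negotiated cipher's key size in bits; ldapi:// sessions get localSSF, default 71; StartTLS itself is not subject to the check, otherwise a plaintext session could never upgrade) and leaves out the transport, sasl and update_tls keys and SASL binds. The four sessions in its table are constructed. Two things it makes visible, both worth confirming on your own host: a client that negotiates an AES-128-GCM suite from the posted TLSCipherSuite only reaches SSF 128 and is refused by ssf=256, and a global ssf=256 also applies to the ldapi:// session used for `ldapmodify -Y EXTERNAL` in post #3 unless localSSF is raised.

```python
"""Model of slapd's `security` check (added example; see slapd.conf(5)).
Only the ssf, tls, simple_bind and update_ssf factors are modelled."""

UPDATE_OPS = {"add", "modify", "modrdn", "delete"}

# Constructed sessions: name -> SSF components (everything absent is 0)
SESSIONS = {
    "ldap:// plaintext": {},
    "ldapi:// (localSSF 71)": {"transport_ssf": 71},
    "ldap:// + StartTLS, AES-128-GCM": {"tls_ssf": 128},
    "ldap:// + StartTLS, AES-256-GCM": {"tls_ssf": 256},
}


def parse_security(directive):
    """'security ssf=256 simple_bind=128' -> {'ssf': 256, 'simple_bind': 128}."""
    words = directive.split()
    if words and words[0].lower() == "security":
        words = words[1:]
    policy = {}
    for word in words:
        key, sep, value = word.partition("=")
        if not sep or not value.isdigit():
            raise ValueError("bad security factor: %r" % word)
        policy[key.lower()] = int(value)
    return policy


def check_operation(policy, op, transport_ssf=0, tls_ssf=0, sasl_ssf=0):
    """(allowed, reason) for one operation on one session. op is 'starttls',
    'simple_bind', 'search' or a member of UPDATE_OPS."""
    if op == "starttls":              # exempt: this is how a session gains SSF
        return True, "ok"
    ssf = max(transport_ssf, tls_ssf, sasl_ssf)
    if ssf < policy.get("ssf", 0):
        return False, "confidentiality required (session SSF %d < ssf=%d)" % (
            ssf, policy["ssf"])
    if tls_ssf < policy.get("tls", 0):
        return False, "TLS confidentiality required (TLS SSF %d < tls=%d)" % (
            tls_ssf, policy["tls"])
    if op == "simple_bind" and ssf < policy.get("simple_bind", 0):
        return False, "confidentiality required for simple bind"
    if op in UPDATE_OPS and ssf < policy.get("update_ssf", 0):
        return False, "confidentiality required for update"
    return True, "ok"


def evaluate(directive, op):
    """Session name -> allowed, for every constructed session under one policy."""
    policy = parse_security(directive)
    return {name: check_operation(policy, op, **ssfs)[0]
            for name, ssfs in SESSIONS.items()}


if __name__ == "__main__":
    for line in ("security ssf=256",
                 "security simple_bind=128 update_ssf=128"):
        print(line)
        for op in ("simple_bind", "search", "modify"):
            for name, ok in evaluate(line, op).items():
                print("  %-12s %-34s %s" % (op, name, "allowed" if ok else "refused"))
```

The second policy line in the demo (`simple_bind=128 update_ssf=128`) is the usual alternative when the ldapi:// admin path must keep working for reads: simple binds and updates still need a TLS session of at least 128 bits, while a local SASL EXTERNAL search is not refused. Whichever form you pick, the check is only as strong as the cipher suites you allow, so keep the TLSCipherSuite line and the security line in agreement.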
#5 - jggimi (More noise than signal, 7,984 posts), 28th June 2021

I'm glad you discovered the cause and the solution! Also, hello and welcome! (Sorry, I missed that in my first reply.)