John A. Sullivan III
2009-Jan-29 18:32 UTC
[Fedora-directory-users] [OT?] tls_checkpeer yes problems
Hello, all. This may be a bit off-topic as it is primarily an ldap client issue but I am having a bear of a time getting my test centos clients to access fds. The problem is tls_checkpeer. I do want it set to yes but this breaks access. It is as if the directory server's cert cannot be validated against the CA cert. Here are the pertinent settings from my centos client ldap.conf (as you can see, I've tried many combinations):

uri ldap://ldap.mycompany.com/
#host ldap.mycompany.com
#ssl on
ssl start_tls
#tls_cacertdir /etc/pki/tls/certs
tls_cacertfile /etc/pki/tls/certs/SSICA.pem
pam_password md5
tls_checkpeer yes
tls_ciphers TLSv1

An strace shows that the SSICA.pem file is opened. Apparently, this is a problem in Ubuntu because of a change to gnutls. However, I can confirm the combination of uri ldap://, ssl start_tls, and tls_certfile rather than tls_certdir works on Ubuntu. My problem is redhat style systems.

Our test bed is CentOS 5.2. Does anyone have this working on newer redhat based systems? If so, with what configuration? Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
Thorsten Scherf
2009-Feb-05 15:12 UTC
[Fedora-directory-users] Re: tls_checkpeer yes problems
On [Thu, 29.01.2009 13:32], John A. Sullivan III wrote:
>Hello, all. This may be a bit off-topic as it is primarily an ldap
>client issue but I am having a bear of a time getting my test centos
>clients to access fds. The problem is tls_checkpeer. I do want it set
>to yes but this breaks access. It is as if the directory server's cert
>cannot be validated against the CA cert. Here are the pertinent
>settings from my centos client ldap.conf (as you can see, I've tried
>many combinations):
>
>uri ldap://ldap.mycompany.com/
>#host ldap.mycompany.com
>#ssl on
>ssl start_tls
>#tls_cacertdir /etc/pki/tls/certs
>tls_cacertfile /etc/pki/tls/certs/SSICA.pem
>pam_password md5
>tls_checkpeer yes
>tls_ciphers TLSv1
>
>An strace shows that the SSICA.pem file is opened. Apparently, this is
>a problem in Ubuntu because of a change to gnutls. However, I can
>confirm the combination of uri ldap://, ssl start_tls, and tls_certfile
>rather than tls_certdir works on Ubuntu. My problem is redhat style
>systems.
>
>Our test bed is CentOS 5.2. Does anyone have this working on newer
>redhat based systems? If so, with what configuration? Thanks - John

gnutls has a bug in some Ubuntu versions. This prevents correct certificate validation. See here:

https://bugs.launchpad.net/ubuntu/+source/gnutls12/+bug/305264

How did you test access to FDS on Red Hat systems? If you use OpenLDAP commandline tools like ldapsearch to get access to FDS, you have to run cacertdir_rehash on the directory where the CA cert is stored. What is the output from:

# openssl s_client -connect your_host_fqdn:443

(make sure you have the cacert available in ca-bundle.crt)

Happy Day.
Thorsten
--
"Eternity is a very long time, especially towards the end." — Stephen Hawking
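The cacertdir_rehash point above is the usual trap with tls_cacertdir: OpenSSL looks up CA certificates in a directory by hashed filename (NNNNNNNN.N), so a PEM file simply copied into the directory is ignored and peer verification fails even though the file is there. The following is an added example written for this thread, not code from the thread, from nss_ldap/pam_ldap, or from Fedora Directory Server. It parses an nss_ldap-style ldap.conf and reports whether server certificate validation is actually in force; the function names and the sample configurations are constructed for illustration, and the directive semantics assumed are the ones visible in the posted config (ssl start_tls or ssl on, tls_checkpeer yes, tls_cacertfile, tls_cacertdir).

```python
"""Audit the TLS settings in an nss_ldap/pam_ldap style ldap.conf.

Hypothetical helper written for this thread; it is not part of nss_ldap,
pam_ldap or Fedora Directory Server. It assumes the directive names and
values seen in the posted configuration (ssl start_tls / ssl on,
tls_checkpeer yes, tls_cacertfile, tls_cacertdir).
"""
import os
import re
from typing import Dict, Iterable, List, Optional

# OpenSSL's by-directory CA lookup wants files named <8 hex digits>.<n>,
# which is what cacertdir_rehash / c_rehash create as symlinks.
HASHED_LINK = re.compile(r"^[0-9a-f]{8}\.[0-9]+$")


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Map directive -> value (last one wins); comments and blank lines are skipped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) == 2 else ""
    return settings


def list_cacertdir(path: str) -> List[str]:
    """Directory listing for a tls_cacertdir; empty if the directory is missing."""
    try:
        return os.listdir(path)
    except OSError:
        return []


def audit_ldap_conf(text: str, cacertdir_listing: Optional[Iterable[str]] = None) -> List[str]:
    """Return findings about peer verification; an empty list means nothing to flag.

    cacertdir_listing lets a caller supply the directory contents (used here so
    the example runs offline); otherwise the real directory is read.
    """
    s = parse_ldap_conf(text)
    findings: List[str] = []

    ssl_mode = s.get("ssl", "no").lower()
    uses_tls = ssl_mode in ("on", "start_tls") or s.get("uri", "").startswith("ldaps://")
    if not uses_tls:
        return ["no TLS configured: binds and directory data travel in the clear"]

    if s.get("tls_checkpeer", "no").lower() != "yes":
        findings.append("tls_checkpeer is not 'yes': the server certificate is never validated")

    cafile, cadir = s.get("tls_cacertfile"), s.get("tls_cacertdir")
    if not cafile and not cadir:
        findings.append("no tls_cacertfile or tls_cacertdir: there is no trust anchor to validate against")

    if cadir:
        names = list(cacertdir_listing) if cacertdir_listing is not None else list_cacertdir(cadir)
        if not any(HASHED_LINK.match(n) for n in names):
            findings.append(
                f"tls_cacertdir {cadir} contains no hashed links (NNNNNNNN.N); "
                "run cacertdir_rehash on it or switch to tls_cacertfile"
            )
    return findings


# Constructed sample configurations (modelled on the one posted in the thread).
POSTED_CONF = """\
uri ldap://ldap.mycompany.com/
ssl start_tls
#tls_cacertdir /etc/pki/tls/certs
tls_cacertfile /etc/pki/tls/certs/SSICA.pem
pam_password md5
tls_checkpeer yes
tls_ciphers TLSv1
"""

WEAK_CONF = POSTED_CONF.replace("tls_checkpeer yes", "tls_checkpeer no")

DIR_CONF = POSTED_CONF.replace(
    "tls_cacertfile /etc/pki/tls/certs/SSICA.pem", "tls_cacertdir /etc/pki/tls/certs"
)

if __name__ == "__main__":
    for label, conf, listing in [
        ("posted", POSTED_CONF, None),
        ("tls_checkpeer no", WEAK_CONF, None),
        ("cacertdir, not rehashed", DIR_CONF, ["SSICA.pem"]),
        ("cacertdir, rehashed", DIR_CONF, ["SSICA.pem", "a1b2c3d4.0"]),
    ]:
        print(label, "->", audit_ldap_conf(conf, listing) or "OK")
```

The tls_cacertfile form used in the posted config sidesteps the rehash problem entirely, which is why the audit passes it unchanged; the same config switched to tls_cacertdir is flagged until the directory contains the hashed links.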
John A. Sullivan III
2009-Feb-05 17:09 UTC
Re: [Fedora-directory-users] Re: tls_checkpeer yes problems
On Thu, 2009-02-05 at 16:12 +0100, Thorsten Scherf wrote:
> On [Thu, 29.01.2009 13:32], John A. Sullivan III wrote:
> >Hello, all. This may be a bit off-topic as it is primarily an ldap
> >client issue but I am having a bear of a time getting my test centos
> >clients to access fds. The problem is tls_checkpeer. I do want it set
> >to yes but this breaks access. It is as if the directory server's cert
> >cannot be validated against the CA cert. Here are the pertinent
> >settings from my centos client ldap.conf (as you can see, I've tried
> >many combinations):
> >
> >uri ldap://ldap.mycompany.com/
> >#host ldap.mycompany.com
> >#ssl on
> >ssl start_tls
> >#tls_cacertdir /etc/pki/tls/certs
> >tls_cacertfile /etc/pki/tls/certs/SSICA.pem
> >pam_password md5
> >tls_checkpeer yes
> >tls_ciphers TLSv1
> >
> >An strace shows that the SSICA.pem file is opened. Apparently, this is
> >a problem in Ubuntu because of a change to gnutls. However, I can
> >confirm the combination of uri ldap://, ssl start_tls, and tls_certfile
> >rather than tls_certdir works on Ubuntu. My problem is redhat style
> >systems.
> >
> >Our test bed is CentOS 5.2. Does anyone have this working on newer
> >redhat based systems? If so, with what configuration? Thanks - John
>
> gnutls has a bug in some Ubuntu versions. This prevents correct
> certificate validation. See here:
>
> https://bugs.launchpad.net/ubuntu/+source/gnutls12/+bug/305264
>
> How did you test access to FDS on Red Hat systems? If you use OpenLDAP
> commandline tools like ldapsearch to get access to FDS, you have to run
> cacertdir_rehash on the directory where the CA cert is stored. What is
> the output from:
>
> # openssl s_client -connect your_host_fqdn:443
>
> (make sure you have the cacert available in ca-bundle.crt)
>
> Happy Day.
> Thorsten
<snip>

Bizarre! It works now! I had been trying actual logins to test. I flushed nscd countless times. For hours, I could not get it to work.

Now that I've let it sit for a couple of days, I set tls_checkpeer to yes and LDAP users can login fine. I did use openssl s_client as you suggested. I added -verify to force CA validation and changed the port to 636. If I did not supply -CAfile, it worked and said the CA was self-signed (true) and if I did supply -CAfile, it worked as well. Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society