Hi all!
I'm very close to having a fully functional Samba and OpenLDAP setup, thanks to
idealx.org. I just need to understand how it works. Everything works except one
thing: when I change TLSVerifyClient allow to TLSVerifyClient demand in
slapd.conf and run:
ldapsearch -x -ZZ -b 'dc=yourdomain,dc=com' '(objectclass=*)' -d 127
in the end I get:
ldap_chkResponseList for msgid=2, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 2
wait4msg continue, msgid 2, all 1
** Connections:
* host: s2.dbb.su.se port: 389 (default)
refcnt: 2 status: Connected
last used: Mon Mar 7 10:09:15 2005
** Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
** Response Queue:
Empty
ldap_chkResponseList for msgid=2, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 2, all 1
ber_get_next
tls_read: want=5, got=0
ldap_read: want=8 error=Success
ber_get_next failed.
ldap_perror
ldap_bind: Can't contact LDAP server (81)
Here's my slapd.conf
# slapd.conf as posted: schema, TLS, backend and ACL sections for the
# "dc=dbb,dc=su,dc=se" suffix. Comments added for review; directives unchanged.
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/samba.schema
# Schema check allows for forcing entries to
# match schemas for their objectClasses's
schemacheck on
# Server certificate/key and the CA used both to anchor the server cert and to
# verify client certificates (TLSVerifyClient below).
TLSCertificateFile /etc/ldap/s2.pem
TLSCertificateKeyFile /etc/ldap/s2.key
TLSCACertificateFile /etc/ldap/ca.pem
# OpenSSL cipher-list syntax: "+SSLv3" moves the SSLv3 ciphers to the end of the
# preference list rather than excluding them.
TLSCipherSuite HIGH:MEDIUM:+SSLv3
# "demand": slapd rejects any TLS session in which the client presents no
# certificate, or one that does not verify against TLSCACertificateFile.
# Every client that talks TLS to this server (ldapsearch, nss_ldap/pam_ldap,
# Samba, smbldap-tools) therefore has to present its own client certificate;
# a client that sends none sees the handshake drop ("Can't contact LDAP server").
TLSVerifyClient demand
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd.args
# 256 = stats: log connections, operations and results.
loglevel 256
modulepath /usr/lib/ldap
moduleload back_bdb
backend bdb
database bdb
directory /var/lib/ldap
suffix "dc=dbb,dc=su,dc=se"
rootdn "cn=admin,dc=dbb,dc=su,dc=se"
index objectClass,uidNumber,gidNumber eq
index cn,sn,uid,displayName pres,sub,eq
index memberUid,mail,givenname eq,subinitial
# Hash value redacted in the posting.
rootpw {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# ACLs: first matching "access to" wins, so the password attributes are
# restricted here before the broader rules below can reach them.
# users can authenticate and change their password
# NOTE: this and the other "access to" lines were wrapped by the mailer; in the
# real file the attrs= part must follow "access to" on the same line or on an
# indented continuation line.
access to
attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
by dn="cn=samba,ou=DSA,dc=dbb,dc=su,dc=se" write
by dn="cn=smbldap-tools,ou=DSA,dc=dbb,dc=su,dc=se" write
by dn="cn=nssldap,ou=DSA,dc=dbb,dc=su,dc=se" write
by self write
# "auth" lets anonymous clients use the attribute in a bind without reading it.
by anonymous auth
by * none
# some attributes need to be readable anonymously so that 'id user' can answer
# correctly
access to
attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid,loginShell
by dn="cn=samba,ou=DSA,dc=dbb,dc=su,dc=se" write
by dn="cn=smbldap-tools,ou=DSA,dc=dbb,dc=su,dc=se" write
by * read
# some attributes can be writable by users themselves
# (no "by *" clause: everyone else falls through to the implicit "none")
access to attrs=description,telephoneNumber
by dn="cn=samba,ou=DSA,dc=dbb,dc=su,dc=se" write
by dn="cn=smbldap-tools,ou=DSA,dc=dbb,dc=su,dc=se" write
by self write
# some attributes need to be writable for samba
# NOTE: the attrs= line below was cut off in the posting ("sambaPwdC$");
# the rest of the attribute list is not visible here.
access to
attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdC$
by dn="cn=samba,ou=DSA,dc=dbb,dc=su,dc=se" write
by dn="cn=smbldap-tools,ou=DSA,dc=dbb,dc=su,dc=se" write
by self read
by * none
# samba need to be able to create the samba domain account
access to dn.base="dc=dbb,dc=su,dc=se"
by dn="cn=samba,ou=DSA,dc=dbb,dc=su,dc=se" write
by dn="cn=smbldap-tools,ou=DSA,dc=dbb,dc=su,dc=se" write
by * none
# samba need to be able to create new users account
access to dn="ou=Users,dc=dbb,dc=su,dc=se"
by dn="cn=samba,ou=DSA,dc=dbb,dc=su,dc=se" write
by dn="cn=smbldap-tools,ou=DSA,dc=dbb,dc=su,dc=se" write
by * none
# samba need to be able to create new groups account
access to dn="ou=Groups,dc=dbb,dc=su,dc=se"
by dn="cn=samba,ou=DSA,dc=dbb,dc=su,dc=se" write
by dn="cn=smbldap-tools,ou=DSA,dc=dbb,dc=su,dc=se" write
by * none
# this can be omitted but we leave it: there could be other branch
# in the directory
access to *
by self read
by * none
Here's my ldap.conf
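# ldap.conf as posted: nss_ldap/pam_ldap options (lowercase keys) mixed with
# OpenLDAP client-library options (uppercase keys); both read this file.
HOST s2.dbb.su.se
BASE dc=dbb,dc=su,dc=se
# DN nss_ldap binds as for privileged lookups (its password lives in nss_ldap's
# secret file, not here). The posting had "sc=su" in this DN, which is not an
# RDN of the suffix "dc=dbb,dc=su,dc=se" used everywhere else; fixed to "dc=su".
rootbinddn cn=nssldap,ou=DSA,dc=dbb,dc=su,dc=se
nss_base_passwd dc=dbb,dc=su,dc=se?sub
nss_base_shadow dc=dbb,dc=su,dc=se?sub
nss_base_group ou=Groups,dc=dbb,dc=su,dc=se?one
pam_password md5
# Verify the server certificate against the CA file below; start_tls upgrades
# the plain port-389 connection rather than using ldaps.
tls_checkpeer yes
TLS_CACERT /etc/ldap/ca.pem
TLS_REQCERT demand
ssl start_tls
# Client certificate/key presented to a server running TLSVerifyClient demand.
# NOTE(review): tls_cert/tls_key are nss_ldap/pam_ldap options only. The
# OpenLDAP client library (ldapsearch) does not read them, and per ldap.conf(5)
# honours TLS_CERT/TLS_KEY only from a user's ~/.ldaprc — so ldapsearch sends
# no certificate and the handshake is dropped under "demand". Confirm by
# retrying with a ~/.ldaprc that sets TLS_CERT/TLS_KEY.
# NOTE(review): nss_ldap runs inside every process doing name lookups, so this
# key file has to be readable by those processes; check its permissions and
# consider what that exposes before making it world-readable.
tls_cert /etc/nss/nssldap.pem
tls_key /etc/nss/nssldap.key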
I cannot log in, through ssh or otherwise, when TLSVerifyClient is set to demand
or try. Please enlighten me here.
Thanks
Peter
Peter Nyberg
Institutionen för Biokemi och Biofysik (DBB)
Sv.Arrhenius vägen 12
106 91 Stockholm
Tel: 08-16 24 69
Mobil: 070 339 24 69
Fax 08 153679