# openldap tls



## gullio (Mar 20, 2011)

Hi all,

I'm trying to configure an LDAP server to authenticate logins and other services like ssh, mail etc. on FreeBSD 8.2. I have followed the guide here: http://www.freebsd.org/doc/en_US.ISO8859-1/articles/ldap-auth/ldap.html and I have encountered a problem: issuing `ldapsearch -Z` returns


```
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error:  Miscellaneous failure (see text) (unknown mech-code 2 for mech unknown)
```

Here are the configurations:

slapd.conf


```
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Load dynamic backend modules:
modulepath      /usr/local/libexec/openldap
moduleload      back_bdb
# moduleload    back_hdb
# moduleload    back_ldap

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
security ssf=128
TLSCertificateFile /cert/cert.crt
TLSCertificateKeyFile /cert/cert.key
TLSCACertificateFile /cert/cacert.crt

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write

#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=manager,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/db/openldap-data
# Indices to maintain
index   objectClass     eq
```

ldap.conf

```
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never


BASE    dc=example,dc=com
URI     ldap://server.example.com
ssl start_tls
tls_cacert /cert/cacert.crt
```

Any suggestions?


----------



## olav (Mar 20, 2011)

try to add this after tls_cacert

```
TLS_REQCERT     never
```


----------



## mamalos (Mar 20, 2011)

Plus, make sure your certificates are valid, and readable by your ldap user.


----------



## DutchDaemon (Mar 20, 2011)

gullio, read your sign-up email about proper formatting of posts, thanks.


----------



## gullio (Mar 21, 2011)

Sorry dutchdaemon, I hadn't noticed that. Nevertheless, I tried olav's suggestion but it didn't work.

Here are the error and debug log for `ldapsearch -Z`:


```
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error:  Miscellaneous failure (see text) (unknown mech-code 2 for mech unknown)
```

and finally:


```
Mar 20 22:31:09 server slapd[34380]: conn=1003 fd=11 ACCEPT from IP=172.16.182.147:34663 (IP=0.0.0.0:389)
Mar 20 22:31:09 server slapd[34380]: conn=1003 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Mar 20 22:31:09 server slapd[34380]: conn=1003 op=0 STARTTLS
Mar 20 22:31:09 server slapd[34380]: conn=1003 op=0 RESULT oid= err=0 text=
Mar 20 22:31:09 server slapd[34380]: conn=1003 fd=11 TLS established tls_ssf=256 ssf=256
Mar 20 22:31:09 server slapd[34380]: conn=1003 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Mar 20 22:31:09 server slapd[34380]: conn=1003 op=1 SRCH attr=supportedSASLMechanisms
Mar 20 22:31:09 server slapd[34380]: conn=1003 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar 20 22:31:09 server slapd[34380]: conn=1003 fd=11 closed (connection lost)
```

Any other suggestions?
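Added example, not code from this thread or from OpenLDAP: a small analyser over constructed log lines modelled on the slapd output quoted above and in the Nov 28 post, classifying each connection as no-bind, cleartext-simple-bind or protected-bind. It separates transport strength (the tls_ssf on the "TLS established" line) from the SASL-layer ssf=0 printed on a BIND line, and isolates the pattern of the first log: STARTTLS succeeded, the client read supportedSASLMechanisms and dropped before any bind, which points at the client's SASL step (ldapsearch attempts a SASL bind unless simple authentication is requested with -x) rather than at TLS.

```python
import re

# Constructed sample modelled on the slapd log lines quoted in this thread (example DNs/addresses).
SAMPLE_LOG = """\
Mar 20 22:31:09 server slapd[34380]: conn=1003 fd=11 ACCEPT from IP=172.16.182.147:34663 (IP=0.0.0.0:389)
Mar 20 22:31:09 server slapd[34380]: conn=1003 op=0 STARTTLS
Mar 20 22:31:09 server slapd[34380]: conn=1003 fd=11 TLS established tls_ssf=256 ssf=256
Mar 20 22:31:09 server slapd[34380]: conn=1003 op=1 SRCH attr=supportedSASLMechanisms
Mar 20 22:31:09 server slapd[34380]: conn=1003 fd=11 closed (connection lost)
Nov 28 17:58:04 server slapd[1067]: conn=1000 fd=11 ACCEPT from IP=192.168.0.21:32861 (IP=0.0.0.0:636)
Nov 28 17:58:04 server slapd[1067]: conn=1000 fd=11 TLS established tls_ssf=256 ssf=256
Nov 28 17:58:04 server slapd[1067]: conn=1000 op=0 BIND dn="cn=asterisk,dc=example,dc=com" mech=SIMPLE ssf=0
Nov 28 18:00:00 server slapd[1067]: conn=1001 fd=12 ACCEPT from IP=192.168.0.22:40001 (IP=0.0.0.0:389)
Nov 28 18:00:00 server slapd[1067]: conn=1001 op=0 BIND dn="cn=manager,dc=example,dc=com" mech=SIMPLE ssf=0
"""

LINE_RE = re.compile(r"conn=(\d+) (.*)$")
ACCEPT_RE = re.compile(r"ACCEPT from IP=[\d.]+:\d+ \(IP=[\d.]+:(\d+)\)")
TLS_RE = re.compile(r"TLS established tls_ssf=(\d+)")
BIND_RE = re.compile(r'BIND dn="([^"]*)" mech=(\S+)')


def parse_connections(log_text):
    """Group lines by conn id; record listener port, transport TLS strength and the bind, if any.
    tls_ssf comes from the "TLS established" line; the ssf=0 on a BIND line is only the SASL layer."""
    conns = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        c = conns.setdefault(m.group(1), {"port": None, "tls_ssf": 0, "bind": None})
        rest = m.group(2)
        if (a := ACCEPT_RE.search(rest)):
            c["port"] = int(a.group(1))
        elif (t := TLS_RE.search(rest)):
            c["tls_ssf"] = int(t.group(1))
        elif (b := BIND_RE.search(rest)):
            c["bind"] = {"dn": b.group(1), "mech": b.group(2)}
    return conns


def classify(conn):
    if conn["bind"] is None:
        # Ended without any bind: anonymous use, or (as in this thread) the client's SASL
        # step failed after a successful STARTTLS. TLS itself is not the problem here.
        return "no-bind"
    if conn["bind"]["mech"] == "SIMPLE" and conn["tls_ssf"] == 0:
        return "cleartext-simple-bind"  # password crossed the wire unprotected
    return "protected-bind"


def report(log_text):
    return {cid: classify(c) for cid, c in parse_connections(log_text).items()}
```

Run it over a real slapd log (loglevel stats) to spot cleartext simple binds that a `security ssf=128` directive would have refused.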


----------



## klabacita (Apr 5, 2011)

Hi.

I had been working on the same situation since last week; finally it works.

My biggest issue was the certificates, because the manual says that we must use the FQDN of the server.

Then, after a lot of certs created, I finally did it.

I followed the FreeBSD openldap setup for creating my certs:

http://www.freebsd.org/doc/en_US.ISO8859-1/articles/ldap-auth/ldap.html

This machine is inside a jail, but I never saw any error about gssapi; even though my jail src is customized, I didn't remove that module from the src because some modules require gssapi to build.

Well, after I created my modules, openssl has an option to test the certs, which in my case passed the test; google has a lot of links about it.

Later I went to my slapd.conf and did what the manual says, adding something extra, because the FreeBSD handbook just gives us four options that in my case didn't work until I added some extra options:


```
security ssf=128
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile      /usr/local/etc/openldap/keys/cert.crt
TLSCertificateKeyFile   /usr/local/etc/openldap/keys/cert.key
TLSCACertificateFile    /usr/local/etc/openldap/keys/cacert.crt
TLSVerifyClient demand
```

The manual says that cert == cacert, so I just copied cert to cacert and done.

I restarted my service but slapd was still using port 389; I didn't see port 636. Then I read a little more and remembered that in /etc/rc.conf we have some options for each service, so I just added the extra options to slapd:


```
slapd_enable="YES"
slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://mail at mydomain dot .com/ ldaps://mail dot at mydomain  com/"'
slapd_sockets="/var/run/openldap/ldapi"
```

Restarted my slapd service and done: I have my openldap server listening on port 636. I just tested and done; I just changed my services that depend on openldap to point to port 636 and gave them the certificates:


```
smbldap-tools
dovecot
pam
```

For pam, I installed nss_ldap and pam_ldap. I just set up nss_ldap and made a soft link from nss_ldap.conf to /usr/local/etc/ldap.conf and /usr/local/etc/openldap/ldap.conf

With an already working plain nss_ldap, I just changed my nss_ldap to the settings:


```
host server-ip
base dc=my domain,dc=com
uri ldap://mail at my domain com/
ldap_version 3
port 636
scope one
bind_policy soft
idle_timelimit 3600
pagesize 1000
pam_login_attribute uid
nss_base_passwd ou=Users,dc=my domain ,dc=com?one
nss_base_passwd ou=Computers,dc=my domain ,dc=com?one
nss_base_shadow ou=Users,dc=my domain ,dc=com?one
nss_base_group ou=Groups,dc=my domain ,dc=com?one
ssl start_tls
ssl on
tls_cacert      /usr/local/etc/openldap/keys/cacert.crt
TLS_REQCERT demand
```

Later, change nsswitch.conf.

Tested each one and done; right now I'm just moving my other services here, I want to handle all of my users from ldap.

Hope this could give you some help, see you later!


----------



## gullio (Apr 7, 2011)

Thanks for your reply. I will try your advice asap and I will let you know.

BR
Giulio


----------



## wmoreno3 (Oct 27, 2011)

*slapd fails at restart server*



> ```
> server#cat /var/log/debug.log
> Oct 27 15:03:33 server slapd[2047]: daemon: shutdown requested and initiated.
> Oct 27 15:03:33 server slapd[2047]: slapd shutdown: waiting for 0 operations/tasks to finish
> ...
> ```


I followed the instructions as klabacita did ... but I have a problem when resetting the server: slapd looks down, but the process slapd[1064] is UP.
I need help...


----------



## wmoreno3 (Nov 30, 2011)

*slapd fails at restart server*


Errors: `bdb_db_open: database "": database already in use` and `backend_startup_one (type=bdb, suffix=""): bi_db_open failed! (-1)`

Log:

```
Nov 28 17:57:41 server slapd[1066]: @(#) $OpenLDAP: slapd 2.4.26 (Nov 27 2011 16:35:34) $ 	root@mydomain.com.co:/usr/ports/net/openldap24-server/work/openldap-2.4.26/servers/slapd
Nov 28 17:57:42 server slapd[1067]: slapd starting
Nov 28 17:57:56 server slapd[1698]: @(#) $OpenLDAP: slapd 2.4.26 (Nov 27 2011 16:35:34) $ 	root@mydomain.com.co:/usr/ports/net/openldap24-server/work/openldap-2.4.26/servers/slapd
Nov 28 17:57:56 server slapd[1701]: bdb_db_open: database "dc=mydomain,dc=com,dc=co": database already in use.
Nov 28 17:57:56 server slapd[1701]: backend_startup_one (type=bdb, suffix="dc=mydomain,dc=com,dc=co"): bi_db_open failed! (-1)
Nov 28 17:57:56 server slapd[1701]: slapd stopped.
Nov 28 17:58:04 server slapd[1067]: conn=1000 fd=11 ACCEPT from IP=192.168.0.21:32861 (IP=0.0.0.0:636)
Nov 28 17:58:04 server slapd[1067]: conn=1000 fd=11 TLS established tls_ssf=256 ssf=256
Nov 28 17:58:04 server slapd[1067]: conn=1000 op=0 BIND dn="cn=asterisk,dc=mydomain,dc=com,dc=co" method=128
Nov 28 17:58:04 server slapd[1067]: conn=1000 op=0 BIND dn="cn=asterisk,dc=mydomain,dc=com,dc=co" mech=SIMPLE ssf=0
Nov 28 17:58:04 server slapd[1067]: conn=1000 op=0 RESULT tag=97 err=0 text=
```

Problem:   backend_startup_one (type=bdb suffix): bi_db_open failed! (-1), bdb_db_open: database "suffix": database already in use.

Cause:     Apparent conflict between system startup scripts: /usr/local/etc/rc.d/ldap-server.sh and /usr/local/etc/rc.d/slapd

Solution:  Delete /usr/local/etc/rc.d/ldap-server.sh, from Webmin --> System --> Start & Stop.

Note:      I don't find any documentation about "/usr/local/etc/rc.d/ldap-server.sh".


----------



## wmoreno3 (Dec 3, 2011)

Finally I managed to create the necessary certificates for "openldap-client-2.4.26" and "openldap-server-2.4.26" following the guide http://www.freebsd.org/doc/en/articles/ldap-auth/ssl-ca.html and making a few adjustments.

OpenSSL certificates for LDAP

Example B-1. Creating a certificate (used for the openldap-client ldap.conf):

```
openssl genrsa -out server.key 1024
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 1024 -in server.csr -signkey server.key -out server.crt
```

To sign the key, use -CA and -CAkey instead of -signkey:

Example B-2. Signing as a certificate authority (used for the openldap-server slapd.conf):

```
openssl genrsa -out server-ca.key 1024
openssl req -new -key server-ca.key -out server-ca.csr
openssl x509 -req -days 1024 -in server-ca.csr -CA server.crt -CAkey server.key -CAcreateserial -out server-ca.crt
```

Problem: "Getting CA Private Key server.srl: No such file or directory"
Fix:     Add "-CAcreateserial"

```
openssl x509 -req -days 1024 -in server-ca.csr -CA server.crt -CAkey server.key -CAcreateserial -out server-ca.crt
```


----------

