Discussion :

[kloklo55]

Bonjour,

j'essaie d'installer un serveur LDAP + TLS.

Mon probleme est au niveau du TLS. Avec juste mon serveur LDAP, j'arrive a authentifer des users mais j'arrive pas a integrer le TLS.

Je ne comprend pas pourquoi ma conf ne marche pas.

Voici mes fichiers de conf :

slapd.conf coté serveur

Code :

Sélectionner tout - Visualiser dans une fenêtre à part

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
 
include        /etc/openldap/schema/freeradius.schema
include        /etc/openldap/schema/corba.schema
include        /etc/openldap/schema/core.schema
include        /etc/openldap/schema/cosine.schema
include        /etc/openldap/schema/duaconf.schema
include        /etc/openldap/schema/dyngroup.schema
include        /etc/openldap/schema/inetorgperson.schema
include        /etc/openldap/schema/java.schema
include        /etc/openldap/schema/misc.schema
include        /etc/openldap/schema/nis.schema
include        /etc/openldap/schema/openldap.schema
include        /etc/openldap/schema/ppolicy.schema
include        /etc/openldap/schema/collective.schema
 
# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2
 
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral    ldap://root.openldap.org
 
pidfile        /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args
 
# Load dynamic backend modules:
# modulepath    /usr/lib/openldap # or /usr/lib64/openldap
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload back_sql.la
# moduleload denyop.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload lastmod.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la
 
# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.  Your client software
# may balk at self-signed certificates, however.
TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
 
#TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
#TLSCACertificateFile /etc/pki/tls/certs/server.pem
#TLSCertificateFile /etc/pki/tls/certs/server.pem
#TLSCertificateKeyFile /etc/ldap/private.pem
#TLSVerifyClient never
 
#TLSCipherSuite  HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
#TLSVerifyClient  allow
 
# Sample security restrictions
#    Require integrity protection (prevent hijacking)
#    Require 112-bit (3DES or better) encryption for updates
#    Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
 
# Sample access control policy:
#    Root DSE: allow anyone to read it
#    Subschema (sub)entry DSE: allow anyone to read it
#    Other DSEs:
#        Allow self write access
#        Allow authenticated users read access
#        Allow anonymous users to authenticate
#    Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#    by self write
#    by users read
#    by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
 
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
 
database    bdb
suffix        "dc=example,dc=org"
checkpoint    1024 15
rootdn        "cn=Manager,dc=example,dc=org"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
#rootpw        astrium
rootpw        {SSHA}BSZ3iz45sm4liKdQXE2aoXpuXT88rFWa
 
# The database directory MUST exist prior to running slapd AND 
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory    /var/lib/ldap
 
# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
 
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
#     bindmethod=sasl saslmech=GSSAPI
#     authcId=host/ldap-master.example.com@EXAMPLE.COM
 
 
# enable monitoring
database monitor
 
# allow onlu rootdn to read the monitor
access to *
        by dn.exact="cn=Manager,dc=astrium,dc=fr" read
        by * none

ldap.conf coté serveur

Code :

Sélectionner tout - Visualiser dans une fenêtre à part

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
#
# LDAP Defaults
#
 
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
 
#BASE    dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
 
#SIZELIMIT    12
#TIMELIMIT    15
#DEREF        never
URI ldaps://127.0.0.1/
BASE dc=example,dc=org
#TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT /etc/openldap/cacerts/ca.pem

ldap.conf coté client

Code :

Sélectionner tout - Visualiser dans une fenêtre à part

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
#
# LDAP Defaults
#
 
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
 
#BASE    dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
 
#SIZELIMIT    12
#TIMELIMIT    15
#DEREF        never
URI ldaps://192.168.0.2/
BASE dc=example,dc=org
#TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT /etc/openldap/cacerts/ca.pem

Quelqu'un pourrait m'aider svp??

[tetzispa]

1 : je suppose que tu as généré tes certificats SSL par toi même vu la tête qu'ils ont ^^

2 : pourquoi tu restes en v2 sur ton openLDAP, depuis longtemps on est passé en v3, tu devrais y passer toi aussi

3 : arrives-tu à faire une requête de ton serveur ldap vers ton ldap pour tester le SSL ? (faut faire, de mémoire, un ldapsearch -x -b dc=domaine,dc=com -D cn=admin,dc=domaine,dc=com -ZZ -W) c'est avec l'option -ZZ que tu vas forcer à être en TLS/SSL

4 : le fichier /etc/default/slapd regarde si au niveau du service SLAPD_SERVICES tu as ldap://:386 ldaps://:636

le port 636 est le port SSL du LDAP.

installe nmap aussi, tu verras mieux si ton SSL est actif