Problems with LDAP SSL certificates

To: debian-edu@lists.debian.org
Subject: Problems with LDAP SSL certificates
From: Petter Reinholdtsen <pere@hungry.com>
Date: Thu, 05 Jul 2007 15:33:40 +0200
Message-id: <[🔎] E1I6RSm-00073Z-E4@saruman.uio.no>

There is something wrong with how we handle the SSL certificate of the
LDAP server in Debian Edu.  I'm not sure what is wrong, nor how to fix
it.  This is bug #1211 in bugzilla.

It started when I decided I wanted to make sure the public part of the
SSL certificate for the LDAP server was distributed to the clients, to
make it possible for them to verify that they connect to the correct
LDAP server.  I modified mkslapdcert to extract what I thought was the
public part of the SSL key and store it in
/var/www/ldap-server-pubkey.pem.  Next, I wrote an init.d script
executed when the clients boot, copying the file from
http://www/ldap-server-pubkey.pem to
/etc/ldap/ssl/ldap-server-pubkey.pem.  I believed this would make sure
every client had the public key info it needed to verify that it
connected to the correct server.  It proved to not work when I removed
the 'TLS_REQCERT never' setting in /etc/ldap/ldap.conf.

There were several problems.

 - The file I extracted as ldap-server-pubkey.pem was not the file the
   client needed.  I was told that it really was the CERTIFICATE block
   in slapd.pem, so the file we distributed did not work.  This is now
   fixed.

 - I was also explained how I could extract the certificate from the
   LDAP server directly, and rewrote the init.d script to connect to
   port 636 and extract the certificate that way instead of using
   http.  This need some tuning to make the file prettier, but is
   working.

 - Next, I discovered that it was not enough to store the certificate
   in /etc/ldap/ssl/, I had to mention it explicitly in
   /etc/ldap/ldap.conf as well.  This is now done.

So these bugs are fixed, and with those in place I was able to get
'ldapwhoami -ZZ -x -h ldap' working on the client.  I am told this
command only work if the client have the valid server certificate
available.

But, the problem did not solve the initial problem, that lwap web
serveice was unable to log in the admin user.  Also, there seem to be
something wrong with samba.  At least the self test at the end of the
installation report that samba isn't working as it should.

I have no idea what is wrong here.  As the ldapwhoami command is
working, I suspect something else than LDAP is involved.  Perhaps
apache/lwat and samba are using a different ldap configuration file,
and need to be told where the certificate is?  This do not make sense,
as it do helt p add 'TLS_REQCERT never' in /etc/ldap/ldap.conf to get
it working.

Anyone got any clues?  A quickfix is to drop the certificate checking,
but this make the clients prone to man-in-the-middle attacks.  I would
rather fix the certificate checking.

At the moment the lwat and samba is broken.  pam and nss seem to work
as they should, so the ldap server seem to be working. :/

Happy hacking,
-- 
Petter Reinholdtsen

Reply to:

Prev by Date: Re: Education metapackages reorganization
Next by Date: debian-edu-config_0.412.0.edu.etch.1+svn35411_i386.changes ACCEPTED
Previous by thread: debian-edu-config_0.412.0.edu.etch.1+svn35388_i386.changes ACCEPTED
Next by thread: debian-edu-config_0.412.0.edu.etch.1+svn35411_i386.changes ACCEPTED
Index(es):
- Date
- Thread