Pesquisa do cliente LDAP com SSL - CentOS7

2

Alguém tem autenticação de cliente SSL trabalhando com o OpenLDAP (no CentOS7 - que está usando moznss)?

Eu pesquisei os últimos dois dias tentando fazer com que isso funcionasse, ambos com um banco de dados certutil e configuração PEM direta e frustrados por não estar funcionando.

Minha inicial é que o cliente não está enviando o certificado SSL para validação, e eu provei isso ao usar autenticação PEM e strace (e não há open () no arquivo crt ou chave).

Primeiro, este é o RHEL7, e o cliente e o servidor têm a mesma versão do openldap instalada:

Servidor:

openldap-servers-2.4.39-6.el7.x86_64
openldap-2.4.39-6.el7.x86_64

Cliente:

openldap-clients-2.4.39-6.el7.x86_64
openldap-2.4.39-6.el7.x86_64

SSL: minha própria autoridade de certificação.

Usando a autenticação PEM:

Servidor (cn = config.ldif):

olcTLSCACertificateFile:  /etc/openldap/tls/ldap-ca.crts
olcTLSCertificateFile:    /etc/openldap/tls/ldap-server.crt
olcTLSCertificateKeyFile: /etc/openldap/tls/ldap-server.key
olcTLSVerifyClient:       hard

Servidor (/ usr / sbin / slapd -u ldap -h "ldapi: /// ldap: ///ldaps: ///" -d 1):

55935ff8 slap_listener_activate(10):
55935ff8 >>> slap_listener(ldaps:///)
55935ff8 connection_get(18): got connid=1000
55935ff8 connection_read(18): checking for input on id=1000
TLS: loaded CA certificate file /etc/openldap/tls/ldap-ca.crts.
TLS: error: the certificate '/etc/openldap/tls/ldap-server.crt' could not be found in the database - error -12285:Unable to find the certificate or key necessary for authentication..
TLS: certificate '/etc/openldap/tls/ldap-server.crt' successfully loaded from PEM file.
TLS: no unlocked certificate for certificate 'CN=x.x.x,...,C=AU'.
TLS: certificate [CN=x.x.x,...,C=AU] is valid
55935ff8 connection_get(18): got connid=1000
55935ff8 connection_read(18): checking for input on id=1000
TLS: error: accept - force handshake failure: errno 11 - moznss error -12285
TLS: can't accept: TLS error -12285:Unable to find the certificate or key necessary for authentication..
55935ff8 connection_read(18): TLS accept failure error=-1 id=1000, closing
55935ff8 connection_close: conn=1000 sd=18

Cliente (/etc/openldap/ldap.conf):

TLS_CACERT                /etc/openldap/tls/ldap-ca.crts
TLS_CERT                  /etc/openldap/tls/ldap-client.crt
TLS_KEY                   /etc/openldap/tls/ldap-client.key
TLS_REQCERT               never

Cliente (ldapsearch -d1 -H ldaps: //x.x.x -bc = AU 'uid = x'):

TLS: loaded CA certificate file /etc/openldap/tls/ldap-ca.crts.
TLS: certificate [CN=x.x.x,...,C=AU] is valid
TLS: error: connect - force handshake failure: errno 21 - moznss error -12271
TLS: can't connect: TLS error -12271:SSL peer cannot verify your certificate..

Cliente (strace - sem apresentação de certificado de cliente)

...
8047  stat("/etc/openldap/tls/ldap-ca.crts", {st_mode=S_IFREG|0644, st_size=5287, ...}) = 0
8047  open("/etc/openldap/tls/ldap-ca.crts", O_RDONLY) = 4
...

A conexão do cliente usando apenas o openssl connect funciona bem:

openssl s_client -connect x.x.x:636 -showcerts -CAfile /etc/openldap/tls/ldap-ca.crts -key /etc/openldap/tls/ldap-client.key -state -cert /etc/openldap/tls/ldap-client.crt

...
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-SHA
    Session-ID: [long hex value]
    Session-ID-ctx:
    Master-Key: [long hex value]
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1435722028
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

Usando o certutil (banco de dados moznss):

O mesmo problema:

Servidor (cn = config.ldif):

olcTLSVerifyClient:      hard
olcTLSCertificateFile:   "x.x.x - X"
olcTLSCACertificatePath: /etc/openldap/certs

Servidor (moznss):

[root@host certs]# certutil -d . -L
Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

x LDAP CA                                     CT,C,C
x.x.x - X                                     u,u,u
x CA                                          CT,C,C
x CA                                          CT,C,C

Servidor (/ usr / sbin / slapd -u ldap -h "ldapi: /// ldap: ///ldaps: ///" -d 1):

559363d2 connection_get(18): got connid=1000
559363d2 connection_read(18): checking for input on id=1000
TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/openldap/certs prefix .
TLS: certificate 'x.x.x - X' successfully loaded from moznss database.
TLS: no unlocked certificate for certificate 'CN=x.x.x,...,C=AU'.
TLS: certificate [CN=x.x.x,...,C=AU] is valid
559363d2 connection_get(18): got connid=1000
559363d2 connection_read(18): checking for input on id=1000
TLS: error: accept - force handshake failure: errno 11 - moznss error -12285
TLS: can't accept: TLS error -12285:Unable to find the certificate or key necessary for authentication..

Cliente (/etc/openldap/ldap.conf):

TLS_CACERTDIR   /etc/openldap/certs
TLS_CERT        "x - X"
TLS_REQCERT     never

Cliente (moznss):

[root@client certs]# certutil -d  . -L

Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

X LDAP CA                                     CT,C,C
x - X                                         u,u,u
X Root CA                                     CT,C,C
X CA                                          CT,,

Cliente (ldapsearch -d1 -H ldaps: //x.x.x -bc = AU 'uid = x'):

TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/openldap/certs prefix .
TLS: certificate [CN=x.x.x,...,C=AU] is valid
TLS: error: connect - force handshake failure: errno 21 - moznss error -12271
TLS: can't connect: TLS error -12271:SSL peer cannot verify your certificate..

Usando este método, o teste opensl funciona bem, no entanto, o ldapsearch falha com o mesmo erro. strace não ajuda, mas mostra a abertura dos arquivos de banco de dados para os certificados.

Cliente (strace):

8075  stat("/etc/openldap/certs/cert8.db", {st_mode=S_IFREG|0644, st_size=65536, ...}) = 0
8075  open("/etc/openldap/certs/cert8.db", O_RDONLY) = 4
8075  stat("/etc/openldap/certs/key3.db", {st_mode=S_IFREG|0644, st_size=16384, ...}) = 0
8075  open("/etc/openldap/certs/key3.db", O_RDONLY) = 5

Alguém tem alguma dica? (frustrado - eu sei que eu tinha esse trabalho em versões mais antigas do CentOS)

    
por Deon George 01.07.2015 / 05:59

1 resposta

1

O seguinte é retirado de um servidor ldap do CentOS7 e deve cobrir os principais aspectos da autenticação SASL / EXTERNAL (TLS). Menores notas:
- O servidor também está atuando como o cliente neste exemplo.
- Este exemplo faz uso de ~/.ldaprc em vez de /etc/openldap/ldap.conf
- Este exemplo usa olcTLSVerifyClient: verify em vez de hard porque o servidor está suportando outros tipos de autenticação além da autenticação SASL / EXTERNAL (TLS).

slapd-config

[root@ldap ~]# ldapsearch cn=config olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile olcTLSVerifyClient
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=config> (default) with scope subtree
# filter: cn=config
# requesting: olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile olcTLSVerifyClient 
#

# config
dn: cn=config
olcTLSCACertificateFile: /etc/pki/tls/certs/ldap.example.com_CA.crt
olcTLSCertificateFile: /etc/pki/tls/certs/ldap.example.com.crt
olcTLSCertificateKeyFile: /etc/pki/tls/private/ldap.example.com.key
olcTLSVerifyClient: try

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

permissões de chave de certificado

[root@ldap ~]# ls -lZ /etc/pki/tls/private/ldap.example.com.key
-rw-r-----+ root root unconfined_u:object_r:cert_t:s0  /etc/pki/tls/private/ldap.example.com.key

[root@ldap ~]# getfacl /etc/pki/tls/private/ldap.example.com.key
getfacl: Removing leading '/' from absolute path names
# file: etc/pki/tls/private/ldap.example.com.key
# owner: root
# group: root
user::rw-
user:ldap:r--
group::---
mask::r--
other::---

configuração do sasl

[root@ldap ~]# cat /etc/sasl2/slapd.conf 
mech_list: external gssapi plain
pwcheck_method: saslauthd

configurações do cliente ldap

[root@ldap ~]# cat .ldaprc
URI ldapi:///
BASE cn=config
SASL_MECH external
#TLS_CACERT /etc/ssl/certs/ca-bundle.crt
TLS_CACERT /etc/pki/tls/certs/ldap.example.com_CA.crt
TLS_CERT /etc/pki/tls/certs/ldap.example.com.crt
TLS_KEY /etc/pki/tls/private/ldap.example.com.key

ligação SASL / EXTERNAL (TLS) bem-sucedida

[root@ldap ~]# ldapwhoami -ZZ -h ldap.example.com
SASL/EXTERNAL authentication started
SASL username: cn=ldap.example.com,<cert locality info>
SASL SSF: 0
dn:cn=ldap.example.com,<cert locality info>
[root@ldap ~]# ldapwhoami -H ldaps://ldap.example.com
SASL/EXTERNAL authentication started
SASL username: cn=ldap.example.com,<cert locality info>
SASL SSF: 0
    
por 02.07.2015 / 19:47

Tags