Does anyone have SSL client authentication working with OpenLDAP (on CentOS7 - which is using moznss)?
I've trawled through the last two days trying to get this to work, both with a certutil database and with a straight PEM configuration, and I'm frustrated that it isn't working.
My initial thought is that the client is not sending the SSL certificate for validation, and I proved this when using PEM authentication and strace (there is no open() on the crt or key file).
First, this is RHEL7, and the client and server both have the same version of openldap installed:
Server:
openldap-servers-2.4.39-6.el7.x86_64
openldap-2.4.39-6.el7.x86_64
Client:
openldap-clients-2.4.39-6.el7.x86_64
openldap-2.4.39-6.el7.x86_64
SSL: my own certificate authority.
Using PEM authentication:
Server (cn=config.ldif):
olcTLSCACertificateFile: /etc/openldap/tls/ldap-ca.crts
olcTLSCertificateFile: /etc/openldap/tls/ldap-server.crt
olcTLSCertificateKeyFile: /etc/openldap/tls/ldap-server.key
olcTLSVerifyClient: hard
Server (/usr/sbin/slapd -u ldap -h "ldapi:/// ldap:/// ldaps:///" -d 1):
55935ff8 slap_listener_activate(10):
55935ff8 >>> slap_listener(ldaps:///)
55935ff8 connection_get(18): got connid=1000
55935ff8 connection_read(18): checking for input on id=1000
TLS: loaded CA certificate file /etc/openldap/tls/ldap-ca.crts.
TLS: error: the certificate '/etc/openldap/tls/ldap-server.crt' could not be found in the database - error -12285:Unable to find the certificate or key necessary for authentication..
TLS: certificate '/etc/openldap/tls/ldap-server.crt' successfully loaded from PEM file.
TLS: no unlocked certificate for certificate 'CN=x.x.x,...,C=AU'.
TLS: certificate [CN=x.x.x,...,C=AU] is valid
55935ff8 connection_get(18): got connid=1000
55935ff8 connection_read(18): checking for input on id=1000
TLS: error: accept - force handshake failure: errno 11 - moznss error -12285
TLS: can't accept: TLS error -12285:Unable to find the certificate or key necessary for authentication..
55935ff8 connection_read(18): TLS accept failure error=-1 id=1000, closing
55935ff8 connection_close: conn=1000 sd=18
Client (/etc/openldap/ldap.conf):
TLS_CACERT /etc/openldap/tls/ldap-ca.crts
TLS_CERT /etc/openldap/tls/ldap-client.crt
TLS_KEY /etc/openldap/tls/ldap-client.key
TLS_REQCERT never
Client (ldapsearch -d1 -H ldaps://x.x.x -b c=AU 'uid=x'):
TLS: loaded CA certificate file /etc/openldap/tls/ldap-ca.crts.
TLS: certificate [CN=x.x.x,...,C=AU] is valid
TLS: error: connect - force handshake failure: errno 21 - moznss error -12271
TLS: can't connect: TLS error -12271:SSL peer cannot verify your certificate..
Client (strace - no client certificate being presented)
...
8047 stat("/etc/openldap/tls/ldap-ca.crts", {st_mode=S_IFREG|0644, st_size=5287, ...}) = 0
8047 open("/etc/openldap/tls/ldap-ca.crts", O_RDONLY) = 4
...
The client connection using just openssl connect works fine:
openssl s_client -connect x.x.x:636 -showcerts -CAfile /etc/openldap/tls/ldap-ca.crts -key /etc/openldap/tls/ldap-client.key -state -cert /etc/openldap/tls/ldap-client.crt
...
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-SHA
Session-ID: [long hex value]
Session-ID-ctx:
Master-Key: [long hex value]
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1435722028
Timeout : 300 (sec)
Verify return code: 0 (ok)
Using certutil (moznss database):
Same problem:
Server (cn=config.ldif):
olcTLSVerifyClient: hard
olcTLSCertificateFile: "x.x.x - X"
olcTLSCACertificatePath: /etc/openldap/certs
Server (moznss):
[root@host certs]# certutil -d . -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
x LDAP CA CT,C,C
x.x.x - X u,u,u
x CA CT,C,C
x CA CT,C,C
Server (/usr/sbin/slapd -u ldap -h "ldapi:/// ldap:/// ldaps:///" -d 1):
559363d2 connection_get(18): got connid=1000
559363d2 connection_read(18): checking for input on id=1000
TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/openldap/certs prefix .
TLS: certificate 'x.x.x - X' successfully loaded from moznss database.
TLS: no unlocked certificate for certificate 'CN=x.x.x,...,C=AU'.
TLS: certificate [CN=x.x.x,...,C=AU] is valid
559363d2 connection_get(18): got connid=1000
559363d2 connection_read(18): checking for input on id=1000
TLS: error: accept - force handshake failure: errno 11 - moznss error -12285
TLS: can't accept: TLS error -12285:Unable to find the certificate or key necessary for authentication..
Client (/etc/openldap/ldap.conf):
TLS_CACERTDIR /etc/openldap/certs
TLS_CERT "x - X"
TLS_REQCERT never
Client (moznss):
[root@client certs]# certutil -d . -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
X LDAP CA CT,C,C
x - X u,u,u
X Root CA CT,C,C
X CA CT,,
Client (ldapsearch -d1 -H ldaps://x.x.x -b c=AU 'uid=x'):
TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/openldap/certs prefix .
TLS: certificate [CN=x.x.x,...,C=AU] is valid
TLS: error: connect - force handshake failure: errno 21 - moznss error -12271
TLS: can't connect: TLS error -12271:SSL peer cannot verify your certificate..
Using this method, the openssl test works fine, however ldapsearch fails with the same error. strace doesn't help, but it does show the certificate database files being opened.
Client (strace):
8075 stat("/etc/openldap/certs/cert8.db", {st_mode=S_IFREG|0644, st_size=65536, ...}) = 0
8075 open("/etc/openldap/certs/cert8.db", O_RDONLY) = 4
8075 stat("/etc/openldap/certs/key3.db", {st_mode=S_IFREG|0644, st_size=16384, ...}) = 0
8075 open("/etc/openldap/certs/key3.db", O_RDONLY) = 5
Does anyone have any hints? (frustrated - I know I had this working on older versions of CentOS)
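
The strace check described in the post can be scripted. The following is an added example, not part of the original post: it lists every file-valued TLS directive in an ldap.conf whose path never appears in an open()/openat() call of a strace log. The function names and the temporary files are assumptions; the sample config and strace lines are the ones shown in the post.

```shell
#!/bin/sh
# Added example: which TLS_* files from ldap.conf did the client never open?

# Print "DIRECTIVE PATH" for each TLS directive that names an absolute file path.
# Nickname values such as TLS_CERT "x - X" (moznss database) are skipped.
tls_files_from_conf() {
    awk '$1 ~ /^TLS_(CACERT|CERT|KEY)$/ && $2 ~ /^\// { print $1, $2 }' "$1"
}

# Print the directives whose file has no open()/openat() line in the strace log.
unopened_tls_files() {
    conf=$1
    trace=$2
    tls_files_from_conf "$conf" | while read -r directive path; do
        # Keep only open/openat calls, then look for the quoted path literally.
        if ! grep -E 'open(at)?\(' "$trace" | grep -Fq "\"$path\""; then
            echo "$directive $path"
        fi
    done
}

# Run the check on the client config and strace excerpt quoted in the post.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/ldap.conf" <<'EOF'
TLS_CACERT /etc/openldap/tls/ldap-ca.crts
TLS_CERT /etc/openldap/tls/ldap-client.crt
TLS_KEY /etc/openldap/tls/ldap-client.key
TLS_REQCERT never
EOF
    cat > "$dir/strace.log" <<'EOF'
8047 stat("/etc/openldap/tls/ldap-ca.crts", {st_mode=S_IFREG|0644, st_size=5287, ...}) = 0
8047 open("/etc/openldap/tls/ldap-ca.crts", O_RDONLY) = 4
EOF
    unopened_tls_files "$dir/ldap.conf" "$dir/strace.log"
    rm -rf "$dir"
}

demo
```

A directive reported here was parsed from the file but never acted on by the client. ldap.conf(5) documents TLS_CERT and TLS_KEY as user-only options, so where the directive is set (system-wide ldap.conf versus a per-user file or environment variable) is worth checking when they show up in this list.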