[FUG-BR] [Off-Topic] LDAP + OpenSSL
Breno Brand Fernandes
breno@lagosnet.com.br
Wednesday December 5 14:07:21 BRST 2007
Hi everyone,
I need some help. I'm setting up an LDAP + SSL server, but I'm struggling a bit.
What I did:
I generated the certificates as follows:
openssl genrsa -des3 -out server.key 4096
openssl rsa -in server.key -out server.key
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.csr   # writes the self-signed certificate over the CSR file
openssl genrsa -des3 -out client.key 1024
openssl rsa -in client.key -out client.key
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -signkey client.key -out client.csr   # same here: client.csr now holds the certificate
To use them, I changed the following configuration files:
/usr/local/etc/openldap/slapd.conf:
TLSCertificateFile /usr/local/etc/openldap/certificates/server.csr
TLSCertificateKeyFile /usr/local/etc/openldap/certificates/server.key
TLSVerifyClient 0
/etc/ldap.conf
host ldap.meudominio.org
base dc=meudominio,dc=org
uri ldaps://ldap.meudominio.org
rootbinddn cn=administrador,dc=meudominio,dc=org
port 636
ssl true
TLS_CERT /usr/local/etc/openldap/certificates/client.csr
TLS_KEY /usr/local/etc/openldap/certificates/client.key
TLS_REQCERT never
/etc/samba/smb.conf:
passdb backend = ldapsam:ldaps://ldap.meudominio.org/
/usr/local/apache2/htdocs/lam/config/lam.conf:
ServerURL: ldaps://ldap.tropical.local:636
/etc/smbldap/smbldap.conf:
slavePort="636"
masterPort="636"
I start my LDAP server like this:
# /usr/local/libexec/slapd -h "ldap:/// ldaps:///" -4
And I run a simple search:
ldapsearch -x -ZZ -h ldap.meudominio.org -b 'dc=meudominio,dc=org' '(objectclass=*)'
Which returns:
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Then, running another search with more debugging enabled: ldapsearch -H
ldaps://ldap.meudominio.org -b "dc=meudominio,dc=org" -d7
I get this output:
ldap_create
ldap_url_parse_ext(ldaps://ldap.meudominio.org)
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_build_search_req ATTRS:
supportedSASLMechanisms
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.meudominio.org:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
tls_write: want=118, written=118
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=7
0000: 16 03 01 00 4a 02 00 ....J..
tls_read: want=72, got=72
TLS trace: SSL_connect:SSLv3 read server hello A
tls_read: want=5, got=5
0000: 16 03 01 05 82 .....
tls_read: want=1410, got=1410
TLS certificate verification: depth: 0, err: 18, subject:
/C=BR/ST=XXX/L=XXX/O=meudominio/CN=administrador/emailAddress=administrador@meudominio,
issuer:
/C=BR/ST=XXX/L=XXX/O=meudominio/CN=administrador/emailAddress=administrador@meudominio
TLS certificate verification: Error, self signed certificate
tls_write: want=7, written=7
0000: 15 03 01 00 02 02 30 ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
It's clear that the CA certificate is missing. But I don't think I need it. Searching
Google I found plenty of material, but nothing worked (the result is shown above).
Many thanks in advance! Any and all help will be very welcome.
For more information, I'm mostly following this tutorial:
http://www.vivaolinux.com.br/artigos/verArtigo.php?codigo=5178&pagina=15.
Regards,
Breno Brand Fernandes
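The trace above ends in X509 error 18 (self-signed certificate at depth 0) followed by a fatal "unknown CA" alert: the client holds no CA certificate that the server's self-signed certificate can chain to. As an added example that is not part of the original post, the following POSIX shell script builds a small private CA, issues the server certificate from it, and shows with `openssl verify` that a CA-issued certificate validates once the CA file is supplied, while a certificate self-signed with -signkey never does. It assumes an `openssl` binary in PATH; the subjects, file names and temporary directory are made up.

```shell
#!/bin/sh
# Added example, not code from the original post. It builds a tiny private CA,
# issues the slapd server certificate from that CA, and contrasts it with a
# self-signed server certificate made the way the post does (-signkey).
# Assumes an `openssl` binary in PATH; all names and subjects are made up.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_SUBJ="/C=BR/O=Demo/CN=Demo Private CA"
SRV_SUBJ="/C=BR/O=Demo/CN=ldap.example.test"

# 1. CA key and self-signed CA certificate: this is what clients must trust
#    (TLS_CACERT in the client ldap.conf, TLSCACertificateFile in slapd.conf).
make_ca() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 365 -key "$WORK/ca.key" -subj "$CA_SUBJ" -out "$WORK/ca.crt"
}

# 2. Server key and CSR, then a certificate signed by the CA (not by itself).
make_server_cert() {
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/server.key" -subj "$SRV_SUBJ" -out "$WORK/server.csr"
  openssl x509 -req -days 365 -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.crt" 2>/dev/null
}

# 3. The post's approach: the server cert signs itself, so no CA can vouch for it.
make_selfsigned_cert() {
  openssl x509 -req -days 365 -in "$WORK/server.csr" -signkey "$WORK/server.key" \
    -out "$WORK/selfsigned.crt" 2>/dev/null
}

# Verification as a client configured with the CA would do it. Returns 0 on success.
verify_with_ca() { openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; }

# Verification with no trust anchor at all (the client in the post has no TLS_CACERT).
# A self-signed leaf fails here with X509 error 18 (DEPTH_ZERO_SELF_SIGNED_CERT).
verify_without_ca() { openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1; }

make_ca; make_server_cert; make_selfsigned_cert
for c in server.crt selfsigned.crt; do
  verify_with_ca "$WORK/$c" && echo "$c: verified against ca.crt" || echo "$c: FAILS against ca.crt"
done
```

The ca.crt produced this way is the file a client points to with TLS_CACERT (and slapd with TLSCACertificateFile), which removes the need for TLS_REQCERT never.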