[CentOS] LDAP Server Access Problem

Sun Feb 28 18:51:39 UTC 2010
Paul R. Ganci <ganci at nurdog.com>

On Sun, 2010-02-28 at 11:22 -0700, Craig White wrote:

> ----
> do you mean other than the fact that this simply talks about TLS Client
> and that SSL is deprecated and generally ignored in the documentation?
> 
> SSL communication is different than TLS.

With all due respect, deprecated doesn't mean broken. While SSL is
different than TLS, using "TLSVerifyClient allow" works on the server.
For that matter, so does "TLSVerifyClient demand". In fact, if I use the
latter configuration and do not provide a client certificate, ldap_bind
fails as expected. From what I can tell, the server certificate is never
passed to the client unless "TLSVerifyClient never" is used, as seen from:

> ldapsearch -d 1 -x -LLL -H ldaps://incoming.mric.net:636 "(uid=acaplan)" sn uid
ldap_create
ldap_url_parse_ext(ldaps://incoming.mric.net:636)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP incoming.mric.net:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 208.139.195.124:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support at cacert.org, issuer: /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support at cacert.org
TLS certificate verification: depth: 0, err: 0, subject: /CN=incoming.mric.net, issuer: /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support at cacert.org
TLS trace: SSL_connect:SSLv3 read server certificate A

The client request hangs because the LDAP server is not providing its
certificate. I just found it strange that the communication process
works fine as long as all the communication occurs on the server. I find
it even stranger that the failure mode seems to be that the LDAP server
doesn't pass its certificate to the client ... that seems really broken
to me whether or not SSL is deprecated.

In any event this is all moot because I am in the process of switching
over to TLS.

Thanks to everyone who helped sort this issue.

-- 
Paul (ganci at nurdog.com)
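As an added example (not part of the thread above), a small Python parser for the TLS portion of an `ldapsearch -d 1` trace like the one quoted in the post: it rebuilds the certificate chain the client verified, checks the leaf CN against the host named in the ldaps URL, and reports the last SSL_connect state reached, so a stalled ldaps handshake can be placed precisely rather than guessed at. The sample trace is a constructed one-line-per-entry copy of the output in the post.

```python
import re

# Constructed sample input: the ldapsearch -d 1 trace quoted in the post,
# with each wrapped entry rejoined onto a single line.
TRACE = """\
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support at cacert.org, issuer: /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support at cacert.org
TLS certificate verification: depth: 0, err: 0, subject: /CN=incoming.mric.net, issuer: /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support at cacert.org
TLS trace: SSL_connect:SSLv3 read server certificate A
"""

VERIFY_RE = re.compile(r"^TLS certificate verification: depth: (\d+), err: (\d+), "
                       r"subject: (.*?), issuer: (.*)$")
STATE_RE = re.compile(r"^TLS trace: SSL_connect:(.*)$")
CN_RE = re.compile(r"/CN=([^/]+)")


def parse_trace(text):
    """Return (chain, states): verified certs per depth and SSL_connect states."""
    chain, states = [], []
    for line in text.splitlines():
        m = VERIFY_RE.match(line)
        if m:
            depth, err, subject, issuer = m.groups()
            chain.append({"depth": int(depth), "err": int(err),
                          "subject": subject, "issuer": issuer})
            continue
        m = STATE_RE.match(line)
        if m:
            states.append(m.group(1).strip())
    return chain, states


def summarize(text, host):
    """Judge a trace: chain verified, leaf CN vs. host, how far the handshake got."""
    chain, states = parse_trace(text)
    leaf = next((c for c in chain if c["depth"] == 0), None)
    cn = CN_RE.search(leaf["subject"]).group(1) if leaf else None
    return {
        "chain_length": len(chain),
        # err 0 on every depth means OpenSSL accepted the whole chain.
        "chain_verified": bool(chain) and all(c["err"] == 0 for c in chain),
        "leaf_cn": cn,
        "hostname_matches": cn == host,
        "last_state": states[-1] if states else None,
        # "read finished" is logged only after the server's Finished arrives,
        # i.e. the handshake actually completed; this trace never gets there.
        "handshake_complete": any("read finished" in s for s in states),
    }
```

Run `summarize(TRACE, "incoming.mric.net")` to see that the chain verified cleanly and the CN matches, yet the trace ends at "SSLv3 read server certificate A" with no Finished, which is where the hang described in the post sits.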