buzzco.org

Drunk and Famous


Ubuntu OpenLDAP SSL

April 27th, 2010 · 1 Comment · tech

The setup:
I have an Ubuntu Karmic machine hosting an Apache webserver. Being security minded, I decided to set up SSL to protect user logins. Works fine. I am using an external IBM Tivoli Directory Server (ITDS) for authentication. It is an LDAP server, so everything works out of the box. That is, until I tried to do LDAPS. See, when you log into Apache, it sends a request off to the LDAP server. If you don't use LDAPS, that request is in clear text. That is a big no-no.

Here is my rough config:

LDAPTrustedGlobalCert CA_DER /etc/ssl/example.com.pem
<VirtualHost *:443>
ServerName wingfont
AddDefaultCharset utf-8
SSLEngine on
SSLOptions +StrictRequire
SSLCertificateFile /etc/ssl/certs/wingfont.crt
SSLCertificateKeyFile /etc/ssl/private/wingfont.key
ErrorLog /var/log/apache2/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel debug
CustomLog /var/log/apache2/access.log combined
LDAPTrustedClientCert CERT_BASE64 /etc/ssl/example.com.pem
<Location /svn>
DAV svn
SVNPath /srv/svn/wwptsng
AuthBasicProvider ldap
AuthType Basic
AuthName "BluePages"
AuthzLDAPAuthoritative on
AuthLDAPURL ldaps://example.com/,o=example.com?mail?sub?(objectClass=ePerson)
require valid-user
</Location>
</VirtualHost>


The issue:

Apache's error log has this:

[Thu Apr 15 12:26:10 2010] [debug] ssl_engine_io.c(1892): OpenSSL: I/O error, 5 bytes expected to read on BIO#21604778 [mem: 216250c0]
[Thu Apr 15 12:26:10 2010] [info] [client 9.56.181.54] (70007)The timeout specified has expired: SSL input filter read failed.

So I tried to do a search with ldapsearch.

ldapsearch -x -H ldaps://host:636 -b "o=example.com" "(mail=mike@example.com)" -d -1

TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

The story:

Google was very little help, hence this blog post.
Way back in ancient times, Debian was king. Ubuntu is a step-child and has inherited a lot of Debian's awesomeness. Debian folks will tell you that they adhere to open source licenses in the strictest sense of the word. libssl (OpenSSL) has a license that is not GPL compatible, so Debian and Ubuntu normally do not compile and link against it. They use GnuTLS instead, which is fine. But for some reason there is a bug with GnuTLS and certain SSL cert chains. I have tested this against a number of ITDS servers and they all fail.

The fix:

Replace GnuTLS with libssl for the OpenLDAP libraries.

sudo apt-get install build-essential fakeroot dpkg-dev
sudo apt-get build-dep libldap-2.4-2
cd ~/
mkdir libldap
cd libldap/

sudo apt-get source libldap-2.4-2
sudo dpkg-source -x openldap_2.4.21-0ubuntu4.dsc

cd openldap-2.4.21/

cp debian/configure.options debian/configure.options.orig

sed 's/tls=gnutls/tls=openssl/g' debian/configure.options.orig > debian/configure.options

DEB_BUILD_OPTIONS="--with-tls=openssl" fakeroot debian/rules binary

Go grab a nice glass of Blanton’s whiskey, this might be a while.

Once the compile and tests are all done, install the new debs.

dpkg -i ldap-utils_2.4.21-0ubuntu4_i386.deb libldap-2.4-2_2.4.21-0ubuntu4_i386.deb slapd_2.4.21-0ubuntu4_i386.deb
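A post-fix sanity check, added here and not part of the original post: it reports which TLS library libldap is now linked against, checks that the encoding of the CA file matches the type token given to LDAPTrustedGlobalCert (the config above hands a .pem file to CA_DER), and shows the TLS_REQCERT setting in effect so you can see that certificate checking was not simply switched off to make the error go away. The file paths in the --run section are assumptions taken from the config above and Ubuntu's default ldap.conf location.

```shell
# Added post-fix check, not from the original post. Paths in the --run section are
# assumptions taken from the post's config and Ubuntu's default ldap.conf location.
# Which TLS backend libldap links against, given ldd output on stdin.
libldap_backend() {
    out=$(cat)
    case "$out" in
        *libssl.so*)    echo openssl ;;
        *libgnutls.so*) echo gnutls ;;
        *)              echo unknown ;;
    esac
}

# Encoding of a certificate file: BASE64 (PEM armour), DER (ASN.1 SEQUENCE tag 0x30) or unknown.
cert_encoding() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo BASE64
    elif [ "$(head -c 1 "$1" | od -An -tx1 | tr -d ' ')" = "30" ]; then
        echo DER
    else
        echo unknown
    fi
}

# Succeeds only if a mod_ldap type token (CA_DER, CA_BASE64, CERT_BASE64, ...) agrees
# with the real encoding of the file it names.
directive_matches_file() {
    case "$1" in
        *_DER)    [ "$(cert_encoding "$2")" = DER ] ;;
        *_BASE64) [ "$(cert_encoding "$2")" = BASE64 ] ;;
        *)        return 1 ;;
    esac
}

# Effective TLS_REQCERT from an ldap.conf on stdin: last setting wins, default "demand".
# Anything weaker (allow, try, never) stops the client rejecting an untrusted server cert.
tls_reqcert_mode() {
    awk 'tolower($1) == "tls_reqcert" { m = tolower($2) }
         END { if (m == "") m = "demand"; print m }'
}

# Usage: sh check_ldap_tls.sh --run   (inspects the live system)
if [ "${1:-}" = "--run" ]; then
    lib=$(ldconfig -p | awk '/libldap-2\.4\.so/ { print $NF; exit }')
    echo "libldap ($lib) TLS backend: $(ldd "$lib" | libldap_backend)"
    echo "/etc/ssl/example.com.pem encoding: $(cert_encoding /etc/ssl/example.com.pem)"
    directive_matches_file CA_DER /etc/ssl/example.com.pem ||
        echo "WARN: LDAPTrustedGlobalCert CA_DER does not match the file; a PEM file needs CA_BASE64"
    echo "TLS_REQCERT in effect: $(tls_reqcert_mode < /etc/ldap/ldap.conf)"
fi
```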


One Comment so far

  • Gavin Henry

    Don't forget you're best using StartTLS so you don't need LDAPS. LDAPS is deprecated and StartTLS should be used on port 389.

    Cheers.
