openLDAP Proxy fails with ldaps

1.6k views Asked by At

This issue is driving me a bit insane. I am trying to configure an openLDAP Proxy to an Active Directory, which works fine as long as I use unencrypted ldap to the AD. But I would like to secure the connection between the proxy and the AD via LDAPs.

What drives me crazy is that this worked before until I enabled LDAPs for the proxy itself. Now I can't get it running, even if I undo my changes.

This is how the slapd.conf looks like:

# Include schemas
include         /etc/openldap/schema/corba.schema
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/duaconf.schema
include         /etc/openldap/schema/dyngroup.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/java.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/ppolicy.schema
include         /etc/openldap/schema/collective.schema

include         /etc/openldap/schema/local.schema

allow bind_v2

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

modulepath  /usr/lib/openldap
modulepath  /usr/lib64/openldap
moduleload  back_ldap
moduleload  rwm

loglevel        256

#LDAPS Settings

TLSCipherSuite HIGH:MEDIUM:-SSLv3
TLSCertificateFile /etc/openldap/cacerts/server.crt
TLSCertificateKeyFile /etc/openldap/cacerts/server.key
TLSCACertificateFile /etc/openldap/cacerts/CAs.pem

### Database definition (Proxy to AD) #########################################
database                ldap
readonly                no
protocol-version        3
rebind-as-user
uri                     "ldaps://ad-server.internal.de:636"
suffix                  "dc=ad,dc=internal,dc=de"

Now when I search I get the below error (ldaps or ldap). Both queries work just fine when I change the uri to "ldap://ad-server.internal.de:389"

ldapsearch -h localhost:389 -D "CN=admin,OU=User,DC=ad,DC=internal,DC=de" -W -b DC=ad,DC=internal,DC=de '(objectclass=person)'

ldapsearch -H ldaps://localhost:636 -D "CN=admin,OU=User,DC=ad,DC=internal,DC=de" -W -b DC=ad,DC=internal,DC=de '(objectclass=person)'

=>

ldap_bind: Server is unavailable (52)
        additional info: Proxy operation retry failed

This is not a certificate error, as the direct ldapsearch from the same host works just fine:

ldapsearch -H ldaps://ad-server.internal.de:636 -D "CN=admin,OU=User,DC=ad,DC=internal,DC=de" -W -b DC=ad,DC=internal,DC=de '(objectclass=person)'

This is what the log looks like:

Jun 09 12:06:06 adproxy.internal.de slapd[94952]: conn=1000 fd=12 ACCEPT from IP=127.0.0.1:47458 (IP=0.0.0.0:389)
Jun 09 12:06:06 adproxy.internal.de slapd[94952]: conn=1000 op=0 BIND dn="cn=admin,ou=User,dc=ad,dc=internal,dc=de" method=128
Jun 09 12:06:06 adproxy.internal.de slapd[94952]: conn=1000 op=0 ldap_back_retry: retrying URI="ldaps://ad-server.internal.de:636" DN=""
Jun 09 12:06:06 adproxy.internal.de slapd[94952]: conn=1000 op=0 RESULT tag=97 err=52 text=Proxy operation retry failed
Jun 09 12:06:06 adproxy.internal.de slapd[94952]: conn=1000 op=1 UNBIND
Jun 09 12:06:06 adproxy.internal.de slapd[94952]: conn=1000 fd=12 closed

Any idea why this happens would be greatly appreciated.

Edit:

I did some more digging and it actually seems to be a certificate problem. The tcpdump for the connection returns this error:

TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Unknown CA)

The AD certificate is self signed and unfortunately I have no saying in that, so I cannot change that.

In the standard config I get the same error when running ldapsearch. I can get ldapsearch running with two methods:

  1. Set TLS_REQCERT never in ldap.conf
  2. Set environment variable LDAPTLS_REQCERT=never

I know this is not ideal but this is not supposed to be the final configuration, I just want to get it running first.

However slapd seems to ignore both, because I still get the same error in the tcpdump and slapd debugging still gives me the following:

TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /CN=ad-server.internal.de, issuer: /CN=ad-server.internal.de
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS trace: SSL_connect:error in error
TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate).

I tried to add the self-signed certificate to the ldap.conf and to the trusted anchors for openssl, but both didn't work. I also noticed that I cannot get openssl to verify the self-signed certificate, while I can do the same on my PC...

My PC:

$ openssl version
OpenSSL 1.1.1h  22 Sep 2020

$ openssl verify server.crt
error server.crt: verification failed
CN = ad-server.internal.de
error 18 at 0 depth lookup: self signed certificate

$ openssl verify -CAfile server.crt server.crt
server.crt: OK

While on the server (REHL 7.9):

$ openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017

$ openssl verify server.crt
server.crt: CN = ad-server.internal.de
error 20 at 0 depth lookup: unable to get local issuer certificate

$ openssl verify -CAfile server.crt server.crt
server.crt: CN = ad-server.internal.de
error 20 at 0 depth lookup: unable to get local issuer certificate

The result on my PC is the expected behaviour for self-signed certificates, as far as I know. I already checked, but it is the latest version available on RHEL 7.9

So does anyone have any idea how I can

  1. get SLAPD to honor the TLS_REQCERT or LDAPTLS_REQCERT settings OR
  2. openssl to verify the self-signed certificate

Thank you!

1

There are 1 answers

1
Brtlb On BEST ANSWER

I finally found a possibility to ignore the certificate validation error. Which is not the optimal solution, but due to the self-signed certificate and the openssl issue in the RHEL7.9 version, I am for now content to have it running at all. The final solution should then be to make the AD department get a certificate from our CA, though I don't know if I can convince them to do so.

So while the LDAP proxy seems to ignore the TLS_REQCERT none setting in the ldap.conf, there is a possibility to do this directly in slapd.conf:

### Database definition (Proxy to AD) #########################################
database                ldap
readonly                no
protocol-version        3
rebind-as-user
uri                     "ldaps://ad-server.internal.de:636"
suffix                  "dc=ad,dc=internal,dc=de"
tls                     start tls_reqcert=never

The last line eliminates the verification error.