AAROC / DevOps

DevOps code to deploy eScience services
http://www.africa-grid.org/DevOps

Can't connect to ldap securely #119

Closed brucellino closed 9 years ago

brucellino commented 9 years ago

Looks like the secure connection has not been enabled, or the keys and certificates have not been generated properly for the LDAP machine.

[root@vm03 ~]# ldapsearch -d1 -vv -x -H ldaps://127.0.0.1 -b ou=People,dc=local
ldap_url_parse_ext(ldaps://127.0.0.1)
ldap_initialize( ldaps://127.0.0.1:636/??base )
ldap_create
ldap_url_parse_ext(ldaps://127.0.0.1:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 127.0.0.1:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: cannot open certdb '/etc/openldap/certs', error -8018:Unknown PKCS #11 error.
TLS: skipping 'cert.crt' - filename does not have expected format (certificate hash with numeric suffix)
TLS: skipping 'my1.key' - filename does not have expected format (certificate hash with numeric suffix)
TLS: skipping 'my.key' - filename does not have expected format (certificate hash with numeric suffix)
TLS: certificate [CN=vm03,O=INFN,L=Catania,C=IT] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
TLS: error: connect - force handshake failure: errno 0 - moznss error -8172
TLS: can't connect: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I tried to connect securely on the same host, but the cert used to connect had a PKCS error.

brucellino commented 9 years ago

Looks like the cert created in /etc/openldap/certs has a subject which does not recognise the FQDN of the machine:

openssl x509 -in /etc/openldap/certs/cert.crt -noout -subject
subject= /C=IT/L=Catania/O=INFN/CN=vm03

Will try to execute using this diff

-  shell: openssl req -new -x509 -subj '/C={{ server_country }}/ST={{ server_state }}/L={{ server_location }}/O={{ server_organization }}/CN={{ ansible_hostname }}/' -days 3650 -key my.key -out cert.crt -extensions v3_ca chdir={{ ldap_config_path }}/certs/   creates={{ ldap_config_path }}/certs/cert.crt
+  shell: openssl req -new -x509 -subj '/C={{ server_country }}/ST={{ server_state }}/L={{ server_location }}/O={{ server_organization }}/CN={{ ansible_fqdn }}/' -days 3650 -key my.key -out cert.crt -extensions v3_ca chdir={{ ldap_config_path }}/certs/   creates={{ ldap_config_path }}/certs/cert.crt
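
Review bot: the task keeps `creates={{ ldap_config_path }}/certs/cert.crt`, so a host that already ran the old version keeps its CN={{ ansible_hostname }} certificate (the CN=vm03 one in the openssl output above) and the corrected subject only appears on fresh hosts or after the old cert.crt is removed; either drop the guard or add a preceding task that removes a cert.crt whose CN is not `ansible_fqdn`. The new subject also carries no subjectAltName, so a client that does SAN-based hostname matching will still refuse it even with the right CN; an extensions section with `subjectAltName=DNS:{{ ansible_fqdn }}` alongside `-extensions v3_ca` would cover both. Note that the ldapsearch trace fails with -8172 (issuer not trusted), which a new subject does not fix on its own: the client certdb in /etc/openldap/certs has to trust the issuer of this self-signed cert.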

(i.e., ansible_hostname --> ansible_fqdn)
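
A check for the mismatch diagnosed above, added here as an example that is not part of this issue or of the DevOps repo: it reads the subject CN and any DNS subjectAltName out of a certificate and compares them with the FQDN clients put in their ldaps:// URL, exercised against constructed self-signed certs (CN=vm03 versus a constructed vm03.example.org). It assumes OpenSSL 1.1.1 or later on PATH.

```sh
#!/bin/sh
# Added example, not code from the AAROC/DevOps repo: check that an LDAP server
# certificate names the FQDN clients put in their ldaps:// URL. A subject whose CN
# is only the short hostname (CN=vm03, as in the issue) fails hostname checks.
# Assumes `openssl` 1.1.1 or later is on PATH; the FQDN below is constructed.
set -e

# cert_matches_fqdn CERT FQDN: returns 0 if the subject CN or a DNS SAN equals FQDN.
cert_matches_fqdn() {
  cert="$1"; fqdn="$2"
  # RFC2253 ordering prints the CN first, independent of the OpenSSL version
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
       sed -n 's/.*CN=\([^,]*\).*/\1/p')
  # DNS entries of subjectAltName, one per line; empty when the extension is absent
  sans=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null |
         tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p')
  [ "$cn" = "$fqdn" ] && return 0
  for san in $sans; do
    [ "$san" = "$fqdn" ] && return 0
  done
  return 1
}

# make_demo_cert OUT_CRT CN [SAN]: constructed self-signed cert, key written beside it.
make_demo_cert() {
  out="$1"; cn="$2"; san="$3"; ext=""
  if [ -n "$san" ]; then ext="-addext subjectAltName=DNS:$san"; fi
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/C=IT/L=Catania/O=INFN/CN=$cn" \
    -keyout "${out%.crt}.key" -out "$out" $ext >/dev/null 2>&1
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
FQDN="vm03.example.org"                            # constructed stand-in FQDN
make_demo_cert "$DEMO_DIR/short.crt" vm03          # short CN only, like the issue's cert
make_demo_cert "$DEMO_DIR/fqdn.crt"  "$FQDN"       # CN holds the FQDN
make_demo_cert "$DEMO_DIR/san.crt"   vm03 "$FQDN"  # short CN, FQDN in SAN
for name in short fqdn san; do
  if cert_matches_fqdn "$DEMO_DIR/$name.crt" "$FQDN"; then
    echo "$name.crt: names $FQDN, ldaps://$FQDN clients can verify it"
  else
    echo "$name.crt: does not name $FQDN, ldaps://$FQDN clients will reject it"
  fi
done
```

Run it as-is to see which of the three constructed certs would satisfy a client using the FQDN; point cert_matches_fqdn at the real cert.crt and the output of hostname -f to check a deployed host.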

brucellino commented 9 years ago

Closing this as Invalid, since the state of the site has changed.