OpenBSD 6.9 - Unable to make OpenLDAP work with TLS
by Turbocharger from LinuxQuestions.org on (#5KKCJ)
Hello folks, I have a quite unique problem here: OpenLDAP 2.4.58 does not work with TLS on OpenBSD 6.9-release amd64.
Here is my slapd.conf, on which I did a slaptest -f slapd.conf -F slapd.d, which gave me the /etc/openldap/slapd.d/cn\=config/olcDatabase={1}mdb.ldif file:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/openldap.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_mdb.la
# moduleload back_ldap.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# MDB database definitions
#######################################################################
database mdb
maxsize 1073741824
suffix "dc=my-domain,dc=something,dc=somewhere"
rootdn "cn=Manager,dc=my-domain,dc=something,dc=somewhere"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/openldap-data
# Indices to maintain
index objectClass eq
index cn,sn,mail eq,sub
index uidNumber eq
index gidNumber eq
TLSCertificateFile /etc/openldap/certs/cert.pem
TLSCertificateKeyFile /etc/openldap/certs/privkey.pem
TLSCACertificateFile /etc/openldap/certs/chain.pem
TLSCipherSuite TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE
TLSCRLCheck none
TLSVerifyClient never
I obtained the certificates from certbot and they work with Apache in TLS 1.2, but not TLS 1.3, because LibreSSL lacks the OpenSSL API for TLS 1.3 until OpenBSD 7.0. Some folks on the OpenBSD bug mailing list assured me that OpenLDAP works with TLS 1.3, but I did that exact same configuration procedure on Ubuntu Server 20.04, CentOS 8, FreeBSD 12.2 and OmniOS (current LTS), and with all of them I get OpenLDAP to work successfully with TLS, but not on OpenBSD.
I always get this error when I use the ldapsearch and ldapwhoami commands with the -ZZ option, but they work fine without any encryption:
# ldapsearch -x -h my_domain -D "cn=Manager,dc=my_domain,dc=something,dc=somewhere " -W -ZZ
ldap_start_tls: Protocol error (2)
additional info: unsupported extended operation
Without the -ZZ option in the ldapsearch command, I get:
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
My /etc/openldap/certs folder and the certificate files in it have the following permissions:
# ls -l certs/
total 32
-rw-r--r-- 1 _openldap _openldap 692 Jun 26 01:05 README
-rw-r--r-- 1 _openldap _openldap 1631 Jun 26 01:05 cert.pem
-rw-r--r-- 1 _openldap _openldap 3749 Jun 26 01:05 chain.pem
-rw-r--r-- 1 _openldap _openldap 5380 Jun 26 01:05 fullchain.pem
-rw------- 1 _openldap _openldap 306 Jun 26 01:05 privkey.pem
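The error quoted in the post, "unsupported extended operation" in reply to StartTLS, is the server saying it has no handler registered for that operation at all, which is a different failure from a TLS handshake that breaks after StartTLS has been accepted (a missing chain, a key that does not match, a cipher string the library rejects). The example below is added here by the editor; it is not code from the original post or from OpenLDAP. It separates the two cases from the server's rootDSE: it parses the LDIF that a plain, non-TLS query such as `ldapsearch -x -H ldap://my_domain -b "" -s base supportedExtension` returns (that command line is an assumption, not something the post shows) and checks whether the StartTLS OID 1.3.6.1.4.1.1466.20037 (RFC 4511, section 4.14) is advertised. In OpenLDAP 2.4 the StartTLS handler is compiled into slapd only when it is built with TLS support, so a server that does not advertise it will never consult the TLS* directives, whatever the certificate files look like. Both rootDSE dumps in the block are constructed.

```python
# Added example (not from the original post or from OpenLDAP): triage an
# "ldap_start_tls: Protocol error (2) / unsupported extended operation" result
# against what the server's rootDSE advertises.
#
# Assumes the rootDSE was captured beforehand over a plain connection, e.g.
#   ldapsearch -x -H ldap://my_domain -b "" -s base supportedExtension
# (assumed invocation) and that its LDIF output is passed in as text.
# All LDIF below is constructed.

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # StartTLS, RFC 4511 section 4.14
PASSMOD_OID = "1.3.6.1.4.1.4203.1.11.1"   # Password Modify, RFC 3062
WHOAMI_OID = "1.3.6.1.4.1.4203.1.11.3"    # Who Am I?, RFC 4532


def parse_ldif_entry(ldif_text):
    """Return {attribute: [values]} for a single-entry LDIF dump.

    Handles '#' comment lines and LDIF line folding (a continuation line
    starts with one space). Base64 values ('::') are skipped; the OIDs in
    supportedExtension are plain ASCII, which is all this check needs.
    """
    unfolded = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # join folded continuation line
        else:
            unfolded.append(raw)

    attrs = {}
    for line in unfolded:
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):            # base64-encoded value, not needed here
            continue
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def starttls_advertised(rootdse_ldif):
    """True if the rootDSE lists the StartTLS OID under supportedExtension."""
    return STARTTLS_OID in parse_ldif_entry(rootdse_ldif).get("supportedextension", [])


DIAGNOSES = {
    "NOT_BUILT_WITH_TLS": "StartTLS is neither advertised nor accepted: this slapd was "
        "built without TLS support, so the TLS* directives are never consulted. Check "
        "which TLS library the slapd binary is linked against before touching certificates.",
    "WRONG_SERVER": "StartTLS is advertised but was rejected as unsupported: the rootDSE "
        "and the failing command probably reached different servers (host, port or URI).",
    "HANDSHAKE": "StartTLS is advertised, so slapd has TLS; the failure is in the "
        "handshake itself. Check the chain, the key, TLSCipherSuite and slapd's startup log.",
    "INCONSISTENT": "StartTLS is not advertised but the error is not 'unsupported "
        "extended operation'; capture the rootDSE and the error from the same server.",
}


def triage(rootdse_ldif, starttls_error):
    """Map (rootDSE LDIF, text of the ldap_start_tls error) to a diagnosis code."""
    advertised = starttls_advertised(rootdse_ldif)
    unsupported = "unsupported extended operation" in starttls_error.lower()
    if unsupported and not advertised:
        return "NOT_BUILT_WITH_TLS"
    if unsupported:
        return "WRONG_SERVER"
    if advertised:
        return "HANDSHAKE"
    return "INCONSISTENT"


# Constructed rootDSE dumps: a slapd without TLS, and one with it (the last
# value is folded across two lines, as LDIF allows).
ROOTDSE_NO_TLS = """\
# extended LDIF
# requesting: supportedExtension
#
dn:
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3

# search result
search: 2
result: 0 Success
"""

ROOTDSE_WITH_TLS = """\
dn:
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.4.1.1466
 .20037

# search result
search: 2
result: 0 Success
"""

# The error text quoted in the post above.
POSTED_ERROR = "ldap_start_tls: Protocol error (2)\n\tadditional info: unsupported extended operation"

if __name__ == "__main__":
    for label, dump in (("no-TLS build", ROOTDSE_NO_TLS), ("TLS build", ROOTDSE_WITH_TLS)):
        code = triage(dump, POSTED_ERROR)
        print(f"{label}: {code}\n  {DIAGNOSES[code]}\n")
```

Run against the real rootDSE, the first branch is the one to rule out before spending time on file permissions or cipher strings: a slapd that does not list 1.3.6.1.4.1.1466.20037 will answer every StartTLS request exactly as the post shows, regardless of what is in /etc/openldap/certs.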