AFP548 Changing the world one server at a time.
Thursday, July 29 2010 @ 09:34 am MDT

SSL and LDAP in Leopard

Articles

Be careful what you wish for, you just might get it... 

Starting with Leopard the OS X LDAP client is much more restrictive about which SSL certificates it trusts. It will flatly refuse to use any cert you have not explicitly told it is OK. Technically this is a deeper issue with anything using OpenSSL, but chances are you'll notice it first, and hardest, with LDAP. 

Making this even more complicated is that the new behavior really is more secure than the old 10.4 behavior, so it's rather hard to get too angry about the change. However, things not working makes an admin cranky regardless of the bigger picture.

Read on for how to troubleshoot this and then how to work with it or around it. 



The Change

The difference between 10.4 and 10.5 lies entirely in /etc/openldap/ldap.conf. Where before it used to say

TLS_REQCERT never

now it says

TLS_REQCERT demand

(ldap.conf directives are whitespace-separated, option then value, with no equals sign, the same as the TLS_CACERT lines further down.)

This change means the underlying LDAP client will only use an SSL certificate it can verify, and it drops the connection attempt if it thinks the cert is bad. So, what constitutes a valid cert?

Out of the box... nothing. The LDAP client trusts no one, because no CA certificates are configured for it to verify against. Even if you actually paid for your SSL certificate and have no issues when you use it to secure a website, the LDAP client will still refuse it. Annoyingly the GUI, in this case Directory Utility, will happily show you a green dot next to your server; it's just that the server won't actually be used. If you also require an authenticated bind over SSL, the bind fails as well.

While this is annoying if you didn't expect it, I find it hard to argue that it was a bad move. Not validating the server against a known certificate left client systems open to something as simple as a DNS poisoning attack: anyone who could point your clients at their own host could present any cert at all, and the old client would hand over the bind credentials without complaint. So I do feel that this is a good thing, but it certainly does take a bit more work to get things functioning. 

Test via the CLI

The easiest way to test what exactly is going on is to use the ldapsearch command to verify whether you're able to connect or not. This assumes that you've first set up OD and enabled SSL for LDAP, either using the default certificate on the server or one you've configured yourself.
ldapsearch -v -x -H ldaps://biggie.afp548.com -b "dc=biggie,dc=afp548,dc=com"
Substitute your own server FQDN and search base. This should fail on a stock 10.5 install with this error:
ldap_bind: Can't contact LDAP server (-1)
    additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Fairly self-explanatory, at least as to what the error is: the client received the server's certificate but could not verify it against anything it trusts. So now how to fix it.

Get the Cert

You're going to need to feed the cert to the LDAP client so that it knows to trust it. While it's possible to do this by exporting the cert from the server itself, it's typically easier to use openssl s_client to snarf the cert.
openssl s_client -connect biggie.afp548.com:636
Which should come back with a deluge of information for you. Within that is going to be a dozen or more lines that are blocked off by:
-----BEGIN CERTIFICATE-----
and
-----END CERTIFICATE-----
Take that text, including the BEGIN CERTIFICATE and END CERTIFICATE lines, and paste it into a text file. A CLI text editor would be best for this to ensure that you don't accidentally save it as a .rtf or something funky like that.

For purposes of demonstration we'll assume that you've saved the cert to /tmp/ssl.cert.

Note: the last line of the s_client output should read "Verify return code: 18 (self signed certificate)" or "Verify return code: 19 (self signed certificate in certificate chain)". 18 means the server's cert is self-signed, and it is the cert to trust. 19 means the server's cert was signed by a CA that OpenSSL doesn't know, a CA you made yourself for instance; in that case the cert to trust is the CA's, not the server's, so add -showcerts to the s_client command to print the whole chain and copy out the CA's block instead. Either way the next step should clear this out.

BTW, control-c to get out of the s_client connection.

Test the Cert

Now that you have the cert sequestered in a text file you can test again with s_client, manually specifying the certificate as the trusted CA:
openssl s_client -connect biggie.afp548.com:636 -CAfile /tmp/ssl.cert
Which should display similar output to before, however with a significant change to the last line:
Verify return code: 0 (ok)
instead of the 18 or 19 you were getting before. This means you've successfully managed to get OpenSSL to be happy with the certificate on the remote server. So now to make LDAP as happy...

Edit ldap.conf

You are going to need to add a new line to /etc/openldap/ldap.conf that points to the certificate you've just pulled down. I tend to keep things tidy here and create an /etc/openldap/certs folder and then copy the text file we got before into there. Here we'll assume you renamed the file to the server's name and put it in this location.

After moving the cert you can add one line to /etc/openldap/ldap.conf
TLS_CACERT    /etc/openldap/certs/biggie.afp548.com
Now retest with the ldapsearch command and see if it works.
ldapsearch -v -x -H ldaps://biggie.afp548.com -b "dc=biggie,dc=afp548,dc=com"
This should now return an LDIF of your whole LDAP setup, so it may take a while. Trim down the search if you want.

Ensuring OD Works

At this point you should be able to join and use an SSL-secured OD setup via Directory Utility. So please do that at this time. You may need to kick DirectoryService if you had already attempted to set up the LDAP connection before the cert was trusted.
sudo killall DirectoryService

Securing a Collection of Certs

The method above will only allow that one specific server, with that one specific cert, to be trusted. If you have multiple LDAP servers you're working with you're going to need to either concatenate their certs into the one TLS_CACERT file, or put them all in the same directory and point ldap.conf at it. Here's how to do the latter.

  • Grab all of the certs as before using openssl s_client.
  • Now you're going to have to use another OpenSSL utility to get the certs into the hashed naming scheme OpenSSL uses to look up a CA in a directory. For each cert you will run it through c_hash, which gives you the name you'll need to rename the cert file to.
	/System/Library/OpenSSL/misc/c_hash /etc/openldap/certs/biggie.afp548.com
	03be8eb2.0 => /etc/openldap/certs/biggie.afp548.com

            In this example you'd rename your existing cert file to 03be8eb2.0. The hash is computed over the certificate's subject name, so two different certs with the same subject would collide; give the second one the suffix .1 instead of .0 and OpenSSL will try both.

  • Then you can add
	TLS_CACERTDIR     /etc/openldap/certs/

            to your /etc/openldap/ldap.conf file.

  • Probably best to remove any earlier TLS_CACERT directives you have in ldap.conf at this time as well.
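The following is an added example, not code from this article or from Apple. It turns the manual steps from "Get the Cert" through "Securing a Collection of Certs" into shell functions: pulling the PEM block out of s_client output, the hostname check, the -CAfile verification that corresponds to "Verify return code: 0 (ok)", and the c_hash rename for a TLS_CACERTDIR. It also handles the case a commenter raises below, a server cert signed by your own CA, where the block to trust is the CA's, further down in -showcerts output. It assumes openssl(1) is on the PATH (and ldapsearch for the last function); the hostnames and /etc/openldap paths are the article's, while the function names, temp paths, make_selfsigned_cert (an offline stand-in for the server) and the LDAPTLS_CACERT retest are mine.

```shell
#!/bin/bash
# Added example; not code from the AFP548 article.  Helpers for trusting an
# LDAP server certificate under TLS_REQCERT demand.  Assumes openssl(1) on the
# PATH.  Hostnames/paths follow the article; function names are illustrative.

# Print the Nth PEM certificate block (default: first) from `openssl s_client`
# output on stdin.  With -showcerts the chain is printed server cert first,
# so the block to trust for a private CA is the last one, not the first.
extract_pem_block() {
    local want="${1:-1}"
    awk -v want="$want" '
        /^-----BEGIN CERTIFICATE-----$/            { n++ }
        n == want                                  { print }
        /^-----END CERTIFICATE-----$/ && n == want { exit }'
}

# Subject CN of a PEM cert.  RFC 2253 formatting keeps the output stable
# across OpenSSL versions (subject=CN=biggie.afp548.com).
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# With TLS_REQCERT demand the client also checks that the name in the cert is
# the name it connected to.  This is why the stock OS X Server cert can never
# be trusted: its subject carries no hostname.  (SAN entries are ignored here.)
cn_matches_host() {   # $1 = cert file, $2 = hostname used in ldaps://...
    [ "$(cert_cn "$1")" = "$2" ]
}

# What `s_client -CAfile` checks: does $2 chain to a cert in $1?  Exit status 0
# corresponds to "Verify return code: 0 (ok)".  For a self-signed server cert
# $1 and $2 are the same file.
verify_against() {    # $1 = trusted cert(s), the TLS_CACERT file; $2 = cert to check
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Same check against a hashed directory, i.e. what TLS_CACERTDIR gives the client.
verify_in_dir() {     # $1 = directory, $2 = cert to check
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Copy a cert into a TLS_CACERTDIR under the name c_hash would print for it:
# <subject hash>.<n>, n counting up when two different certs share a hash.
# Compute the hash with the openssl the *client* will use: 0.9.x (Leopard) and
# 1.0+ hash subjects differently, so a name from one generation is invisible
# to the other.
install_hashed() {    # $1 = cert file, $2 = directory
    local h i=0
    h=$(openssl x509 -noout -hash -in "$1") || return 1
    while [ -e "$2/$h.$i" ]; do i=$((i + 1)); done
    cp "$1" "$2/$h.$i" && printf '%s\n' "$2/$h.$i"
}

# Self-signed cert for offline testing (constructed stand-in for the server).
make_selfsigned_cert() {   # $1 = CN, $2 = output PEM (key goes to $2.key)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2.key" -out "$2" >/dev/null 2>&1
}

# Live use: pull the cert a server presents, check the name, and print the
# ldap.conf line.  Nothing is trusted until you put that line in ldap.conf.
fetch_server_cert() { # $1 = FQDN, $2 = file to save the cert to
    openssl s_client -connect "$1:636" -showcerts </dev/null 2>/dev/null \
        | extract_pem_block 1 > "$2"
    [ -s "$2" ] || { echo "no certificate received from $1" >&2; return 1; }
    cn_matches_host "$2" "$1" \
        || { echo "cert CN '$(cert_cn "$2")' does not match $1" >&2; return 1; }
    verify_against "$2" "$2" \
        || { echo "$2 is not self-signed: trust its CA (a later -showcerts block) instead" >&2; return 1; }
    printf 'TLS_CACERT %s\n' "$2"
}

# Retest the way the article does, but before editing ldap.conf: OpenLDAP
# reads LDAPTLS_CACERT from the environment as an override of TLS_CACERT.
# A base-scope search keeps the output to one entry.
retest_ldaps() {      # $1 = FQDN, $2 = cert file, $3 = search base
    LDAPTLS_CACERT="$2" ldapsearch -x -H "ldaps://$1" -b "$3" -s base dn
}
```

Source the file, then run fetch_server_cert biggie.afp548.com /etc/openldap/certs/biggie.afp548.com; if it prints a TLS_CACERT line, retest_ldaps biggie.afp548.com /etc/openldap/certs/biggie.afp548.com "dc=biggie,dc=afp548,dc=com" shows whether the client is happy before you touch ldap.conf. install_hashed does the c_hash rename for a TLS_CACERTDIR, and verify_in_dir confirms the directory actually resolves the cert for the openssl build you have, which is the check to run when a hashed directory that works on one machine is silently ignored on another.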

On the Other Hand

You could revert the ldap.conf file back to the 10.4 behavior, TLS_REQCERT never, and be done with all this... Just be clear about what you're giving up: the session is still encrypted, but the client accepts whatever certificate it is shown, so anyone who can get your clients to connect to their host (the DNS poisoning case above) gets a working SSL session, and your users' bind credentials along with it.

Keychains

Note that while it would certainly make most of the pain go away, OpenSSL and therefore the LDAP libraries have no concept of what a keychain is. So, no, importing the certs into your keychain won't do anything for the LDAP issue. 

Other Notes

You will never be able to use the default certificate that comes with OS X Server without changing TLS_REQCERT back to never. The default certificate isn't issued to a hostname, and the client checks that the name in the cert matches the name you connected to, so it will never pass verification no matter which CA you tell the client to trust.

As mentioned by Mr. McCune in the comments, you may also want to investigate pointing ldap.conf to the default trusted root store that is included with curl on OS X.

TLS_CACERT /usr/share/curl/curl-ca-bundle.crt

Which should allow you to use a purchased certificate without any further per-server mods to ldap.conf, as long as it was issued by one of the CAs in that bundle and to the FQDN your clients connect to. Keep in mind that this makes the LDAP client trust every CA in the bundle, and that the bundle is only as current as that file.

SSL and LDAP in Leopard | 37 comments
SSL and LDAP in Leopard
Authored by: hetjan on Monday, December 03 2007 @ 06:27 pm MST
???

This seems to be a LOT of hassle. Can't I just use the keychain utility to import the cert?
SSL and LDAP in Leopard
Authored by: gaige on Monday, December 03 2007 @ 09:34 pm MST
Great article and thanks for that. Oddly enough, I'd called enterprise support on this issue in the last week of October and had basically given up on digging further into it until they got back to me. Apparently the problem is confirmed and is in Engineering's hands. Hopefully they'll find an appropriate way to solve this for larger sites.

For us, this solution is a fine work-around.

Thanks again and keep up the great work!
-Gaige

SSL and LDAP in Leopard
Authored by: Anonymous on Tuesday, December 04 2007 @ 09:31 am MST
Thank you for posting this solution. Saved me hours of work and troubleshooting. Your solution is more complete and better explained than what Apple has been telling me. You seem to know more than Apple about this problem based on my communications with them.
SSL and LDAP in Leopard
Authored by: mccune on Tuesday, December 04 2007 @ 04:02 pm MST

I posted a follow up note about leveraging the curl ca-bundle PEM file already present on all Leopard clients to use a purchased certificate with relative ease.

Check out: More on SSL and LDAP in Leopard

Cheers,
-Jeff
SSL and LDAP in Leopard
Authored by: boardwalk2 on Tuesday, December 04 2007 @ 06:10 pm MST
Note; Posted the question and comment as a reply to another comment, but wanted to show up at main level
so the original author can respond. Thanks.

---

If I already have a wildcard SSL certificate and certificate authority file issued by a valid certificate authority for my domain (i.e., WC_companyA_com.crt is a valid SSL certificate that works for domain companyA.com and subdomains server1.companyA.com, server2.companyA.com; WC_company_com.ca-bundle is the CA file), can I use those files instead of generating a self-signed certificate? If yes, how? Just copy them into /etc/openldap/certs path?

Until I read this article, I wasn't sure why creating a new user in OS X Leopard server fails. Strangely, it shows different symptoms when using 'Workgroup Manager' vs 'Server Preferences'. The WGM creates the user, but not any home directories, etc. Server Preferences shows a -14002 error. How did it get through Apple QA? Didn't anyone try to add users to OS X Server?
SSL and LDAP in Leopard
Authored by: mosx86 on Wednesday, December 05 2007 @ 06:08 pm MST
I'm able to get as far as

openssl s_client -connect OD.master.edu:636 -CAfile /tmp/ssl.cert

But continue to get: "Verify return code: 19 (self signed certificate in certificate chain)"

SSL and LDAP in Leopard
Authored by: Anonymous on Thursday, December 06 2007 @ 10:16 am MST
What about replica servers? I haven't tested this yet but it seems like the SSL certs for all replica servers would need to be copied to and configured on the client computers as well.
SSL and LDAP in Leopard
Authored by: MK on Thursday, December 06 2007 @ 10:59 am MST
This also causes problems for Address Book lookups in an LDAP, like Active Directory, that you are not bound to. Adding the TLS_CACERT line does fix the problem for those with purchased certs. We found an alternate fix at http://www.novell.com/coolsolutions/feature/19965.html that may also help with understanding this problem.
SSL and LDAP in Leopard
Authored by: cshooshan on Wednesday, December 26 2007 @ 09:20 am MST
This is great! Works like a charm. However, I am hungup on getting LDAP address lookup to work with SSL from mail clients.

After following the instructions, both of these return full results:

ldapsearch -v -x -H ldap://mail.mydomain.com -b "dc=mydomain,dc=com"
ldapsearch -v -x -H ldaps://mail.mydomain.com -b "dc=mydomain,dc=com"

Just to make sure, these also work:

ldapsearch -v -x -H ldap://mail.mydomain.com:389 -b "dc=mydomain,dc=com"
ldapsearch -v -x -H ldaps://mail.mydomain.com:636 -b "dc=mydomain,dc=com"

And they work from my OS X (Tiger) client on the same LAN (no firewall issues).

I want to setup the Apple Mail client to use this LDAP server as an address source (lookup).

It works fine (address completion, for example) if I setup Apple Mail (Configure LDAP) on the ldap port (389) without SSL but is unsuccessful if I choose port 636 and SSL.

Am I missing something? Am I supposed to get a prompt for the certificate on the client or is there some other magic that I am leaving out?

Thanks for your help,
Charlie

SSL and LDAP in Leopard
Authored by: orris on Friday, February 01 2008 @ 11:32 am MST
Am I missing something, or do the clients also have to modify their ldap.conf files? Worked on the server but not clients.

---
What you do is of little significance; but it is very important that you do it. -Mohandas K. Gandhi (1869-1948)

SSL and LDAP in Leopard
Authored by: dayglojesus on Wednesday, February 27 2008 @ 10:42 am MST

Quote: Note that while it would certainly make most of the pain go away, OpenSSL and therefore the LDAP libraries have no concept of what a keychain is. So, no, importing the certs into your keychain won't do anything for the LDAP issue.

I find this odd considering that during my Apple Server training for 10.3 (granted, it was 10.3), we were instructed to use the System keychain to store our LDAP SSL certs. The exercise they guided us through used certtool to import the cert into the X509Anchors KC, and it worked flawlessly. And AFAIK, this still works in Tiger.

Does this not suggest that it's broken in Leopard?

If your certificate is signed by your self-signed CA
Authored by: arekdreyer on Tuesday, April 15 2008 @ 10:27 pm MDT
If you made a CA for yourself, then signed a certificate with it, use
openssl s_client -connect mainserver.pretendco.com:636 -showcerts
to show ALL the certificates. Then do the copy, paste, c_hash dance for the CA.
SSL and LDAP in Leopard
Authored by: kangaman on Thursday, June 19 2008 @ 03:12 pm MDT
I have my Leopard client authenticating against Linux/OpenLDAP using unencrypted connections. When I try to enable SSL connectivity, even though I can "verify" the CA as described in this article, and even though I can use ldapsearch to print *everything* in the LDAP directory, "DirectoryService" won't budge. When I do

dscl localhost /LDAPv3/myhost.mydomain

I get:

list: Invalid Path
DS Error: -14009 (eDSUnknownNodeName).

If the Mac will authenticate unencrypted, the OpenLDAP server should be setup just fine.

My OpenLDAP is configured with SSL, Cyrus-SASL support is compiled in, but I haven't done anything special to configure it, and I don't use Kerberos (for the moment). Any assistance would be *greatly* appreciated. I've spent almost 2 days trying to figure this out.

SSL and LDAP in Leopard
Authored by: Anonymous on Friday, December 05 2008 @ 01:04 pm MST
I moved a verified working computer with this setup from a network I controlled to an external network and it stopped working. Using dscl, I got the error 'eDNSUnknownNodeName' when I tried to cd to /LDAPv3/myserver. Testing with ldapsearch and openssl both succeeded.

Adding the IP address / server name combination to /etc/hosts fixed the problem.

I think that DirectoryService verifies that the server name on the certificate, in DNS and in reverse DNS match.

SSL and LDAP in Leopard
Authored by: cshooshan on Monday, March 09 2009 @ 11:35 pm MDT
I am still enjoying the fruits of this article! I recently spent a lot of time trying to apply this article and the article entitled "Becoming a CSA to sign SSL certs for Open Directory Replicas" together.

What I was hoping was to be able to sign my self-signed certificates and then use those signed certificates as a basis for SSL IMAP and APOP connections. I was able to create my own CA and sign the server certificates but I was unable to get the certificates to work with openldap. I copied the new certificate into /etc/openldap/certs (where my CACERT instruction always has pointed) and I even concatenated the CA certificate (in PEM format) to the certificate in the CACERT location (two certs in one file).

I continue to get the "unable to verify first certificate error" and the Directory Service (GUI) fails to connect using SSL (I know it is silly to connect to oneself with SSL but it is the only way to verify that others can connect).

This all started because the system.log shows "TLS server engine: cannot load CA data" and then connects with starttls for secure IMAP and APOP (all because of the self-signed certificates).

Any help would be appreciated. I may have to break down and buy a certificate :-}
SSL and LDAP in SNOW Leopard 10.5.6
Authored by: teigerwutz on Friday, October 30 2009 @ 06:13 am MDT
What about SSL and LDAP in Snow Leopard (10.5.6) with TLS_REQCERT = demand? The last step, binding to OD with Directory Utility, doesn't work. Adding the cert to the keychain as a system/system-root cert also doesn't help. Didn't try 10.5.8 yet..