How to Configure Linux OpenLDAP to Securely Connect to eDirectory

(Last modified: 07Apr2005)

This document (10097214) is provided subject to the disclaimer at the end of this document.

goal

How to Configure OpenLDAP to Securely Connect to eDirectory

fact

OpenLDAP on Linux

OpenSSL on Linux

eDirectory 8.7.x

symptom

error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

TLS handshake failed on connection 0x86f7528, err = -5875

cause

To use the OpenLDAP client securely on SLES, the eDirectory certificate needs to be exported and the OpenLDAP client needs to be configured to use the new certificate.

fix

Exporting the Certificate:

In iManager, perform the following:

1. Go to eDirectory Administration | Modify Object
2. Browse to the container where the NCP server object resides that corresponds to the LDAP server.
3. Modify the LDAP server object.
4. Go to the Connections tab.
5. Note what object is specified in the "Server Certificate" field.
NOTE: If a certificate is not specified, select one and then refresh the LDAP server. Make sure the LDAP server is listening on port 636.
6. Go back to eDirectory Administration | Modify Object.
7. Browse to the container where the NCP server object resides.
8. Click on the object that corresponds with the name noted in step 5.
9. Select Certificates | Trusted Root Certificate.
10. Click on Export.
11. Do not export the private key and click Next.
12. Select the DER format and click Next.
13. Click on Save Exported Certificate to a File.
14. Save the certificate to the local disk.
15. Copy the certificate to a directory that can be accessed by OpenLDAP on the Linux box (e.g. /usr/ldaptools/eDircert.der).

Configure the OpenLDAP client to use the certificate:

On the Linux box, perform the following:

1. Open the /etc/ldap.conf file in a text editor.
2. Find the line that says "ssl start_tls" and make sure it is not commented out.
3. Find the line that says "ssl on" and make sure it is not commented out.
4. Find the line that says tls_cacertfile. Make sure it is not commented out.
5. Set it to the full path of the certificate file that you copied to the Linux box (e.g. tls_cacertfile /usr/ldaptools/eDircert.der).
6. Save the file.

Run the OpenLDAP client tools and tell them to use SSL/TLS.

Listed below are sample OpenLDAP command lines, from a clear-text bind up to a fully secure one:

// Simple LDAP bind on clear-text port 389 (-x is required, otherwise a SASL bind is attempted)

ldapsearch -b o=novell -s sub -h 137.65.87.117 -D cn=admin,o=novell -w novell -p 389 -x -vvv objectclass=*

// Same simple LDAP bind with -H (preferred option) instead of -h (deprecated) (-x still required)

ldapsearch -b o=novell -s sub -H ldap://137.65.87.117:389 -D cn=admin,o=novell -w novell -x -vvv objectclass=*

// Connect on clear-text port 389, then issue the Start TLS extended operation (-Z) so the bind itself runs over TLS

ldapsearch -b o=novell -s sub -H ldap://137.65.87.117:389 -D cn=admin,o=novell -w novell -x -Z -vvv objectclass=*

// Direct LDAPS (SSL) bind on port 636

ldapsearch -b o=novell -s sub -H ldaps://137.65.87.117:636 -D cn=admin,o=novell -w novell -x -vvv objectclass=*
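As an added offline check, not part of the original TID, the following Python script verifies that the three /etc/ldap.conf directives from the steps above are present and not commented out, classifies the exported certificate file as DER or PEM, and converts DER to PEM; OpenLDAP's OpenSSL/GnuTLS back ends read tls_cacertfile as PEM, so converting the iManager DER export is a useful fallback if the TLS handshake still fails. The sample config and certificate bytes are constructed for the example.

```python
import base64

# Constructed sample of /etc/ldap.conf after the steps above (one directive left commented out)
SAMPLE_LDAP_CONF = """\
host 137.65.87.117
base o=novell
#ssl start_tls
ssl on
tls_cacertfile /usr/ldaptools/eDircert.der
"""

def parse_ldap_conf(text):
    """Map each uncommented directive (lower-cased) to the list of values given for it."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are ignored, as the client does
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1].strip() if len(parts) > 1 else "")
    return conf

def check_ldap_conf(text):
    """Return the TID settings that are missing or commented out (empty list = all present)."""
    conf = parse_ldap_conf(text)
    problems = []
    for value in ("start_tls", "on"):
        if value not in conf.get("ssl", []):
            problems.append("ssl " + value)
    if not any(v for v in conf.get("tls_cacertfile", [])):
        problems.append("tls_cacertfile")
    return problems

def cert_encoding(data):
    """Classify certificate file bytes: PEM is text armour, DER opens with an ASN.1 SEQUENCE tag."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return "PEM"
    if data[:1] == b"\x30":  # 0x30 = SEQUENCE tag that starts every X.509 DER certificate
        return "DER"
    return "unknown"

def der_to_pem(der):
    """Wrap DER bytes as PEM, equivalent to: openssl x509 -inform DER -in eDircert.der -outform PEM."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"

def pem_to_der(pem):
    """Inverse of der_to_pem; lets you confirm the conversion is lossless."""
    lines = [l for l in pem.splitlines() if l and not l.startswith("-----")]
    return base64.b64decode("".join(lines))

if __name__ == "__main__":
    print("Problems in sample ldap.conf:", check_ldap_conf(SAMPLE_LDAP_CONF) or "none")
```

Run it against the real file with `check_ldap_conf(open("/etc/ldap.conf").read())`, then feed the bytes of eDircert.der to `cert_encoding` and `der_to_pem` if a PEM copy is needed.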

document

Document Title: How to Configure Linux OpenLDAP to Securely Connect to eDirectory
Document ID: 10097214
Solution ID: NOVL101637
Creation Date: 04Apr2005
Modified Date: 07Apr2005
Novell Product Class:novell directory services

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.