Posted to users@directory.apache.org by Matthias Cramer <ma...@iway.ch> on 2010/01/06 10:32:20 UTC
[ApacheDS] Ceritficate for StartTLS
Hi
I'm fairly new to Apache DS but managed to get everything I wanted working
so far. I've generated a new SSL cert and configured it in
server.xml so that it works for normal SSL ldaps connections.
But when I do StartTLS, the default certificate that came with the
package still gets used. How do I replace this one? I did not find anything
on the website and Google was of no help either.
Any hint is appreciated.
Regards
Matthias
--
Matthias Cramer / mc322-ripe Senior Network & Security Engineer
iway AG Phone +41 43 500 1111
Josefstrasse 225 Fax +41 44 271 3535
CH-8005 Zürich http://www.iway.ch/
GnuPG 1024D/2D208250 = DBC6 65B6 7083 1029 781E 3959 B62F DF1C 2D20 8250
Re: [ApacheDS] Ceritficate for StartTLS
Posted by Stefan Seelmann <se...@apache.org>.
Hi Beat,
Beat Burgener | NetSuccess GmbH wrote:
> Matthias,
>
> what tool do you use to connect to Apache DS? I use Apache Directory
> Studio, and AFAIR,
> there was an error if the certificate does not match the FQDN.
>
> However, connecting either using LDAPS on Port 636 or via StartTLS on
> port 389, I don't get an error.
> I don't know of a way to display the certificate details of a connection
> in the AD Studio though ...
Studio 1.5 includes certificate validation and makes it possible to view
certificate details of manually trusted certificates (I just realize
that it is not possible to view details of valid certificates, btw). The
manually trusted certificates are listed in Preferences -> Apache
Directory Studio -> Connections -> Certificate Validation.
Kind Regards,
Stefan
Re: [ApacheDS] Ceritficate for StartTLS
Posted by Beat Burgener | NetSuccess GmbH <be...@netsuccess.ch>.
On 06.01.2010 16:55 PM, Emmanuel Lécharny wrote:
> Beat Burgener | NetSuccess GmbH a écrit :
>>>>
>>>> BTW2: I personally do not suggest storing the certificate data
>>>> within the LDAP directory itself, although there are fields available.
>>>> If you have a certificate used for "ssl.xyz.com", used for web,
>>>> ldap and so on, compromising the LDAP account or
>>>> ApacheDS through LDAP protocol might reveal the private key - or am
>>>> I wrong on this?
>>>> I know that more and more directories start storing PKI data within
>>>> the storage engine (Microsoft ADS does this too),
>>>> but somehow I don't feel comfortable with this ...
>>> The question here is much more about giving people a direct access
>>> to LDAP. I'm not sure it should be considered a good idea to expose
>>> your LDAP server to the world.
>> True, I do not intend to do so, but for example if you use LDAP to
>> validate "basic authentication" in web sites, there is a chance for
>> brute force attacks,
>> as web servers are not able to lock accounts (AFAIK) - this was a
>> recent question of another user...
>
> Hopefully, firewalls can deal with brute force attacks at an upper
> layer, like denying someone sending requests to your IT at a high rate !
Well, most firewalls operate at OSI Layer 4, so they don't know and
don't care what the request itself was ... Application layer FWs/gateways
do such things, but are very expensive and very custom ...
Further, if an application (like Apache, PHP) is in between, the requests
are all from the same source, so you can't distinguish (Layer 4 FW assumed)
whether there is 1 client generating 1000 requests/second or 500
clients logging in per second, depending on the load of the service/site ...
>
> I must be frank here : ADS (and probably all the LDAP servers) aren't
> ironed to support a brute force attack. At best, you'll get a DOS.
>
> Now, for web apps using a LDAP server to do basic auth, I think it's
> not safe to use something else than a dedicated server.
Okay, good to know that you think like this about that matter, as I am
suspicious of centralizing everything that much ... however, easy-to-understand
user demands are there ...
>
>> <snip/>
>> That's why I'm also looking into SSO and Kerberos solutions for
>> Authentication ...
>> There was also a POST regarding Kerberos and ApacheDS, but AFAIR, it
>> was that Kerberos is not fully supported yet?
> Well, it is, but it's not mature :/ We *want* to improve the existing
> Kerberos server, but we don't have time. At least, it works.
Might be that I'll give it a try soon, but I share the same fate -
time ....
>>>
>>> In many cases, you will use your LDAP server as a NIS, requested only
>>> by IT services, like FTP, DNS, etc.
>>>
>>> If you are to use LDAP to store user data, then either you protect
>>> the critical data (certificates) by adding ACI (good luck ...), or
>>> you install a second LDAP server (probably a better idea).
>> I currently have ACI in use and I like it ... I came from M$, so
>> ACL / ACI is crucial to me .. ,-)
>> The only thing that is a little bit "uncomfortable" is the
>> requirement to restart the server after changes ... But changes are
>> rare, fortunately ...
> AFAICT, ACI are dynamic in ADS. I mean, you define them and they are
> immediately used.
I'll try again and will then report ....
>
>>>
>>> M$ has it wrong at the beginning, when they start telling their user
>>> that AD was a LDAP server and that you should use it for your
>>> applications, until they realized how dangerous it was, and they
>>> created AD/AM (of course, there were other reasons like if you FU
>>> with AD, you have little option but reinstalling your domain server
>>> ... :/). But M$ AD is really a NIS server, not a LDAP server, with
>>> all the access control needed to protect such private data as the
>>> users certificates.
>> Well, M$ AD at least exports a more or less compliant LDAP / LDAPS
>> infrastructure ... and if that is possible, "attacks" available
>> against LDAP might be possible against AD too, I assume ...
>> I don't know what you reference NIS to, but I only know NIS as of
>> Unix .... and this is an entire infrastructure on its own far away
>> from Kerberos and LDAP ...
>
> Don't get me wrong : when M$ decided to move to something close to
> LDAP to manage W$ domain, and added kerberos support into it, they
> made a fantastic move, with a double impact :
> - suddenly, Kerberos was available without having to go through a
> cryptic configuration and a painful installation
> - LDAP became the de-facto solution for storing and managing users and
> resources on a system
>
> In fact, LDAP and Kerberos were quietly sleeping, waiting for better
> days, when M$ came and pushed it back to the front-stage. That was Good,
> tm.
I fully agree!
>
>
Thank you for the responsive conversation
Beat
Re: [ApacheDS] Ceritficate for StartTLS
Posted by Emmanuel Lécharny <el...@gmail.com>.
Beat Burgener | NetSuccess GmbH a écrit :
>>>
>>> BTW2: I personally do not suggest storing the certificate data
>>> within the LDAP directory itself, although there are fields available.
>>> If you have a certificate used for "ssl.xyz.com", used for web, ldap
>>> and so on, compromising the LDAP account or
>>> ApacheDS through LDAP protocol might reveal the private key - or am
>>> I wrong on this?
>>> I know that more and more directories start storing PKI data within
>>> the storage engine (Microsoft ADS does this too),
>>> but somehow I don't feel comfortable with this ...
>> The question here is much more about giving people a direct access to
>> LDAP. I'm not sure it should be considered a good idea to expose your
>> LDAP server to the world.
> True, I do not intend to do so, but for example if you use LDAP to
> validate "basic authentication" in web sites, there is a chance for
> brute force attacks,
> as web servers are not able to lock accounts (AFAIK) - this was a
> recent question of another user...
Hopefully, firewalls can deal with brute force attacks at an upper layer,
like denying someone sending requests to your IT at a high rate !
I must be frank here : ADS (and probably all the LDAP servers) aren't
ironed to support a brute force attack. At best, you'll get a DOS.
Now, for web apps using an LDAP server to do basic auth, I think it's not
safe to use anything other than a dedicated server.
> <snip/>
> That's why I'm also looking into SSO and Kerberos solutions for
> Authentication ...
> There was also a POST regarding Kerberos and ApacheDS, but AFAIR, it
> was that Kerberos is not fully supported yet?
Well, it is, but it's not mature :/ We *want* to improve the existing
Kerberos server, but we don't have time. At least, it works.
>>
>> In many cases, you will use your LDAP server as a NIS, requested only
>> by IT services, like FTP, DNS, etc.
>>
>> If you are to use LDAP to store user data, then either you protect the
>> critical data (certificates) by adding ACI (good luck ...), or you
>> install a second LDAP server (probably a better idea).
> I currently have ACI in use and I like it ... I came from M$, so ACL
> / ACI is crucial to me .. ,-)
> The only thing that is a little bit "uncomfortable" is the requirement
> to restart the server after changes ... But changes are rare,
> fortunately ...
AFAICT, ACI are dynamic in ADS. I mean, you define them and they are
immediately used.
>>
>> M$ has it wrong at the beginning, when they start telling their user
>> that AD was a LDAP server and that you should use it for your
>> applications, until they realized how dangerous it was, and they
>> created AD/AM (of course, there were other reasons like if you FU
>> with AD, you have little option but reinstalling your domain server
>> ... :/). But M$ AD is really a NIS server, not a LDAP server, with
>> all the access control needed to protect such private data as the
>> users certificates.
> Well, M$ AD at least exports a more or less compliant LDAP / LDAPS
> infrastructure ... and if that is possible, "attacks" available
> against LDAP might be possible against AD too, I assume ...
> I don't know what you reference NIS to, but I only know NIS as of Unix
> .... and this is an entire infrastructure on its own far away from
> Kerberos and LDAP ...
Don't get me wrong : when M$ decided to move to something close to LDAP
to manage W$ domain, and added kerberos support into it, they made a
fantastic move, with a double impact :
- suddenly, Kerberos was available without having to go through a
cryptic configuration and a painful installation
- LDAP became the de-facto solution for storing and managing users and
resources on a system
In fact, LDAP and Kerberos were quietly sleeping, waiting for better
days, when M$ came and pushed it back to the front-stage. That was Good, tm.
Re: [ApacheDS] Ceritficate for StartTLS
Posted by Beat Burgener | NetSuccess GmbH <be...@netsuccess.ch>.
Emmanuel,
thank you for the swift reply. Remarks below:
On 06.01.2010 15:46 PM, Emmanuel Lécharny wrote:
> Beat Burgener | NetSuccess GmbH a écrit :
>> Stefan,
>>
>> thank you for pointing this out.
>>
>> BTW: I just found out that I still have 1.5.4 ;-(
>>
>> BTW2: I personally do not suggest storing the certificate data within
>> the LDAP directory itself, although there are fields available.
>> If you have a certificate used for "ssl.xyz.com", used for web, ldap
>> and so on, compromising the LDAP account or
>> ApacheDS through LDAP protocol might reveal the private key - or am I
>> wrong on this?
>> I know that more and more directories start storing PKI data within
>> the storage engine (Microsoft ADS does this too),
>> but somehow I don't feel comfortable with this ...
> The question here is much more about giving people a direct access to
> LDAP. I'm not sure it should be considered a good idea to expose your
> LDAP server to the world.
True, I do not intend to do so, but for example if you use LDAP to
validate "basic authentication" in web sites, there is a chance for
brute force attacks,
as web servers are not able to lock accounts (AFAIK) - this was a recent
question of another user... PHP with its security issues might be an
option to get access to an LDAP,
and if not well protected by ACI, this might be dangerous ...
That's why I'm also looking into SSO and Kerberos solutions for
Authentication ...
There was also a POST regarding Kerberos and ApacheDS, but AFAIR, it was
that Kerberos is not fully supported yet?
>
> In many cases, you will use your LDAP server as a NIS, requested only by
> IT services, like FTP, DNS, etc.
>
> If you are to use LDAP to store user data, then either you protect the
> critical data (certificates) by adding ACI (good luck ...), or you
> install a second LDAP server (probably a better idea).
I currently have ACI in use and I like it ... I came from M$, so ACL /
ACI is crucial to me .. ,-)
The only thing that is a little bit "uncomfortable" is the requirement
to restart the server after changes ... But changes are rare,
fortunately ...
>
> M$ has it wrong at the beginning, when they start telling their user
> that AD was a LDAP server and that you should use it for your
> applications, until they realized how dangerous it was, and they
> created AD/AM (of course, there were other reasons like if you FU with
> AD, you have little option but reinstalling your domain server ... :/).
> But M$ AD is really a NIS server, not a LDAP server, with all the
> access control needed to protect such private data as the users
> certificates.
Well, M$ AD at least exports a more or less compliant LDAP / LDAPS
infrastructure ... and if that is possible, "attacks" available against
LDAP might be possible against AD too, I assume ...
I don't know what you reference NIS to, but I only know NIS as of Unix
.... and this is an entire infrastructure on its own far away from
Kerberos and LDAP ...
;o)
>>
>> BTW3: Is there a way to force StartTLS an LDAP connection using port
>> 389 via the ApacheDS configuration?
> It's an extended operation, so yes, you can send such a request to
> the server prior to any operation, on port 389. That's the way
> everyone should use LDAP, btw. LDAPS is considered as obsolete.
>> That's why I use LDAPS, which does not support plain text connections
>> AFAIK. For LDAP, I don't feel in the position to control that
>> as the client use StartTLS or not ...
>
> I don't remember if there is a way to tell ADS not to accept plain
> text requests when not using LDAPS (Stefan ? Stefan (Z)? )
Linus van Geuns just replied that the LDAP protocol does not force the
use of TLS, so if the client is configured the wrong way,
there is a risk that the LDAP admin password is exposed ... Okay, you
can limit access to connections using IPSec/SSL, though ...
As of Wikipedia:
A common alternate method of securing LDAP communication is using an SSL
tunnel
<http://en.wikipedia.org/w/index.php?title=Secure_Socket_Layer_Tunnel&action=edit&redlink=1>.
This is denoted in LDAP URLs by using the URL scheme "ldaps". The
default port for LDAP over SSL
<http://en.wikipedia.org/wiki/Secure_Socket_Layer> is 636. The use of
LDAP over SSL was common in LDAP Version 2 (LDAPv2) but it was never
standardized in any formal specification. This usage has been deprecated
along with LDAPv2, which was officially retired in 2003
<http://tools.ietf.org/html/draft-zeilenga-ldapv2-04>.
Hmmm, I see, the IT world is far from being mature ...
Thank you all for shedding some light on this!
Best regards
Beat
Re: [ApacheDS] Ceritficate for StartTLS
Posted by Emmanuel Lécharny <el...@gmail.com>.
Beat Burgener | NetSuccess GmbH a écrit :
> Stefan,
>
> thank you for pointing this out.
>
> BTW: I just found out that I still have 1.5.4 ;-(
>
> BTW2: I personally do not suggest storing the certificate data within
> the LDAP directory itself, although there are fields available.
> If you have a certificate used for "ssl.xyz.com", used for web, ldap
> and so on, compromising the LDAP account or
> ApacheDS through LDAP protocol might reveal the private key - or am I
> wrong on this?
> I know that more and more directories start storing PKI data within
> the storage engine (Microsoft ADS does this too),
> but somehow I don't feel comfortable with this ...
The question here is much more about giving people a direct access to
LDAP. I'm not sure it should be considered a good idea to expose your
LDAP server to the world.
In many cases, you will use your LDAP server as a NIS, requested only by
IT services, like FTP, DNS, etc.
If you are to use LDAP to store user data, then either you protect the
critical data (certificates) by adding ACI (good luck ...), or you
install a second LDAP server (probably a better idea).
M$ had it wrong at the beginning, when they started telling their users
that AD was an LDAP server and that you should use it for your
applications, until they realized how dangerous it was, and they created
AD/AM (of course, there were other reasons like if you FU with AD, you
have little option but reinstalling your domain server ... :/). But M$ AD
is really a NIS server, not an LDAP server, with all the access control
needed to protect such private data as the users' certificates.
>
> BTW3: Is there a way to force StartTLS an LDAP connection using port
> 389 via the ApacheDS configuration?
It's an extended operation, so yes, you can send such a request to the
server prior to any operation, on port 389. That's the way everyone
should use LDAP, btw. LDAPS is considered as obsolete.
> That's why I use LDAPS, which does not support plain text connections
> AFAIK. For LDAP, I don't feel in the position to control that
> as the client use StartTLS or not ...
I don't remember if there is a way to tell ADS not to accept plain text
requests when not using LDAPS (Stefan ? Stefan (Z)? )
Re: [ApacheDS] Ceritficate for StartTLS
Posted by Beat Burgener | NetSuccess GmbH <be...@netsuccess.ch>.
Dear Linus
Thank you for clarifying this!
Great insight knowledge.
Best regards
Beat
On 06.01.2010 19:42 PM, Linus van Geuns wrote:
> Hey Beat!
>
> On Wed, Jan 6, 2010 at 5:00 PM, Beat Burgener | NetSuccess GmbH
> <be...@netsuccess.ch> wrote:
>
>> Steven,
>>
>> thank you for pointing this out.
>>
>> @Stefan/Emmanuel
>>
>> What would be the equivalent for the configuration file?
>>
>> I assume that the client would try to send the username before the password,
>> and if that fails,
>>
> In fact, no!
> Most simple LDAP clients configured with a static distinguished name
> (user name) and password, will create a tcp connection to your server
> and send a bind request containing distinguished name and password.
> The server may reject that request and the client may issue a StartTLS
> in reaction to that, but it is still valid LDAP client behavior to
> just connect & bind w/o asking for server policies first.
>
> On the other hand, if your clients for example are configured to do an
> anonymous search for the distinguished name to bind as before the bind
> request itself, it will get the server side rejection of unencrypted
> requests first.
>
> And, of course, if your client is configured to enforce a StartTLS
> encrypted connection, it will issue a StartTLS first and won't continue
> w/o setting up encryption.
>
> Regards, Linus
>
Re: [ApacheDS] Ceritficate for StartTLS
Posted by Linus van Geuns <li...@vangeuns.name>.
Hey Beat!
On Wed, Jan 6, 2010 at 5:00 PM, Beat Burgener | NetSuccess GmbH
<be...@netsuccess.ch> wrote:
> Steven,
>
> thank you for pointing this out.
>
> @Stefan/Emmanuel
>
> What would be the equivalent for the configuration file?
>
> I assume that the client would try to send the username before the password,
> and if that fails,
In fact, no!
Most simple LDAP clients configured with a static distinguished name
(user name) and password, will create a tcp connection to your server
and send a bind request containing distinguished name and password.
The server may reject that request and the client may issue a StartTLS
in reaction to that, but it is still valid LDAP client behavior to
just connect & bind w/o asking for server policies first.
On the other hand, if your clients for example are configured to do an
anonymous search for the distinguished name to bind as before the bind
request itself, it will get the server side rejection of unencrypted
requests first.
And, of course, if your client is configured to enforce a StartTLS
encrypted connection, it will issue a StartTLS first and won't continue
w/o setting up encryption.
Regards, Linus
Re: [ApacheDS] Ceritficate for StartTLS
Posted by Beat Burgener | NetSuccess GmbH <be...@netsuccess.ch>.
Steven,
thank you for pointing this out.
@Stefan/Emmanuel
What would be the equivalent for the configuration file?
I assume that the client would try to send the username before the
password, and if that fails,
it will hopefully not ignore that fact and will not send the password ...
;-)
Regards
Beat
On 06.01.2010 16:16 PM, Hammond, Steven wrote:
> I use ApacheDS embedded instead of the config file. But to force startTLS I have:
> apacheds = new LdapServer();
> apacheds.setConfidentialityRequired(true);
>
> When a client is connected unencrypted, the only command allowed is startTLS, all others are rejected.
>
> -----Original Message-----
> From: Linus van Geuns [mailto:linus@vangeuns.name]
> Sent: Wednesday, January 06, 2010 7:48 AM
> To: users@directory.apache.org
> Subject: Re: [ApacheDS] Ceritficate for StartTLS
>
> Hi!
>
> On Wed, Jan 6, 2010 at 3:26 PM, Beat Burgener | NetSuccess GmbH
> <be...@netsuccess.ch> wrote:
> [..]
>
>> BTW3: Is there a way to force StartTLS an LDAP connection using port 389 via
>> the ApacheDS configuration?
>> That's why I use LDAPS, which does not support plain text connections AFAIK.
>> For LDAP, I don't feel in the position to control that
>> as the client use StartTLS or not ...
>>
> AFAIK it is valid LDAP protocol behavior for a client to just connect
> to the server using plain text simple bind and thereby sending
> passwords in clear text to your server.
> The server could reject that request, but the client is not forced to
> look up server policies before its first request.
>
> Therefore you need to ensure that your clients are configured to use StartTLS.
>
> Regards, Linus
>
Re: [ApacheDS] Ceritficate for StartTLS
Posted by Emmanuel Lécharny <el...@gmail.com>.
Hammond, Steven a écrit :
> I use ApacheDS embedded instead of the config file. But to force startTLS I have:
> apacheds = new LdapServer();
> apacheds.setConfidentialityRequired(true);
>
> When a client is connected unencrypted, the only command allowed is startTLS, all others are rejected.
>
Thanks Steven !
And happy new year :)
RE: [ApacheDS] Ceritficate for StartTLS
Posted by "Hammond, Steven" <St...@Polycom.com>.
I use ApacheDS embedded instead of the config file. But to force startTLS I have:
apacheds = new LdapServer();
apacheds.setConfidentialityRequired(true);
When a client is connected unencrypted, the only command allowed is startTLS, all others are rejected.
-----Original Message-----
From: Linus van Geuns [mailto:linus@vangeuns.name]
Sent: Wednesday, January 06, 2010 7:48 AM
To: users@directory.apache.org
Subject: Re: [ApacheDS] Ceritficate for StartTLS
Hi!
On Wed, Jan 6, 2010 at 3:26 PM, Beat Burgener | NetSuccess GmbH
<be...@netsuccess.ch> wrote:
[..]
> BTW3: Is there a way to force StartTLS an LDAP connection using port 389 via
> the ApacheDS configuration?
> That's why I use LDAPS, which does not support plain text connections AFAIK.
> For LDAP, I don't feel in the position to control that
> as the client use StartTLS or not ...
AFAIK it is valid LDAP protocol behavior for a client to just connect
to the server using plain text simple bind and thereby sending
passwords in clear text to your server.
The server could reject that request, but the client is not forced to
look up server policies before its first request.
Therefore you need to ensure that your clients are configured to use StartTLS.
Regards, Linus
Re: [ApacheDS] Ceritficate for StartTLS
Posted by Linus van Geuns <li...@vangeuns.name>.
Hi!
On Wed, Jan 6, 2010 at 3:26 PM, Beat Burgener | NetSuccess GmbH
<be...@netsuccess.ch> wrote:
[..]
> BTW3: Is there a way to force StartTLS an LDAP connection using port 389 via
> the ApacheDS configuration?
> That's why I use LDAPS, which does not support plain text connections AFAIK.
> For LDAP, I don't feel in the position to control that
> as the client use StartTLS or not ...
AFAIK it is valid LDAP protocol behavior for a client to just connect
to the server using plain text simple bind and thereby sending
passwords in clear text to your server.
The server could reject that request, but the client is not forced to
look up server policies before its first request.
Therefore you need to ensure that your clients are configured to use StartTLS.
Regards, Linus
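Linus's point that a client may fire a simple bind before anything else, and Steven's `setConfidentialityRequired(true)` answer, can both be seen at the byte level. The following is an added example written for this thread, not ApacheDS code: with the standard library only it encodes an LDAP simple bind and a StartTLS extended request, shows that the bind PDU carries the password verbatim, models a server that accepts nothing but StartTLS on a cleartext connection (resultCode 13, confidentialityRequired), and, given a real host name (the one under `__main__` is a placeholder), fetches the certificate presented after StartTLS on 389 and the one presented on LDAPS 636 so the two can be compared by fingerprint, which is the check Matthias was after.

```python
"""What an LDAP client puts on port 389: a simple bind (password in the
clear unless TLS is already up) versus the StartTLS extended request, a
model of a server that requires confidentiality, and a live check of which
certificate a server presents for StartTLS and for LDAPS.
Added example for this thread, not ApacheDS code; standard library only."""
import hashlib
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS request name
CONFIDENTIALITY_REQUIRED = 13             # LDAP resultCode

def ber_len(n):
    """Definite-form BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value

def read_tlv(buf, pos=0):
    """(tag, value, next_pos) of the BER element starting at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:
        k = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + length], pos + length

def ldap_message(msg_id, op):
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp } (msg_id < 128)."""
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + op)

def simple_bind_request(msg_id, dn, password):
    """BindRequest [APPLICATION 0]: version 3, name, simple [0] password."""
    body = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return ldap_message(msg_id, tlv(0x60, body))

def starttls_request(msg_id):
    """ExtendedRequest [APPLICATION 23] with requestName [0] = StartTLS OID."""
    return ldap_message(msg_id, tlv(0x77, tlv(0x80, STARTTLS_OID)))

def password_visible_on_wire(pdu, password):
    """The simple-bind PDU carries the password verbatim: on a cleartext
    connection anyone on the path can read it."""
    return password.encode() in pdu

def protocol_op(pdu):
    """(tag, value) of the protocolOp inside an LDAPMessage."""
    _, msg, _ = read_tlv(pdu)
    _, _, pos = read_tlv(msg)            # skip messageID
    tag, op, _ = read_tlv(msg, pos)
    return tag, op

def result_code(pdu):
    """resultCode of the LDAPResult in a response PDU (0 = success)."""
    tag, code, _ = read_tlv(protocol_op(pdu)[1])   # first element: ENUMERATED
    if tag != 0x0A:
        raise ValueError("not an LDAPResult")
    return int.from_bytes(code, "big")

def server_policy(pdu, encrypted):
    """Model of setConfidentialityRequired(true): on a cleartext connection
    only the StartTLS extended request is accepted, all else gets code 13."""
    if encrypted:
        return 0
    tag, op = protocol_op(pdu)
    if tag == 0x77:
        name_tag, name, _ = read_tlv(op)
        if name_tag == 0x80 and name == STARTTLS_OID:
            return 0
    return CONFIDENTIALITY_REQUIRED

def peer_cert_der(host, port, starttls):
    """DER certificate the server presents: after a StartTLS exchange on a
    plain connection (starttls=True, port 389) or on an LDAPS port where TLS
    comes first (starttls=False, port 636). Validation is off on purpose:
    the goal is to see which certificate is served, not to trust it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        if starttls:
            sock.sendall(starttls_request(1))
            rc = result_code(sock.recv(4096))
            if rc != 0:
                raise RuntimeError("StartTLS refused, resultCode %d" % rc)
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.test"  # placeholder
    a = hashlib.sha256(peer_cert_der(host, 389, True)).hexdigest()
    b = hashlib.sha256(peer_cert_der(host, 636, False)).hexdigest()
    print("StartTLS cert sha256", a)
    print("LDAPS    cert sha256", b)
    print("same certificate" if a == b else "DIFFERENT: StartTLS does not serve the keystore cert")
```

Run it with the server's host name as the only argument; two different fingerprints are exactly the symptom reported in this thread (StartTLS serving the cn=ApacheDS default while LDAPS serves the keystore cert). Certificate validation is disabled only because the script's job is to report what is served; anything that actually binds should keep validation on.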
Re: [ApacheDS] Ceritficate for StartTLS
Posted by Beat Burgener | NetSuccess GmbH <be...@netsuccess.ch>.
Stefan,
thank you for pointing this out.
BTW: I just found out that I still have 1.5.4 ;-(
BTW2: I personally do not suggest storing the certificate data within
the LDAP directory itself, although there are fields available.
If you have a certificate used for "ssl.xyz.com", used for web, ldap and
so on, compromising the LDAP account or
ApacheDS through LDAP protocol might reveal the private key - or am I
wrong on this?
I know that more and more directories start storing PKI data within the
storage engine (Microsoft ADS does this too),
but somehow I don't feel comfortable with this ...
BTW3: Is there a way to force StartTLS an LDAP connection using port 389
via the ApacheDS configuration?
That's why I use LDAPS, which does not support plain text connections
AFAIK. For LDAP, I don't feel in the position to control that
as the client use StartTLS or not ...
Thank you and sorry for the confusion about the versions of ApacheDS ...
Beat
On 06.01.2010 13:28 PM, Stefan Seelmann wrote:
> Hi Matthias,
>
> Matthias Cramer wrote:
>>
>> As it looks like, the starttls extension does not honor the keystore
>> configured in the ldapServer config.
>
> Yes, you are right. I just checked the source code and the configured
> keystore in server.xml isn't used for StartTLS extended operation :-/
>
> You could find the certificate and key that is used in the Admin Entry
> (uid=admin,ou=system):
>
> dn: uid=admin,ou=system
> keyAlgorithm: RSA
> privateKey:: ...
> privateKeyFormat: PKCS#8
> publicKey:: ...
> publicKeyFormat: X.509
> userCertificate:: ...
> ...
>
> What you need to do is to extract the private key, public key and
> certificate from your keystore and replace the attributes privateKey,
> publicKey and userCertificate with those guys. You could use Portecle
> and OpenSSL to extract that information. If you need further help
> don't hesitate to ask.
>
> Not very user friendly right now...
>
> Kind Regards,
> Stefan
>
>
Re: [ApacheDS] Ceritficate for StartTLS
Posted by Stefan Seelmann <se...@apache.org>.
Hi Matthias,
Matthias Cramer wrote:
>
> As it looks like, the starttls extension does not honor the keystore
> configured in the ldapServer config.
Yes, you are right. I just checked the source code and the configured
keystore in server.xml isn't used for StartTLS extended operation :-/
You could find the certificate and key that is used in the Admin Entry
(uid=admin,ou=system):
dn: uid=admin,ou=system
keyAlgorithm: RSA
privateKey:: ...
privateKeyFormat: PKCS#8
publicKey:: ...
publicKeyFormat: X.509
userCertificate:: ...
...
What you need to do is to extract the private key, public key and
certificate from your keystore and replace the attributes privateKey,
publicKey and userCertificate with those guys. You could use Portecle
and OpenSSL to extract that information. If you need further help don't
hesitate to ask.
Not very user friendly right now...
Kind Regards,
Stefan
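Stefan's recipe above is manual. The following added example (written for this thread, not ApacheDS tooling) generates the LDIF modify record for uid=admin,ou=system from three DER files and refuses inputs in the wrong format, which is the usual stumbling block: `openssl rsa` writes PKCS#1 (RSAPrivateKey) rather than the PKCS#8 the entry declares, and a PEM file pasted in place of DER will not load. The keytool/OpenSSL commands in the comments are an assumed export route, and the DER blobs at the bottom are constructed stand-ins with the right framing and meaningless contents.

```python
"""Build the LDIF change record that swaps the key material in
uid=admin,ou=system for what was exported from your own keystore, after
checking that each input is DER in the format the entry declares (PKCS#8
private key, X.509 SubjectPublicKeyInfo, X.509 certificate).
Added example for this thread, not ApacheDS tooling; the export commands
below are an assumed route and the DER blobs at the bottom are stand-ins."""
import base64

# Assumed export route (run by hand; adjust file names and alias):
#   keytool -importkeystore -srckeystore server.ks -destkeystore server.p12 -deststoretype PKCS12
#   openssl pkcs12 -in server.p12 -nocerts -nodes -out key.pem
#   openssl pkcs8 -topk8 -nocrypt -in key.pem -outform DER -out key.der
#   openssl pkcs12 -in server.p12 -nokeys -clcerts -out cert.pem
#   openssl x509 -in cert.pem -outform DER -out cert.der
#   openssl x509 -in cert.pem -pubkey -noout | openssl rsa -pubin -outform DER -out pub.der

ADMIN_DN = "uid=admin,ou=system"
EXPECTED = (("privateKey", "pkcs8"), ("publicKey", "spki"), ("userCertificate", "x509"))

def _elem(buf, pos):
    """(tag, start of value, end) of the DER element at pos."""
    tag, n, body = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, body = int.from_bytes(buf[body:body + k], "big"), body + k
    return tag, body, body + n

def der_kind(blob):
    """Classify by the first two elements of the outer SEQUENCE:
    pkcs8 = INTEGER version, SEQUENCE algorithm   (what the entry declares)
    pkcs1 = INTEGER version, INTEGER modulus      (what `openssl rsa` writes)
    spki  = SEQUENCE algorithm, BIT STRING        (public key)
    x509  = SEQUENCE tbsCertificate, SEQUENCE signatureAlgorithm
    pem   = text that was never converted to DER."""
    if blob[:5] == b"-----":
        return "pem"
    if len(blob) < 4 or blob[0] != 0x30:
        return "unknown"
    try:
        _, start, _ = _elem(blob, 0)
        t1, _, after_first = _elem(blob, start)
        t2, _, _ = _elem(blob, after_first)
    except IndexError:
        return "unknown"
    return {(0x02, 0x30): "pkcs8", (0x02, 0x02): "pkcs1",
            (0x30, 0x03): "spki", (0x30, 0x30): "x509"}.get((t1, t2), "unknown")

def material_problems(private_der, public_der, cert_der):
    """Inputs that are not in the declared format, as readable messages."""
    problems = []
    for (attr, want), blob in zip(EXPECTED, (private_der, public_der, cert_der)):
        got = der_kind(blob)
        if got != want:
            problems.append("%s: expected %s DER, got %s" % (attr, want, got))
    return problems

def ldif_attr(name, value, width=76):
    """'name:: base64' folded as RFC 2849 describes: continuation lines
    start with one space and no line exceeds `width` characters."""
    line = "%s:: %s" % (name, base64.b64encode(value).decode("ascii"))
    out, pos = [line[:width]], width
    while pos < len(line):
        out.append(" " + line[pos:pos + width - 1])
        pos += width - 1
    return "\n".join(out)

def replace_keys_ldif(private_der, public_der, cert_der):
    """changetype: modify record replacing the three binary attributes;
    keyAlgorithm/privateKeyFormat/publicKeyFormat are left as the entry has them."""
    problems = material_problems(private_der, public_der, cert_der)
    if problems:
        raise ValueError("; ".join(problems))
    parts = ["dn: " + ADMIN_DN, "changetype: modify"]
    for (attr, _), blob in zip(EXPECTED, (private_der, public_der, cert_der)):
        parts += ["replace: " + attr, ldif_attr(attr, blob), "-"]
    return "\n".join(parts) + "\n"

def _der(tag, value):
    """Encode one DER element (for the constructed stand-ins only)."""
    n = len(value)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100
                                          else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + value

# Constructed stand-ins: correct framing, meaningless contents, not real keys.
_RSA_ALG = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + b"\x05\x00")
PKCS8_STANDIN = _der(0x30, _der(0x02, b"\x00") + _RSA_ALG + _der(0x04, b"\x00" * 40))
PKCS1_STANDIN = _der(0x30, _der(0x02, b"\x00") + _der(0x02, b"\x00\xc1") + _der(0x02, b"\x01\x00\x01"))
SPKI_STANDIN = _der(0x30, _RSA_ALG + _der(0x03, b"\x00" + b"\x01" * 20))
CERT_STANDIN = _der(0x30, _der(0x30, _der(0x02, b"\x01")) + _RSA_ALG + _der(0x03, b"\x00" * 5))
PEM_STANDIN = b"-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(replace_keys_ldif(PKCS8_STANDIN, SPKI_STANDIN, CERT_STANDIN))
    print(material_problems(PKCS1_STANDIN, PEM_STANDIN, CERT_STANDIN))
```

With real files, read `key.der`, `pub.der` and `cert.der` as bytes, pass them to `replace_keys_ldif`, and apply the printed record with any LDIF-capable client (ldapmodify, Studio's LDIF import) as the admin user; the format check only inspects the outer DER framing, so it catches the PKCS#1-versus-PKCS#8 and PEM-versus-DER mix-ups but does not validate the key itself.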
Re: [ApacheDS] Ceritficate for StartTLS
Posted by Matthias Cramer <ma...@iway.ch>.
Hi Beat
Beat Burgener | NetSuccess GmbH wrote:
> Matthias,
>
> what tool do you use to connect to Apache DS? I use Apache Directory
> Studio, and AFAIR,
> there was an error if the certificate does not match the FQDN.
When connecting with Apache Studio and StartTLS I get a cert error, and
when showing the cert I get the one with cn=ApacheDS.
When connecting with ldaps I do get the right cert.
When using openssl s_client on port 636 i also get the right cert.
> However, connecting either using LDAPS on Port 636 or via StartTLS on
> port 389, I don't get an error.
> I don't konw of a way to display the certificate details of a connection
> in the AD Studio though ...
Have not found anything either, and openssl can't do StartTLS for LDAP.
As it looks, the StartTLS extension does not honor the keystore
configured in the ldapServer config.
Regards
Matthias
--
Matthias Cramer / mc322-ripe Senior Network & Security Engineer
iway AG Phone +41 43 500 1111
Josefstrasse 225 Fax +41 44 271 3535
CH-8005 Zürich http://www.iway.ch/
GnuPG 1024D/2D208250 = DBC6 65B6 7083 1029 781E 3959 B62F DF1C 2D20 8250
Re: [ApacheDS] Ceritficate for StartTLS
Posted by Beat Burgener | NetSuccess GmbH <be...@netsuccess.ch>.
Matthias,
what tool do you use to connect to Apache DS? I use Apache Directory
Studio, and AFAIR,
there was an error if the certificate does not match the FQDN.
However, connecting either using LDAPS on Port 636 or via StartTLS on
port 389, I don't get an error.
I don't know of a way to display the certificate details of a connection
in the AD Studio though ...
Regards
Beat
On 06.01.2010 12:30 PM, Matthias Cramer wrote:
> Hi Beat
>
> I have it exactly that way. And ldaps works well. but starttls still
> uses the old cert.
>
> Regards
>
> Matthias
>
> Beat Burgener | NetSuccess GmbH wrote:
>
>> Matthias, no problem at all ...
>>
>> Please refer to this post of Stefan as I had the same issue earlier this
>> year:
>>
>>
>>>
>> -------------------------------------------------------------------------------------
>>
>>
>>
>>> Further, I would like to use our self-signed and later "trusted" SSL
>>> certificate for
>>> the SSL communication, but the web page doc and the current config are
>>> different:
>>>
>>> From the web page:
>>>
>>> <ldapService id="ldapsService"
>>> enabled="true"
>>> tcpPort="10636"
>>> enableLdaps="true"
>>> nbTcpThreads="8"
>>> keystoreFile="C:/java/apacheds-1.5.5/conf/zanzibar.ks"
>>> certificatePassword="secret">
>>> <directoryService>#directoryService</directoryService>
>>> </ldapService>
>>>
>>>
>>> From what I see in our config:
>>>
>>> <ldapServer id="ldapServer"
>>> allowAnonymousAccess="false"
>>> saslHost="ldap.netsuccess.ch"
>>> saslPrincipal="ldap/ldap@netsuccess.ch"
>>> searchBaseDn="ou=users,ou=system"
>>> maxTimeLimit="15000"
>>> maxSizeLimit="1000">
>>> <transports>
>>> <tcpTransport address="0.0.0.0" port="389" nbThreads="8"
>>> backLog="50" enableSSL="false"/>
>>> <tcpTransport address="0.0.0.0" port="636" enableSSL="true"/>
>>> </transports>
>>>
>>> <directoryService>#directoryService</directoryService>
>>>
>>> </ldapServer>
>>>
>>>
>>> This appears quite different, as some of the attributes in the sample
>>> config ended up in the<tcpTransport>
>>> definition ... where should the keystore definition go?
>>>
>> Yes, this has been changed from 1.5.4 to 1.5.5. The right place should
>> be the 'ldapServer element':
>>
>> <ldapServer id="ldapServer"
>> keystoreFile="..."
>> certificatePassword="secret"
>> allowAnonymousAccess="false"
>> saslHost="ldap.netsuccess.ch"
>> saslPrincipal="ldap/ldap@netsuccess.ch"
>> searchBaseDn="ou=users,ou=system"
>> maxTimeLimit="15000"
>> maxSizeLimit="1000">
>>
>>
>>> -------------------------------------------------------------------------------------
>>>
>>>
>>
>>
>> Best regards
>>
>> Beat
>>
>>
>> On 06.01.2010 10:44 AM, Matthias Cramer wrote:
>>
>>> Hi Beat
>>>
>>> I'm using 1.5.5
>>>
>>> Sorry for not mentioning it.
>>>
>>> Regards
>>>
>>> Matthias
>>>
>>> Beat Burgener | NetSuccess GmbH wrote:
>>>
>>>
>>>> Matthias
>>>>
>>>> Which version of Apache DS do you use?
>>>>
>>>> Beat
>>>>
>>>> On 06.01.2010 10:32 AM, Matthias Cramer wrote:
>>>>
>>>>
>>>>> Hi
>>>>>
>>>>> I'm fairly new to Apache DS but managed to get all working what I like
>>>>> till now. I've generated a new SSL cert and configured it into
>>>>> server.xml so that it works for normal SSL ldaps connections.
>>>>> But when I do starttls still the default certificate that came with the
>>>>> package gets used. How do I replace this one? I did not find anything
>>>>> on the website and Google was of no help too.
>>>>>
>>>>> Any hint is appreciated.
>>>>>
>>>>> Regards
>>>>>
>>>>> Matthias
>>>>>
>>>>>
>>>>>
>>>>>
>>>
>>>
>
>
Re: [ApacheDS] Certificate for StartTLS
Posted by Matthias Cramer <ma...@iway.ch>.
Hi Beat
I have it exactly that way. And ldaps works well, but starttls still
uses the old cert.
Regards
Matthias
Beat Burgener | NetSuccess GmbH wrote:
> Matthias, no problem at all ...
>
> Please refer to this post of Stefan as I had the same issue earlier this
> year:
>
>>
> -------------------------------------------------------------------------------------
>
>
>> Further, I would like to use our self-signed and later "trusted" SSL
>> certificate for
>> the SSL communication, but the web page doc and the current config are
>> different:
>>
>> From the web page:
>>
>> <ldapService id="ldapsService"
>> enabled="true"
>> tcpPort="10636"
>> enableLdaps="true"
>> nbTcpThreads="8"
>> keystoreFile="C:/java/apacheds-1.5.5/conf/zanzibar.ks"
>> certificatePassword="secret">
>> <directoryService>#directoryService</directoryService>
>> </ldapService>
>>
>>
>> From what I see in our config:
>>
>> <ldapServer id="ldapServer"
>> allowAnonymousAccess="false"
>> saslHost="ldap.netsuccess.ch"
>> saslPrincipal="ldap/ldap@netsuccess.ch"
>> searchBaseDn="ou=users,ou=system"
>> maxTimeLimit="15000"
>> maxSizeLimit="1000">
>> <transports>
>> <tcpTransport address="0.0.0.0" port="389" nbThreads="8"
>> backLog="50" enableSSL="false"/>
>> <tcpTransport address="0.0.0.0" port="636" enableSSL="true"/>
>> </transports>
>>
>> <directoryService>#directoryService</directoryService>
>>
>> </ldapServer>
>>
>>
>> This appears quite different, as some of the attributes in the sample
>> config ended up in the <tcpTransport>
>> definition ... where should the keystore definition go?
>
> Yes, this has been changed from 1.5.4 to 1.5.5. The right place should
> be the 'ldapServer' element:
>
> <ldapServer id="ldapServer"
> keystoreFile="..."
> certificatePassword="secret"
> allowAnonymousAccess="false"
> saslHost="ldap.netsuccess.ch"
> saslPrincipal="ldap/ldap@netsuccess.ch"
> searchBaseDn="ou=users,ou=system"
> maxTimeLimit="15000"
> maxSizeLimit="1000">
>
>> -------------------------------------------------------------------------------------
>>
>
>
>
> Best regards
>
> Beat
>
>
> On 06.01.2010 10:44 AM, Matthias Cramer wrote:
>> Hi Beat
>>
>> I'm using 1.5.5
>>
>> Sorry for not mentioning it.
>>
>> Regards
>>
>> Matthias
>>
>> Beat Burgener | NetSuccess GmbH wrote:
>>
>>> Matthias
>>>
>>> Which version of Apache DS do you use?
>>>
>>> Beat
>>>
>>> On 06.01.2010 10:32 AM, Matthias Cramer wrote:
>>>
>>>> Hi
>>>>
>>>> I'm fairly new to Apache DS but managed to get all working what I like
>>>> till now. I've generated a new SSL cert and configured it into
>>>> server.xml so that it works for normal SSL ldaps connections.
>>>> But when I do starttls still the default certificate that came with the
>>>> package gets used. How do I replace this one? I did not find anything
>>>> on the website and Google was of no help too.
>>>>
>>>> Any hint is appreciated.
>>>>
>>>> Regards
>>>>
>>>> Matthias
>>>>
>>>>
>>>>
>>
>>
--
Matthias Cramer / mc322-ripe Senior Network & Security Engineer
iway AG Phone +41 43 500 1111
Josefstrasse 225 Fax +41 44 271 3535
CH-8005 Zürich http://www.iway.ch/
GnuPG 1024D/2D208250 = DBC6 65B6 7083 1029 781E 3959 B62F DF1C 2D20 8250
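A way to check what Matthias reports, by reading the certificate ApacheDS presents on the LDAPS port and the one it presents after StartTLS on the plain port and comparing their fingerprints. This is an added example, not code from the thread or from ApacheDS; it speaks the StartTLS extended operation in raw BER over the Python standard library, so no LDAP client library is needed, and the host name is a placeholder.

```python
import hashlib
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS extended operation, RFC 4511

def build_starttls_request(msg_id=1):
    """BER-encode LDAPMessage{messageID, ExtendedRequest [APPLICATION 23]{requestName [0]}} (msg_id < 128)."""
    name = b"\x80" + bytes([len(STARTTLS_OID)]) + STARTTLS_OID
    ext_req = b"\x77" + bytes([len(name)]) + name
    body = b"\x02\x01" + bytes([msg_id]) + ext_req
    return b"\x30" + bytes([len(body)]) + body

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV at buf[pos]; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_extended_response(data):
    """Decode ExtendedResponse [APPLICATION 24]; return (msg_id, result_code, diagnostic)."""
    _, msg, _ = _read_tlv(data, 0)           # outer LDAPMessage SEQUENCE
    _, mid, pos = _read_tlv(msg, 0)          # messageID INTEGER
    tag, resp, _ = _read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("expected ExtendedResponse, got tag 0x%02x" % tag)
    _, code, pos = _read_tlv(resp, 0)        # resultCode ENUMERATED (0 = success)
    _, _, pos = _read_tlv(resp, pos)         # matchedDN (ignored)
    _, diag, _ = _read_tlv(resp, pos)        # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def served_cert_fingerprint(host, port, starttls):
    """SHA-256 of the DER certificate the server presents, via LDAPS or via StartTLS on a plain port."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE   # read the cert, do not validate it
    sock = socket.create_connection((host, port), timeout=10)
    if starttls:
        sock.sendall(build_starttls_request())
        _, code, diag = parse_extended_response(sock.recv(4096))
        if code != 0:
            raise RuntimeError("StartTLS refused: resultCode %d %s" % (code, diag))
    with ctx.wrap_socket(sock, server_hostname=host) as tls:
        return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()

if __name__ == "__main__":                   # placeholder host; the two fingerprints should match
    for port, tls in ((636, False), (389, True)):
        print(port, served_cert_fingerprint("ldap.example.invalid", port, tls))
```

If the two fingerprints differ, the StartTLS listener is still using a different keystore than the LDAPS one, which is the symptom described in the thread.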
Re: [ApacheDS] Certificate for StartTLS
Posted by Beat Burgener | NetSuccess GmbH <be...@netsuccess.ch>.
Matthias, no problem at all ...
Please refer to this post of Stefan as I had the same issue earlier this
year:
>
-------------------------------------------------------------------------------------
> Further, I would like to use our self-signed and later "trusted" SSL
> certificate for
> the SSL communication, but the web page doc and the current config are
> different:
>
> From the web page:
>
> <ldapService id="ldapsService"
> enabled="true"
> tcpPort="10636"
> enableLdaps="true"
> nbTcpThreads="8"
> keystoreFile="C:/java/apacheds-1.5.5/conf/zanzibar.ks"
> certificatePassword="secret">
> <directoryService>#directoryService</directoryService>
> </ldapService>
>
>
> From what I see in our config:
>
> <ldapServer id="ldapServer"
> allowAnonymousAccess="false"
> saslHost="ldap.netsuccess.ch"
> saslPrincipal="ldap/ldap@netsuccess.ch"
> searchBaseDn="ou=users,ou=system"
> maxTimeLimit="15000"
> maxSizeLimit="1000">
> <transports>
> <tcpTransport address="0.0.0.0" port="389" nbThreads="8"
> backLog="50" enableSSL="false"/>
> <tcpTransport address="0.0.0.0" port="636" enableSSL="true"/>
> </transports>
>
> <directoryService>#directoryService</directoryService>
>
> </ldapServer>
>
>
> This appears quite different, as some of the attributes in the sample
> config ended up in the <tcpTransport>
> definition ... where should the keystore definition go?
Yes, this has been changed from 1.5.4 to 1.5.5. The right place should
be the 'ldapServer' element:
<ldapServer id="ldapServer"
keystoreFile="..."
certificatePassword="secret"
allowAnonymousAccess="false"
saslHost="ldap.netsuccess.ch"
saslPrincipal="ldap/ldap@netsuccess.ch"
searchBaseDn="ou=users,ou=system"
maxTimeLimit="15000"
maxSizeLimit="1000">
> -------------------------------------------------------------------------------------
Best regards
Beat
On 06.01.2010 10:44 AM, Matthias Cramer wrote:
> Hi Beat
>
> I'm using 1.5.5
>
> Sorry for not mentioning it.
>
> Regards
>
> Matthias
>
> Beat Burgener | NetSuccess GmbH wrote:
>
>> Matthias
>>
>> Which version of Apache DS do you use?
>>
>> Beat
>>
>> On 06.01.2010 10:32 AM, Matthias Cramer wrote:
>>
>>> Hi
>>>
>>> I'm fairly new to Apache DS but managed to get all working what I like
>>> till now. I've generated a new SSL cert and configured it into
>>> server.xml so that it works for normal SSL ldaps connections.
>>> But when I do starttls still the default certificate that came with the
>>> package gets used. How do I replace this one? I did not find anything
>>> on the website and Google was of no help too.
>>>
>>> Any hint is appreciated.
>>>
>>> Regards
>>>
>>> Matthias
>>>
>>>
>>>
>
>
Re: [ApacheDS] Certificate for StartTLS
Posted by Matthias Cramer <ma...@iway.ch>.
Hi Beat
I'm using 1.5.5
Sorry for not mentioning it.
Regards
Matthias
Beat Burgener | NetSuccess GmbH wrote:
> Matthias
>
> Which version of Apache DS do you use?
>
> Beat
>
> On 06.01.2010 10:32 AM, Matthias Cramer wrote:
>> Hi
>>
>> I'm fairly new to Apache DS but managed to get all working what I like
>> till now. I've generated a new SSL cert and configured it into
>> server.xml so that it works for normal SSL ldaps connections.
>> But when I do starttls still the default certificate that came with the
>> package gets used. How do I replace this one? I did not find anything
>> on the website and Google was of no help too.
>>
>> Any hint is appreciated.
>>
>> Regards
>>
>> Matthias
>>
>>
--
Matthias Cramer / mc322-ripe Senior Network & Security Engineer
iway AG Phone +41 43 500 1111
Josefstrasse 225 Fax +41 44 271 3535
CH-8005 Zürich http://www.iway.ch/
GnuPG 1024D/2D208250 = DBC6 65B6 7083 1029 781E 3959 B62F DF1C 2D20 8250
Re: [ApacheDS] Certificate for StartTLS
Posted by Beat Burgener | NetSuccess GmbH <be...@netsuccess.ch>.
Matthias
Which version of Apache DS do you use?
Beat
On 06.01.2010 10:32 AM, Matthias Cramer wrote:
> Hi
>
> I'm fairly new to Apache DS but managed to get all working what I like
> till now. I've generated a new SSL cert and configured it into
> server.xml so that it works for normal SSL ldaps connections.
> But when I do starttls still the default certificate that came with the
> package gets used. How do I replace this one? I did not find anything
> on the website and Google was of no help too.
>
> Any hint is appreciated.
>
> Regards
>
> Matthias
>
>