Unable to use SSL or TLS to access OpenDirectory ldap server
I am unable to connect to my OpenDirectory server using an SSL/TLS connection.
There are no issues communicating without SSL on port 389: I can connect and retrieve directory information without issue.
However, when using port 636 and expecting secure communications, the connection fails.
The openssl connection attempt below shows the trace, which would indicate that no SSL connection is being established.
The following image, from ServerAdmin, indicates that SSL is enabled and a certificate has been provided for the server connection.
Port 636 is open on the LDAP server, and there is no firewall between the two hosts.
sauce:Java frank$ netstat -an | grep 636
tcp6 0 0 *.636 *.* LISTEN
tcp4 0 0 *.636 *.* LISTEN
A telnet connection to port 636 on the server succeeds, indicating that there are no firewall issues in play.
Can anybody provide any additional items to check to identify and correct the cause of this issue?
The following were the steps I took to resolve this issue:
Reboot the server in safe mode (hold down the Shift key while restarting)
Let it idle for a while (apparently it is cleaning out caches in this mode)
Stop the existing slapd server
sudo launchctl unload /System/Library/LaunchDaemons/org.openldap.slapd.plist
Set the correct certificate GUID in the file /etc/openldap/slapd_macosxserver.conf. This can be ascertained from the contents of the /etc/certificates directory.
sudo sed -e 's/oldguid/newguid/' /etc/openldap/slapd_macosxserver.conf >/tmp/conffile
sudo mv /tmp/conffile /etc/openldap/slapd_macosxserver.conf
Remove the configured TLS certificate values from the file /etc/openldap/slapd.d/cn=config.ldif
sudo vi /etc/openldap/slapd.d/cn=config.ldif
Remove any lines beginning with olcTLSCertificate
Start the slapd server again
sudo launchctl load /System/Library/LaunchDaemons/org.openldap.slapd.plist
Reboot the server again into standard mode.
Then, from a client computer running Linux or Mac OS X, check that you can connect via SSL and that the certificates are correct using the command:
openssl s_client -connect ldap.yourdomain:636 -showcerts
If successful, you will get a dump of your server certificates as well as a connection detail description:
No client certificate CA names sent
---
SSL handshake has read 5209 bytes and written 807 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: C8E0F4A4ED24021DB4D98ACF5A9ACDC2293BC3961BF2AE90026115D899369E73
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket:
...
Start Time: 1400140597
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Some other notes:
- Apple suggests that you can use self-signed and your own certificate chains (http://support.apple.com/kb/ht3745). I use a self-signed chain and it is successful.
- Port 636 is the standard LDAPS port and is the port used by OpenDirectory (slapd).
- TLSv1 is supported, as can be seen from the openssl connection test.
- Differing DNS names and host names do not matter (I tried both ways with a reboot between).
- Differing reverse DNS does not matter (I tried both ways with a reboot between).
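The edits in the answer above (find the certificate GUID under /etc/certificates, rewrite it in slapd_macosxserver.conf, strip the olcTLSCertificate* lines from cn=config.ldif, then confirm with openssl s_client), as an added shell example that is not part of the original post. It works on copies of the files rather than editing /etc in place, and it parses the s_client output so the check can be scripted. The file naming convention for /etc/certificates (common name, a dot, a 40-character hex hash, then .cert.pem), the GUID values, the host names and the sample file contents are all constructed for illustration.

```shell
# Added example, not from the original post. Functions mirror the answer's
# manual steps but take explicit paths so they can be run on copies first.

# Find the certificate GUID for a common name in a certificates directory.
# Assumption: files are named <cn>.<40 hex chars>.cert.pem as in OS X Server.
# Usage: find_cert_guid DIR CN
find_cert_guid() {
    cn_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    ls "$1" | sed -n "s/^$cn_re\.\([0-9A-Fa-f]*\)\.cert\.pem\$/\1/p" | head -n 1
}

# Replace every occurrence of OLD_GUID with NEW_GUID in a copy of
# slapd_macosxserver.conf (cert, key and chain lines all carry the GUID).
# Usage: set_cert_guid CONF OLD_GUID NEW_GUID OUT
set_cert_guid() {
    sed -e "s/$2/$3/g" "$1" > "$4"
}

# Drop the olcTLSCertificate* attributes from a copy of cn=config.ldif so the
# static config file is the only place TLS is configured.
# Usage: strip_olc_tls LDIF OUT
strip_olc_tls() {
    sed -e '/^olcTLSCertificate/d' "$1" > "$2"
}

# Read openssl s_client output from stdin; return 0 only when the handshake
# completed and the chain verified ("Verify return code: 0 (ok)").
ldaps_output_ok() {
    out=$(cat)
    case $out in
        *"Server public key is "*) ;;
        *) return 1 ;;
    esac
    case $out in
        *"Verify return code: 0 (ok)"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check against a server. -CAfile points at your self-signed CA; without
# it a self-signed chain verifies as 18 or 19 even though the handshake works.
# Usage: check_ldaps HOST CA_FILE
check_ldaps() {
    openssl s_client -connect "$1:636" -servername "$1" -CAfile "$2" -showcerts \
        </dev/null 2>&1 | ldaps_output_ok
}

# Self-contained run on constructed copies; returns 0 when every step behaves.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/certificates"
    : > "$tmp/certificates/ldap.example.com.1111111111111111111111111111111111111111.cert.pem"
    guid=$(find_cert_guid "$tmp/certificates" ldap.example.com)
    [ "$guid" = 1111111111111111111111111111111111111111 ] || return 1

    printf '%s\n' \
        'TLSCertificateFile /etc/certificates/ldap.example.com.OLDGUID.cert.pem' \
        'TLSCertificateKeyFile /etc/certificates/ldap.example.com.OLDGUID.key.pem' \
        > "$tmp/slapd_macosxserver.conf"
    set_cert_guid "$tmp/slapd_macosxserver.conf" OLDGUID "$guid" "$tmp/conf.new"
    grep -q OLDGUID "$tmp/conf.new" && return 1
    [ "$(grep -c "$guid" "$tmp/conf.new")" -eq 2 ] || return 1

    printf '%s\n' 'dn: cn=config' 'olcTLSCertificateFile: /old.pem' \
        'olcTLSCertificateKeyFile: /old.key' 'olcLogLevel: 0' > "$tmp/config.ldif"
    strip_olc_tls "$tmp/config.ldif" "$tmp/config.new"
    grep -q '^olcTLSCertificate' "$tmp/config.new" && return 1
    grep -q '^olcLogLevel' "$tmp/config.new" || return 1

    # Constructed s_client transcripts: a verified chain and an unverified one.
    printf 'Server public key is 4096 bit\nVerify return code: 0 (ok)\n' | ldaps_output_ok || return 1
    printf 'Server public key is 4096 bit\nVerify return code: 18 (self signed certificate)\n' \
        | ldaps_output_ok && return 1
    rm -rf "$tmp"
    return 0
}
```

Two practical notes on applying this to the real files. Writing the edited copy to /tmp and then `sudo mv` over the original, as the answer does, can leave /etc/openldap/slapd_macosxserver.conf owned by your user rather than root, so check with `ls -l` and `sudo chown root:wheel` it if needed. And `openssl s_client` with no `-CAfile` will report verify code 18 or 19 for a self-signed chain while still completing the handshake, so "Verify return code: 0 (ok)" only tells you the chain is trusted by whatever CA file or system store the client used.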