retr0

Implement ldaps using SSL for an ldap server using TLS encryption

We use Google Workspace (GWS), which serves ldaps (Secure LDAP) over TLS. When creating new LDAP Clients in GWS, we get

I want to connect MongoDB Atlas to Google Directory for user authentication, and it only supports ldaps over SSL. I already have a working Stunnel (https://www.stunnel.org/) setup on an Ubuntu EC2 instance for converting the TLS tunnel to a non-secure ldap connection.

Note: The certificate and key files are placed under the /etc/ssl/private directory.

The stunnel configuration file looks like below:

## /etc/stunnel4/stunnel.conf
debug = 2
output = /tmp/stunnel.log

[ldap]
client = yes
accept = $EC2_PRIVATE_IP:1636 ## Listen on port 1636
connect = ldap.google.com:636 ## Forward requests to Google's LDAP server
cert = ldap_crt.crt
key = ldap_key.key

I tried to start an SSL Tunnel using the same configuration file. I tried generating the SSL Certificate as mentioned in this DigitalOcean guide.

## /etc/stunnel4/stunnel.conf
debug = 2
output = /tmp/stunnel.log

[ldap]
client = yes
accept = $EC2_PRIVATE_IP:1636 ## Listen on port 1636
connect = ldap.google.com:636 ## Forward requests to Google's LDAP server
cert = ldap_crt.crt
key = ldap_key.key

[ssl_service]
accept = $EC2_PRIVATE_IP:2929 ## Listen on port 2929
connect = $EC2_PRIVATE_IP:1636 ## Forward to ldap client
cert = mongodb_ssl.pem

After saving the configuration file, I restarted the stunnel service using the command

$ stunnel /etc/stunnel4/stunnel.conf

I receive the following error message:

[ ] Clients allowed=500
[.] stunnel 5.44 on x86_64-pc-linux-gnu platform
[.] Compiled with OpenSSL 1.1.0g  2 Nov 2017
[.] Running  with OpenSSL 1.1.1  11 Sep 2018
[.] Update OpenSSL shared libraries or rebuild stunnel
[.] Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
[ ] errno: (*__errno_location ())
[.] Reading configuration from file /etc/stunnel4/stunnel.conf
[.] UTF-8 byte order mark not detected
[.] FIPS mode disabled
[ ] Compression disabled
[ ] PRNG seeded successfully
[ ] Initializing service [ldap]
[ ] Ciphers: HIGH:!DH:!aNULL:!SSLv2
[ ] TLS options: 0x02120004 (+0x02000000, -0x00000000)
[ ] Loading certificate from file: ldap_crt.crt
[ ] Certificate loaded from file: ldap_crt.crt
[ ] Loading private key from file: ldap_key.key
[:] Insecure file permissions on ldap_key.key
[ ] Private key loaded from file: ldap_key.key
[ ] Private key check succeeded
[:] Service [ldap] needs authentication to prevent MITM attacks
[ ] Initializing service [ssl_service]
[ ] Ciphers: HIGH:!DH:!aNULL:!SSLv2
[ ] TLS options: 0x02124004 (+0x02004000, -0x00000000)
[ ] Loading certificate from file: mongodb_ssl.pem
[!] error queue: 140DC002: error:140DC002:SSL routines:use_certificate_chain_file:system lib
[!] error queue: 20074002: error:20074002:BIO routines:file_ctrl:system lib
[!] SSL_CTX_use_certificate_chain_file: 2001002: error:02001002:system library:fopen:No such file or directory
[!] Service [ssl_service]: Failed to initialize TLS context

After executing the command, I also checked the port numbers but only the ldap service had started:

$ netstat -tulnep
tcp        0      0 172.31.13.255:1636      0.0.0.0:*               LISTEN      0          53162235   6541/stunnel4

Question: How do I resolve this setup so that I can start an SSL tunnel and then again forward the traffic to a TLS tunnel?

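The stunnel log in the question reports three distinct conditions: a certificate path that cannot be opened (fopen: No such file or directory, which is what stops [ssl_service] from initializing), a private key with insecure file permissions, and a client-mode service that never authenticates the remote server (needs authentication to prevent MITM attacks). The script below is an added example, not code from the question or from the stunnel project: a pre-flight checker that reads an stunnel.conf and reports all three conditions before stunnel is started. It assumes that relative cert/key paths are resolved against a base directory passed as the second argument (that is this checker's convention, not stunnel's rule; writing absolute paths in the config sidesteps the question entirely). The fixture it builds uses placeholder files rather than real keys, and the option names verifyChain, verifyPeer, CAfile and checkHost are stunnel's own.

```shell
#!/bin/sh
# Added example (not from the question or stunnel): pre-flight check for stunnel.conf.
#   "fopen: No such file or directory"      -> cert/key/CAfile path that does not exist
#   "Insecure file permissions on <key>"    -> private key readable by group or other
#   "needs authentication to prevent MITM"  -> client = yes without verifyChain/verifyPeer
# Assumption: relative paths are resolved against BASE_DIR (2nd argument); this is the
# checker's convention, not stunnel's. Absolute paths in the config avoid the ambiguity.

trim()  { printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'; }
lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }
file_mode() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }   # GNU stat, then BSD stat
abs_path()  { case $1 in /*) printf '%s' "$1" ;; *) printf '%s/%s' "$base" "$1" ;; esac; }

# usage: check_stunnel_conf CONFIG_FILE BASE_DIR -> one line per finding, nothing if clean
check_stunnel_conf() {
    conf=$1; base=$2
    svc=""; cert=""; key=""; cafile=""; client=""; verified=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(trim "${line%%#*}")          # drop comments, including trailing "## ..." notes
        [ -n "$line" ] || continue
        case $line in
            \[*\]) _check_service             # a new [section] closes the previous service
                   svc=${line#\[}; svc=${svc%\]}
                   cert=""; key=""; cafile=""; client=""; verified=""; continue ;;
            *=*) ;;
            *) continue ;;
        esac
        k=$(lower "$(trim "${line%%=*}")"); v=$(trim "${line#*=}")
        case $k in
            cert)   cert=$v ;;
            key)    key=$v ;;
            cafile) cafile=$v ;;
            client) client=$(lower "$v") ;;
            verifychain|verifypeer) if [ "$(lower "$v")" = yes ]; then verified=yes; fi ;;
            verify) if [ "$v" -ge 2 ] 2>/dev/null; then verified=yes; fi ;;
        esac
    done < "$conf"
    _check_service
    return 0
}

# evaluate the service accumulated in the globals filled by check_stunnel_conf
_check_service() {
    [ -n "$svc" ] || return 0
    for f in "$cert" "$key" "$cafile"; do
        [ -n "$f" ] || continue
        [ -f "$(abs_path "$f")" ] || echo "$svc: file not found: $f (looked for $(abs_path "$f"))"
    done
    if [ -n "$key" ] && [ -f "$(abs_path "$key")" ]; then
        mode=$(file_mode "$(abs_path "$key")")
        go=$(printf '%s' "$mode" | tail -c 2)  # last two octal digits: group and other
        [ "$go" = 00 ] || echo "$svc: insecure permissions $mode on $key (expected 600)"
    fi
    if [ "$client" = yes ] && [ "$verified" != yes ]; then
        echo "$svc: client = yes without verifyChain/verifyPeer, remote server is never authenticated"
    fi
}

stunnel_conf_is_clean() { [ -z "$(check_stunnel_conf "$1" "$2")" ]; }

# Constructed fixture mirroring the question's layout with placeholder files (not real keys):
# relative paths, a 644 key, a client service with no verification, and a server service
# whose cert does not exist. fixed.conf corrects all of it with absolute paths.
make_fixture() {
    d=$(mktemp -d); mkdir "$d/certs"
    for f in ldap_crt.crt ldap_key.key ldap_key_600.key google_ca.pem certs/mongodb_ssl.pem; do
        printf 'PLACEHOLDER %s\n' "$f" > "$d/$f"
    done
    chmod 644 "$d/ldap_key.key"; chmod 600 "$d/ldap_key_600.key"
    cat > "$d/stunnel.conf" <<EOF
[ldap]
client = yes
accept = 127.0.0.1:1636 ## Listen on port 1636
connect = ldap.google.com:636
cert = ldap_crt.crt
key = ldap_key.key

[ssl_service]
accept = 127.0.0.1:2929
connect = 127.0.0.1:1636
cert = mongodb_ssl.pem
EOF
    cat > "$d/fixed.conf" <<EOF
[ldap]
client = yes
accept = 127.0.0.1:1636
connect = ldap.google.com:636
cert = $d/ldap_crt.crt
key = $d/ldap_key_600.key
verifyChain = yes
CAfile = $d/google_ca.pem
checkHost = ldap.google.com

[ssl_service]
accept = 127.0.0.1:2929
connect = 127.0.0.1:1636
cert = $d/certs/mongodb_ssl.pem
EOF
    printf '%s' "$d"
}

fixture=$(make_fixture)
echo "-- question layout --";             check_stunnel_conf "$fixture/stunnel.conf" "$fixture"
echo "-- fixed layout (silence = clean) --"; check_stunnel_conf "$fixture/fixed.conf" "$fixture"
rm -rf "$fixture"
```

Run it as `sh check_stunnel.sh`; to check a real deployment, call `check_stunnel_conf /etc/stunnel4/stunnel.conf /etc/ssl/private` (the second argument only matters for relative paths). The MITM finding is the one worth acting on even when stunnel starts cleanly: in client mode stunnel only warns, so a [ldap] section without verifyChain plus a CAfile (and checkHost for the expected name) will happily forward credentials to whatever answers on ldap.google.com:636.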