Address Book - self signed LDAPS certificate on openldap server

I'm fairly new to the Mac, but I'm not new to FreeBSD or *NIX type boxes.

I'm trying to get Address Book to contact my openldap server that runs on OpenBSD. I have it working well with thunderbird, horde + (l)imp, dovecot, and various other openldap client based pieces of software. I use a self signed certificate on the server as most do. The key with the openldap client libraries normally is changing /etc/openldap/ldap.conf to not require a valid certificate from the server with the following setting:

TLS_REQCERT never

This setting is present in my version of OS X by default. On other *NIX machines I've had to set that manually.

If there is any chrooting involved by the client, clearly another copy of /etc/openldap/ldap.conf is necessary in the chrooted area. Does anyone know if Address Book chroots itself? Or why it isn't paying attention to the /etc/openldap/ldap.conf? I get a clear message on the server that the client is rejecting the self signed certificate.

Thanks much for your time,

Geff

Mac Book Mac OS X (10.4.8)

Posted on Feb 1, 2007 3:17 PM
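The ldap.conf setting the question relies on, TLS_REQCERT never, makes the OpenLDAP client libraries skip server certificate verification entirely, which is what lets a self-signed certificate through but also lets any certificate through. The following is an added example, not part of the original post: a small audit of an ldap.conf that flags that setting and shows the alternative of pinning the server's own self-signed certificate as the trust anchor with TLS_CACERT while keeping TLS_REQCERT demand. The directive semantics and the default of demand are from ldap.conf(5); the sample configs, hostnames and certificate paths are constructed for the example.

```python
"""Audit an OpenLDAP client ldap.conf for how it treats the server certificate.

Added example (not from the post). TLS_REQCERT values and the default of
'demand' follow ldap.conf(5). Hostnames and paths below are assumptions.
"""

# Constructed sample: the setting the post relies on.
WEAK_LDAP_CONF = """\
# /etc/openldap/ldap.conf (constructed sample)
BASE   dc=example,dc=org
URI    ldaps://ldap.example.org
TLS_REQCERT never
"""

# Constructed sample: the self-signed server certificate is pinned as the
# trust anchor (path is an assumption), so the server is still authenticated.
HARDENED_LDAP_CONF = """\
BASE   dc=example,dc=org
URI    ldaps://ldap.example.org
TLS_CACERT  /etc/openldap/certs/ldap.example.org.pem
TLS_REQCERT demand
"""


def parse_ldap_conf(text):
    """Return {DIRECTIVE: value} for ldap.conf-style text.

    Directives are case-insensitive, '#' lines are comments, the value is the
    rest of the line, and a later occurrence of a directive overrides an
    earlier one.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_ldap_conf(text):
    """Return a list of findings; an empty list means the server is authenticated."""
    conf = parse_ldap_conf(text)
    findings = []
    # ldap.conf(5): the default when TLS_REQCERT is absent is 'demand'.
    reqcert = conf.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow", "try"):
        findings.append(
            "TLS_REQCERT %s: server certificate is not enforced, so an attacker "
            "presenting any certificate can intercept the bind and the password" % reqcert)
    if reqcert in ("demand", "hard") and not (conf.get("TLS_CACERT") or conf.get("TLS_CACERTDIR")):
        findings.append(
            "TLS_REQCERT demand with no TLS_CACERT/TLS_CACERTDIR: a self-signed "
            "server certificate has no trust anchor and will be rejected")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_LDAP_CONF), ("hardened", HARDENED_LDAP_CONF)):
        print(name, audit_ldap_conf(text) or "ok")
```

With the hardened form the client still refuses a forged certificate, because the only certificate it trusts for that server is the one you copied from the server yourself; the weak form would have accepted the forged one just as readily as the real one.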

3 replies

Feb 3, 2007 6:22 PM in response to ghanoian

I have had some success after adding my CA's cert into the x509 Anchors in the keychain. Make sure that it's X509 Anchors and not the login keychain. Once you have done that you need to use Directory Services to configure the LDAP connection. After that you can use the Address Book to query via Directory Services.

In my experience this has been working, but much slower than a standard ldap / ldaps connection. I am not quite sure, but it seems that Directory Services has some connection problem and only succeeds on the second attempt every time.

If you managed to find a method of doing a direct connection from the Address Book to the directory please post it in this forum.

Alex
http://www.j2anywhere.com
The home of Address Book X LDAP

Feb 8, 2007 8:46 PM in response to ghanoian

Where's the button for "Yes, I answered my own question." ???? Okay ... <rant on> I guess Apple is no different from everything else: openbsd, linux, windows, open source, closed source, etc. always answering our own questions. I feel like the software isn't even tested. A FIX or some more information would be nice. </rant off>

Okay here's the deal. I don't have a cert signed by an approved CA so I'm not sure if one would have to jump through fewer hoops to get it to work with a "proper" (non-self signed) cert. Turns out if you are using AddressBook to attempt to go to an LDAP server and you want SSL with a self signed cert, it seems that AddressBook won't properly attach to the LDAP server on port 636. Even though that's what happens to the PORT setting when you CLICK THE BUTTON (bitter, am I ranting again? 🙂 ). So what you do is click the button for "SSL" and then REVERT THE PORT back MANUALLY to 389. (more bitter) This causes addressbook to ... well ... uhm ... WORK. 🙂 What ends up happening is that it makes a non-ssl connection initially and then upgrades the connection via "STARTTLS" to an encrypted connection. There is one setting that you should have in slapd.conf (or like file) before doing this.

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

security simple_bind=64

This requires the connection to have at least the minimum amount of encryption before the bind (authenticate) process. Keep in mind if you add this setting, anything that previously attempted to bind clear text (even on localhost) will fail. However you should never be sending a password in the clear.

Geff
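The sequence Geff describes (plain connection on 389, upgrade with the StartTLS extended operation, then bind) and the effect of the slapd.conf line security simple_bind=64, modelled end to end as an added example that is not code from the post or from OpenLDAP. The client builds the real LDAPMessage encodings from RFC 4511 (ExtendedRequest with the StartTLS OID from RFC 4513, then a simple BindRequest); the server side is a small in-memory stand-in for slapd whose SSF numbers (0 on the plaintext socket, 128 once TLS is up) and result text are this example's assumptions, not measured values. The DN and password are constructed.

```python
"""StartTLS-then-bind against a stand-in for slapd with a simple_bind SSF floor.

Added example; not code from the post or from OpenLDAP. Encodings follow
RFC 4511 (LDAPMessage, BindRequest/Response, ExtendedRequest/Response) and
the StartTLS OID from RFC 4513. FakeSlapd and its SSF values are assumptions.
"""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"

# Result codes (RFC 4511 section 4.1.9)
SUCCESS = 0
CONFIDENTIALITY_REQUIRED = 13

# Universal tags, context tag [0], and the APPLICATION tags of each protocolOp
SEQ, INT, OCTETS, ENUM, CTX0 = 0x30, 0x02, 0x04, 0x0A, 0x80
BIND_REQ, BIND_RESP, EXT_REQ, EXT_RESP = 0x60, 0x61, 0x77, 0x78


def ber_len(n):
    """Definite-form BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value


def parse_tlv(buf, pos=0):
    """Return (tag, value, position after the element)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def ldap_message(msg_id, protocol_op):
    return tlv(SEQ, tlv(INT, bytes([msg_id])) + protocol_op)


def starttls_request(msg_id=1):
    """ExtendedRequest { requestName [0] = StartTLS OID }, no requestValue."""
    return ldap_message(msg_id, tlv(EXT_REQ, tlv(CTX0, STARTTLS_OID)))


def simple_bind_request(msg_id, dn, password):
    """BindRequest { version 3, name, authentication simple [0] }."""
    op = tlv(INT, b"\x03") + tlv(OCTETS, dn) + tlv(CTX0, password)
    return ldap_message(msg_id, tlv(BIND_REQ, op))


def parse_response(msg):
    """Return (msg_id, result_code, diagnostic_message) of a Bind/ExtendedResponse."""
    _, body, _ = parse_tlv(msg)
    _, mid, pos = parse_tlv(body)
    _, op, _ = parse_tlv(body, pos)
    _, code, pos = parse_tlv(op)        # resultCode ENUMERATED
    _, _, pos = parse_tlv(op, pos)      # matchedDN
    _, diag, _ = parse_tlv(op, pos)     # diagnosticMessage
    return int.from_bytes(mid, "big"), code[0], diag.decode()


class FakeSlapd:
    """Per-connection stand-in: SSF is 0 on the plaintext socket and becomes
    tls_ssf after StartTLS; a simple bind below simple_bind_ssf is refused,
    as 'security simple_bind=N' does (result code and text are assumed)."""

    def __init__(self, simple_bind_ssf=0, tls_ssf=128):
        self.simple_bind_ssf = simple_bind_ssf
        self.tls_ssf = tls_ssf   # assumed strength of the negotiated cipher
        self.ssf = 0

    def _result(self, mid, tag, code, diag=b""):
        ldap_result = tlv(ENUM, bytes([code])) + tlv(OCTETS, b"") + tlv(OCTETS, diag)
        return tlv(SEQ, tlv(INT, mid) + tlv(tag, ldap_result))

    def handle(self, msg):
        _, body, _ = parse_tlv(msg)
        _, mid, pos = parse_tlv(body)
        op_tag, op, _ = parse_tlv(body, pos)
        if op_tag == EXT_REQ and parse_tlv(op)[1] == STARTTLS_OID:
            self.ssf = self.tls_ssf   # the TLS handshake would follow on the wire
            return self._result(mid, EXT_RESP, SUCCESS)
        if op_tag == BIND_REQ:
            if self.ssf < self.simple_bind_ssf:
                return self._result(mid, BIND_RESP, CONFIDENTIALITY_REQUIRED, b"confidentiality required")
            return self._result(mid, BIND_RESP, SUCCESS)
        raise ValueError("unsupported operation %#x" % op_tag)


def client_session(server, dn, password, use_starttls):
    """Client side of the exchange; returns the result code of each step."""
    codes = []
    if use_starttls:
        codes.append(parse_response(server.handle(starttls_request(1)))[1])
    codes.append(parse_response(server.handle(simple_bind_request(2, dn, password)))[1])
    return codes


if __name__ == "__main__":
    dn, pw = b"cn=geff,dc=example,dc=org", b"secret"   # constructed
    print("no policy, plaintext bind:       ", client_session(FakeSlapd(), dn, pw, False))
    print("simple_bind=64, plaintext bind:   ", client_session(FakeSlapd(64), dn, pw, False))
    print("simple_bind=64, StartTLS then bind:", client_session(FakeSlapd(64), dn, pw, True))
```

The third run is the port-389-plus-SSL path from the post: the StartTLS ExtendedResponse comes back with success, the connection's SSF rises, and the bind is accepted; the second run is what the same client gets if it sends the bind before upgrading. Two caveats a practitioner will want: StartTLS on 389 presents the same server certificate as LDAPS on 636, so the client's trust decision (TLS_REQCERT, or the keychain on the Mac) is unchanged, and simple_bind=64 only stops the server from accepting a password over a plaintext socket, it does not make the client check the certificate. Local ldapi:// (Unix socket) connections are not affected by the setting in stock slapd because localSSF defaults to 71, which is above the 64 floor.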

Feb 8, 2007 8:55 PM in response to Alexander Hartner

I did try to add the cert to the KeyChain Access. That didn't help. I don't know why. Safari would browse there without warning. Yes obviously browsing with safari doesn't yield an ldap result but it didn't complain about the CERT. I followed the same procedure with Mail and IMAPS. Mail accepts the cert in KeyChain, but AddressBook did not work until I did the 389, SSL solution. And with such an utter lack of docs on AddressBook who knows what's happening. I'm starting to think that AB was trying to make a clear text connection with 636 and then try the StartTLS command. I haven't sniffed it to validate that. Quite honestly I might launch my mac through the nearest 40 story building if that was true.

-bitter
