Re: load balancer with SSL
by Jeremiah Martell
man ldap.conf says:
"never
The client will not request or check any server certificate."
It seems that never means it will never check any server certificate
(even if given one). I'm assuming there are no exceptions here and
that "never" really does mean "never".
Back to the version I'm using, which is 2.2.17. If Howard Chu is
correct, this functionality should be in my version ... if the
functionality was added in April 2003 ... because 2.2.17 was released
in Sep 2004. Or was that date wrong?
I tried looking at the versions 1, 2, and 3 CHANGES files, and I
couldn't pin down when it was added.
I'm looking for either (1) my version is definitely too old and it
simply does not have this functionality, or (2) I'm doing something
wrong, and what I need to do to fix it is XYZ.
Thanks,
- Jeremiah
On 10/18/06, Dieter Kluenter <dieter(a)dkluenter.de> wrote:
> "Jeremiah Martell" <inlovewithgod(a)gmail.com> writes:
>
> > Dieter,
> >
> > Thanks for the response. However, why should I have to do this if I
> > have "TLS_REQCERT never" in my ldap.conf file? Shouldn't that mean
> > openldap doesn't request, check, verify, etc any certificates?
>
> Right, the client does not request a certificate, but if the
> server presents one, it of course is being checked, man ldap.conf(5)
> and man slapd.conf(5)
>
> -Dieter
>
> --
> Dieter Klünter | Systemberatung
> http://www.dkluenter.de
> N 53°37'10.08"
> E 10°08'02.82"
> GPG Key ID:8EF7B6C6
>
>
16 years, 11 months
only one slurp per machine ?
by Sepp
Hello,
I'm testing a configuration with several masters and replicas
on one machine (2.3.25), but there seems to be no way
to start a second slurpd?
Any ideas, or should I use syncrepl for this purpose?
Thanks in advance,
Sepp
Re: load balancer with SSL
by Jonathan Higgins
>>"or just get a cert for "loadbalancer.example.com" and use that."
This is exactly what we do for load balancing. We use the same cert on
each node.
We use ssh tunnels for slurpd replication to get past unencrypted
replication. (OL v2.2.29)
Jonathan Higgins
Assoc Director Network & Security
Kennesaw State University
jhiggins(a)kennesaw.edu
>>> Aaron Richton <richton(a)nbcs.rutgers.edu> 10/18 2:28 PM >>>
I don't see this...
[put NotTheCert in /etc/hosts]
$ ldapsearch -x -LLL -ZZ -H "ldap://NotTheCert.rutgers.edu/" '(doesnt=exist)'
No such object (32)
$ ed ldap.conf
633
1,$s/never/demand/p
TLS_REQCERT demand
w
634
q
$ ldapsearch -x -LLL -ZZ -H "ldap://NotTheCert.rutgers.edu/" '(doesnt=exist)'
ldap_start_tls: Connect error (-11)
additional info: TLS: hostname does not match CN in peer certificate
Certainly appears to instigate different behavior to me.
However, the whole point of the load balancer is to make everything look
the same. Toward that end, why would you want server1 and server2 to look
different--might as well lose the load balancer at that point. With the
load balancer, either use subjectAltNames, or just get a cert for
"loadbalancer.example.com" and use that. We do the latter; I don't *want*
the users to see that they're connected to server1 or server2 or....
ldapadd error
by Sailesh D
Hi all,
I installed openldap on windows and successfully started the server. My
slapd.conf file is :
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
ucdata-path ./ucdata
include ./schema/core.schema
pidfile ./run/slapd.pid
argsfile ./run/slapd.args
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=org"
rootdn "cn=admin,dc=org"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}XXXXXXXXXXXXXXXXXXXXXXXX
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory ./data
# Indices to maintain
index objectClass eq
#database access control definitions
access to *
by dn="cn=admin,dc=org" write
by * read
Now, I wanted to add the following entry to the file using ldapadd:
dn: cn=sailesh,dc=org
objectclass:person
sn:sailesh
Descriptiom: user
It returned the following error :
request 1 done
adding entry "cn=sailesh,dc=novell"
request 2 done
ldap_add : No such object (32)
What is the mistake in that? Please help me in this regard.
Thanks in advance,
D.Sailesh Kumar.
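The error above is what slapd returns when the parent of the DN being added does not yet exist in the database. The script below is an added example (not from the post or from OpenLDAP) that walks an LDIF file in ldapadd order and reports every entry whose parent is neither already in the directory nor earlier in the same file; the two LDIF strings and the "already present" set are constructed sample data, and the DN handling is deliberately simple (no escaped commas, no base64 `::` values).

```python
"""Pre-flight check for ldapadd input: does each entry's parent exist?

Added example, not part of the post or of OpenLDAP. slapd answers
"No such object (32)" when the parent of the DN being added is absent,
so this walks a minimal LDIF in order and reports entries whose parent
is neither already in the directory nor earlier in the same file.
"""


def parse_ldif(text):
    """Return a list of (dn, {attr: [values]}) in file order.

    Handles the subset used here: blank-line separated records,
    'attr: value' lines, '#' comments and RFC 2849 folded continuation
    lines (leading space). Attribute names are lower-cased because LDAP
    treats them case-insensitively; values keep their case.
    """
    entries, record = [], []

    def flush():
        if not record:
            return
        dn, attrs = None, {}
        for line in record:
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is None:
            raise ValueError("record without dn: %r" % record)
        entries.append((dn, attrs))
        record.clear()

    for raw in text.splitlines():
        if raw.strip() == "":
            flush()
        elif raw.startswith("#"):
            continue
        elif raw.startswith(" ") and record:  # folded continuation line
            record[-1] += raw[1:]
        else:
            record.append(raw)
    flush()
    return entries


def normalize_dn(dn):
    """Cheap DN normalisation (lower-case, trim around commas).
    Enough for these samples; a real tool would apply RFC 4514 rules."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parent_dn(dn):
    """'cn=sailesh,dc=org' -> 'dc=org'; a lone RDN has the empty parent ''."""
    parts = dn.split(",", 1)
    return parts[1] if len(parts) == 2 else ""


def missing_parents(ldif_text, existing, suffix):
    """Return [(dn, parent)] for entries whose parent will not exist when
    ldapadd reaches them. `existing` holds DNs already in the directory;
    the suffix entry itself needs no parent (it is the root of the context)."""
    known = {normalize_dn(d) for d in existing}
    problems = []
    for dn, _attrs in parse_ldif(ldif_text):
        ndn = normalize_dn(dn)
        parent = parent_dn(ndn)
        if ndn != normalize_dn(suffix) and parent not in known:
            problems.append((dn, parent))
        known.add(ndn)  # later entries may hang under this one
    return problems


# Constructed sample: a leaf added before its parent exists (fails with 32).
LDIF_LEAF_ONLY = """\
dn: cn=sailesh,dc=org
objectclass: person
sn: sailesh
cn: sailesh
"""

# Constructed sample: the suffix entry first, then the leaf (succeeds).
LDIF_WITH_SUFFIX = """\
dn: dc=org
objectclass: dcObject
objectclass: organization
dc: org
o: Example organization

dn: cn=sailesh,dc=org
objectclass: person
sn: sailesh
cn: sailesh
"""

if __name__ == "__main__":
    for label, ldif in (("leaf only", LDIF_LEAF_ONLY), ("with suffix", LDIF_WITH_SUFFIX)):
        print(label, missing_parents(ldif, existing=set(), suffix="dc=org") or "OK")
```

Run against an empty database the first LDIF reports `('cn=sailesh,dc=org', 'dc=org')`, which is exactly the condition behind result code 32; the second LDIF is clean because the suffix entry precedes the leaf.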
Re: load balancer with SSL
by Jeremiah Martell
> >
> > Jeremiah,
> >
> > I did the test with TLS_REQCERT set to 'allow' and got the same result
> > as you. I am not sure what they mean by 'bad certificate' in the manual
> > page of 'ldap.conf'.
> >
>
> Generally a bad certificate means a certificate whose signature cannot
> be verified by the SSL library, or a missing certificate. If a
> certificate is provided and the SSL library can verify it, then it will
> be used. If the hostname doesn't match, the connection will fail. I.e.,
> hostname matches are never ignored once the certificate is verified. For
> a load balancing situation you must use subjectAltName's with the
> relevant names, that's all there is to it.
>
> --
> -- Howard Chu
> Chief Architect, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc
> OpenLDAP Core Team http://www.openldap.org/project/
>
>
Howard Chu,
Sorry to resurrect this thread after so many months. I have a
question as to why, if I put "TLS_REQCERT never" in my ldap.conf,
openldap does anything with any certificates. It seems to me from
the man page for ldap.conf that never causes "The client will not request
or check any server certificate."
In my instance (I still haven't solved this problem), I put in
"TLS_REQCERT never" in my ldap.conf, but still get this error from
openldap:
TLS: hostname (loadbalancer.example.com) does not match common name in
certificate (server1.example.com).
Your thoughts?
Thanks,
- Jeremiah
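Howard's point above is that once a certificate is verified, the hostname the client connected to must appear among the names the certificate asserts, and a load-balanced service therefore needs either subjectAltName entries for every name or one certificate issued for the balancer's name. The code below is an added example, not part of the thread or of OpenLDAP's TLS code: a standalone re-implementation of that name check in the RFC 6125 style (case-insensitive, single leftmost-label wildcard, SANs take precedence over the CN when present). The certificate records are constructed dicts rather than parsed X.509, and the TLS_REQCERT setting is not modelled; the example only shows which name layouts pass for a client that connected to loadbalancer.example.com.

```python
"""Hostname verification against a server certificate's names.

Added example (not from the thread or from OpenLDAP): shows why a
per-node certificate (CN=server1.example.com) is rejected by a client
that connected to loadbalancer.example.com, and why a single certificate
carrying subjectAltName entries for every name, or one issued for the
balancer's name, passes. Certificates below are constructed dicts.
"""


def _name_matches(pattern, hostname):
    """Match one presented identifier (possibly wildcard) against a hostname.

    Only a single '*' as the whole leftmost label is honoured (RFC 6125
    section 6.4.3); it never spans a dot, so '*.example.com' matches
    'a.example.com' but neither 'a.b.example.com' nor 'example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    head, sep, tail = pattern.partition(".")
    if not sep or head != "*" or "*" in tail:
        return False  # wildcard elsewhere than the leftmost label: reject
    _host_head, host_sep, host_tail = hostname.partition(".")
    return bool(host_sep) and host_tail == tail


def hostname_matches(hostname, cert):
    """Return True if hostname is one of the names the certificate asserts.

    cert is a constructed dict {"cn": str, "san": [dNSName, ...]}.
    When dNSName SANs are present they are authoritative and the CN is
    ignored; the CN is consulted only for certificates without SANs.
    """
    sans = cert.get("san", [])
    if sans:
        return any(_name_matches(name, hostname) for name in sans)
    cn = cert.get("cn")
    return cn is not None and _name_matches(cn, hostname)


def check_connection(hostname, cert):
    """Mimic the client's decision: None when OK, else the error text."""
    if hostname_matches(hostname, cert):
        return None
    return ("TLS: hostname (%s) does not match common name in certificate (%s)."
            % (hostname, cert.get("cn")))


# Constructed certificates for the layouts the thread contrasts.
PER_NODE_CERT = {"cn": "server1.example.com", "san": []}
SAN_CERT = {"cn": "server1.example.com",
            "san": ["server1.example.com", "server2.example.com",
                    "loadbalancer.example.com"]}
LB_CERT = {"cn": "loadbalancer.example.com", "san": []}

if __name__ == "__main__":
    for label, cert in (("per-node", PER_NODE_CERT), ("SAN", SAN_CERT), ("lb-only", LB_CERT)):
        print(label, check_connection("loadbalancer.example.com", cert) or "OK")
```

The per-node certificate reproduces the message Jeremiah quotes; the SAN certificate and the balancer-name certificate are the two working layouts Aaron and Howard describe.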
LDAP search filter validation
by Greg B
hi,
Does OpenLDAP provide any routines for validating whether a given
string represents a valid LDAP search filter? This is for me to detect
invalid configuration settings in my LDAP client, and report the
problem to the end-user as early as possible. For example, I want to
catch settings like LDAPFilter="(cn=foo)", since they don't conform to
the RFC 2254. Also, a side question, is the use of brackets around the
main filter definition compulsory? All of the LDAP tools I have at my
disposal seem to allow just cn=foo type filters...
thanks in advance,
regards,
Greg
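One way to do the early validation Greg asks about is a small syntax checker for the RFC 4515 (formerly RFC 2254) string filter grammar. The parser below is an added example, not part of the post or of OpenLDAP's own library: it enforces the outer parentheses, the operators, the `\XX` escape rule and the placement of `*`, so a configuration value such as `"(cn=foo)"` (with the quote characters included) or a bare `cn=foo` is rejected before it reaches the server. It checks syntax only and has no schema, so it cannot tell whether an attribute exists; the extensible-match forms are accepted loosely, and `(&)` / `(|)` are allowed as RFC 4526 absolute true/false.

```python
"""RFC 4515 search-filter syntax validator.

Added example, not part of the post or of OpenLDAP: a recursive-descent
parser for the string form of LDAP search filters, for rejecting
malformed configuration values early. Syntax only; no schema knowledge.
"""
import re

# attribute description (name with optional ;options) or a numeric OID
_ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*(?:;[A-Za-z0-9-]+)*|[0-9]+(?:\.[0-9]+)*")
_ESC_RE = re.compile(r"\\[0-9A-Fa-f]{2}")  # the only legal use of backslash


class FilterError(ValueError):
    """Raised with offset and reason when the text is not a valid filter."""


class _Parser:
    def __init__(self, text):
        self.s, self.pos = text, 0

    def peek(self):
        return self.s[self.pos] if self.pos < len(self.s) else ""

    def fail(self, why):
        raise FilterError("offset %d: %s" % (self.pos, why))

    def parse_filter(self):
        """filter = '(' filtercomp ')'"""
        if self.peek() != "(":
            self.fail("expected '('")
        self.pos += 1
        c = self.peek()
        if c in ("&", "|"):
            self.pos += 1
            subs = []
            while self.peek() == "(":
                subs.append(self.parse_filter())
            # RFC 4515 wants >= 1 sub-filter; RFC 4526 adds (&)/(|) as
            # absolute true/false, so an empty list is accepted here.
            node = (c, subs)
        elif c == "!":
            self.pos += 1
            node = ("!", [self.parse_filter()])
        else:
            node = self.parse_item()
        if self.peek() != ")":
            self.fail("expected ')'")
        self.pos += 1
        return node

    def parse_item(self):
        """item = attr op value; op is one of = ~= >= <= :=  and the
        optional ':dn' / ':matchingrule' parts of an extensible match."""
        m = _ATTR_RE.match(self.s, self.pos)
        if not m:
            self.fail("expected attribute description")
        attr, self.pos = m.group(0), m.end()
        while self.peek() == ":" and not self.s.startswith(":=", self.pos):
            self.pos += 1
            m = _ATTR_RE.match(self.s, self.pos)
            if not m:
                self.fail("expected 'dn' or matching rule after ':'")
            self.pos = m.end()
        for op in (":=", "~=", ">=", "<=", "="):
            if self.s.startswith(op, self.pos):
                self.pos += len(op)
                break
        else:
            self.fail("expected comparison operator")
        value = self.parse_value(allow_star=(op == "="))
        if op == "=" and value == "*":
            return ("present", attr)
        if op == "=" and "*" in value:
            return ("substring", attr, value)
        return (op, attr, value)

    def parse_value(self, allow_star):
        """Consume an assertion value up to ')'. Raw '(' and NUL are illegal,
        backslash must start a \\XX escape, '*' is only meaningful after '='."""
        start = self.pos
        while self.pos < len(self.s) and self.s[self.pos] != ")":
            c = self.s[self.pos]
            if c in ("(", "\x00"):
                self.fail("unescaped %r in value" % c)
            if c == "*" and not allow_star:
                self.fail("'*' is only allowed with '='")
            if c == "\\":
                if not _ESC_RE.match(self.s, self.pos):
                    self.fail("backslash must be followed by two hex digits")
                self.pos += 3
            else:
                self.pos += 1
        return self.s[start:self.pos]


def validate_filter(text):
    """Return the parsed tree for a valid filter, or raise FilterError."""
    p = _Parser(text)
    node = p.parse_filter()
    if p.pos != len(text):
        p.fail("unexpected trailing text")
    return node


def is_valid_filter(text):
    """Boolean wrapper for configuration checks."""
    try:
        validate_filter(text)
    except FilterError:
        return False
    return True
```

Note that this follows the grammar strictly: a filter without the outer parentheses is rejected even though some command-line tools accept that shorthand, which is the behaviour a configuration check should have.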
Bind with crypt password
by Jose Manuel Lopez
Hello,
I have compiled openldap 2.3.27 with enable-crypt, but I can't bind as a
user with a crypt password; if the password is MD5, it works.
Doesn't openldap-2.3.27 support crypt passwords?
Thanks.
how optimize importation ?
by Pierre FERT
Hello,
I am trying to import more than 3,000,000 entries into openldap in the
shortest possible time.
So I have some questions to ask you.
The import is done with ldapadd and not slapadd, because I do not have
the timestamps, UIDs etc. in the data.
How can I do this differently? I noted that indexing after an LDIF import
is faster, but I have the impression that objectClass is indexed during
the import anyway, even if `index objectClass eq' is not specified in
slapd.conf.
Which means that objectClass is indexed again by slapindex, which is a
waste of time; how can I do this differently?
To optimize the import I have:
Slapd.conf :
Backend bdb
Loglevel = 0
only the 3 schemas necessary for the import (core/cosine/private)
schemacheck off
dbnosync
dbnolocking
# replogfile
disabled the monitor and index DBs
DB_CONFIG :
set_flags DB_TXN_NOSYNC (but it seems to me that dbnosync in slapd.conf is
equivalent)
set_cachesize 0 268435456 1 (for 1 GB of memory; 512 was slower)
and I did not change the log directory because I gained nothing there,
which I found odd.
Since I run db_archive -D to remove all the logs, isn't there a way to
avoid creating them?
Something like doing the import with a backend that is faster, then doing a
slapcat, bringing up a bdb backend and importing the LDIF directly into the
DIB without going through the DSA?
Thank you for your advice,
and sorry for the translator.
problem with syncrepl
by Thomas Cataldo
Hi,
I'm having trouble setting up syncrepl between 2 openldap 2.3.27 servers.
When I run the consumer with "full debug" I see that the data I want
to replicate is transferred correctly, but the consumer "fails to store
it". The sync ends with:
do_syncrep2: got search entry without control
Sync phase in the consumer logs :
=>do_syncrepl
=>do_syncrep2
ldap_result ld 0x819f6d0 msgid -1
ldap_chkResponseList ld 0x819f6d0 msgid -1 all 0
ldap_chkResponseList returns ld 0x819f6d0 NULL
wait4msg ld 0x819f6d0 msgid -1 (timeout 0 usec)
wait4msg continue ld 0x819f6d0 msgid -1 all 0
** ld 0x819f6d0 Connections:
* host: 172.24.239.122 port: 389 (default)
refcnt: 2 status: Connected
last used: Wed Oct 18 11:33:40 2006
** ld 0x819f6d0 Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
** ld 0x819f6d0 Response Queue:
Empty
ldap_chkResponseList ld 0x819f6d0 msgid -1 all 0
ldap_chkResponseList returns ld 0x819f6d0 NULL
ldap_int_select
read1msg: ld 0x819f6d0 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 692 contents:
read1msg: ld 0x819f6d0 msgid 2 message type search-entry
ber_scanf fmt ({xx) ber:
do_syncrep2: got search entry without control
My slapd.conf on consumer looks like :
backend bdb
checkpoint 512 30
database bdb
suffix "dc=actia,dc=com"
directory "/var/lib/ldap"
index objectClass,entryCSN,entryUUID eq
lastmod on
replogfile /var/lib/ldap/replog
# seems mandatory for syncrepl
rootdn cn=admin,dc=actia,dc=com
access to attrs=userPassword
by anonymous auth
by self write
by * none
access to dn.base="" by * read
access to * by * read
syncrepl rid=112
provider=ldap://172.24.239.122:389
type=refreshAndPersist
interval=00:00:00:20
retry="5 +"
searchbase="ou=Filiale2,dc=actia,dc=com"
scope=one
filter="(objectClass=posixAccount)"
binddn="cn=syncuser,dc=actia,dc=com"
bindmethod=simple
credentials=synchro
schemachecking=off
On the provider it looks like :
database bdb
suffix "dc=actia,dc=com"
directory "/var/lib/ldap"
index objectClass,entryCSN,entryUUID eq
lastmod on
access to attrs=userPassword
by dn="cn=admin,dc=actia,dc=com" write
by dn="cn=syncuser,dc=actia,dc=com" read
by anonymous auth
by self write
by * none
access to dn.base="" by * read
access to *
by dn="cn=admin,dc=actia,dc=com" write
by * read
syncprov-checkpoint 100 10
syncprov-sessionlog 100
I would take any hint on why my data is transferred but not stored.
Thanks in advance,
Thomas.
Trouble with SSL certs
by Josh M. Hurd
I have created a set of self signed certs for my master and a slave.
Clients can connect to either with the cert installed on the client,
but I am having trouble getting them to talk to each other over TLS.
I want the master to replicate to the slave over TLS but can't get it
to work. Strangely I have it working the other way; the slave can
bind to the master over TLS but the master cannot bind to the slave.
I have TLS_CACERTDIR set correctly with the certs installed in that
location (with symlinks being created) but I am still getting the
self signed cert error when trying to bind.
Debug output:
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 18, subject: ........
TLS certificate verification: Error, self signed certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed