Hi
I hope this is not covered in a FAQ (I searched without success): how do I configure clients to query multiple LDAP servers while using TLS?
Listing the servers in ldap.conf's URI works, but I'd prefer to have the server list stored in DNS, as it would allow adding a server without the need to change all clients configuration.
Having a rotative DNS for ldap.example.net cause the TLS checks to fail.
And OpenLDAP client library does not perform DNS SRV lookups.
Is there some kind of trick to get this done properly?
--On Monday, July 16, 2007 3:04 PM +0200 Emmanuel Dreyfus manu@netbsd.org wrote:
Hi
I hope this is not covered in a FAQ (I searched without success): how do I configure clients to query multiple LDAP servers while using TLS?
Listing the servers in ldap.conf's URI works, but I'd prefer to have the server list stored in DNS, as it would allow adding a server without the need to change all clients configuration.
Having a rotative DNS for ldap.example.net cause the TLS checks to fail.
And OpenLDAP client library does not perform DNS SRV lookups.
OpenLDAP 2.4 will (just to note)
Is there some kind of trick to get this done properly?
Use a cert with a correct subjectAltName, or a wildcard cert.
--Quanah
-- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration
Quanah Gibson-Mount quanah@zimbra.com wrote:
Is there some kind of trick to get this done properly?
Use a cert with a correct subjectAltName, or a wildcard cert.
For future reference:
Assuming we have in the DNS the following RR: foo IN A 192.0.2.11 bar IN A 192.0.2.12 ldap 1 IN A 192.0.2.11 ldap 1 IN A 192.0.2.12
Create certificate for foo: subjectAltName=DNS:ldap.example.net,DNS:foo.example.net CN=ldap.example.net
Create certificate for bar: subjectAltName=DNS:ldap.example.net,DNS:bar.example.net CN=ldap.example.net
On foo and bar, for generating the CSR, i needed that in /etc/openssl/openssl.cnf, in order to have openssl asking for subjectAltName [ req ] (...) distinguished_name = req_distinguished_name (...) [ req_distinguished_name ] (...) subjectAltName = Alternative Subject Name subjectAltName_default = DNS:fqdn
On the CA, for signing the certificate, I needed that in /etc/openssl/openssl.cnf :
[ ca ] default_ca = CA_default [ CA_default ] (...) policy = policy_match
[ policy_match ] (...) subjectAltName = optional
Then, I have been able to use URI ldaps://ldap.example.net:636 in ldap.conf
Emmanuel Dreyfus manu@netbsd.org wrote:
Then, I have been able to use URI ldaps://ldap.example.net:636 in ldap.conf
One last problem: if a LDAP server accepts the TCP connexion but remain hung after that (because slapd has been stoped with a kill -STOP for instance), then the client will just hang without trying the next server. Using something such as TIMELIMIT 1 in ldap.conf does not help.
Any magic trick for that?
On Tue, 17 Jul 2007, Emmanuel Dreyfus wrote:
One last problem: if a LDAP server accepts the TCP connexion but remain hung after that (because slapd has been stoped with a kill -STOP for instance), then the client will just hang without trying the next server. Using something such as TIMELIMIT 1 in ldap.conf does not help.
Any magic trick for that?
Nope. TIMELIMIT just sets the default for the value passed to the server in the search request. There's no option for setting a default timeout to be used by the ldap_result() call. What's more, there's no API of any sort for putting a timeout on TLS/SSL negotiation.
A long-lived program that needs to impose a time limit on LDAP operations that may include using ldap_starttls_s() or opening an ldaps URL basically has to do so in one thread or process and do the timing out in a separate thread or process.
(Or reimplement that part of the OpenLDAP API, I suppose.)
Philip Guenther Sendmail, Inc.
Philip Guenther guenther+ldapsoft@sendmail.com wrote:
Nope. TIMELIMIT just sets the default for the value passed to the server in the search request. There's no option for setting a default timeout to be used by the ldap_result() call. What's more, there's no API of any sort for putting a timeout on TLS/SSL negotiation.
A long-lived program that needs to impose a time limit on LDAP operations that may include using ldap_starttls_s() or opening an ldaps URL basically has to do so in one thread or process and do the timing out in a separate thread or process.
(Or reimplement that part of the OpenLDAP API, I suppose.)
So how do you build a failover mechanism? Because it's something that can be done, right?
Philip Guenther wrote:
On Tue, 17 Jul 2007, Emmanuel Dreyfus wrote:
One last problem: if a LDAP server accepts the TCP connexion but remain hung after that (because slapd has been stoped with a kill -STOP for instance), then the client will just hang without trying the next server. Using something such as TIMELIMIT 1 in ldap.conf does not help.
Any magic trick for that?
Nope. TIMELIMIT just sets the default for the value passed to the server in the search request. There's no option for setting a default timeout to be used by the ldap_result() call.
This has been changed in 2.4.
What's more, there's no API of any sort for putting a timeout on TLS/SSL negotiation.
If you can suggest a clean way to do this, go right ahead.
A long-lived program that needs to impose a time limit on LDAP operations that may include using ldap_starttls_s() or opening an ldaps URL basically has to do so in one thread or process and do the timing out in a separate thread or process.
(Or reimplement that part of the OpenLDAP API, I suppose.)
Philip Guenther Sendmail, Inc.
manu@netbsd.org (Emmanuel Dreyfus) writes:
Quanah Gibson-Mount quanah@zimbra.com wrote:
Is there some kind of trick to get this done properly?
Use a cert with a correct subjectAltName, or a wildcard cert.
For future reference:
Assuming we have in the DNS the following RR: foo IN A 192.0.2.11 bar IN A 192.0.2.12 ldap 1 IN A 192.0.2.11 ldap 1 IN A 192.0.2.12
Create certificate for foo: subjectAltName=DNS:ldap.example.net,DNS:foo.example.net CN=ldap.example.net
Create certificate for bar: subjectAltName=DNS:ldap.example.net,DNS:bar.example.net CN=ldap.example.net
I know that the subjectAltName type DNS is recommended, but RFC 4513 refers to type dNSName. Is there any reason that OpenLDAP requires type DNS?
-Dieter
Dieter Kluenter dieter@dkluenter.de wrote:
I know that the subjectAltName type DNS is recommended, but RFC 4513 refers to type dNSName. Is there any reason that OpenLDAP requires type DNS?
No idea, I just copied stuff from the result of google queries.
One of them explained that I needed type dNSName and had DNS:fqdn in the example. Could these be synonym? (Note that I really don't know what I'm talking about here)
Dieter Kluenter wrote:
manu@netbsd.org (Emmanuel Dreyfus) writes:
Quanah Gibson-Mount quanah@zimbra.com wrote:
Is there some kind of trick to get this done properly?
Use a cert with a correct subjectAltName, or a wildcard cert.
For future reference:
Assuming we have in the DNS the following RR: foo IN A 192.0.2.11 bar IN A 192.0.2.12 ldap 1 IN A 192.0.2.11 ldap 1 IN A 192.0.2.12
Create certificate for foo: subjectAltName=DNS:ldap.example.net,DNS:foo.example.net CN=ldap.example.net
Create certificate for bar: subjectAltName=DNS:ldap.example.net,DNS:bar.example.net CN=ldap.example.net
I know that the subjectAltName type DNS is recommended, but RFC 4513 refers to type dNSName. Is there any reason that OpenLDAP requires type DNS?
They are one and the same. "DNS" is just the way that it is specified in the OpenSSL tools.
openldap-software@openldap.org
-
Dieter Kluenter -
Howard Chu -
manu@netbsd.org -
Philip Guenther -
Quanah Gibson-Mount