6:04 a.m.
Hi
I hope this is not covered in a FAQ (I searched without success): how do
I configure clients to query multiple LDAP servers while using TLS?
Listing the servers in ldap.conf's URI works, but I'd prefer to have the
server list stored in DNS, as it would allow adding a server without the
need to change all clients configuration.
Having a rotative DNS for ldap.example.net cause the TLS checks to fail.
And OpenLDAP client library does not perform DNS SRV lookups.
Is there some kind of trick to get this done properly?
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu(a)netbsd.org
8:14 a.m.
--On Monday, July 16, 2007 3:04 PM +0200 Emmanuel Dreyfus <manu(a)netbsd.org>
wrote:
Hi
I hope this is not covered in a FAQ (I searched without success): how do
I configure clients to query multiple LDAP servers while using TLS?
Listing the servers in ldap.conf's URI works, but I'd prefer to have the
server list stored in DNS, as it would allow adding a server without the
need to change all clients configuration.
Having a rotative DNS for ldap.example.net cause the TLS checks to fail.
And OpenLDAP client library does not perform DNS SRV lookups.
OpenLDAP 2.4 will (just to note)
Is there some kind of trick to get this done properly?
Use a cert with a correct subjectAltName, or a wildcard cert.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
2:50 p.m.
New subject: [SOLVED] Re: multiple servers in DNS and TLS
Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> Is there some kind of trick to get this done properly?
Use a cert with a correct subjectAltName, or a wildcard cert.
For future reference:
Assuming we have in the DNS the following RR:
foo IN A 192.0.2.11
bar IN A 192.0.2.12
ldap 1 IN A 192.0.2.11
ldap 1 IN A 192.0.2.12
Create certificate for foo:
subjectAltName=DNS:ldap.example.net,DNS:foo.example.net
CN=ldap.example.net
Create certificate for bar:
subjectAltName=DNS:ldap.example.net,DNS:bar.example.net
CN=ldap.example.net
On foo and bar, for generating the CSR, i needed that in
/etc/openssl/openssl.cnf, in order to have openssl asking for
subjectAltName
[ req ]
(...)
distinguished_name = req_distinguished_name
(...)
[ req_distinguished_name ]
(...)
subjectAltName = Alternative Subject Name
subjectAltName_default = DNS:fqdn
On the CA, for signing the certificate, I needed that in
/etc/openssl/openssl.cnf :
[ ca ]
default_ca = CA_default
[ CA_default ]
(...)
policy = policy_match
[ policy_match ]
(...)
subjectAltName = optional
Then, I have been able to use URI ldaps://ldap.example.net:636 in
ldap.conf
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu(a)netbsd.org
2:58 p.m.
New subject: [SOLVED] Re: multiple servers in DNS and TLS
Emmanuel Dreyfus <manu(a)netbsd.org> wrote:
Then, I have been able to use URI ldaps://ldap.example.net:636 in
ldap.conf
One last problem: if a LDAP server accepts the TCP connexion but remain
hung after that (because slapd has been stoped with a kill -STOP for
instance), then the client will just hang without trying the next
server. Using something such as TIMELIMIT 1 in ldap.conf does not help.
Any magic trick for that?
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu(a)netbsd.org
11:07 p.m.
New subject: client timeouts [was: Re: multiple servers in DNS and TLS]
On Tue, 17 Jul 2007, Emmanuel Dreyfus wrote:
One last problem: if a LDAP server accepts the TCP connexion but
remain
hung after that (because slapd has been stoped with a kill -STOP for
instance), then the client will just hang without trying the next
server. Using something such as TIMELIMIT 1 in ldap.conf does not help.
Any magic trick for that?
Nope. TIMELIMIT just sets the default for the value passed to the server
in the search request. There's no option for setting a default timeout to
be used by the ldap_result() call. What's more, there's no API of any
sort for putting a timeout on TLS/SSL negotiation.
A long-lived program that needs to impose a time limit on LDAP operations
that may include using ldap_starttls_s() or opening an ldaps URL basically
has to do so in one thread or process and do the timing out in a separate
thread or process.
(Or reimplement that part of the OpenLDAP API, I suppose.)
Philip Guenther
Sendmail, Inc.
5:31 a.m.
New subject: client timeouts [was: Re: multiple servers in DNS and TLS]
Philip Guenther <guenther+ldapsoft(a)sendmail.com> wrote:
Nope. TIMELIMIT just sets the default for the value passed to the
server
in the search request. There's no option for setting a default timeout to
be used by the ldap_result() call. What's more, there's no API of any
sort for putting a timeout on TLS/SSL negotiation.
A long-lived program that needs to impose a time limit on LDAP operations
that may include using ldap_starttls_s() or opening an ldaps URL basically
has to do so in one thread or process and do the timing out in a separate
thread or process.
(Or reimplement that part of the OpenLDAP API, I suppose.)
So how do you build a failover mechanism? Because it's something that
can be done, right?
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu(a)netbsd.org
8:35 a.m.
New subject: client timeouts [was: Re: multiple servers in DNS and TLS]
Philip Guenther wrote:
On Tue, 17 Jul 2007, Emmanuel Dreyfus wrote:
> One last problem: if a LDAP server accepts the TCP connexion but remain
> hung after that (because slapd has been stoped with a kill -STOP for
> instance), then the client will just hang without trying the next
> server. Using something such as TIMELIMIT 1 in ldap.conf does not help.
>
> Any magic trick for that?
Nope. TIMELIMIT just sets the default for the value passed to the server
in the search request. There's no option for setting a default timeout to
be used by the ldap_result() call.
This has been changed in 2.4.
What's more, there's no API of any
sort for putting a timeout on TLS/SSL negotiation.
If you can suggest a clean way to do this, go right ahead.
A long-lived program that needs to impose a time limit on LDAP
operations
that may include using ldap_starttls_s() or opening an ldaps URL basically
has to do so in one thread or process and do the timing out in a separate
thread or process.
(Or reimplement that part of the OpenLDAP API, I suppose.)
Philip Guenther
Sendmail, Inc.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
8:15 p.m.
New subject: [SOLVED] Re: multiple servers in DNS and TLS
manu(a)netbsd.org (Emmanuel Dreyfus) writes:
Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> > Is there some kind of trick to get this done properly?
> Use a cert with a correct subjectAltName, or a wildcard cert.
For future reference:
Assuming we have in the DNS the following RR:
foo IN A 192.0.2.11
bar IN A 192.0.2.12
ldap 1 IN A 192.0.2.11
ldap 1 IN A 192.0.2.12
Create certificate for foo:
subjectAltName=DNS:ldap.example.net,DNS:foo.example.net
CN=ldap.example.net
Create certificate for bar:
subjectAltName=DNS:ldap.example.net,DNS:bar.example.net
CN=ldap.example.net
I know that the subjectAltName type DNS is recommended, but RFC 4513
refers to type dNSName. Is there any reason that OpenLDAP requires
type DNS?
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
9:45 p.m.
New subject: [SOLVED] Re: multiple servers in DNS and TLS
Dieter Kluenter <dieter(a)dkluenter.de> wrote:
I know that the subjectAltName type DNS is recommended, but RFC 4513
refers to type dNSName. Is there any reason that OpenLDAP requires
type DNS?
No idea, I just copied stuff from the result of google queries.
One of them explained that I needed type dNSName and had DNS:fqdn in the
example. Could these be synonym? (Note that I really don't know what I'm
talking about here)
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu(a)netbsd.org
3 a.m.
New subject: [SOLVED] Re: multiple servers in DNS and TLS
Dieter Kluenter wrote:
manu(a)netbsd.org (Emmanuel Dreyfus) writes:
> Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
>
>>> Is there some kind of trick to get this done properly?
>> Use a cert with a correct subjectAltName, or a wildcard cert.
> For future reference:
>
> Assuming we have in the DNS the following RR:
> foo IN A 192.0.2.11
> bar IN A 192.0.2.12
> ldap 1 IN A 192.0.2.11
> ldap 1 IN A 192.0.2.12
>
> Create certificate for foo:
> subjectAltName=DNS:ldap.example.net,DNS:foo.example.net
> CN=ldap.example.net
>
> Create certificate for bar:
> subjectAltName=DNS:ldap.example.net,DNS:bar.example.net
> CN=ldap.example.net
I know that the subjectAltName type DNS is recommended, but RFC 4513
refers to type dNSName. Is there any reason that OpenLDAP requires
type DNS?
They are one and the same. "DNS" is just the way that it is specified in the
OpenSSL tools.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
5421
days inactive
5423
days old
openldap-software@openldap.org
9 comments
5 participants
participants (5)
-
Dieter Kluenter -
Howard Chu -
manu@netbsd.org -
Philip Guenther -
Quanah Gibson-Mount