At 05:32 PM 1/21/2007, Jean-Yves Avenard wrote:
Is there a way to have OpenLDAP listening on port 389 (standard ldap) but only accept tls encrypted session?
You can require TLS (SSL) via the slapd.conf(5) security directive. The client can then either use ldap:// (to whatever port(s) you have configured slapd(8) to listen on) and initiate TLS via the Start TLS operation or use ldaps:// (to whatever port(s) you have configured slapd(8) on) and initiate TLS upon connecting. If you want to restrict clients to using just the former or the latter, eliminate one or the other listener.
I've searched for quite a while and it seems that the only option is to disable listening on port 389 altogether and only listen on port 636.
While ldap:// uses 389 by default and ldaps:// uses 636 by default, one can actually use ldap:// or ldaps:// on any port.
But this isn't good for my purpose, as some broken clients only work over TLS on port 389
ldap:// on port 389 and use of Start TLS operation to initiate TLS (SSL) is the standard way of securing LDAP with TLS.
Kurt
Hello
On 1/22/07, Kurt D. Zeilenga Kurt@openldap.org wrote:
connecting. If you want to restrict clients to using just the former or the latter, eliminate one or the other listener.
I guess I didn't explain properly in the first place: if I open port 389, even though I accept TLS, I cannot force clients to use an encrypted connection.
That is what I want to achieve. The aim is to prevent any non-encrypted connection to OpenLDAP. And I can't just use port 636 (ldaps), as I have a few clients that only work with a StartTLS operation.
Is this possible?
ldap:// on port 389 and use of Start TLS operation to initiate TLS (SSL) is the standard way of securing LDAP with TLS.
Yes, you are 100% correct; I just want to enforce it. Jean-Yves
Hi
On 1/22/07, Kurt D. Zeilenga Kurt@openldap.org wrote:
You can require TLS (SSL) via the slapd.conf(5) security directive.
I haven't found in the manual any directives that make TLS/SSL compulsory :(
JY
On Mon, Jan 22, 2007 at 04:14:51PM +1100, Jean-Yves Avenard wrote:
Hi
On 1/22/07, Kurt D. Zeilenga Kurt@openldap.org wrote:
You can require TLS (SSL) via the slapd.conf(5) security directive.
I haven't found in the manual any directives that make TLS/SSL compulsory :(
Can't you use TLSVerifyClient demand?
JY
Hi,
Can I use two levels of groups for flexible rights sharing to users?
Example :
dn: cn=test1, ou=grupas, ou=roles, ou=tm
objectClass: groupOfNames
description: 1 testa grupa
member: cn=test2,ou=grupas,ou=roles,ou=tm
cn: test1

dn: cn=test2, ou=grupas, ou=roles, ou=tm
objectClass: groupOfNames
description: 2 testa grupa
cn: test2
member: uid=eiduks,ou=users,ou=tm

dn: uid=eiduks, ou=users, ou=tm
userPassword:: ....
uid: eiduks
objectClass: inetOrgPerson
sn: Eiduks
cn: Andris Eiduks
access to dn.exact="ou=mnuLinks,ou=mnuAMM,ou=ui,ou=cl,ou=components,ou=tm" by group="cn=test1,ou=grupas,ou=roles,ou=tm" read by * none
Or is it impossible?
Thanks in advance,
Andris Eiduks
Andris.Eiduks@tietoenator.com wrote:
Hi,
Can I use two levels of groups for flexible rights sharing to users?
Example :
dn: cn=test1, ou=grupas, ou=roles, ou=tm
objectClass: groupOfNames
description: 1 testa grupa
member: cn=test2,ou=grupas,ou=roles,ou=tm
cn: test1

dn: cn=test2, ou=grupas, ou=roles, ou=tm
objectClass: groupOfNames
description: 2 testa grupa
cn: test2
member: uid=eiduks,ou=users,ou=tm

dn: uid=eiduks, ou=users, ou=tm
userPassword:: ....
uid: eiduks
objectClass: inetOrgPerson
sn: Eiduks
cn: Andris Eiduks
access to dn.exact="ou=mnuLinks,ou=mnuAMM,ou=ui,ou=cl,ou=components,ou=tm" by group="cn=test1,ou=grupas,ou=roles,ou=tm" read by * none
No, it's not possible; actually, yes, something like that is possible using dynamic groups (builtin for ACL checking; need slapo-dyngroup(5) or slapo-dynlist(5) for more general use). You need to use groupOfURLs/memberURL instead of groupOfNames/member, and each memberURL must represent a search that selects portions of the members of the dynamic group.
p.
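As an added illustration of what Pierangelo describes (not part of the thread, and not Andris's data): the same two groups rewritten as dynamic groups, where test1 cannot point at test2 by DN but instead repeats the searches that define test2's members. The DNs and the uid=eiduks entry are taken from the question above; the schema path and the second user filter are assumptions, and the groupOfURLs/memberURL objectclass and attribute come from dyngroup.schema, which ships with OpenLDAP.

```ldif
# Prerequisite in slapd.conf (path assumed):
#   include /usr/local/etc/openldap/schema/dyngroup.schema
#
# Inner group: members are whoever the URL search selects.
dn: cn=test2,ou=grupas,ou=roles,ou=tm
objectClass: groupOfURLs
cn: test2
description: 2 testa grupa
memberURL: ldap:///ou=users,ou=tm??sub?(uid=eiduks)

# Outer group: no "member: cn=test2,..." is possible here, because a
# memberURL must itself select entries. Nesting is expressed by
# carrying the inner group's search(es) forward, plus anything extra
# the outer group should also contain (second filter is constructed).
dn: cn=test1,ou=grupas,ou=roles,ou=tm
objectClass: groupOfURLs
cn: test1
description: 1 testa grupa
memberURL: ldap:///ou=users,ou=tm??sub?(uid=eiduks)
memberURL: ldap:///ou=users,ou=tm??sub?(departmentNumber=ui)

# The ACL from the question then names the group attribute explicitly,
# so slapd evaluates the URL searches itself when checking membership:
#   access to dn.exact="ou=mnuLinks,ou=mnuAMM,ou=ui,ou=cl,ou=components,ou=tm"
#       by group/groupOfURLs/memberURL="cn=test1,ou=grupas,ou=roles,ou=tm" read
#       by * none
```

Because each memberURL is a live search, a user is a member of test1 as soon as an entry of theirs matches one of the filters; the duplicated filter in test1 is the price of not being able to reference test2 by DN, and it is worth keeping the two in sync from one source rather than editing them by hand.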
Is there a way to have OpenLDAP listening on port 389 (standard ldap) but only accept tls encrypted session?
You can require TLS (SSL) via the slapd.conf(5) security directive. The client can then either use ldap:// (to whatever port(s) you have configured slapd(8) to listen on) and initiate TLS via the Start TLS operation or use ldaps:// (to whatever port(s) you have configured slapd(8) on) and initiate TLS upon connecting. If you want to restrict clients to using just the former or the latter, eliminate one or the other listener.
I've searched for quite a while and it seems that the only option is to disable listening on port 389 altogether and only listen on port 636.
While ldap:// uses 389 by default and ldaps:// uses 636 by default, one can actually use ldap:// or ldaps:// on any port.
So the port is independent of the connection type? Clear text authentication as well as a secured connection can be made on both ports (389, 636)? Then what is the port being used for? I assumed 389 is clear text and 636 is the encrypted (SSL/TLS) one. Can you please confirm this?
But this isn't good for my purpose, as some broken clients only work over TLS on port 389
ldap:// on port 389 and use of Start TLS operation to initiate TLS (SSL) is the standard way of securing LDAP with TLS.
Kurt
Hi
On 1/22/07, S Kalyanasundaram skalyanasundaram@novell.com wrote:
So the port is independent of the connection type?
The only reason I asked this question was because I haven't found a way to force a TLS connection over 389 without also allowing non-encrypted connections.
I found here: http://www.openldap.org/doc/admin23/security.html
That I could use the option: disallow bind_simple_unprotected
However, this option seems to be invalid and gives me the error: /usr/local/etc/openldap/slapd.conf: line 31: <disallow> unknown feature bind_simple_unprotected
So either I'm not typing it correctly, or the documentation is incorrect.
In the meantime, security ssf=56 and update_ssf=56 seem to do the trick. I can only authenticate with the LDAP server if encryption is used... Finding the right documentation is rather a challenge :(
Clear text authentication as well as a secured connection can be made on both ports (389, 636)? Then what is the port being used for?
That would be 636, which would then only allow an SSL connection or a Start TLS one, never a clear text one.
I assumed 389 is clear text and 636 is the encrypted (SSL/TLS) one. Can you please confirm this?
Yes, I'm sure :)
Thank you all for your help Regards Jean-Yves
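The slapd.conf settings this thread converges on, written out as an added example (not a configuration posted by anyone in the thread). The certificate paths are assumptions; the `security` factors are the ones documented in slapd.conf(5), and the `simple_bind=` factor is what replaced the `disallow bind_simple_unprotected` option that Jean-Yves found rejected.

```conf
# slapd.conf excerpt. Certificate and key locations are assumed.
TLSCACertificateFile  /etc/openldap/certs/ca.pem
TLSCertificateFile    /etc/openldap/certs/server.pem
TLSCertificateKeyFile /etc/openldap/certs/server.key

# Keep both listeners: ldap:// on 389 for clients that do Start TLS,
# ldaps:// on 636 for clients that want TLS from the first byte.
# (On the command line this is: slapd -h "ldap:/// ldaps:///")

# Require a security strength factor of at least 56 for every operation,
# and the same for writes. The Start TLS extended operation itself is
# exempt from this check, so a client may connect in clear on 389,
# negotiate TLS, and only then bind or search; any attempt to bind or
# search before TLS is up is refused with "confidentiality required".
security ssf=56 update_ssf=56

# Stricter variant: demand that the protection come from TLS specifically
# (not a SASL layer) and that simple binds never travel unprotected.
# security tls=1 simple_bind=56
```

To check the effect from a client host, `ldapsearch -x -H ldap://server -b "" -s base` should fail with result code 13 (confidentialityRequired), while the same query with `-ZZ` added (which makes ldapsearch issue Start TLS and abort if it fails) should succeed. Note that `TLSVerifyClient demand`, mentioned earlier in the thread, does something different: it requires clients to present a certificate once TLS is negotiated, but on its own it does not stop a client from never negotiating TLS at all.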
At 09:51 PM 1/21/2007, S Kalyanasundaram wrote:
While ldap:// uses 389 by default and ldaps:// uses 636 by default, one can actually use ldap:// or ldaps:// on any port.
So the port is independent of the connection type?
Yes, ldap://server:636 and ldaps://server:389 are syntactically valid URLs. Of course, they are only valid in use if the server was actually and quite oddly configured to accept ldap:// on 636 and ldaps:// on 389.
The clear text authentication and as well as secured connection can be made on both the ports (389,636) ?
Given the above, and oddly configured clients (and possibly servers), asking about what ports support is confusing.
The point I was trying to make is that configuring a client to use port 636 doesn't necessarily cause it to use ldaps:// instead.
Then what for the port is being used?
Ports, and host addresses, are used to distinguish endpoints in a TCP stream. That is, server:389 and server:636 are different endpoints. Neither server:389 nor server:636 indicates which protocol (or protocol variant) is to be used (or is used).
I assumed 389 is clear text and 636 is encrypted(ssl/tls) one.
389 is the default port for ldap://. 636 is the default port for ldaps://.
However, assuming all communication is on default ports is, well, a bad assumption. This thread started with what appears to be a client using ldap:// on 636, as if the following had been done: ldapsearch -H ldap://server:636
-- Kurt
Hi,
I'm running openldap-2.3.24 with db-4.4.20.NC. When I try to do: slapcat -l output.ldif
I get: slapcat: could not open database.
I get the above error after I run ldapsearch from the same Linux console; if I open a new Linux console and run slapcat, it works fine.
Any suggestions? I'm concerned I have problems with my database.
Thanks Moe
On 1/22/07, Moe moe_w90@yahoo.com wrote:
Hi,
I'm running openldap-2.3.24 with db-4.4.20.NC. When I try to do: slapcat -l output.ldif
I get: slapcat: could not open database.
I get the above error after I run ldapsearch from the same Linux console; if I open a new Linux console and run slapcat, it works fine.
Any suggestions? I'm concerned I have problems with my database.
Maybe you're not referencing the right slapd.conf because one environment uses one ldap.conf and one uses another. Try specifying a -f /path/to/correct/slapd.conf
I'm sorry, I missed this part: "Try specifying a -f /path/to/correct/slapd.conf". Not sure what I should exactly try.
Thanks
moe
matthew sporleder msporleder@gmail.com wrote: On 1/22/07, Moe wrote:
Hi,
I'm running openldap-2.3.24 with db-4.4.20.NC. When I try to do: slapcat -l output.ldif
I get: slapcat: could not open database.
I get the above error after I run ldapsearch from the same Linux console; if I open a new Linux console and run slapcat, it works fine.
Any suggestions? I'm concerned I have problems with my database.
Maybe you're not referencing the right slapd.conf because one environment uses one ldap.conf and one uses another. Try specifying a -f /path/to/correct/slapd.conf
I forgot to mention that the problem happens randomly. How can I check the health of my database? Could it be possible that I have a problem in slapd / Berkeley database communication?
Thanks
Moe
matthew sporleder msporleder@gmail.com wrote: On 1/22/07, Moe wrote:
Hi,
I'm running openldap-2.3.24 with db-4.4.20.NC. When I try to do: slapcat -l output.ldif
I get: slapcat: could not open database.
I get the above error after I run ldapsearch from the same Linux console; if I open a new Linux console and run slapcat, it works fine.
Any suggestions? I'm concerned I have problems with my database.
Maybe you're not referencing the right slapd.conf because one environment uses one ldap.conf and one uses another. Try specifying a -f /path/to/correct/slapd.conf