Hi, thanks for your help. I created my own OID in a .schema file that I include in slapd.conf and it works great!
attributetype ( 1.3.6.1.4.1.4203.2.3.159562 NAME 'sbzoneid' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
with "159562" a number of my choice that is not already used by OpenLDAP.
Now I'm trying to get an ldaps connection with the backend LDAP server. I want my OpenLDAP proxy to check the backend certificate against the CA certificate that I put after TLSCACertificateFile. The issue is that the ldaps connection works every time without checking the backend server certificate. The configuration line with TLSCACertificateFile has no effect on the SSL connection!
I saw that TLSVerifyClient makes it possible to force the certificate check of the client connecting to my OpenLDAP proxy, but I don't see how to force the OpenLDAP proxy to check the backend server certificate. Then, I had 2 .cer CA certificates (a root and an intermediate) that I concatenated into 1 certificate. Does OpenLDAP support .cer? Or should I rename it to .pem? My slapd.conf:
TLSCACertificateFile /usr/local/etc/openldap/CAcert.cer
#TLSVerifyClient never
database ldap
suffix ou=personnes,o=sg
uri ldaps://192.168.239.210:1636
Thank you for your help, jerrrry
Message of 30/11/06 at 17:52 From: "Kurt D. Zeilenga" To: jerrrry@voila.fr Cc: openldap-software@openldap.org Subject: Re: openldap proxy: schema issue
At 02:09 AM 11/30/2006, jerrrry@voila.fr wrote:
Hi everybody,
I'm configuring slapd(8) 2.3.27 for use as a proxy to another LDAP server.
Unfortunately this (non-OpenLDAP) LDAP directory uses non-standard attributes stored in a .ldif file.
I have to use one of these non-standard attributes in the slapd.conf file for binddn:
database ldap
uri ldap://192.168.239.210:1389
suffix ou=personnes,o=sg
binddn "sbzoneid=appli_test,ou=exploit,ou=personnes,o=sb"
bindpw secret
Maybe I have to convert this file to the OpenLDAP .schema format and include it in slapd.conf.
If the LDIF contains RFC 4512 conformant schema descriptions, that conversion is straight forward. However, it seems that descriptions provided in the LDIF do not conform to RFC 4512.
A big issue seems to be that this LDIF file doesn't use numeric OIDs but string OIDs like:
attributetype ( sbzoneid-oid NAME 'sbzoneid' SYNTAX 1.3.6.1.4.1.1466.115.12
slapd(8) requires either an OID, or a valid OID macro (which will expand to the OID before the description is published in the schema)... because LDAP does (see RFC 4512).
So when running "slapd -d 1" I get the error: OID could not be expanded: "sbzoneid-oid"
As "sbzoneid-oid" isn't a numericoid, it assumed it was an OID macro. But there is no such OID macro, hence the error.
Or maybe a more liberal parsing could be helpful?
The input is parsed just fine. The problem is semantics. The field requires an OID. "sbzoneid-oid" is neither an OID, nor something that represents an OID. Without an OID, slapd(8) wouldn't be able to publish valid schema descriptions for the schema element.
Do you have any idea how to solve this problem?
Locate the proper OIDs for these schema elements and use them. Or, assign your own OIDs (from your own name space).
Kurt
At 06:50 AM 12/1/2006, jerrrry@voila.fr wrote:
Thanks for your help. I created my own OID in a .schema file that I include in slapd.conf and it works great!
attributetype ( 1.3.6.1.4.1.4203.2.3.159562 NAME 'sbzoneid' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
with "159562" a number of my choice that is not already used by OpenLDAP.
Do not hijack OID namespace. Get your own OID arc (from IANA or your national authority).
jerrrry@voila.fr writes:
Hi,
Thanks for your help.
[...]
Now I'm trying to get an ldaps connection with the backend LDAP server. I want my OpenLDAP proxy to check the backend certificate against the CA certificate that I put after TLSCACertificateFile.
The issue is that the ldaps connection works every time without checking the backend server certificate.
The configuration line with TLSCACertificateFile has no effect on the SSL connection!
I saw that TLSVerifyClient makes it possible to force the certificate check of the client connecting to my OpenLDAP proxy, but I don't see how to force the OpenLDAP proxy to check the backend server certificate.
In this particular case back-ldap acts as a client, thus client-specific configurations are read from ldap.conf.
Then, I had 2 .cer CA certificates (a root and an intermediate) that I concatenated into 1 certificate. Does OpenLDAP support .cer? Or should I rename it to .pem?
OpenLDAP only supports PEM format.
-Dieter
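The two points in Dieter's reply, worked through as an added example (this script is not part of the thread and not OpenLDAP's own code): back-ldap is a libldap client, so the CA it trusts for an ldaps:// backend comes from ldap.conf(5) (TLS_CACERT, with TLS_REQCERT set to demand so a backend that does not chain to that CA is refused), and that CA file has to be PEM, so a DER-encoded .cer must be converted rather than renamed. The script builds the PEM bundle from root plus intermediate, then checks a backend server certificate against it with openssl verify, which applies the same chain rules libldap will. The root/intermediate/server PKI it generates, the "Rogue" self-signed certificate, and the path /usr/local/etc/openldap/CAcert.pem are constructed for this example; adjust the path to wherever your slapd's ldap.conf lives.

```shell
# Added example: build a PEM CA bundle for back-ldap's ldap.conf and verify a
# backend certificate against it. Everything generated here (the test PKI,
# the CN values, the file names) is an assumption made for this example.

set -eu

# to_pem FILE: print FILE as PEM whether it is PEM or DER (.cer) encoded.
to_pem() {
    if grep -q 'BEGIN CERTIFICATE' "$1"; then
        openssl x509 -in "$1" -inform PEM -outform PEM
    else
        openssl x509 -in "$1" -inform DER -outform PEM
    fi
}

# make_ca_bundle OUT CERT...: concatenate CA certificates into one PEM file
# (root and intermediate both belong in it) and print how many it holds.
make_ca_bundle() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        to_pem "$f" >> "$out"
    done
    grep -c 'BEGIN CERTIFICATE' "$out"
}

# verify_backend BUNDLE SERVERCERT: exit 0 if SERVERCERT chains to BUNDLE,
# non-zero otherwise, i.e. what TLS_REQCERT demand will enforce at run time.
verify_backend() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# ldap_conf_lines BUNDLE: the client-side TLS settings slapd's back-ldap reads
# (ldap.conf(5) directives, not slapd.conf TLSCACertificateFile).
ldap_conf_lines() {
    printf 'TLS_CACERT %s\n' "$1"
    printf 'TLS_REQCERT demand\n'
}

# make_test_pki DIR: constructed root -> intermediate -> server chain, the
# root also written as DER (.cer), plus an unrelated self-signed certificate.
make_test_pki() {
    d=$1
    mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Root CA' \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Intermediate CA' \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=192.168.239.210' \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/server.pem" 2>/dev/null
    # a .cer as handed out by many CAs: same certificate, DER encoded
    openssl x509 -in "$d/root.pem" -outform DER -out "$d/root.cer"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Rogue' \
        -keyout "$d/rogue.key" -out "$d/rogue.pem" 2>/dev/null
}

# demo: run the whole flow on the constructed PKI (LDAP_TLS_DEMO=1 sh this.sh).
demo() {
    tmp=$(mktemp -d)
    make_test_pki "$tmp"
    make_ca_bundle "$tmp/CAcert.pem" "$tmp/root.cer" "$tmp/int.pem" >/dev/null
    if verify_backend "$tmp/CAcert.pem" "$tmp/server.pem"; then
        echo "backend certificate chains to the bundle"
    fi
    if ! verify_backend "$tmp/CAcert.pem" "$tmp/rogue.pem"; then
        echo "unrelated certificate rejected"
    fi
    ldap_conf_lines /usr/local/etc/openldap/CAcert.pem
    rm -rf "$tmp"
}

if [ "${LDAP_TLS_DEMO:-0}" = 1 ]; then
    demo
fi
```

Two checks worth keeping from this: the bundle must contain the intermediate as well as the root, because a backend that only sends its leaf certificate cannot be chained from the root alone; and the lines go into the ldap.conf that slapd itself reads, since TLSCACertificateFile in slapd.conf only governs slapd's listener side.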