openldap-technical August 2008

openldap-technical@openldap.org

63 participants
81 discussions

SLAPD 2.4.9 and OpenSSL 0.9.8g on Ubuntu 8.04 server - client certificate not read
by Hauke Coltzau 28 Aug '08

28 Aug '08

Hello everybody, I'm just trying to set up a LDAPS server using my own certification authority, but the ldap server does not accept/understand my client certificate. Instead, the server sais: TLS: can't accept: The peer did not send any certificate.. What I did: 1.) I set up LDAP without SSL/TLS to make sure that it is configured properly. This worked out fine so far, I can use ldapsearch, ldapadd, phpldapadmin ... 2.) I created a self signed certificate for my RootCA, used it to sign my ServerCA and used the ServerCA to sign the certificates for my ldap server and client. The certificates of RootCA and ServerCA have been concatenated into one file <name of ca>.chain.crt 3.) Changed ldap.conf and slapd.conf as described below 4.) Tried to do an ldapsearch on the client -> failed 5.) Tried openssl client -> success Here are the details: Client: ======= # ldapsearch -x -LLL -ZZ -d 1 ldap_create ldap_extended_operation_s ldap_extended_operation ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP <serverip>:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying <serverip>:636 ldap_pvt_connect: fd: 3 tm: -1 async: 0 TLS: can't connect: A TLS packet with unexpected length was received.. ldap_err2string ldap_start_tls: Can't contact LDAP server (-1) Server: ======== # slapd -VV @(#) $OpenLDAP: slapd 2.4.9 (Aug 1 2008 01:09:46) $ buildd@king:/build/buildd/openldap2.3-2.4.9/debian/build/servers/slapd # slapd -h "ldaps://<ip>/" -u openldap -g openldap -d 127 ... ... connection_get(13): got connid=32 connection_read(13): checking for input on id=32 tls_read: want=5, got=5 0000: 16 03 02 00 07 ..... tls_read: want=7, got=7 0000: 0b 00 00 03 00 00 00 ....... TLS: can't accept: The peer did not send any certificate.. connection_read(13): TLS accept failure error=-1 id=32, closing connection_closing: readying conn=32 sd=13 for close connection_close: conn=32 sd=13 daemon: removing 13 But if I use openssl s_client, I get a differnet result: Client: ======= openssl s_client -showcerts -connect <serverfqdn>:636 \ -CAfile cacerts/<ca>.chain.crt -cert certs/<clientfqdn>.cert.pem \ -key private/<clientfqdn>.key.pem CONNECTED(00000003) depth=2 /C=... verify return:1 depth=1 /C=... verify return:1 depth=0 /C=... verify return:1 --- Certificate chain 0 s:/C=... i:/C=... -----BEGIN CERTIFICATE----- <Certificate data> -----END CERTIFICATE----- --- Server certificate subject=/C=... issuer=/C=... --- Acceptable client certificate CA names /C=... /C=... --- SSL handshake has read 1806 bytes and written 4358 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 2048 bit Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES256-SHA Session-ID: F63D4DB4A918CC3BC8F8617AD49F6C6EFCB316203466EC91DBCF0C2E3700DE1E Session-ID-ctx: Master-Key: <master key> Key-Arg : None Start Time: 1219848938 Timeout : 300 (sec) Verify return code: 0 (ok) --- And on server side, everything seems to be o.k. There is no error and the last lines of output are: => ldap_dn2bv(16) <= ldap_dn2bv(cn=<cn of client>,ou=<ou>,o=<o>,st=<st>,c=<c>)=0 daemon: activity on 1 descriptor daemon: activity on: daemon: epoll: listen=7 active_threads=0 tvp=zero daemon: epoll: listen=8 active_threads=0 tvp=zero ldap.conf (partially) --------------------- uri ldaps://132.176.4.6/ ssl yes tls_cacertfile /usr/lib/ssl/cacartes/<ca>.chain.crt tls_ciphers TLSv1 tls_cert /usr/lib/ssl/certs/<clientfqdn>.cert.pem tls_key /usr/lib/ssl/private/<clientfqdn>.key.pem ldap.conf (partially) --------------------- TLSCACertificateFile /usr/lib/ssl/certs/<ca>.chain.crt TLSCertificateFile /usr/lib/ssl/openldap/<serverfqdn>.cert.pem TLSCertificateKeyFile /usr/lib/ssl/openldap/private/<serverfqdn>.key.pem TLSVerifyClient demand What did I do wrong? Best regards, Hauke Coltzau --

3 3

How to restrict the simultaneous login
by Praveen Kumar 28 Aug '08

28 Aug '08

Hi, I using the LDAP server for authentication and log into a machine. Now i want the user should not be allowed log into any machine, if it is already logged into one machine using that LDAP server for the login and authentication. Means that there should not be any simultaneous login for the same user. Is this possible using the LDAP or Not. Waiting for the reply. Thanks in advance. Regards.

3 2

Re: How to generate access logs
by Gavin Henry 27 Aug '08

27 Aug '08

----- "Luciano Andre Baramarchi" <luciano_mt(a)terra.com.br> wrote: > Hi, > > I'm using OpenLDAP with HP-UX and LDAP-UX (HP product) to integrate > users and passwords with NSS. The integration works fine but, > sometimes the system lost the username when I run "id" command. In > contact with HP support, they suspect that the problem is in OpenLDAP > > server. I need to generate a log of the all access to LDAP server to > > validate if the problem occurs because the server don't respond or the For search operation logging set your loglevel to 256 or stats. See "man slapd.conf" and: http://www.openldap.org/faq/index.cgi?_highlightWords=syslog&file=358 http://www.openldap.org/faq/index.cgi?_highlightWords=syslog&file=907 http://www.openldap.org/faq/index.cgi?_highlightWords=syslog&file=80 -- Kind Regards, Gavin Henry. T +44 (0) 1224 279484 M +44 (0) 7930 323266 F +44 (0) 1224 824887 E ghenry(a)suretecsystems.com Open Source. Open Solutions(tm). http://www.suretecsystems.com/

1 0

How to generate access logs
by Luciano Andre Baramarchi 27 Aug '08

27 Aug '08

Hi, I'm using OpenLDAP with HP-UX and LDAP-UX (HP product) to integrate users and passwords with NSS. The integration works fine but, sometimes the system lost the username when I run "id" command. In contact with HP support, they suspect that the problem is in OpenLDAP server. I need to generate a log of the all access to LDAP server to validate if the problem occurs because the server don't respond or the client don't query the server Is possible to generate this log? How? Thanks a lot. PS.: Sorry ... I'm brasilian and my english needs to improve ... --------------------------------------------- Luciano A. Baramarchi Multitask Consultoria luciano(a)multitasknet.com.br 47 9911 4484 ---------------------------------------------

1 0

How to import xml file
by İlker Aktuna (Koç.net) 27 Aug '08

27 Aug '08

Hi, I am a new OpenLDAP user. I wonder if there is an easy way of importing an XML file to OpenLDAP server. I've read on some forums that importing LDIF is possible but XML is not. If an XML importer is not available I am also willing to convert my XML file to LDIF but I don't know of a free XML to LDIF converter. Could you please help me ? Thanks, ilker _____________________________________________________________________________________________________________________________________________ Bu e-posta mesaji kisiye ozel olup, gizli bilgiler iceriyor olabilir. Eger bu e-posta mesaji size yanlislikla ulasmissa, icerigini hic bir sekilde kullanmayiniz ve ekli dosyalari acmayiniz. Bu durumda lutfen e-posta mesajini kullaniciya hemen geri gonderiniz ve tum kopyalarini mesaj kutunuzdan siliniz. Bu e-posta mesaji, hic bir sekilde, herhangi bir amac icin cogaltilamaz, yayinlanamaz ve para karsiligi satilamaz. Bu e-posta mesaji viruslere karsi anti-virus sistemleri tarafindan taranmistir. Ancak yollayici, bu e-posta mesajinin - virus koruma sistemleri ile kontrol ediliyor olsa bile - virus icermedigini garanti etmez ve meydana gelebilecek zararlardan dogacak hicbir sorumlulugu kabul etmez. This message is intended solely for the use of the individual or entity to whom it is addressed , and may contain confidential information. If you are not the intended recipient of this message or you receive this mail in error, you should refrain from making any use of the contents and from opening any attachment. In that case, please notify the sender immediately and return the message to the sender, then, delete and destroy all copies. This e-mail message, can not be copied, published or sold for any reason. This e-mail message has been swept by anti-virus systems for the presence of computer viruses. In doing so, however, sender cannot warrant that virus or other forms of data corruption may not be present and do not take any responsibility in any occurrence. _____________________________________________________________________________________________________________________________________________

2 1

Help Regarding Multi master replication
by piyush joshi 27 Aug '08

27 Aug '08

Dear All, I am configuring OpenLDAP with multi master replication. I have configured both server's slapd.conf file and as well as loaded syncprov module and following is the syncrepl configuration First LDAP Server IP - 192.168.1.8 Second LDAP Server IP - 192.168.1.12 On first server syncrepl rid=001 provider=ldap://192.168.1.12 type=refreshAndPersist retry="5 5 300 +" searchbase="dc=***,dc=com" attrs=* bindmethod=simple binddn="cn=root,dc=***,dc=com" credentials=*** overlay syncprov syncprov-checkpoint 50 10 and on second server syncrepl rid=001 provider=ldap://192.168.1.8 type=refreshAndPersist retry="5 5 300 +" searchbase="dc=***,dc=com" attrs=* bindmethod=simple binddn="cn=root,dc=***,dc=com" credentials=*** overlay syncprov syncprov-checkpoint 50 10 But Now I am unable to modify, add or delete any record so what is the proper solution to make it work . I need your support to make it work. Thanks Regards Piyush Joshi 9415414376

2 1

Re: RHEL 5 cannot authenticate thru ldap
by Santosh Balan 26 Aug '08

26 Aug '08

Hi, If you are using pam.d for authentication then i beleive that the below site is a very good reference material for installation. http://coewww.rutgers.edu/www1/linuxclass2003/lessons/lecture8.html I have referred to the above site and done for authentication and automounting a partition. Kindly refer and revert if it was of any support to you. Thanks and regards Santosh Balan +91-9819419509 (Open Source is the technology for future) > ----- Original Message ----- > From: "Dat Duong" <datduong2000(a)yahoo.com> > To: "Santosh Balan" <santosh.balan(a)linuxmail.org>, openldap-technical(a)openldap.org > Subject: Re: RHEL 5 cannot authenticate thru ldap > Date: Tue, 26 Aug 2008 07:55:03 -0700 (PDT) > > > Hi, > > Thanks for a quick respond. I did use the GUI within GNOME called > "Athentication". I think I'm using pam.d I haven't try to copy > anything yet. Also, I can't do the ldapsearch using -ZZ for TLS on > RHEL 5. However, I get some errors. I was able to do the ldapsearch > for -ZZ on Solaris. > > > thanks again, > > > > ----- Original Message ---- > From: Santosh Balan <santosh.balan(a)linuxmail.org> > To: Dat Duong <datduong2000(a)yahoo.com>; openldap-technical(a)openldap.org > Sent: Monday, August 25, 2008 10:05:01 PM > Subject: Re: RHEL 5 cannot authenticate thru ldap > > Hi, > > > From where r u taking data for authentication. Is it using pamd > > or creating a new ldap bdb or ldbm. > > Have u configured your client machine to connect to the ldap server > for authentication using system-config-authentication. > > In case you are using the pamd authentication module then you need > to copy the following files from /usr/share/doc/nss_ldap-253/pam.d/ > directory namely login, passwd, su, ssh to /etc/pam.d . > > Then u need to try to authenticate. > > Try googling through for the other method of authentication i.e. > using ldbm or bdb database. As scripts needs to be executed to load > your users data. > > Kindly check and revert. > > Thanks and Regards > Santosh Balan > +91-9819419509. > > > > > ----- Original Message ----- > > From: "Dat Duong" <datduong2000(a)yahoo.com> > > To: openldap-technical(a)openldap.org > > Subject: RHEL 5 cannot authenticate thru ldap > > Date: Mon, 25 Aug 2008 11:01:16 -0700 (PDT) > > > > > > Hi, > > > > I don't know what is the reason why i can't authenticate thru the > > ldap server from RHEL 5. I can do ldapsearch -x -LLL and it > > listed the data. Any help who be appreciated...thanks > > > > > > > > > > > > > > = > > > -- > Powered by Outblaze > > > > > = -- Powered by Outblaze

1 0

Re: RHEL 5 cannot authenticate thru ldap
by Dat Duong 26 Aug '08

26 Aug '08

Hi, Thanks for a quick respond. I did use the GUI within GNOME called "Athentication". I think I'm using pam.d I haven't try to copy anything yet. Also, I can't do the ldapsearch using -ZZ for TLS on RHEL 5. However, I get some errors. I was able to do the ldapsearch for -ZZ on Solaris. thanks again, ----- Original Message ---- From: Santosh Balan <santosh.balan(a)linuxmail.org> To: Dat Duong <datduong2000(a)yahoo.com>; openldap-technical(a)openldap.org Sent: Monday, August 25, 2008 10:05:01 PM Subject: Re: RHEL 5 cannot authenticate thru ldap Hi, >From where r u taking data for authentication. Is it using pamd or creating a new ldap bdb or ldbm. Have u configured your client machine to connect to the ldap server for authentication using system-config-authentication. In case you are using the pamd authentication module then you need to copy the following files from /usr/share/doc/nss_ldap-253/pam.d/ directory namely login, passwd, su, ssh to /etc/pam.d . Then u need to try to authenticate. Try googling through for the other method of authentication i.e. using ldbm or bdb database. As scripts needs to be executed to load your users data. Kindly check and revert. Thanks and Regards Santosh Balan +91-9819419509. > ----- Original Message ----- > From: "Dat Duong" <datduong2000(a)yahoo.com> > To: openldap-technical(a)openldap.org > Subject: RHEL 5 cannot authenticate thru ldap > Date: Mon, 25 Aug 2008 11:01:16 -0700 (PDT) > > > Hi, > > I don't know what is the reason why i can't authenticate thru the > ldap server from RHEL 5. I can do ldapsearch -x -LLL and it listed > the data. Any help who be appreciated...thanks > > > > > = -- Powered by Outblaze

1 0

RHEL 5 cannot authenticate thru ldap
by Dat Duong 26 Aug '08

26 Aug '08

Hi, I don't know what is the reason why i can't authenticate thru the ldap server from RHEL 5. I can do ldapsearch -x -LLL and it listed the data. Any help who be appreciated...thanks

2 1

Re: RHEL 5 cannot authenticate thru ldap
by Santosh Balan 25 Aug '08

25 Aug '08

Hi, >From where r u taking data for authentication. Is it using pamd or creating a new ldap bdb or ldbm. Have u configured your client machine to connect to the ldap server for authentication using system-config-authentication. In case you are using the pamd authentication module then you need to copy the following files from /usr/share/doc/nss_ldap-253/pam.d/ directory namely login, passwd, su, ssh to /etc/pam.d . Then u need to try to authenticate. Try googling through for the other method of authentication i.e. using ldbm or bdb database. As scripts needs to be executed to load your users data. Kindly check and revert. Thanks and Regards Santosh Balan +91-9819419509. > ----- Original Message ----- > From: "Dat Duong" <datduong2000(a)yahoo.com> > To: openldap-technical(a)openldap.org > Subject: RHEL 5 cannot authenticate thru ldap > Date: Mon, 25 Aug 2008 11:01:16 -0700 (PDT) > > > Hi, > > I don't know what is the reason why i can't authenticate thru the > ldap server from RHEL 5. I can do ldapsearch -x -LLL and it listed > the data. Any help who be appreciated...thanks > > > > > = -- Powered by Outblaze

1 0

← Newer
1
2
3
4
5
6
7
8
9
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical August 2008