Re: web apps and client certificate authentication
by Kurt Zeilenga
On Jan 11, 2009, at 10:07 AM, Emmanuel Dreyfus wrote:
> Hello
>
> I am not sure this is the right place for that question, but I cannot
> figure a better one. Please point me to the right place if there is a
> better one than here.
>
>
> I know how to use x509 certificate to authenticate a client against
> OpenLDAP. It works great with ldap{search|add|modify|delete|whatever}.
>
> Now I would like to do the same with the client being a web browser and
> with a web application between the browser and slapd:
>
> browser (client cert) --> apache (PHP web application) --> slapd
>
> Client certificate authentication from the browser to apache is
> straightforward.
Yes, so why complicate it?
>
>
> Therefore I can easily have the client authenticating to the web
> application, and the web application operating on the directory on
> behalf of the client (the web app should bind to the directory as a
> privileged user that would have authzTo: *)
The web application should just authenticate as itself and then use
proxy authorization to act on behalf of the client.
Of course, it has to be authorized to do so.
>
>
> But it would be nicer to actually have the client authenticate to slapd
> using its own client certificate.
Why? Generally, the web application is part of the service which
encompasses the web server and directory service. They should already
have an appropriate trust relationship.
> That is, having the web application
> behaving as a kind of proxy, without any special privilege on the
> directory. Is that possible? If it is, where should I start?
Would require cooperation between the web server and the directory
server. So nothing gained, IMO, except complexity.
>
>
> --
> Emmanuel Dreyfus
> http://hcpnet.free.fr/pubz
> manu(a)netbsd.org
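The arrangement Kurt describes, written out as an added LDIF example that is not from the thread: the application binds as its own service account and is granted proxy authorization over the user subtree only, rather than an unrestricted authzTo: *. The DNs, the inetOrgPerson filter and the ldapi:/// with SASL EXTERNAL invocation are assumptions.

```ldif
# Constructed example. The global policy says the *binding* identity
# (here the web application) carries the list of identities it may
# assume; apply this record as the cn=config rootdn, e.g.
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f authz.ldif
dn: cn=config
changetype: modify
replace: olcAuthzPolicy
olcAuthzPolicy: to

# Service account the PHP application binds as (apply as the rootdn of
# the data database). authzTo is an operational attribute, so no extra
# objectClass is needed. The LDAP URL limits proxying to person entries
# under ou=people: the application can never assume the rootdn, a
# replication identity or another service account.
dn: cn=webapp,ou=services,dc=example,dc=com
changetype: modify
replace: authzTo
authzTo: ldap:///ou=people,dc=example,dc=com??sub?(objectClass=inetOrgPerson)

# Once the application has verified the browser's client certificate
# and mapped it to a user DN, it sends each request with the Proxy
# Authorization control carrying that DN. The command-line equivalent
# (assumed host and DNs) is:
#   ldapsearch -x -H ldap://ldap.example.com \
#       -D cn=webapp,ou=services,dc=example,dc=com -W \
#       -e '!authzid=dn:uid=alice,ou=people,dc=example,dc=com' \
#       -b ou=people,dc=example,dc=com '(uid=alice)'
# slapd then evaluates its ACLs against uid=alice, not cn=webapp, so
# the application itself needs no special privilege on user data.
```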
14 years, 8 months
LDAP data for JUnit
by yukti kaura
Hi All,
I am using LDAP as a back end for my application.
However, my JUnit tests have become LDAP-server dependent, i.e. they read
the data from a particular server which I specify as the ldapUrl.
Do we have a mechanism so that, for testing purposes alone, I can introduce a
static LDIF file shipped along with the code?
The JUnit tests would then read from the LDIF in the same manner that they
read from the LDAP server.
Is there such a method??
Please guide...
Thanks for all your help!!!!
Yukti Kaura
14 years, 8 months
openldap C sdk help
by Sankhadip Sengupta
Hi,
I am a developer and I have set up openldap 2.4.12 and wrote an ldap client in C using the ldap C sdk.
Over the LAN everything looks fine, but when I try to connect and do the same thing over an external IP it fails saying
ldap_bind_s :Can;t contact ldap server(-1).
The server running with d127 shows
"
error:broken pipe
connection reset by peer
"
Could you please help me?
Thanks
Sankhadip
14 years, 8 months
Self-signed server cert within our corp = failure
by Jeff Blaine
OpenLDAP 2.4.11 client
How do I subvert this bogusness? The cert is legit.
% /usr/rcf/bin/ldapsearch -d 1 -v -ZZ -h ldap.our.com -p 4890 -D uid=jblaine -W mail=jblaine(a)our.com emailmailbox
...
res_errno: 0, res_error: <Start TLS request accepted.Server willing to
negotiate SSL.>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (a) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 2, err: 19, subject:
/O=our.com/OU=Certificate Authority/CN=SuperDuper Corporation Root CA-1,
issuer: /O=our.com/OU=Certificate Authority/CN=SuperDuper Corporation
Root CA-1
TLS certificate verification: Error, self signed certificate in
certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.
ldap_err2string
ldap_start_tls: Connect error (-11)
14 years, 8 months
ldap_simple_bind_s fails intermittently, when run in an loop
by bharath.venkata@wipro.com
Hi all,
I am trying to use openldap api's to connect to ldap from my code.
I tried to connect to the ldap server 1,00,000 times (just initializing,
binding and unbinding).
Initially binding to the ldap server works fine, but after some time, say
after reaching more than 10,000 binds, bind continuously fails with the below
error:
"Can't connect to the LDAP server - Cannot assign requested address".
and the error number is 91.
Below is my code snapshot.
#define LDAP_DEPRECATED 1   // ldap_init, ldap_simple_bind_s, ldap_perror, ldap_unbind are deprecated APIs
#include <ldap.h>
#include <iostream>
using std::cout;
using std::endl;

// HOSTNAME and PORTNUMBER are defined elsewhere in the poster's build;
// the fallbacks below are placeholders so the snippet compiles stand-alone.
#ifndef HOSTNAME
#define HOSTNAME "localhost"
#endif
#ifndef PORTNUMBER
#define PORTNUMBER LDAP_PORT
#endif

int main()
{
    int ret;
    LDAP *ld = NULL;
    // Each iteration opens a fresh TCP connection, performs an anonymous
    // simple bind and closes the connection again, 100000 times in a row.
    for (int i = 0; i < 100000; i++)
    {
        cout << "count is " << i << endl;
        ld = ldap_init(HOSTNAME, PORTNUMBER);
        if (ld == NULL)
        {
            cout << " error in initialize " << endl;
            return 2;
        }
        ret = ldap_simple_bind_s(ld, "", "");   // anonymous bind: empty DN and password
        ldap_perror(ld, "ldap_simple_bind_s");
        if (ret != LDAP_SUCCESS)
        {
            cout << " error in bind " << ret << endl;
            cout << ldap_err2string(ret) << " is the error" << endl;
        }
        else
        {
            cout << "bind success " << endl;
        }
        ldap_unbind(ld);    // closes the connection
        ld = NULL;
    }
    return 0;
}
I am clueless why this happened.
Is there any restriction or bug (already present) such that only a certain
number of binds are possible in a given time?
Your help will be very helpful in my further proceedings.
Regards,
Bharath.
14 years, 8 months
openldap syncrepl
by Brad C
Hi There,
I'm having trouble with openldap syncrepl.
I've turned on debugging.
http://pastebin.com/d2da66c02
OpenLDAP versions
itshare:~ # rpm -qa | grep -i openldap
openldap2-client-2.4.12-5.3
openldap2-devel-2.4.12-5.3
openldap2-2.4.12-5.4
OpenSUSE 11.1
Linux itshare 2.6.27.7-9-pae #1 SMP 2008-12-04 18:10:04 +0100 i686 i686 i386
GNU/Linux
Any advice would be most welcome.
This is a vanilla system, is it because it has not created the ldap database
locally?
Jan 21 16:39:05 itshare slapd[3321]: <= bdb_dn2id: get failed:
DB_NOTFOUND: No matching key/data pair found (-30989)
Kind Regards
Brad
14 years, 8 months
How can I configure overlays during runtime of slapd?
by Andreas Micheler
Hello all,
I am new to OpenLDAP,
and I am trying to configure slapd during runtime to add/remove one or
more Overlays.
I have already converted slapd.conf to a config directory slapd.d before.
The command I use to add the overlay is:
slapadd -F slapd.d -n 0 -l myovondelta
The ldif file myovondelta is:
dn: olcOverlay=constraint,olcDatabase=bdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcConstraintConfig
olcOverlay: constraint
olcConstraintAttribute: mail regex ^[:alnum:]+@mydomain.com$
olcConstraintAttribute: title uri
ldap:///dc=catalog,dc=example,dc=com?title?su$
But the output I get is:
<= str2entry: str2ad(changetype): attribute type undefined
slapadd: could not parse entry (line=1)
Can anyone please point me in the right direction? Where is my mistake?
Thanks,
Andreas
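The same overlay definition in a form that can be applied to a running slapd, as an added example that is not from the post: slapadd(8) loads plain entry LDIF and knows no attribute type named changetype, which is what str2ad(changetype) reports; change records belong to ldapadd(1) against cn=config. The database RDN olcDatabase={1}bdb, the ldapi:/// with SASL EXTERNAL invocation and the mail pattern are assumptions, and the truncated uri constraint from the post is left out.

```ldif
# Constructed example. Apply to the live server as the cn=config rootdn:
#   ldapadd -Y EXTERNAL -H ldapi:/// -f constraint.ldif
# ldapadd treats a record without changetype as an add, so none is needed.
# Databases in cn=config carry an ordering index in their RDN; the exact
# value must be read from your own cn=config ({1} is an assumption).
dn: olcOverlay=constraint,olcDatabase={1}bdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcConstraintConfig
olcOverlay: constraint
# A POSIX character class is only valid inside a bracket expression:
# ^[:alnum:]+@mydomain.com$ would accept just the characters ":almnu"
# before the @, so the class is written [[:alnum:]] here and the dot in
# the domain is escaped so it does not match any character.
olcConstraintAttribute: mail regex ^[[:alnum:]._-]+@mydomain\.com$
```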
14 years, 8 months
trailing characters in olcserverids after conversion
by Oliver Liebel
using openldap 2.4.13 (compiled from openldap.org source-package)
i have noticed the following, reproducible behaviour when converting
a slapd.conf to slapd.d:
if slapd.conf contains serverids with ldap-urls, e.g. in this format:
ServerID 1 "ldap://ldapmaster.local.site:9000"
ServerID 2 "ldap://ldapslave.local.site:9000"
the olcserverids always contain some trailing (garbage) characters after the
conversion, and are base64 encoded. when i set them manually in cn=config with
ldapmodify, they are displayed "clean".
the serverid-lines in slapd.conf are "clean" (they contain no whsp/tabs at the end
of the line or similar, invisible chars).
i have tested it without the quotes (") and without the port number,
tested conversion with slaptest and slapd,
in virtual and real machines,
result is always the same.
any ideas?
greetings,
oliver
14 years, 8 months