cert options in ssl/tls connections
by Qiang Xu
Hello All,
Today I came across a strange problem.
I wrote a program to test ldap ssl/tls connection with OpenLDAP library.
Something like the code snippet as follows:
    int ret = LDAP_OPT_SUCCESS;
    int cert_flag = LDAP_OPT_X_TLS_NEVER;
    ...
    ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_flag);
    if (ret != LDAP_OPT_SUCCESS)
    {
        fprintf(stderr, "unable to set require cert option "
                "(LDAP_OPT_X_TLS_REQUIRE_CERT): %s\n",
                ldap_err2string(ret));
    }
    ... // bind to the server
    cert_flag = LDAP_OPT_X_TLS_DEMAND;
    ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_flag);
    if (ret != LDAP_OPT_SUCCESS)
    {
        fprintf(stderr, "unable to set require cert option "
                "(LDAP_OPT_X_TLS_REQUIRE_CERT): %s\n",
                ldap_err2string(ret));
    }
    ... // bind to the server
The first binding is successful, as expected. However, the second binding
is also successful, which is contrary to my expectation, because I haven't
created any cert file yet.
Another observation here is that if the first binding with
LDAP_OPT_X_TLS_NEVER is removed, and the second binding with
LDAP_OPT_X_TLS_DEMAND set is done right from the beginning, then it
fails, as expected.
So, it seems the first value set for the option LDAP_OPT_X_TLS_REQUIRE_CERT
overrides the later values, doesn't it? Is it possible to change this
option's value on the fly (meaning different bindings use different values
for this cert option)?
Thanks,
Qiang
11 years, 7 months
Delta-syncrepl issue
by Abderamane Hamani
Good morning,
Is it possible to always use delta-syncrepl, even if the replica consumer is too far from the provider?
Many thanks in advance
11 years, 7 months
Re: Delta-syncrepl issue
by Mauricio Tavares
On Tue, Feb 28, 2012 at 1:24 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Tuesday, February 28, 2012 3:54 PM +0100 Abderamane Hamani
> <ahamani(a)escpeurope.eu> wrote:
>
>> Good morning,
>> Is it possible to always use delta-syncrepl, even if the replica consumer is
>> too far from the provider? Many thanks in advance
>
>
> Your question doesn't make sense as worded. Delta-syncrepl is not limited
> by physical distance.
>
> --Quanah
>
Also, depending on the traffic and connection speed between both
machines, you might experience some slowdown, but it will just catch
up eventually. Unless you keep changing your ldap database all the
time. ;)
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
11 years, 7 months
olcMirrorMode attribute in N-way multimaster
by Christopher Jones
Hi all,
I'm working on a multimaster setup using the LDIF configuration (as opposed to slapd.conf). From my understanding of the documentation, Mirror Mode is distinct from N-way Multimaster in that it is an 'active-active/hot swap' configuration, and writes need to go to a single server.
In the admin guide's example found here:
http://www.openldap.org/doc/admin24/replication.html#N-Way%20Multi-Master
the N-way multimaster has this attribute set:
add: olcMirrorMode
olcMirrorMode: TRUE
Could someone clarify what the olcMirrorMode attribute is for in the N-way multimaster configuration?
Thanks for your help in advance,
Chris
11 years, 7 months
slapd/slaptest fail with cyrus-sasl-2.1.25
by Markus Wernig
Hello all
I have openldap-2.4.29 on x86 Solaris 11, compiled from source.
It links against cyrus-sasl libraries, also compiled from source. All
was working well with cyrus-sasl-2.1.23. After upgrading sasl to 2.1.25
slapd refuses to start:
# /usr/local/libexec/slapd -d 8
4f4a8bad @(#) $OpenLDAP: slapd 2.4.29 (Feb 26 2012 19:45:45) $
@xfer-srv01:/opt/build.d/openldap-2/tmp/openldap-2.4.29/servers/slapd
4f4a8bad slap_sasl_init: auxprop add plugin failed
4f4a8bad slapd stopped.
4f4a8bad connections_destroy: nothing to destroy.
If I downgrade cyrus-sasl again to 2.1.23, the error does not occur and
slapd works normally without recompiling.
I have seen bug reports about a similar problem with Debian, and from
that report (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628237) it
seemed that the problem lies with the SASL library, but should have been
fixed in the meantime.
But still, I keep getting that error, and no configuration or
compilation option (apart from totally disabling SASL) helps.
Does anybody have an idea of how I could debug this further? Is this
still a known issue?
Thanks
/markus
11 years, 7 months
Re: the root of the directory tree
by stefano
OK, thanks.
Another question:
I'm working on a LAN with students, teachers, some guests and a pair of
administrators.
I need everyone to be able to authenticate himself on the LAN. There are some
computers in a room, and I want a login display to appear when they are
powered on. The same thing for every computer that will be connected to our
local network. Every user will have his own permissions to visit different
sites, to see server resources, etc. I don't know how to prepare this yet,
but for the moment I am preparing the server, populating it with every user.
Now I need to know one thing. With my configuration idea, is it enough to
have the Simple Bind using only the userPassword of the Person objectClass?
Do I also need the account and simpleSecurityObject classes?
On 02/28/2012 10:11 AM, Turbo Fredriksson wrote:
> On Tue, 28 Feb 2012 08:02:42 +0100, stefano wrote:
>> I am preparing an ldap server to allow every user to access the LAN
>> only with his username and password. the root of the directorytree can
>> be invented? i invented a domain amahoro.bi, can be correct?
>
> Sure. As long as you don't plan on publishing it in any way and ONLY use
> it internally, that would work.
>
> Your base DN would then be: 'dc=amahora,dc=bi'.
>
> It's not the best of ideas (best is to register a domain name and use
> that), but functionally perfectly fine.
> --
> ... but you know as soon as Oracle starts waving its wallet at a
> Company it's time to run - fast.
> /illumos mailing list
>
11 years, 7 months
the root of the directory tree
by stefano
good morning.
i have a simple question for you.
I am preparing an ldap server to allow every user to access the LAN only
with his username and password. Can the root of the directory tree be
invented? I invented a domain amahoro.bi; is that correct?
thanks
11 years, 7 months
Mozilla NSS -- how to deploy intermediate certificate
by Aaron Bennett
Hello,
I need to publish the GeoTrust intermediate certificate; I'm using 2.4.29 built against Mozilla NSS. In OpenSSL world, I'd use -- I think -- TLSCACertificateFile /path/to/CA-certificates. Here's what I've tried:
Download GeoTrust cert from https://knowledge.geotrust.com/support/knowledge-base/index?page=content&... ; save as intermediate.crt
Import with:
# certutil -d /etc/openldap/nssdb/ -A -t ",," -n geotrust-intermediate -i intermediate.crt
certutil -L now shows:
# certutil -d /etc/openldap/nssdb/ -L
Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI
geotrust-intermediate                        ,,
ds.clarku.edu                                Pu,Pu,Pu
cn=config looks like this:
olcTLSCACertificateFile: geotrust-intermediate
olcTLSCACertificatePath: /etc/openldap/nssdb
olcTLSCertificateFile: ds.clarku.edu
But still clients cannot verify the cert.
Any Mozilla NSS gurus know what I'm doing wrong?
Thanks,
Aaron
11 years, 7 months
Resync DEL
by Marc Patermann
Hi,
due to the "DEL doesn't get replicated" issue, I have inconsistent data on
the consumers.
I set up a test pair with a provider holding current master data and a
consumer holding current slave data.
The data sets differ in a few entries whose DELs were not replicated.
Is there any way to get the two servers in sync again other than
completely deleting the database and refilling it (by slapadd from the
master or a full resync) on the consumer?
I tried (with various combinations of 2.4.26, 2.4.28 and current pre-2.4.30)
to start the consumer with "-c rid=xxx,csn=", which starts a full
sync, but the objects that no longer exist on the master don't get deleted
on the slave.
Marc
11 years, 7 months
require StartTLS
by Daniel Pocock
Is there some way to ensure that a client who connects on port 389 can
do nothing without StartTLS?
Or is it necessary to just disable port 389 and only listen for ldaps:/// ?
11 years, 7 months
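The first option asked about exists in slapd: the security directive. An added example (not from the original post) in cn=config form, since this is what the other threads on this page use. With olcSecurity set, slapd refuses every operation on a session that does not yet meet the requirement with confidentialityRequired (result code 13); the StartTLS extended operation itself is exempt, so a client on port 389 can do exactly one thing, which is start TLS. The database DN olcDatabase={1}mdb,cn=config is assumed and should be adjusted to the local setup.

```ldif
# Added example, not configuration from the original thread.
# Assumed: the data database is olcDatabase={1}mdb,cn=config.

# Frontend-wide: nothing but StartTLS is accepted until the session has TLS.
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1

# Stronger variant on one database: demand 128 bits of security strength
# for all operations and specifically for simple binds, so a password is
# never accepted over a channel weaker than that (this also rejects weak
# cipher suites, not just cleartext).
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: ssf=128 simple_bind=128
```

Two caveats before applying this to a live server. The tls= and ssf= factors are checked on ldapi:/// sessions too: an ldapi session has no TLS, so tls=1 shuts it out, and ssf= is compared against olcLocalSSF (default 71), so with ssf=128 set olcLocalSSF: 128 if cn=config is administered over the local socket. And verify the result from a client rather than trusting the config: `ldapwhoami -H ldap://host -x` should now fail with "Confidentiality required (13)", while the same command with `-ZZ` should succeed. Disabling the ldap:// listener entirely in favour of ldaps:/// remains a valid alternative, but it loses StartTLS for clients that only speak it; olcSecurity gives the same guarantee on port 389.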