openldap-technical

openldap-technical@openldap.org

9 participants
9868 discussions

Help me clear in design
by Phan Dang Duy Thinh 14 Oct '08

14 Oct '08

Hi experts, I'm new member in LDAP. Although I've finished configured a Linux server qmail - ldap but I still have some points unclear, let's I explain: For example, I have a lap using some services require authenticate, ex: qmail, radius, ftp, ... I want to save the user information (username, password, ... ) in only one place, so I decided to using LDAP. (number of users are quite large) But after implement qmail-ldap (it now runs good), I don't know how to continue to implement radius service (or other services). Reason is I can't integrate the radius information into qmail database (although I included qmail.schema and radius.schema in slapd.conf). The question: is there a way to integrate data of one schema in to an existed schema? I want to design a structure like this: [qmail information] [radius information] [other service ....] \ | / \ | / \ | / \ | / [common user information] (username, password) Do I have to write my own schema for doing this? (Schema that include both [qmail service information] and [radius service information]) Please give me an advice how to solve this? Thanks, -- Phan Dang Duy Thinh

1 0

Solaris 10 native Client with TLS to OpenLDAP
by John Gee 13 Oct '08

13 Oct '08

Hello, i have a problem with connecting Solaris10 native LDAP Client to a openLDAP Server (slapd 2.4.11) with TLS. The replication from Server ldap01 to ldap02 works fine with TLS, so i think that the problem must be on client site (Solaris 10 native LDAP Client - latest Patchset). Without TLS it works. Maybe someone can give me a hint - -(slapd - debug)--- >>> slap_listener(ldaps:///) connection_get(11): got connid=207 connection_read(11): checking for input on id=207 TLS trace: SSL_accept:before/accept initialization TLS trace: SSL_accept:SSLv3 read client hello A TLS trace: SSL_accept:SSLv3 write server hello A TLS trace: SSL_accept:SSLv3 write certificate A TLS trace: SSL_accept:SSLv3 write server done A TLS trace: SSL_accept:SSLv3 flush data TLS trace: SSL_accept:error in SSLv3 read client certificate A TLS trace: SSL_accept:error in SSLv3 read client certificate A connection_get(11): got connid=207 connection_read(11): checking for input on id=207 TLS trace: SSL3 alert read:fatal:bad certificate TLS trace: SSL_accept:failed in SSLv3 read client certificate A TLS: can't accept. TLS: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate s3_pkt.c:1053 connection_read(11): TLS accept failure error=-1 id=207, closing connection_closing: readying conn=207 sd=11 for close connection_close: conn=207 sd=11 -( slapd.conf - tls part)--- TLSCipherSuite HIGH:MEDIUM:-SSLv2 TLSCACertificateFile /opt/openldap/var/openldap-data/ca-cert.pem TLSCertificateFile /opt/openldap/var/openldap-data/ldap01.kleinfeld.ch.pem TLSCertificateKeyFile /opt/openldap/var/openldap-data/ldap01.kleinfeld.ch TLSVerifyClient never -( solaris 10 - client )---- # import the ca-cert certutil -N -d /var/ldap certutil -A -n "ca-cert" -i /tmp/ldap/ca-cert.pem -a -t CT -d /var/ldap/ # import ldap-server certs certutil -A -d /var/ldap/ -n "ldap01.kleinfeld.ch" -t C,, -i ldap01.kleinfeld.ch.pem certutil -A -d /var/ldap/ -n "ldap02.kleinfeld.ch" -t C,, -i ldap02.kleinfeld.ch.pem # list cert-db certutil -L -d /var/ldap ca-cert CT,, ldap02.kleinfeld.ch C,, ldap01.kleinfeld.ch C,, # initialize ldap-client ldapclient manual -v \ -a credentialLevel=proxy \ -a authenticationMethod=tls:simple \ -a serviceAuthenticationMethod=pam_ldap:tls:simple \ -a proxyDN=cn=proxyAgent,ou=profile,o=kleinfeld,c=ch \ -a proxyPassword=xxxxxxxxxxxx \ -a defaultsearchbase=ou=unix,o=kleinfeld,c=ch \ -a defaultServerList="ldap01.kleinfeld.ch ldap02.kleinfeld.ch" \ -a certificatePath=/var/ldap \ -a domainName=kleinfeld.ch \ -a attributeMap=passwd:gecos=cn \ -a objectClassMap=group:posixGroup=posixGroup \ -a objectClassMap=passwd:posixAccount=posixAccount \ -a objectClassMap=shadow:shadowAccount=shadowAccount \ -a serviceSearchDescriptor=passwd:ou=people,ou=unix,o=kleinfeld,c=ch?one \ -a serviceSearchDescriptor=group:ou=groups,ou=unix,o=kleinfeld,c=ch?one \ -a serviceSearchDescriptor=netgroup:ou=netgroup,ou=unix,o=kleinfeld,c=ch?one # output from ldapclient Parsing credentialLevel=proxy Parsing authenticationMethod=tls:simple Parsing serviceAuthenticationMethod=pam_ldap:tls:simple Parsing proxyDN=cn=proxyAgent,ou=profile,o=kleinfeld,c=ch Parsing proxyPassword=UnIXpRoXY Parsing defaultsearchbase=ou=unix,o=kleinfeld,c=ch Parsing defaultServerList=ldap01.kleinfeld.ch Parsing certificatePath=/var/ldap Parsing domainName=kleinfeld.ch Parsing attributeMap=passwd:gecos=cn Parsing objectClassMap=group:posixGroup=posixGroup Parsing objectClassMap=passwd:posixAccount=posixAccount Parsing objectClassMap=shadow:shadowAccount=shadowAccount Parsing serviceSearchDescriptor=passwd:ou=people,ou=unix,o=kleinfeld,c=ch?one Parsing serviceSearchDescriptor=group:ou=groups,ou=unix,o=kleinfeld,c=ch?one Parsing serviceSearchDescriptor=netgroup:ou=netgroup,ou=unix,o=kleinfeld,c=ch?one Arguments parsed: Handling manual option Proxy DN: cn=proxyAgent,ou=profile,o=kleinfeld,c=ch Proxy password: {NS1}xxxxxxxxxxxxxxxxxxxxx Credential level: 1 Authentication method: 3 About to modify this machines configuration by writing the files Stopping network services sendmail not running nscd not running autofs not running Stopping ldap stop: sleep 100000 microseconds stop: sleep 200000 microseconds stop: network/ldap/client:default... success nisd not running nis(yp) not running Removing existing restore directory file_backup: stat(/etc/nsswitch.conf)=0 file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf) file_backup: stat(/etc/defaultdomain)=0 file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain) file_backup: stat(/var/nis/NIS_COLD_START)=-1 file_backup: No /var/nis/NIS_COLD_START file. file_backup: nis domain is "kleinfeld.ch" file_backup: stat(/var/yp/binding/kleinfeld.ch)=-1 file_backup: No /var/yp/binding/kleinfeld.ch directory. file_backup: stat(/var/ldap/ldap_client_file)=0 file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file) file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred) Starting network services start: /usr/bin/domainname kleinfeld.ch... success start: sleep 100000 microseconds start: network/ldap/client:default... success restart: sleep 100000 microseconds restart: milestone/name-services:default... success System successfully configured authenticationMethod: tls:simple serviceAuthenticationMethod: arg[0]: pam_ldap:tls:simple defaultSearchBase: ou=unix,o=kleinfeld,c=ch credentialLevel: proxy domainName: kleinfeld.ch proxyDN: cn=proxyAgent,ou=profile,o=kleinfeld,c=ch objectclassMap: arg[0]: group:posixGroup=posixGroup arg[1]: passwd:posixAccount=posixAccount arg[2]: shadow:shadowAccount=shadowAccount attributeMap: arg[0]: passwd:gecos=cn serviceSearchDescriptor: arg[0]: passwd:ou=people,ou=unix,o=kleinfeld,c=ch?one arg[1]: group:ou=groups,ou=unix,o=kleinfeld,c=ch?one arg[2]: netgroup:ou=netgroup,ou=unix,o=kleinfeld,c=ch?one proxyPassword: xxxxxxxxxxxxx defaultServerList: ldap01.kleinfeld.ch certificatePath: /var/ldap thanks in advance John

4 8

ldap_start_tls_s() usage related errors
by dhiraj.prasad＠tcs.com 12 Oct '08

12 Oct '08

Hello, I have configured LDAP server on linux with TLS support and was able to fetch data from it using the 'ldapsearch' utility. However, when i tried to do this searching via code i got following errors: Error at Server Side: slap_listener_activate(10): >>> slap_listener(ldaps://) connection_get(15): got connid=47 connection_read(15): checking for input on id=47 TLS trace: SSL_accept:before/accept initialization TLS trace: SSL_accept:SSLv3 read client hello A TLS trace: SSL_accept:SSLv3 write server hello A TLS trace: SSL_accept:SSLv3 write certificate A TLS trace: SSL_accept:SSLv3 write certificate request A TLS trace: SSL_accept:SSLv3 flush data TLS trace: SSL_accept:error in SSLv3 read client certificate A TLS trace: SSL_accept:error in SSLv3 read client certificate A connection_get(15): got connid=47 connection_read(15): checking for input on id=47 TLS trace: SSL3 alert read:fatal:unknown CA TLS trace: SSL_accept:failed in SSLv3 read client certificate A TLS: can't accept. TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1053 connection_read(15): TLS accept failure error=-1 id=47, closing connection_closing: readying conn=47 sd=15 for close connection_close: conn=47 sd=15 Error at Client side: [root@localhost LDAP1]# ./ldapSearch ldap_extended_operation_s ldap_extended_operation ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP localhost.localdomain:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 127.0.0.1:636 ldap_connect_timeout: fd: 3 tm: -1 async: 0 TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS trace: SSL_connect:SSLv3 read server hello A TLS certificate verification: depth: 1, err: 19, subject: /C=IN/ST=MH/O=TCS/OU=EIS/CN=localhost.localdomain/emailAddress=dhiraj.prasad(a)tcs.com, issuer: /C=IN/ST=MH/O=TCS/OU=EIS/CN=localhost.localdomain/emailAddress=dhiraj.prasad(a)tcs.com TLS certificate verification: Error, self signed certificate in certificate chain TLS trace: SSL3 alert write:fatal:unknown CA TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS: can't connect. ldap_err2string Error in ldap_start_tls_s -1:Can't contact LDAP serverTest..1 ldap_bind_s ldap_simple_bind_s ldap_sasl_bind_s ldap_sasl_bind ldap_send_initial_request ldap_send_server_request Test..2: -1 ldap_err2string Failure of LDAP bind -1-Can't contact LDAP server [root@localhost LDAP1]# Snippet of client code for TLS support used by Me: ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version ); ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE, "/root/cacert.pem"); ldap_set_option(ld, LDAP_OPT_X_TLS_CERTFILE, "/usr/local/etc/openldap/ldap.client.pem"); ldap_set_option(ld, LDAP_OPT_X_TLS_KEYFILE, "/usr/local/etc/openldap/ldap.client.key.pem"); ldap_set_option(ld, LDAP_OPT_REFERRALS , LDAP_OPT_ON); val = LDAP_OPT_X_TLS_ALLOW; ldap_set_option (ld, LDAP_OPT_X_TLS, &val); status = ldap_start_tls_s(ld, NULL, NULL); Please let me know as to what is missing in my code that is triggering the above errors. Also if there are any sample TLS client code, please let me know where can i get it. Thanks, Dhiraj Kumar Prasad Tata Consultancy Services Mailto: dhiraj.prasad(a)tcs.com Website: http://www.tcs.com ____________________________________________ Experience certainty. IT Services Business Solutions Outsourcing ____________________________________________ =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

2 1

How to make two attribute unique
by piyush joshi 10 Oct '08

10 Oct '08

Hello All, I wanna know is it possible to make 2 attributes unique Example -: mail and mailAlternateAddress , I mean to say if i have set abc(a)expmple.net in mail attribute as a value and if then I try to add same to the mailAlternateAddress attribute it will prevent me to do this and also vice versa. -- Regards Piyush Joshi 9415414376

2 3

CSN too old
by Paul Lee 10 Oct '08

10 Oct '08

Dear all, I am using openldap version 2.4.9, I am using 4 ldap servers with 4-way master configured. Data can be synronized initially, but when the records is getting more and more, now is around 100k records, I always find data is not synronized between the four ldap servers. I find that "CSN is too old, ignoring" in the LDAP log file. Sep 24 04:04:03 disb01 slapd[28779]: do_syncrep2: cookie=rid=003,sid=001,csn=20080923200403.713637Z#000000#003#000000 Sep 24 04:04:03 disb01 slapd[28779]: do_syncrep2: rid=003 CSN too old, ignoring 20080923200403.713637Z#000000#003#000000 Sep 24 04:04:03 disb01 slapd[28779]: do_syncrep2: cookie=rid=002,sid=001,csn=20080923200403.713637Z#000000#003#000000 Sep 24 04:04:03 disb01 slapd[28779]: do_syncrep2: rid=002 CSN too old, ignoring 20080923200403.713637Z#000000#003#000000 Sep 24 04:04:03 disb01 slapd[28779]: do_syncrep2: cookie=rid=002,sid=001,csn=20080923200403.739461Z#000000#002#000000 Sep 24 04:04:03 disb01 slapd[28779]: syncrepl_entry: rid=002 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_MODIFY) Sep 24 04:04:03 disb01 slapd[28779]: syncrepl_entry: rid=002 be_search (0) Sep 24 04:04:03 disb01 slapd[28779]: syncrepl_entry: rid=002 cn=pwdfail,ou=SCIG,ou=Govt-Dept,o=HKSARG Any idea of this kind of error and how to fixed it ? Thanks Confidential Communication - This e-mail (including any attachments) is confidential and may be legally privileged. If this e-mail has been sent to you by mistake please inform us by reply e-mail and then delete the e-mail, destroy any printed copy and do not disclose or use the information in it.

4 13

Large stack allocations
by Sean Burford 10 Oct '08

10 Oct '08

Hi, bdb_search() allocates space for 128k candidate IDs and 64k scope IDs on the stack (about 768k of memory). bdb_idl_fetch_key() also allocates a large buffer on the stack (262352 bytes). Most other functions allocate roughly 1kB. Using the stack rather than heap limits the size of these structures (idl.h observes: "IDL sizes - likely should be even bigger. limiting factors: sizeof(ID), thread stack size") Using the stack for large allocations also creates the possibility of these arrays straddling the guard page (possibly resulting in local variables ending up in neighboring memory regions). Would the performance cost of using the heap or thread local storage for these allocations outweigh the benefit of being able to use bigger arrays? If you're interested in some statistics about slapd's stack usage, the static analysis perl script on kegel.com matches what I'm seeing from real running slapds: http://www.kegel.com/stackcheck/ -- Thanks, Sean Burford

2 1

slapd.conf and 2 databases
by Kermito le kermit 09 Oct '08

09 Oct '08

hello all, I am new to openldap and i want to now how put 2 databases in slpad.conf, when i make this in my config , slpad start but i see this message : bdb(dc=example,dc=com): PANIC: fatal region error detected; run recovery help please

2 1

Re: AW: Re: AW: Re: AW: StartTLS is not working
by Dat Duong 09 Oct '08

09 Oct '08

Hi Hauke, I've followed the mini tutorial and got stuck at the path for the server certificates in your tutorial. The path is not correct for slapd. Can you verify? TLSCertificateFile /usr/lib/ssl/certs/<fqdn>.cert.pem TLSCertificateKeyFile /usr/lib/ssl/private/<fqdn>.key.pem thanks ----- Original Message ---- From: Hauke Coltzau <hauke.coltzau(a)FernUni-Hagen.de> To: Dat Duong <datduong2000(a)yahoo.com> Cc: openldap-technical <openldap-technical(a)openldap.org> Sent: Thursday, October 9, 2008 12:46:00 AM Subject: AW: Re: AW: Re: AW: StartTLS is not working Hi Dat, > I've added the below to /etc/openldap/ldap.conf on RHEL 5: > TLS_CACERT /etc/openldap/cacerts/ServerCA.chain.pem > TLS_REQCERT demand > > and still getting errors messages... below: > > TLS certificate verification: Error, self signed certificate The LDAP server does not send a server certificate but a self signed certificate. Are you sending the RootCA's certificate? Create a server certificate as described in the tutorial and let your LDAP server use this. I assume that you will have to read a bit more about certificates and openssl to understand all the steps of the mini tutorial. Rergards, Hauke ----- Original Message ---- From: Hauke Coltzau <hauke.coltzau(a)FernUni-Hagen.de> To: openldap-software <openldap-software(a)openldap.org> Cc: Dat Duong <datduong2000(a)yahoo.com> Sent: Wednesday, October 8, 2008 2:09:11 AM Subject: AW: Re: AW: StartTLS is not working Hi Dat, glad to see that the first problem has been solved now. As Dieter already pointed out, we need to know how the certificates have been created. As a rough overview, you will need to run through following steps: 0. Understand the basic idea: At the end of this MiniHowto, you will have three certification authorities: UserCA: For user certificates (usually password protected) ServerCA: For server certificates (usually NOT password protected) RootCA: The CA that everyone has to trust in the end. This CA only exists to create and verify the UserCA and ServerCA. For your LDAP server, you create a server certificate with your ServerCA. The LDAP clients will accept the LDAP certificate as long as they trust the ServerCA. They will trust the ServerCA because they trust the RootCA. To make them do so, you will need the certificates of the ServerCA AND the RootCA on each client. Just to make sure: We are not talking about copying the LDAP certificate to the client. Instead, you will copy the CA certificates to the client. 1. Create directory structure and files containing random numbers (need to be root for this): # Make sure uuencode is installed. On Debian based # systems, type # # apt-get install sharutils # cd /usr/lib/ssl/ for i in RootCA ServerCA UserCA; do mkdir -p $i/newcerts; mkdir $i/certs; mkdir $i/crl; mkdir $i/private; touch $i/index.txt; echo 01 > $i/serial; chmod -R g-rwx,o-rwx $i; done for i in `find /usr/lib/ssl/ -name private` do cat /dev/urandom | uuencode -m bla | head -19 | sed "s/begin.*//g" | tail -18 | xargs | sed "s/ //g" > $i/.rand chmod 770 $i/.rand ls -l $i/.rand done At the end of this step, you will have three subdirectories in /usr/lib/ssl: RootCA: Contains the root CA's self-signed certificate and private key as well as the certificates created by the root CA. ServerCA: Contains the CA which is used to create server certificates. Again, the directory contains of the server CA's certificate and key as well as the certificates created by the server CA. UserCA: Contains the CA which is used to create user certificates. 2. openssl.cnf Adapt your openssl.cnf (should be in /usr/lib/ssl, too) to have proper entries for each of the CAs: HOME = /usr/lib/ssl [ RootCA ] dir = /usr/lib/ssl/RootCA certs = $dir/certs crl_dir = $dir/crl database = $dir/index.txt new_certs_dir = $dir/newcerts certificate = $dir/RootCA.cert.pem serial = $dir/serial crl = $dir/crl.pem private_key = $dir/private/RootCA.key.pem RANDFILE = $dir/private/.rand policy = policy_match x509_extensions = ca_cert [ ServerCA ] dir = /usr/lib/ssl/ServerCA certs = $dir/certs crl_dir = $dir/crl database = $dir/index.txt new_certs_dir = $dir/newcerts certificate = $dir/ServerCA.cert.pem serial = $dir/serial crl = $dir/crl.pem private_key = $dir/private/ServerCA.key.pem RANDFILE = $dir/private/.rand x509_extensions = usr_cert (Same with [ UserCA ]) There are more options to be set, but they depend on your environment. Have a look at the default_days, default_md, ... parameters. 1. Create a self signed certificate (RootCA): cd /usr/lib/ssl/RootCA # Create the private key first # You will be asked for a new pasword here. Make it a good one and remember it ;-) openssl genrsa -aes256 -out /usr/lib/ssl/RootCA/private/RootCA.key.pem -rand /usr/lib/ssl/RootCA/private/.rand 2048 chmod g-rwx,o-rwx /usr/lib/ssl/RootCA/private/RootCA.key.pem # Now create a certification request. Because the cert is self-signed, this # directly creates the RootCA's certificate. You will be asked for the # password you just created. # # All in one line: openssl req -new -x509 -days 1827 -key /usr/lib/ssl/RootCA/private/RootCA.key.pem -out /usr/lib/ssl/RootCA/RootCA.cert.pem # Copy the certificate to the certs directory and create a link named like # the cert's hash value cp RootCA.cert.pem certs/00.pem cd certs ln -s /usr/lib/ssl/RootCA/certs/00.pem `openssl x509 -hash -noout -in 00.pem`.0 Now you should have the cert (00.pem) and something like 1a2783e8.0 pointing to /usr/lib/ssl/RootCA/00.pem 2. Create the ServerCA cd /usr/lib/ssl/ServerCA # Create the private key for the ServerCA # You will be asked for a new password here. Do not make it the same as the RootCA's # password, but still - make it a good one. # openssl genrsa -aes256 -out /usr/lib/ssl/ServerCA/private/ServerCA.key.pem -rand /usr/lib/ssl/ServerCA/private/.rand 2048 chmod g-rwx,o-rwx /usr/lib/ssl/ServerCA/private/ServerCA.key.pem # Create the certification request. You will be asked for the # newly created password. # (All in one line) openssl req -new -days 1827 -key /usr/lib/ssl/ServerCA/private/ServerCA.key.pem -out /usr/lib/ssl/ServerCA/ServerCA.req.pem # Let the RootCA sign the request and create the certificate. # You will need the RootCA's password for this. # openssl ca -name RootCA -in /usr/lib/ssl/ServerCA/ServerCA.req.pem -out /usr/lib/ssl/ServerCA/ServerCA.cert.pem # Copy and link the certificate. # mv /usr/lib/ssl/RootCA/newcerts/01.pem /usr/lib/ssl/RootCA/certs/ cd /usr/lib/ssl/RootCA/certs/ ln -s 01.pem `openssl x509 -in 01.pem -hash -noout`.0 # And copy the part neccessary for browser integration into # another file (this is the part between BEGIN CERTIFICATE and END CERTIFICATE) # cd /usr/lib/ssl/ServerCA sed -n '/-----BEGIN CERTIFICATE-----/,$p' ServerCA.cert.pem > ServerCA.crt # Create the CACerts file used on the client side to verify a server cert mkdir /usr/lib/ssl/cacerts/ cat /usr/lib/ssl/RootCA/RootCA.cert.pem /usr/lib/ssl/ServerCA/ServerCA.cert.pem > /usr/lib/ssl/cacerts/ServerCA.chain.pem # The newly created file (ServerCA.chain.pem) is the CACertsFile which has to be copied # to every client. Create a /usr/lib/ssl/cacerts/ directory on the client side and copy # the file to that location. 3. Do the same with the User CA 4. Create your LDAP server certificate. As for the name in your cert, use the fqdn of the machine you are running the server on. cd /usr/lib/ssl/ServerCA # You will NOT need a password here # openssl genrsa -out <fqdn-of-your-server>.key.pem -rand ./private/.rand 2048 openssl req -new -key <fqdn-of-your-server>.key.pem -out <fqdn-of-your-server>.req.pem # But here, you will be asked for the ServerCA's password openssl ca -name ServerCA -in <fqdn-of-your-server>.req.pem -out <fqdn-of-your-server>.cert.pem Move and link the new certificate (in newcerts) as above. 5. Configure LDAP server and clients Make sure that your ldap server can read its own private key. If your ldap server is running as user openldap, make sure that this user owns the private key in /usr/lib/ssl/ServerCA/private/ Normal users should never be allowed to read the key! This would break the whole security mechanism. In your slapd.conf, you will have TLSCertificateFile /usr/lib/ssl/certs/<fqdn>.cert.pem TLSCertificateKeyFile /usr/lib/ssl/private/<fqdn>.key.pem And on client side ldap.conf: TLS_CACERT /usr/lib/ssl/cacerts/ServerCA.chain.pem TLS_REQCERT demand Hope this helps, Hauke p.s.: The description is strongly influenced by Frank Steidl's tutorial as it can be found at http://fra.nksteidl.de/Erinnerungen/OpenSSL.php ----- Ursprüngliche Mail ----- Von: "Dieter Kluenter" < dieter(a)dkluenter.de > An: openldap-technical(a)openldap.org Gesendet: Dienstag, 7. Oktober 2008 22:34:14 GMT +01:00 Amsterdam/Berlin/Bern/Rom/Stockholm/Wien Betreff: Re: AW: StartTLS is not working Dat Duong < datduong2000(a)yahoo.com > writes: > Hi Hauke, > > I still can't get TLS to work. Here is the error message. > > TLS certificate verification: Error, self signed certificate > tls_write: want=7, written=7 > 0000: 15 03 01 00 02 02 30 ......0 > TLS trace: SSL3 alert write:fatal:unknown CA > TLS trace: SSL_connect:error in SSLv3 read server certificate B > TLS trace: SSL_connect:error in SSLv3 read server certificate B > TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed Please describe the parameters to create your certificate chain. I presume you have not signed your certificates with a known certificate authority. -Dieter -- Dieter Klünter | Systemberatung http://www.dpunkt.de/buecher/2104.html GPG Key ID:8EF7B6C6 53°08'09,95"N 10°08'02,42"E -- ------------------------------------ Fernuniversität in Hagen Lehrgebiet Kommunikationsnetze http://www.fernuni-hagen.de/kn Fon/Fax: +49 2331 987 -1142 / -353 ------------------------------------ -- ------------------------------------ Fernuniversität in Hagen Lehrgebiet Kommunikationsnetze http://www.fernuni-hagen.de/kn Fon/Fax: +49 2331 987 -1142 / -353 ------------------------------------

2 1

AW: Re: AW: Re: AW: StartTLS is not working
by Hauke Coltzau 09 Oct '08

09 Oct '08

Hi Dat, > I've added the below to /etc/openldap/ldap.conf on RHEL 5: > TLS_CACERT /etc/openldap/cacerts/ServerCA.chain.pem > TLS_REQCERT demand > > and still getting errors messages... below: > > TLS certificate verification: Error, self signed certificate The LDAP server does not send a server certificate but a self signed certificate. Are you sending the RootCA's certificate? Create a server certificate as described in the tutorial and let your LDAP server use this. I assume that you will have to read a bit more about certificates and openssl to understand all the steps of the mini tutorial. Rergards, Hauke ----- Original Message ---- From: Hauke Coltzau <hauke.coltzau(a)FernUni-Hagen.de> To: openldap-software <openldap-software(a)openldap.org> Cc: Dat Duong <datduong2000(a)yahoo.com> Sent: Wednesday, October 8, 2008 2:09:11 AM Subject: AW: Re: AW: StartTLS is not working Hi Dat, glad to see that the first problem has been solved now. As Dieter already pointed out, we need to know how the certificates have been created. As a rough overview, you will need to run through following steps: 0. Understand the basic idea: At the end of this MiniHowto, you will have three certification authorities: UserCA: For user certificates (usually password protected) ServerCA: For server certificates (usually NOT password protected) RootCA: The CA that everyone has to trust in the end. This CA only exists to create and verify the UserCA and ServerCA. For your LDAP server, you create a server certificate with your ServerCA. The LDAP clients will accept the LDAP certificate as long as they trust the ServerCA. They will trust the ServerCA because they trust the RootCA. To make them do so, you will need the certificates of the ServerCA AND the RootCA on each client. Just to make sure: We are not talking about copying the LDAP certificate to the client. Instead, you will copy the CA certificates to the client. 1. Create directory structure and files containing random numbers (need to be root for this): # Make sure uuencode is installed. On Debian based # systems, type # # apt-get install sharutils # cd /usr/lib/ssl/ for i in RootCA ServerCA UserCA; do mkdir -p $i/newcerts; mkdir $i/certs; mkdir $i/crl; mkdir $i/private; touch $i/index.txt; echo 01 > $i/serial; chmod -R g-rwx,o-rwx $i; done for i in `find /usr/lib/ssl/ -name private` do cat /dev/urandom | uuencode -m bla | head -19 | sed "s/begin.*//g" | tail -18 | xargs | sed "s/ //g" > $i/.rand chmod 770 $i/.rand ls -l $i/.rand done At the end of this step, you will have three subdirectories in /usr/lib/ssl: RootCA: Contains the root CA's self-signed certificate and private key as well as the certificates created by the root CA. ServerCA: Contains the CA which is used to create server certificates. Again, the directory contains of the server CA's certificate and key as well as the certificates created by the server CA. UserCA: Contains the CA which is used to create user certificates. 2. openssl.cnf Adapt your openssl.cnf (should be in /usr/lib/ssl, too) to have proper entries for each of the CAs: HOME = /usr/lib/ssl [ RootCA ] dir = /usr/lib/ssl/RootCA certs = $dir/certs crl_dir = $dir/crl database = $dir/index.txt new_certs_dir = $dir/newcerts certificate = $dir/RootCA.cert.pem serial = $dir/serial crl = $dir/crl.pem private_key = $dir/private/RootCA.key.pem RANDFILE = $dir/private/.rand policy = policy_match x509_extensions = ca_cert [ ServerCA ] dir = /usr/lib/ssl/ServerCA certs = $dir/certs crl_dir = $dir/crl database = $dir/index.txt new_certs_dir = $dir/newcerts certificate = $dir/ServerCA.cert.pem serial = $dir/serial crl = $dir/crl.pem private_key = $dir/private/ServerCA.key.pem RANDFILE = $dir/private/.rand x509_extensions = usr_cert (Same with [ UserCA ]) There are more options to be set, but they depend on your environment. Have a look at the default_days, default_md, ... parameters. 1. Create a self signed certificate (RootCA): cd /usr/lib/ssl/RootCA # Create the private key first # You will be asked for a new pasword here. Make it a good one and remember it ;-) openssl genrsa -aes256 -out /usr/lib/ssl/RootCA/private/RootCA.key.pem -rand /usr/lib/ssl/RootCA/private/.rand 2048 chmod g-rwx,o-rwx /usr/lib/ssl/RootCA/private/RootCA.key.pem # Now create a certification request. Because the cert is self-signed, this # directly creates the RootCA's certificate. You will be asked for the # password you just created. # # All in one line: openssl req -new -x509 -days 1827 -key /usr/lib/ssl/RootCA/private/RootCA.key.pem -out /usr/lib/ssl/RootCA/RootCA.cert.pem # Copy the certificate to the certs directory and create a link named like # the cert's hash value cp RootCA.cert.pem certs/00.pem cd certs ln -s /usr/lib/ssl/RootCA/certs/00.pem `openssl x509 -hash -noout -in 00.pem`.0 Now you should have the cert (00.pem) and something like 1a2783e8.0 pointing to /usr/lib/ssl/RootCA/00.pem 2. Create the ServerCA cd /usr/lib/ssl/ServerCA # Create the private key for the ServerCA # You will be asked for a new password here. Do not make it the same as the RootCA's # password, but still - make it a good one. # openssl genrsa -aes256 -out /usr/lib/ssl/ServerCA/private/ServerCA.key.pem -rand /usr/lib/ssl/ServerCA/private/.rand 2048 chmod g-rwx,o-rwx /usr/lib/ssl/ServerCA/private/ServerCA.key.pem # Create the certification request. You will be asked for the # newly created password. # (All in one line) openssl req -new -days 1827 -key /usr/lib/ssl/ServerCA/private/ServerCA.key.pem -out /usr/lib/ssl/ServerCA/ServerCA.req.pem # Let the RootCA sign the request and create the certificate. # You will need the RootCA's password for this. # openssl ca -name RootCA -in /usr/lib/ssl/ServerCA/ServerCA.req.pem -out /usr/lib/ssl/ServerCA/ServerCA.cert.pem # Copy and link the certificate. # mv /usr/lib/ssl/RootCA/newcerts/01.pem /usr/lib/ssl/RootCA/certs/ cd /usr/lib/ssl/RootCA/certs/ ln -s 01.pem `openssl x509 -in 01.pem -hash -noout`.0 # And copy the part neccessary for browser integration into # another file (this is the part between BEGIN CERTIFICATE and END CERTIFICATE) # cd /usr/lib/ssl/ServerCA sed -n '/-----BEGIN CERTIFICATE-----/,$p' ServerCA.cert.pem > ServerCA.crt # Create the CACerts file used on the client side to verify a server cert mkdir /usr/lib/ssl/cacerts/ cat /usr/lib/ssl/RootCA/RootCA.cert.pem /usr/lib/ssl/ServerCA/ServerCA.cert.pem > /usr/lib/ssl/cacerts/ServerCA.chain.pem # The newly created file (ServerCA.chain.pem) is the CACertsFile which has to be copied # to every client. Create a /usr/lib/ssl/cacerts/ directory on the client side and copy # the file to that location. 3. Do the same with the User CA 4. Create your LDAP server certificate. As for the name in your cert, use the fqdn of the machine you are running the server on. cd /usr/lib/ssl/ServerCA # You will NOT need a password here # openssl genrsa -out <fqdn-of-your-server>.key.pem -rand ./private/.rand 2048 openssl req -new -key <fqdn-of-your-server>.key.pem -out <fqdn-of-your-server>.req.pem # But here, you will be asked for the ServerCA's password openssl ca -name ServerCA -in <fqdn-of-your-server>.req.pem -out <fqdn-of-your-server>.cert.pem Move and link the new certificate (in newcerts) as above. 5. Configure LDAP server and clients Make sure that your ldap server can read its own private key. If your ldap server is running as user openldap, make sure that this user owns the private key in /usr/lib/ssl/ServerCA/private/ Normal users should never be allowed to read the key! This would break the whole security mechanism. In your slapd.conf, you will have TLSCertificateFile /usr/lib/ssl/certs/<fqdn>.cert.pem TLSCertificateKeyFile /usr/lib/ssl/private/<fqdn>.key.pem And on client side ldap.conf: TLS_CACERT /usr/lib/ssl/cacerts/ServerCA.chain.pem TLS_REQCERT demand Hope this helps, Hauke p.s.: The description is strongly influenced by Frank Steidl's tutorial as it can be found at http://fra.nksteidl.de/Erinnerungen/OpenSSL.php ----- Ursprüngliche Mail ----- Von: "Dieter Kluenter" < dieter(a)dkluenter.de > An: openldap-technical(a)openldap.org Gesendet: Dienstag, 7. Oktober 2008 22:34:14 GMT +01:00 Amsterdam/Berlin/Bern/Rom/Stockholm/Wien Betreff: Re: AW: StartTLS is not working Dat Duong < datduong2000(a)yahoo.com > writes: > Hi Hauke, > > I still can't get TLS to work. Here is the error message. > > TLS certificate verification: Error, self signed certificate > tls_write: want=7, written=7 > 0000: 15 03 01 00 02 02 30 ......0 > TLS trace: SSL3 alert write:fatal:unknown CA > TLS trace: SSL_connect:error in SSLv3 read server certificate B > TLS trace: SSL_connect:error in SSLv3 read server certificate B > TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed Please describe the parameters to create your certificate chain. I presume you have not signed your certificates with a known certificate authority. -Dieter -- Dieter Klünter | Systemberatung http://www.dpunkt.de/buecher/2104.html GPG Key ID:8EF7B6C6 53°08'09,95"N 10°08'02,42"E -- ------------------------------------ Fernuniversität in Hagen Lehrgebiet Kommunikationsnetze http://www.fernuni-hagen.de/kn Fon/Fax: +49 2331 987 -1142 / -353 ------------------------------------ -- ------------------------------------ Fernuniversität in Hagen Lehrgebiet Kommunikationsnetze http://www.fernuni-hagen.de/kn Fon/Fax: +49 2331 987 -1142 / -353 ------------------------------------

1 0

ldapadd error
by Kermito le kermit 08 Oct '08

08 Oct '08

hello all i am new to openldap and i have some problem to use, i follow the exemple in quick start guide to make my slpad.conf but when i what to populta my data base i have error in the log i see conn=0 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128 conn=0 op=0 BIND dn="cn=Manager,dc=example,dc=com" mech=SIMPLE ssf=0 conn=0 op=0 RESULT tag=97 err=0 text= conn=0 op=1 ADD dn="dc=example,dc=com" Erreur de segmentation i am to debian help me please

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical