On Wed, 14 Dec 2011 19:39:13 CET, Raffael Sahli wrote:
On 14.12.2011 16:54, rey sebastien wrote:
On 13/12/2011 16:48, Raffael Sahli wrote:
On 12/13/2011 04:34 PM, rey sebastien wrote:
On Tue, 13 Dec 2011 15:16:08 CET, Raffael Sahli wrote:
On 12/13/2011 02:59 PM, rey sebastien wrote:
On Tue, 13 Dec 2011 13:00:16 CET, Raffael Sahli wrote:
> On 12/13/2011 12:14 PM, rey sebastien wrote:
>> On Tue, 13 Dec 2011 11:08:43 CET, Raffael Sahli wrote:
>>> On 12/13/2011 10:12 AM, rey sebastien wrote:
>>>> After that, you are right, you and others, to point to the old Debian package, so I try to recompile the last release with OpenSSL. This is the best solution, I agree.
>>>>
>>>> I try to compile with these options:
>>>> ./configure --with-tls=openssl --with-threads --with-cyrus-sasl --enable-crypt --enable-debug --enable-cleartext --enable-spasswd --enable-dynacl --enable-aci --enable-modules --enable-wrappers --enable-rewrite --enable-rlookups
>>>>
>>>> After configure, I run make depend, make, make install; all executions are OK. After that, how can I install LDAP as a service, like Debian style => service slapd start | stop | restart?
>>>>
>>> If you load the sources with apt-src, there's a Debian init script available in the OpenLDAP sources (debian folder; just copy the script into your init.d folder and create the symlinks with update-rc.d).
>>> That's the simplest way, or find the script online or extract it from the deb package....
>>>
>>>> Thanks again,
>>>> Sr
>>>>
>>>> On 12/12/2011 22:17, Raffael Sahli wrote:
>>>>> On 12.12.2011 21:55, rey sebastien wrote:
>>>>>> On 12/12/2011 21:07, Howard Chu wrote:
>>>>>>> rey sebastien wrote:
>>>>>>>> On 12/12/2011 19:24, Howard Chu wrote:
>>>>>>>>> reyman wrote:
>>>>>>>>>> You have a self-signed certificate,
>>>>>>>>>
>>>>>>>>> Correct.
>>>>>>>>>
>>>>>>>>>> so you don't need to verify your certificate. When you activate TLS on LDAP, you only need these two lines, and you don't need the line with certificate verification, *olcTLSCACertificateFile:*
>>>>>>>>>
>>>>>>>>> Wrong.
>>>>>>>> It's true and false: with Debian and OpenLDAP compiled with GnuTLS (my case), I read this documentation: http://wiki.debian.org/LDAP/OpenLDAPSetup and they said:
>>>>>>>
>>>>>>> Pure garbage.
>>>>>>>
>>>>>>>> Procedure:
>>>>>>>>
>>>>>>>> You're going to need the GnuTLS certificate generator: certtool, http://www.gnu.org/software/gnutls/manual/html_node/Invoking-certtool.html.
>>>>>>>>
>>>>>>>> Run these two commands to generate a new self-signed key (into the current working directory):
>>>>>>>>
>>>>>>>> certtool --generate-privkey --outfile ca-key.pem
>>>>>>>> certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem
>>>>>>>>
>>>>>>>> Then, update your certificate locations in /etc/ldap/slapd.conf (TLSCertificateFile points to ca-cert.pem and TLSCertificateKeyFile points to ca-key.pem), *comment out TLSCACertificateFile*, and change *TLSVerifyClient to never.*
>>>>>>>>
>>>>>>>> In /etc/ldap/ldap.conf, comment out TLS_CACERT and change TLS_REQCERT to never.
>>>>>>>
>>>>>>> This is utterly bogus. Turning off these checks disables any spoofing detection; you might as well run without TLS at all.
>>>>>>>
>>>>>> IMHO I know this problem but I think this is better than nothing, and actually I have nothing. I wait for a valid certificate...
>>>>>> And sorry, but your RTFM answer doesn't help me to resolve this problem with GnuTLS and Debian; it took me many hours to find a valid solution for my use case, and the manual doesn't help me particularly on this point.
>>>>>>
>>>>> On Debian: you should compile OpenLDAP with OpenSSL support and not use the dpkg package from the Debian apt repos...
>>>>>
>>>>> > In /etc/ldap/ldap.conf, comment out TLS_CACERT and change TLS_REQCERT to never.
>>>>> Like Howard Chu said, bad idea, just for testing or whatever else.....
>>>>>
>>>>>> OpenLDAP is great software, but the documentation is a little "cryptic" for a beginner like me, so I think it's easy to be rude with beginners on many points.
>>>>>>
>>>>>> Best regards,
>>>>>> SR.
>>>>>>>> Since the certificate is self-signed, we can't have GnuTLS trying to verify it (hence the never), otherwise it will never run.
>>>>>>>>
>>>>>>>> And RTFM is a little violent; I try to help with my little experience, I'm not an expert for sure.
>>>>>>>
>>>>>>> RTFM is exactly the correct response.
>>>>>>>
>>>>>>>> Best regards,
>>>>>>>> SR.
>>>>>>>>>
>>>>>>>>> RTFM.
>>>>>>>>>
>>>>>>>>> http://www.openldap.org/doc/admin24/tls.html
>>>>>>>>>
>>>>>>>>>> On Mon, Dec 12, 2011 at 12:31 PM, Jayavant Patil <jayavant.patil82@gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> > On Mon, Dec 12, 2011 at 4:19 PM, reyman <reyman64@gmail.com> wrote:
>>>>>>>>>> > With the option -ZZ I think, try this
>>>>>>>>>> > ldapsearch -x -LLL -ZZ -d 150
>>>>>>>>>>
>>>>>>>>>> Yeah, it shows output containing ber_dump, ldap_write, ldap_read, tls_write, tls_read etc. But at the end it shows the following:
>>>>>>>>>>
>>>>>>>>>> TLS certificate verification: Error, self signed certificate
>>>>>>>>>> TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate).
>>>>>>>>>> ldap_start_tls: Connect error (-11)
>>>>>>>>>> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate)
>>>>>>>>>>
>>>>>>>>>> Why does it show an error? And how to resolve this?
>>>>>>>>>>
>>>>>>>>>> And when I do ldapsearch with the -ZZ option it gives an error:
>>>>>>>>>>
>>>>>>>>>> $ ldapsearch -x -v -D "cn=root,dc=abc,dc=com" -w cluster -b "ou=People,dc=abc,dc=com" "uid=ldap_6" -h n0 -ZZ
>>>>>>>>>> ldap_initialize( ldap://n0 )
>>>>>>>>>> ldap_start_tls: Connect error (-11)
>>>>>>>>>> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>>>>>>>>>
>>>>>>>>>> > On Mon, Dec 12, 2011 at 11:21 AM, Jayavant Patil <jayavant.patil82@gmail.com> wrote:
>>>>>>>>>> >> Hi,
>>>>>>>>>> >>
>>>>>>>>>> >> I am using openldap-2.4.19-4.x86_64 on a Fedora 12 machine. I have enabled OpenLDAP SSL/TLS. How do I know (test) that I am using SSL/TLS connections instead of normal ldap:///?
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>> OK thanks, I found the script and re-configured it.
>>
>> I am looking for more information to make a good fresh install. After removing the Debian package, I have an openldap user and group. Do you think I can delete this user, or is it better to reuse it for better security? For example, can I install all files for LDAP into the /home/openldap user (with the --prefix option equal to /home/openldap)?
>> Do you have a list/tutorial which indicates the files which need an openldap:openldap user to execute?
>>
>> Thanks,
>> Best regards,
>> SR.
> /home is not really the directory to install an application. Better you use the default path located in /usr/local. And of course you have to create a user named openldap or take your existing openldap user. Start your daemon with this user (see /etc/default/slapd on Debian for the init script; you have to copy this file from your OpenLDAP source installed per apt-src, or use the file from the installed deb package).
> And you're OK with the default permissions set by "make install". Only your SSL certificates should be owned by "openldap" and mode 0400.
There are some modifications between the old version I used and the last release; I don't find the slapd file which contains information like SLAPD_SERVICES, etc. Is the replacement for this file slapd.ldif? Is this file an example of configuration, or the default configuration loaded when the slapd daemon starts?
There's a difference between the default config from Debian and the OpenLDAP configuration (in .conf or .ldif format). The default config, located in /etc/default/slapd, contains just "daemon start" related options and has nothing to do with the OpenLDAP configuration. If you download OpenLDAP from the Debian sources with apt-src, you will get a directory named debian. There is a slapd.conf (OpenLDAP example configuration) and a file named slapd.default (Debian start parameters; copy it to /etc/default/slapd), and last: slapd.init, copy it to /etc/init.d/slapd.
I have no man page for slapd.d; is it a bug, or doesn't it exist? Thanks, SR.
OK, so I did:

mv slapd.default /etc/default/slapd
mv slapd.init /etc/init.d/slapd

and I changed some settings with nano:

# The path can be overridden in /etc/default/slapd
SLAPD=/usr/local/libexec/slapd

# Load the default location of the slapd config file
# (test the same prefix path that is assigned below; the Debian script
# tests /etc/ldap/slapd.d, which does not exist in a /usr/local install)
if [ -z "$SLAPD_CONF" ]; then
    if [ -e /usr/local/etc/openldap/slapd.d ]; then
        SLAPD_CONF=/usr/local/etc/openldap/slapd.d
    else
        SLAPD_CONF=/usr/local/etc/openldap/slapd.conf
    fi
fi
I changed the permissions of the slapd init file:

chmod +x /etc/init.d/slapd

I changed the service init levels:

ln -s /etc/init.d/slapd /etc/rc3.d/S90slapd
ln -s /etc/init.d/slapd /etc/rc4.d/S90slapd
ln -s /etc/init.d/slapd /etc/rc5.d/S90slapd
ln -s /etc/init.d/slapd /etc/rc0.d/K10slapd
ln -s /etc/init.d/slapd /etc/rc6.d/K10slapd

update-rc.d slapd defaults

After that, I changed the ownership, otherwise service slapd doesn't start:

chown -R openldap:openldap /usr/local/var/openldap-data/
chown -R openldap:openldap /usr/local/etc/openldap/
chown -R openldap:openldap /usr/local/var/run/
So here are the permissions for the different folders:

/usr/local/var
drwxr-sr-x 2 openldap openldap 4096 13 déc. 16:20 openldap-data
drwxr-sr-x 2 openldap openldap 4096 13 déc. 16:20 run

/usr/local/libexec
-rwxr-xr-x 1 root staff 1891388 13 déc. 13:53 slapd

/usr/local/etc/openldap
-rw------- 1 openldap openldap 845 13 déc. 13:53 DB_CONFIG.example
-rw-r--r-- 1 openldap openldap 245 13 déc. 09:48 ldap.conf
-rw-r--r-- 1 openldap openldap 245 13 déc. 13:53 ldap.conf.default
drwxr-sr-x 2 openldap openldap 4096 13 déc. 13:53 schema
drwxr-sr-x 2 openldap openldap 4096 13 déc. 11:15 schema.17116
drwxr-sr-x 2 openldap openldap 4096 13 déc. 09:48 schema.8962
-rw------- 1 openldap openldap 2129 13 déc. 09:48 slapd.conf
-rw------- 1 openldap openldap 2129 13 déc. 13:53 slapd.conf.default
-rw------- 1 openldap openldap 2614 13 déc. 09:48 slapd.ldif
-rw------- 1 openldap openldap 2614 13 déc. 13:53 slapd.ldif.default

/usr/local/var/openldap-data/
-rw-r--r-- 1 openldap openldap 2048 13 déc. 16:20 alock
-rw------- 1 openldap openldap 24576 13 déc. 16:20 __db.001
-rw------- 1 openldap openldap 180224 13 déc. 16:20 __db.002
-rw------- 1 openldap openldap 270336 13 déc. 16:20 __db.003
-rw------- 1 openldap openldap 163840 13 déc. 16:20 __db.004
-rw------- 1 openldap openldap 540672 13 déc. 16:20 __db.005
-rw------- 1 openldap openldap 32768 13 déc. 16:20 __db.006
-rw------- 1 openldap openldap 845 13 déc. 13:53 DB_CONFIG.example
-rw------- 1 openldap openldap 8192 13 déc. 16:20 dn2id.bdb
-rw------- 1 openldap openldap 32768 13 déc. 16:20 id2entry.bdb
-rw------- 1 openldap openldap 10485760 13 déc. 16:20 log.0000000001
I have one warning, but OpenLDAP starts correctly :)
Dec 13 16:20:44 claroline slapd[17039]: bdb_db_open: warning - no DB_CONFIG file found in directory /usr/local/var/openldap-data: (2).#012Expect poor performance for suffix "dc=my-domain,dc=com".
The file DB_CONFIG (Berkeley DB configuration) is also available in your "debian" folder; just copy it into your LDAP data directory /usr/local/var/openldap-data. (You should move the LDAP data directory to /srv.)
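To check the result of the chown/chmod steps above against the rules Raffael gives (the daemon runs as openldap, the TLS key and certificate are owned by openldap and mode 0400, a DB_CONFIG is present in the data directory), here is a small audit script. It is an added example, not code from this thread or from the OpenLDAP project. The /usr/local layout is the one in the listings above; the service user, group, binary owner and TLS file paths are parameters, and the defaults (openldap/openldap, root for the slapd binary) are assumptions that match the thread.

```python
"""Audit ownership and permission bits of a prefix-built OpenLDAP tree.

Added example, not code from the thread or from OpenLDAP. Rules encoded:
slapd binary root-owned and not writable by the service user, slapd.conf
and slapd.ldif readable only by the service user, TLS material owned by
the service user and 0400, DB_CONFIG present in the data directory.
"""
import grp
import os
import pwd
import stat


def uid_name(uid):
    """User name for a uid, or the number as text when passwd has no entry."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def gid_name(gid):
    """Group name for a gid, or the number as text when group has no entry."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def file_facts(path):
    """(owner, group, permission bits) of a path; symlinks are not followed."""
    st = os.lstat(path)
    return uid_name(st.st_uid), gid_name(st.st_gid), stat.S_IMODE(st.st_mode)


def check_path(path, owner=None, group=None, max_mode=None, required=True):
    """Return findings for one path (an empty list means it passes).

    max_mode is the widest mode allowed: any permission bit set on the file
    that is not set in max_mode is reported, so max_mode=0o400 rejects a
    0o600 key file and max_mode=0o600 rejects a 0o644 slapd.conf.
    """
    if not os.path.lexists(path):
        return ["%s: missing" % path] if required else []
    owner_is, group_is, mode = file_facts(path)
    findings = []
    if owner is not None and owner_is != owner:
        findings.append("%s: owner %s, expected %s" % (path, owner_is, owner))
    if group is not None and group_is != group:
        findings.append("%s: group %s, expected %s" % (path, group_is, group))
    if max_mode is not None and mode & ~max_mode:
        findings.append("%s: mode %04o is wider than %04o" % (path, mode, max_mode))
    return findings


def audit_slapd_tree(prefix, user="openldap", group="openldap",
                     binary_owner="root", tls_files=()):
    """Run every check against one install prefix and return all findings."""
    etc = os.path.join(prefix, "etc", "openldap")
    data = os.path.join(prefix, "var", "openldap-data")
    findings = []
    # The daemon binary stays root-owned: the service user must not be able
    # to replace what the init script starts as root.
    findings += check_path(os.path.join(prefix, "libexec", "slapd"),
                           owner=binary_owner, max_mode=0o755)
    # Server configuration (rootpw lives here): service user only, no group
    # or world access. Either file may be absent depending on the setup.
    for name in ("slapd.conf", "slapd.ldif"):
        findings += check_path(os.path.join(etc, name), owner=user,
                               group=group, max_mode=0o600, required=False)
    # ldap.conf holds client defaults and may stay world-readable.
    findings += check_path(os.path.join(etc, "ldap.conf"), owner=user,
                           max_mode=0o644, required=False)
    # Data directory owned by the service user; the BDB files inside are
    # created 0600 by slapd, so the setgid 2755 directory from the listing passes.
    findings += check_path(data, owner=user, group=group, max_mode=0o2755)
    # Without DB_CONFIG slapd logs the "Expect poor performance" warning.
    findings += check_path(os.path.join(data, "DB_CONFIG"))
    # TLS key and certificate: service user only, read-only (0400).
    for path in tls_files:
        findings += check_path(path, owner=user, group=group, max_mode=0o400)
    return findings


if __name__ == "__main__":
    import sys
    # usage: audit.py [tls-key.pem tls-cert.pem ...]  (paths are assumptions)
    for line in audit_slapd_tree("/usr/local", tls_files=sys.argv[1:]):
        print(line)
```

Run it as any user that can stat the tree; an empty output means every rule passed, otherwise each line names the path and the rule it breaks.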
Now I try to make some global configuration by loading slapd.ldif, and after that I try to work with the dynamic slapd.d folder; I don't want to use slapd.conf :/
Yep, that's a good idea ;)
Thanks a lot, SR
Hi! It's not easy to start with zero configuration with the new cn=config OpenLDAP administration. I created my bd.ldif based on the slapd.ldif example in the /usr/local/etc/openldap directory. But how can I insert this LDIF with

ldapadd -Y EXTERNAL -H ldapi:/// -f myldiffile.ldif

if I cannot run slapd without a configuration? How do you start a fresh install of OpenLDAP in this case? Is there an option to run slapd with zero configuration? Thanks a lot, SR.
The best way is to create an initial configuration the old way (slapd.conf) and convert it into the online configuration:

/path/to/slapd -u openldap -g openldap -f /path/to/offlineconfig.conf -F /path/to/newonlinedirectory -d -1

After that step you have to change the daemon start parameters in /etc/default/slapd. Point the offline config to your new online config directory.
OK, it works, I have a functional slapd.d/cn=config folder, but I don't understand why I can't access OpenLDAP with cn=admin,dc=parisgeo,dc=cnrs,dc=fr and the good password generated by

My slapd.conf before conversion contained the SSHA password generated by slappasswd for the rootdn:
-----
database bdb
suffix "dc=parisgeo,dc=cnrs,dc=fr"
rootdn "cn=admin,dc=parisgeo,dc=cnrs,dc=fr"
rootpw {SSHA}xxxxxxxxxxxxxxxxxxxxx
----
I tried this:

root@xxxxx:/usr/local/etc/openldap/slapd.d# ldapsearch -D cn=admin,dc=parisgeo,dc=cnrs,dc=fr -W -x 'userName=*'
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

Bizarre... Perhaps I can try to redefine the rootdn, because it disappeared with the conversion? Do you have an idea about this?

Thanks, SR.
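For the conversion step Raffael describes and the "Invalid credentials (49)" that followed, the first thing to look at is the converted database entry: after the slapd.conf is converted into slapd.d (below with slaptest -f slapd.conf -F slapd.d, which does the same conversion as the debug-mode slapd start), the old database/suffix/rootdn/rootpw lines should reappear as olcSuffix, olcRootDN and olcRootPW in slapd.d/cn=config/olcDatabase={1}bdb.ldif. The script below is an added example, not code from this thread or from OpenLDAP: it parses such a file (including the base64 "::" form slapd uses when writing values), checks that the DN you bind with is the configured olcRootDN, and verifies the cleartext password against the {SSHA} hash the way slappasswd builds it. SAMPLE_LDIF is a constructed entry using the thread's suffix and admin DN; its password and salt are made up.

```python
"""Inspect a converted cn=config database entry and verify its rootpw.

Added example, not the thread's or OpenLDAP's code. {SSHA} is
base64(sha1(password + salt) + salt) with a 20-byte digest, which is the
scheme slappasswd uses by default.
"""
import base64
import hashlib
import hmac
import os


def parse_ldif_entry(text):
    """Return {attribute: [values]} for the first entry in an LDIF text.

    Folded lines (leading space) are joined, '#' comments are skipped, and
    values written with '::' are base64-decoded.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    attrs = {}
    for line in unfolded:
        if not line.strip():
            if attrs:
                break  # a blank line ends the entry
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attrs.setdefault(name, []).append(value)
    return attrs


def make_ssha(password, salt=None):
    """{SSHA} value as slappasswd produces it: base64(sha1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored, password):
    """True when password matches an {SSHA} value (constant-time compare)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("only {SSHA} values are handled here")
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def normalize_dn(dn):
    """Cheap DN normalization (case, spaces around commas): enough to compare
    two spellings of the rootdn, not a full RFC 4514 match."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def check_root_bind(ldif_text, bind_dn, password):
    """Explain why a simple bind as rootdn would fail, or return 'ok'."""
    attrs = parse_ldif_entry(ldif_text)
    rootdn = attrs.get("olcRootDN", [])
    if not rootdn:
        return "no olcRootDN in this database entry"
    if normalize_dn(rootdn[0]) != normalize_dn(bind_dn):
        return "bind DN %s is not the configured olcRootDN %s" % (bind_dn, rootdn[0])
    rootpw = attrs.get("olcRootPW", [])
    if not rootpw:
        return "no olcRootPW in this database entry"
    if not verify_ssha(rootpw[0], password):
        return "password does not match olcRootPW"
    return "ok"


# Constructed sample of a converted olcDatabase={1}bdb.ldif; the password
# and the fixed salt are made up so the hash is reproducible.
SAMPLE_PASSWORD = "constructed-secret"
SAMPLE_LDIF = """dn: olcDatabase={1}bdb
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {1}bdb
olcSuffix: dc=parisgeo,dc=cnrs,dc=fr
olcRootDN: cn=admin,dc=parisgeo,dc=cnrs,dc=fr
olcRootPW:: %s
""" % base64.b64encode(make_ssha(SAMPLE_PASSWORD, b"\x01\x02\x03\x04").encode("ascii")).decode("ascii")


if __name__ == "__main__":
    import sys
    # usage: check.py slapd.d/cn=config/olcDatabase={1}bdb.ldif BIND_DN PASSWORD
    if len(sys.argv) > 3:
        print(check_root_bind(open(sys.argv[1]).read(), sys.argv[2], sys.argv[3]))
    else:
        print(check_root_bind(SAMPLE_LDIF, "cn=admin,dc=parisgeo,dc=cnrs,dc=fr", SAMPLE_PASSWORD))
```

Run it against the real file as the user that owns slapd.d; the output distinguishes a missing olcRootDN (the case SR suspects) from a DN mismatch, a missing olcRootPW, and a wrong password, which all produce the same "Invalid credentials (49)" from ldapsearch.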