On 03.10.2011 20:51, Dan White wrote:
On 03/10/11 19:41 +0200, Andreas Rudat wrote:
On 03.10.2011 18:04, Dan White wrote:
On 03/10/11 17:43 +0200, Andreas Rudat wrote:
so tls isn't allowed in my configuration? I added tls on ldap.conf and /etc/default/slapd
Debug says: TLS: can't connect: A TLS packet with unexpected length was received..
What are the contents of your ldap.conf, and your /etc/default/slapd?
What is your TLS configuration on the server? In particular, your TLSVerifyClient/olcTLSVerifyClient setting (which should be something other than the default).
What do you mean with TLS config? of /etc/ssl? I worked with this tutorial for tls https://help.ubuntu.com/10.04/serverguide/C/openldap-server.html
ldap.conf
##########################################
# host fs.foo.intern

# The distinguished name of the search base.
base dc=foo,dc=intern

# Another way to specify your LDAP server is to provide an uri
uri ldaps://127.0.0.1/
uri ldap://127.0.0.1/
If you really want the ldap utilities to try multiple servers this way, you should do:
uri ldaps://127.0.0.1/ ldap://127.0.0.1/
but I'm guessing what you really want is:
uri ldap://<fqdn>/
in which case the server will attempt to authenticate your TLS client certificate based on its TLSVerifyClient configuration. FQDN should be the server name (cn) corresponding to the certificate you created.
rootbinddn cn=admin,dc=foo,dc=intern
ssl start_tls
ssl on
tls_checkpeer yes
Be aware these are not valid (openldap) ldap.conf config items, as specified in ldap.conf(5). They may be used by some other software you have installed.
tls_cacertfile /etc/ssl/certs/ldap_cert.pem
tls_cacertdir /etc/ssl/certs
tls_cert
tls_key
My mail client may have corrupted this part of your configuration. You'll of course need valid entries here.
These options are defaults in my conf, with some comments, after installing the slapd package.
sasl_secprops maxssf=0
#
############################################

default/slapd
############################################
#
SLAPD_CONF=
SLAPD_USER="openldap"
SLAPD_GROUP="openldap"
SLAPD_SERVICES="ldap:/// ldaps:///"
#
############################################
ldaps:// is unnecessary (here, and in your uri statement) unless you have some software which requires it.
And again, you'll need to properly configure TLSVerifyClient/olcTLSVerifyClient in your OpenLDAP server config.
So I added this to cn=config:
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem
I think that's what you meant?
When properly configured, your list of supportedSASLMechanisms should include 'EXTERNAL'.
For reference, see the manpages for ldap.conf and slapd-config (or slapd.conf), and see the OpenLDAP Administrator's Guide.
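As an added illustration of Dan's point about ldap.conf(5) directives (this is editor-written example code, not anything from the thread): a small lint that reads a client ldap.conf, flags keywords that ldap.conf(5) does not define (the pam_ldap/nss_ldap-style `ssl`, `tls_checkpeer`, `tls_cacertfile` lines above), flags a repeated `uri` line (servers to try belong on one line, as Dan shows), and flags TLS file directives left without a path. The directive set is the OpenLDAP 2.4 ldap.conf(5) list as this editor knows it, and the `HINTS` mapping to libldap equivalents is the editor's own; the sample input is reconstructed from Andreas's config above.

```python
# Added example, not code from the thread. Directive set: OpenLDAP 2.4 ldap.conf(5)
# as the editor knows it; HINTS is the editor's own pam_ldap/nss_ldap -> libldap mapping.
LDAP_CONF_DIRECTIVES = {
    "URI", "BASE", "BINDDN", "HOST", "PORT", "DEREF", "REFERRALS", "NETWORK_TIMEOUT",
    "SIZELIMIT", "TIMELIMIT", "TIMEOUT", "SASL_MECH", "SASL_REALM", "SASL_AUTHCID",
    "SASL_AUTHZID", "SASL_SECPROPS", "SASL_NOCANON", "TLS_CACERT", "TLS_CACERTDIR",
    "TLS_CERT", "TLS_KEY", "TLS_CIPHER_SUITE", "TLS_PROTOCOL_MIN", "TLS_RANDFILE",
    "TLS_REQCERT", "TLS_CRLCHECK", "TLS_CRLFILE",
}
HINTS = {"TLS_CACERTFILE": "TLS_CACERT", "TLS_CHECKPEER": "TLS_REQCERT"}

# Sample input reconstructed from Andreas's ldap.conf in the thread (line numbers matter).
SAMPLE_LDAP_CONF = """\
# host fs.foo.intern
base dc=foo,dc=intern
uri ldaps://127.0.0.1/
uri ldap://127.0.0.1/
rootbinddn cn=admin,dc=foo,dc=intern
ssl start_tls
ssl on
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ldap_cert.pem
tls_cacertdir /etc/ssl/certs
tls_cert
tls_key
sasl_secprops maxssf=0
"""

def lint_ldap_conf(text):
    """Return [(line_number, message)] for unknown directives, repeated URI, empty TLS paths."""
    findings, uri_lines = [], 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split(None, 1)
        keyword = parts[0].upper()  # ldap.conf(5) keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword not in LDAP_CONF_DIRECTIVES:
            msg = f"{parts[0]}: not an ldap.conf(5) directive (pam_ldap/nss_ldap style?)"
            if keyword in HINTS:
                msg += f"; libldap uses {HINTS[keyword]}"
            findings.append((lineno, msg))
        elif keyword == "URI":
            uri_lines += 1
            if uri_lines > 1:  # a second URI line does not add servers to the first
                findings.append((lineno, "repeated URI; list all servers on one URI line"))
        elif keyword in {"TLS_CACERT", "TLS_CACERTDIR", "TLS_CERT", "TLS_KEY"} and not value:
            findings.append((lineno, f"{parts[0]}: needs a file path"))
    return findings
```

Running it over the sample flags lines 4 to 9, 11 and 12; `tls_cacertdir` and `sasl_secprops` pass because TLS_CACERTDIR and SASL_SECPROPS are real ldap.conf(5) directives.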