On 12/13/2011 10:12 AM, rey sebastien wrote:
After which, you are right, you and others, to point at the old Debian package, so I tried to recompile the last release with OpenSSL. This is the best solution, I agree.
I tried to compile with these options: ./configure --with-tls=openssl --with-threads --with-cyrus-sasl --enable-crypt --enable-debug --enable-cleartext --enable-spasswd --enable-dynacl --enable-aci --enable-modules --enable-wrappers --enable-rewrite --enable-rlookups
After configure, I ran make depend, make, make install; all executions are ok. After that, how can I install ldap as a service? Like Debian style => service slapd start | stop | restart?
If you load the sources with apt-src, there's a Debian init script available in the OpenLDAP sources (debian folder, just copy the script into your init.d folder and create the symlinks with update-rc.d). That's the simplest way, or find the script online or extract it from the deb package....
Thanks again, Sr
On 12/12/2011 22:17, Raffael Sahli wrote:
On 12.12.2011 21:55, rey sebastien wrote:
On 12/12/2011 21:07, Howard Chu wrote:
rey sebastien wrote:
On 12/12/2011 19:24, Howard Chu wrote:
reyman wrote:
> You have a self signed certificate,
Correct.
> so you don't need to verify your certificate.
> When you activate the TLS on ldap, you only need these two lines,
> and you don't need the line with certificate verification olcTLSCACertificateFile:
Wrong.
It's true and false; with Debian and OpenLDAP compiled with GnuTLS (my case), I read this documentation: http://wiki.debian.org/LDAP/OpenLDAPSetup and they said:
Pure garbage.
Procedure:
You're going to need the gnutls certificate generator: certtool http://www.gnu.org/software/gnutls/manual/html_node/Invoking-certtool.html.
Run these two commands to generate a new self-signed key (into the current working directory):
certtool --generate-privkey --outfile ca-key.pem
certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem
Then, update your certificate locations in /etc/ldap/slapd.conf (TLSCertificateFile points to ca-cert.pem and TLSCertificateKeyFile points to ca-key.pem), comment out TLSCACertificateFile, and change TLSVerifyClient to never.
In /etc/ldap/ldap.conf, comment out TLS_CACERT and change TLS_REQCERT to never.
This is utterly bogus. Turning off these checks disables any spoofing detection; you might as well run without TLS at all.
IMHO I know this problem, but I think this is better than nothing, and actually I have nothing. I'm waiting for a valid certificate... And sorry, but your RTFM answer doesn't help me resolve this problem with GnuTLS and Debian; it took me many hours to find a valid solution in my use case, and the manual doesn't help me particularly on this point.
On Debian: you should compile OpenLDAP with OpenSSL support and not use the dpkg package from the Debian apt repos...
> In /etc/ldap/ldap.conf, comment out TLS_CACERT and change TLS_REQCERT to never.
Like Howard Chu said, bad idea, just for testing or what else.....
OpenLDAP is great software, but the documentation is a little "cryptic" for a beginner like me, so I think it's easy to be rude with beginners on many points.
Best regards, SR.
Since the certificate is self-signed, we can't have GnuTLS trying to verify it (hence the never), otherwise it will never run.
And RTFM is a little violent; I try to help with my little experience, I'm not an expert for sure.
RTFM is exactly the correct response.
Best regards, SR.
RTFM.
http://www.openldap.org/doc/admin24/tls.html
> On Mon, Dec 12, 2011 at 12:31 PM, Jayavant Patil <jayavant.patil82@gmail.com> wrote:
>
> Hi,
>
> On Mon, Dec 12, 2011 at 4:19 PM, reyman <reyman64@gmail.com> wrote:
>
> With the option -ZZ I think, try this
>
> ldapsearch -x -LLL -ZZ -d 150
>
> Yeah, it shows output containing ber_dump, ldap_write, ldap_read, tls_write, tls_read etc. But at the end it shows the following:
>
> TLS certificate verification: Error, self signed certificate
> TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate).
> ldap_start_tls: Connect error (-11)
> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate)
>
> Why does it show an error? And how to resolve this?
>
> And when I do ldapsearch with the -ZZ option it gives an error:
>
> $ ldapsearch -x -v -D "cn=root,dc=abc,dc=com" -w cluster -b "ou=People,dc=abc,dc=com" "uid=ldap_6" -h n0 -ZZ
> ldap_initialize( ldap://n0 )
> ldap_start_tls: Connect error (-11)
> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> On Mon, Dec 12, 2011 at 11:21 AM, Jayavant Patil <jayavant.patil82@gmail.com> wrote:
>
> Hi,
>
> I am using openldap-2.4.19-4.x86_64 on a fedora 12 machine. I have enabled openldap SSL/TLS. How do I know (test) that I am using SSL/TLS connections instead of normal ldap:///?
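As an added example that is not part of this thread, the script below reproduces the "self signed certificate" verification failure quoted above and shows that pointing the client's TLS_CACERT at the self-signed certificate itself makes verification pass, which is the alternative to TLS_REQCERT never that Howard objects to. It assumes only the openssl command line (used here in place of the wiki's certtool); the subject name and paths are made up.

```shell
#!/bin/sh
# Added example (not from the thread): a self-signed OpenLDAP certificate
# can still be verified, so TLS_REQCERT never is not needed.
# Assumes the openssl CLI is installed; the CN below is made up.

# Generate a throwaway self-signed server certificate, the same shape the
# Debian wiki procedure produces with certtool (here via openssl).
make_self_signed() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=ldap.example.test" \
        -keyout "$dir/ca-key.pem" -out "$dir/ca-cert.pem" >/dev/null 2>&1
}

# Returns 0 only if (a) verification with no trust anchor fails, which is
# the "self signed certificate" condition seen in the thread, and
# (b) verification succeeds once the certificate itself is the trust anchor.
self_signed_demo() {
    dir=$(mktemp -d) || return 1
    make_self_signed "$dir" || return 1
    # (a) No CA configured: what ldapsearch -ZZ hits when TLS_CACERT is
    #     commented out while TLS_REQCERT still demands a valid chain.
    if openssl verify "$dir/ca-cert.pem" >/dev/null 2>&1; then
        rm -rf "$dir"
        return 1   # unexpected: an unknown self-signed cert must not verify
    fi
    # (b) Trust anchor = the self-signed cert itself (it is its own CA).
    #     This is the TLS_CACERT / olcTLSCACertificateFile setting that
    #     keeps spoofing detection on instead of disabling it with "never".
    openssl verify -CAfile "$dir/ca-cert.pem" "$dir/ca-cert.pem" >/dev/null 2>&1
    status=$?
    rm -rf "$dir"
    return $status
}

# Client-side ldap.conf lines for the verifying setup (argument: CA path).
ldap_conf_for_self_signed() {
    printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$1"
}

self_signed_demo && echo "self-signed cert verified via its own CA file"
```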