Hi All,
I am currently busy configuring OpenLdap on my newly installed Ubuntu 9.04.
Here is what I have done till now.
I followed the steps defined in https://help.ubuntu.com/8.10/serverguide/C/openldap-server.html and installation was successful. I installed PhpLdapAdmin also.
After I created certificate, key etc, I created a .ldif file (enable-ca.ldif) with the following content :
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/server.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/server.key
Then I executed the command :
ldapmodify -D "cn=admin,cn=config" -x -w 12345678 -f enable-ca.ldif
and it was a success.
But after this, when I tried to restart slapd, I got errors like the following :
main: TLS init def ctx failed: -1
I noticed that after I executed "ldapmodify -D "cn=admin,cn=config" -x -w 12345678 -f enable-ca.ldif", 3 lines were added to /etc/ldap/slapd.d/cn=config.ldif, and when I commented out the last two lines as follows, slapd started successfully.
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
#olcTLSCertificateFile: /etc/ssl/certs/server.crt
#olcTLSCertificateKeyFile: /etc/ssl/private/server.key
This looks quite strange.
Please help me resolve this.
-Asimananda
How did you create the certificates? Can slapd read them?
On Fri, Jul 10, 2009 at 5:00 AM, Asimananda Mohanty < asimananda.mohanty@gmail.com> wrote:
Hi Matt,
I created the certificates following the procedure defined in https://help.ubuntu.com/8.10/serverguide/C/openldap-server.html
I created a CA and signed the certificate as defined in the steps.
Ownership is openldap:openldap for cacert.pem and server.crt, and openldap:ssl-cert for server.key.
Permissions are 644 for all three.
Thanks for the reply.
-Asimananda
On Fri, Jul 10, 2009 at 7:47 PM, Matt Kassawara battery@writeme.com wrote:
Hi,
I ran the command "slapd -d 16383" and attached is the output of the same in case it may prove to be useful.
In this output, ldap-company.com.crt is server.crt as defined in my earlier mails. I changed it to try some luck, but it was fruitless.
-Asimananda
On Mon, Jul 13, 2009 at 10:55 AM, Asimananda Mohanty < asimananda.mohanty@gmail.com> wrote:
Make sure slapd can read the certs and private key. In addition to typical ownership and permissions, the openldap user should belong to the ssl-cert group and the slapd AppArmor profile must allow access to the directories containing your certs.
On Mon, Jul 13, 2009 at 5:22 AM, Asimananda Mohanty < asimananda.mohanty@gmail.com> wrote:
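Matt's checklist above (ownership, membership of the ssl-cert group, the AppArmor profile) can be scripted. The script below is an added example for this page, not code from the thread or from the OpenLDAP project. It assumes the Ubuntu package layout used in the thread (service user openldap, group ssl-cert, key under /etc/ssl/private) and takes the key path, user and group as optional arguments. It also checks something that the 644 mode reported earlier for server.key would fail: a private key must not be world-readable, or every local account on the host can read the LDAP server's identity.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for slapd's TLS files.
# Assumed defaults: key /etc/ssl/private/server.key, user openldap, group ssl-cert.

# Permission bits for "other" taken from ls -l, e.g. "-rw-r-----" -> "---".
other_bits() {
    perm=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    printf '%s' "${perm#???????}"
}

# A private key must not be world-readable.  Certificates are public and
# may stay 644; the key is reached through the group instead.
key_is_private() {
    [ "$(other_bits "$1")" = "---" ]
}

# Is the service account in the group that owns the key?  id -nG lists
# every group of the user separated by spaces.
user_in_group() {
    for g in $(id -nG "$1" 2>/dev/null); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# The layout Debian/Ubuntu use for keys in /etc/ssl/private:
# root:ssl-cert, group-readable only.  Run as root.
harden_key() {
    chown root:ssl-cert "$1" && chmod 640 "$1"
}

report() {
    key=${1:-/etc/ssl/private/server.key}
    user=${2:-openldap}
    group=${3:-ssl-cert}

    if key_is_private "$key"; then
        echo "ok: $key is not world-readable"
    else
        echo "FAIL: $key is readable by everyone (mode $(ls -ld "$key" 2>/dev/null | cut -c1-10)); fix: chmod 640"
    fi

    if user_in_group "$user" "$group"; then
        echo "ok: $user is a member of $group"
    else
        echo "FAIL: $user is not in $group; fix: adduser $user $group, then restart slapd"
    fi

    # File modes say nothing about AppArmor.  If slapd is confined, the
    # profile must also allow reading the directory that holds the key.
    if command -v aa-status >/dev/null 2>&1 \
        && aa-status 2>/dev/null | grep -q '/usr/sbin/slapd'; then
        echo "note: slapd is confined by AppArmor; confirm /etc/apparmor.d/usr.sbin.slapd permits $key"
    fi
}

report "$@"
```

Run it as root on the directory server, for example `sh check-slapd-tls.sh /etc/ssl/private/server.key openldap ssl-cert`. The `other_bits` helper reads the mode from `ls -l` rather than `stat` so the script behaves the same on Linux and BSD userlands, and `harden_key` is deliberately separate from `report` so the script only changes something when you ask it to.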
Hi Matt,
openldap user is already a part of ssl-cert group.
Regarding apparmor, I am very much new to this. But I did some research on this and did some changes like :
1. moving the /usr/sbin/slapd profile to complain mode, and
2. changing the following lines in /etc/apparmor.d/usr.sbin.slapd from:
/etc/ssl/private/ r,
/etc/ssl/private/* r,
to
/etc/ssl/private/ mixr,
/etc/ssl/private/* mixr,
After the changes, I did the following:
/etc/init.d/apparmor stop
update-rc.d -f apparmor remove
/etc/init.d/apparmor start
update-rc.d apparmor defaults
But it yields no positive result.
Is there anything else that I need to do?
Please let me know.
Thank you very much for the reply.
-Asimananda
On Mon, Jul 13, 2009 at 8:29 PM, Matt Kassawara battery@writeme.com wrote:
Hi Matt,
Thank you very much for your kind support so as to resolve the issue that I was facing for so long.
Here is what I did as per Matt's suggestion and it worked.
1. I used certtool to generate the key and certificate files.
2. I used them instead of the old ones that were supposed to be generated by gnutls.
3. Changed the ownership and permissions of the private directory to root:ssl-cert and 755.
4. Restart slapd,
and slapd restarted without any issues.
I am able to search LDAP using ldaps now instead of ldap.
But I have one issue remaining :
I have the following entry in ldap.conf
TLS_REQCERT allow
The moment I change it to
TLS_REQCERT demand
the search starts throwing error :
# ldapsearch -d5 -x -H ldaps://ldap-comany.com -b dc=ldap-comany,dc=com
ldap_url_parse_ext(ldaps://ldap-comany.com)
ldap_create
ldap_url_parse_ext(ldaps://ldap-comany.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap-comany.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.1.1:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
The port 636 is listening :
tcp        0      0 0.0.0.0:636     0.0.0.0:*     LISTEN
tcp6       0      0 :::10636        :::*          LISTEN
tcp6       0      0 :::636          :::*          LISTEN
Is there anything else that I need to do further?
Thanks again.
-Asimananda
On Tue, Jul 14, 2009 at 10:52 AM, Asimananda Mohanty < asimananda.mohanty@gmail.com> wrote:
Hi,
I ran the following command on my setup and found some errors.
openssl s_client -connect ldap-company.com:636 -showcerts -CAfile /etc/ssl/certs/ca-cert.pem
Some of the errors that I saw were :
verify error:num=20:unable to get local issuer certificate verify return:1
verify error:num=27:certificate not trusted verify return:1
verify error:num=21:unable to verify the first certificate verify return:1
But eventually, I got connected with the last few lines as :
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 52B3C73421E31E563441A84F8149AB5EB7A92D62FB28F3E01CE73707164265A0
    Session-ID-ctx:
    Master-Key: B56391251B286C25A411BDD77DA61299BBC6E9F8899972EB02CB2E82FAE7F3708473B832CECD16D64A64EC1BEAB6DF6D
    Key-Arg   : None
    Start Time: 1248069588
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
Is it normal?
If it is normal, can I consider that my certificates are OK and the problem lies somewhere else?
Please suggest.
-Asimananda
On Wed, Jul 15, 2009 at 11:06 AM, Asimananda Mohanty < asimananda.mohanty@gmail.com> wrote:
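The two symptoms in the last two messages come from one check. With TLS_REQCERT demand, libldap must build a chain from the server certificate to a CA listed in TLS_CACERT (or TLS_CACERTDIR) in ldap.conf, and "TLS: peer cert untrusted or revoked (0x42)" is that check failing. openssl s_client with -CAfile performs the same check; verify errors num=20 and num=21 mean the certificate handed to -CAfile is not the issuer of the certificate the server presented. TLS_REQCERT allow hides the failure: ldap.conf(5) documents that with allow a bad server certificate is ignored and the session proceeds, so a client configured that way has no protection against an impersonated directory server. The script below is an added example, not code from the thread or from OpenLDAP; it builds a throwaway CA and server certificate with openssl in a temporary directory (file names mirror the thread's cacert.pem, server.crt and server.key, plus an unrelated CA that stands in for a wrong TLS_CACERT) and shows the same verification succeed against the signing CA and fail against the unrelated one. It also checks that the private key belongs to the certificate, a mismatch being another reason slapd refuses to initialise TLS.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the trust check behind
# "TLS_REQCERT demand" with throwaway keys generated on the spot.
# Requires only the openssl command-line tool.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, nothing to demonstrate" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material, valid for one day: a CA, a server certificate
# it signs, and a second CA that has nothing to do with the server.
make_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example LDAP CA" \
        -keyout "$dir/ca.key" -out "$dir/cacert.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap-company.com" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/server.csr" -CA "$dir/cacert.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/server.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
        -keyout "$dir/other.key" -out "$dir/other-ca.pem" 2>/dev/null
}

# The check libldap makes under TLS_REQCERT demand and that
# "openssl s_client -CAfile" reports: does the certificate chain to this CA?
# The printed verdict is tested rather than the exit status, because old
# openssl releases exited 0 even when verification failed.
verify_chain() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Does the private key belong to the certificate?  Compares the public key
# embedded in the certificate with the one derived from the key file.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

make_pki "$WORK"

if verify_chain "$WORK/cacert.pem" "$WORK/server.crt"; then
    echo "server.crt chains to cacert.pem: a client whose TLS_CACERT is this file accepts it"
fi
if ! verify_chain "$WORK/other-ca.pem" "$WORK/server.crt"; then
    echo "server.crt does not chain to other-ca.pem: that client reports 'peer cert untrusted'"
fi
if key_matches_cert "$WORK/server.crt" "$WORK/server.key"; then
    echo "server.key matches server.crt"
fi
if ! key_matches_cert "$WORK/server.crt" "$WORK/other.key"; then
    echo "other.key does not match server.crt: slapd would fail TLS init with this pair"
fi
```

To apply the same two checks to a real deployment, point `verify_chain` at the file named in the client's TLS_CACERT and at the server's olcTLSCertificateFile, and `key_matches_cert` at olcTLSCertificateFile and olcTLSCertificateKeyFile; both should print OK before TLS_REQCERT is raised from allow to demand.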
Hi,
Some reason to smile I think.
After writing the previous mail, I just took a wild guess and recreated the certificates and I got rid of the errors shown :)
Now ldapsearch -Z and ldapsearch -ZZ are no longer throwing errors, but are asking for a password (with TLS_REQCERT demand in /etc/ldap/ldap.conf).
But again, to my surprise, it doesn't accept the password and shows the following error:
res_errno: 49, res_error: <SASL(-13): user not found: no secret in database>, res_matched: <>
/var/log/debug shows the following:
Jul 20 13:14:03 ubuntu slapd[2354]: SASL [conn=32] Error: unable to open Berkeley db /etc/sasldb2: No such file or directory
Jul 20 13:14:03 ubuntu last message repeated 3 times
Jul 20 13:14:03 ubuntu slapd[2354]: SASL [conn=32] Failure: no secret in database
Please suggest.
-Asimananda
On Mon, Jul 20, 2009 at 11:51 AM, Asimananda Mohanty < asimananda.mohanty@gmail.com> wrote:
Asimananda Mohanty wrote:
> res_errno: 49, res_error: <SASL(-13): user not found: no secret in database>, res_matched: <>
>
> /var/log/debug shows the following:
>
> Jul 20 13:14:03 ubuntu slapd[2354]: SASL [conn=32] Error: unable to open Berkeley db /etc/sasldb2: No such file or directory
> Jul 20 13:14:03 ubuntu last message repeated 3 times
> Jul 20 13:14:03 ubuntu slapd[2354]: SASL [conn=32] Failure: no secret in database
SASL passwords are not properly set up on your system. You might wanna try first a simple bind (note -x and -D):
ldapsearch -x -H http://ldap-company.com:636 -ZZ -D <bind-DN> ...
Ciao, Michael.
Hi Michael,
Thanks for the reply.
I tried with "ldapsearch -x -H ldap://ldap-company.com:636 -ZZ -D dc=ldap-company,dc=com" and got the error :
ber_get_next failed. ldap_start_tls: Can't contact LDAP server (-1)
Using http resulted in error "Could not parse LDAP URI(s)= http://ldapagcf-alcatel-lucent.com:636 (3)"
-Asimananda
2009/7/20 Michael Ströder michael@stroeder.com
-- Michael Ströder E-Mail: michael@stroeder.com http://www.stroeder.com
Asimananda Mohanty wrote:
Hi Michael,
Thanks for the reply.
I tried with "ldapsearch -x -H ldap://ldap-company.com:636 -ZZ -D dc=ldap-company,dc=com" and got the error :
ber_get_next failed. ldap_start_tls: Can't contact LDAP server (-1)
Sorry should have been
ldapsearch -x -H ldap://ldap-company.com -ZZ
for LDAP access going to the standard port 389 (clear-text) and then using the StartTLS extended operation.
Another option is to use LDAPS (LDAP over SSL) on a separate port:
ldapsearch -x -H ldaps://ldap-company.com:636 -ZZ
Ciao, Michael.
Hi Michael,
The first command works fine (ldapsearch -x -H ldap://ldap-company.com -ZZ) but the second one (ldapsearch -x -H ldaps://ldap-company.com:636 -ZZ) is showing the error :
ldap_start_tls: Operations error (1)
-Asimananda
Asimananda Mohanty wrote:
The first command works fine (ldapsearch -x -H ldap://ldap-company.com -ZZ) but the second one (ldapsearch -x -H ldaps://ldap-company.com:636 -ZZ) is showing error :
ldap_start_tls: Operations error (1)
Sorry, stupid copy&paste by me. Should have another coffee. Omit the -ZZ in the second command since LDAPS and StartTLS ext.op. cannot be used together.
See also: http://www.openldap.org/faq/data/cache/605.html
Ciao, Michael.
Hi Michael,
Indeed, it's fine now :)
But is there any way that I make the password stuff working as well.
Thanks again....
-Asimananda
Asimananda Mohanty wrote:
But is there any way that I make the password stuff working as well.
Yes, but what exactly do you want to do? There are so many options. Simplest thing and most commonly used is simple bind.
But you should read some docs:
http://www.openldap.org/doc/admin24/security.html#Authentication%20Methods
http://www.openldap.org/faq/data/cache/419.html
Ciao, Michael.
Hi Michael,
I think the LDAP in current form should solve my purpose.
Currently I have client and server on the same machine. I have created one user in LDAP namely asimananda and I am able to login to the server by the same too. But in the auth.log, it shows some error....is it normal ?
If "su - asimananda" is done from root :
------------------------------------------
PAM unable to dlopen(/lib/security/pam_foreground.so): /lib/security/pam_foreground.so: cannot open shared object file: No such file or directory
PAM adding faulty module: /lib/security/pam_foreground.so
pam_ldap: ldap_simple_bind Can't contact LDAP server
pam_ldap: reconnecting to LDAP server...
pam_ldap: ldap_simple_bind Can't contact LDAP server
Successful su for asimananda by root
+ pts/3 root:asimananda
pam_unix(su:session): session opened for user asimananda by root(uid=0)
------------------------------------------
If a new session is opened to log in as asimananda :
------------------------------------------
PAM unable to dlopen(/lib/security/pam_foreground.so): /lib/security/pam_foreground.so: cannot open shared object file: No such file or directory
PAM adding faulty module: /lib/security/pam_foreground.so
pam_ldap: ldap_simple_bind Can't contact LDAP server
pam_ldap: reconnecting to LDAP server...
pam_ldap: ldap_simple_bind Can't contact LDAP server
pam_ldap: ldap_simple_bind Can't contact LDAP server
pam_ldap: reconnecting to LDAP server...
pam_ldap: ldap_simple_bind Can't contact LDAP server
Accepted password for asimananda from 172.21.141.50 port 4484 ssh2
pam_unix(ssh:session): session opened for user asimananda by (uid=0)
------------------------------------------
Thanks for the reply.
-Asimananda
Asimananda Mohanty wrote:
I think the LDAP in current form should solve my purpose.
Currently I have client and server on the same machine. I have created one user in LDAP namely asimananda and I am able to login to the server by the same too.
What does "I am able to login to the server" mean exactly. Did you test with ldapwhoami -x -D <bind-DN of asimananda> -W whether simple bind works?
PAM unable to dlopen(/lib/security/pam_foreground.so): /lib/security/pam_foreground.so: cannot open shared object file: No such file or directory
PAM adding faulty module: /lib/security/pam_foreground.so
pam_ldap: ldap_simple_bind Can't contact LDAP server
pam_ldap: reconnecting to LDAP server...
pam_ldap: ldap_simple_bind Can't contact LDAP server
Successful su for asimananda by root
+ pts/3 root:asimananda
pam_unix(su:session): session opened for user asimananda by root(uid=0)
Looks like a setup error in your PAM setup. Check the ldap.conf related to the pam_ldap module. I don't know Ubuntu so I can't help here.
Ciao, Michael.
Hi Michael,
The command mentioned by you is running fine and it doesn't show any error.
That means that simple bind works fine.
By stating "I am able to login to the server", I meant that I am able to establish an ssh session (via putty) with the server by providing user id and password. In that case, I don't really understand the error while logging in by that user id.
Thanks for your support.
-Asimananda
Installing libpam-foreground or removing the reference to it in /etc/pam.d/common-session will clear up the first error. The second error probably stems from misconfiguration in /etc/ldap.conf... particularly with how PAM tries to contact your LDAP server (uri, port, ssl/tls directives).
Hi Matt,
Thank you very much. I got rid of both the errors by
1. Installing libpam-foreground
2. Changing the uri in /etc/ldap.conf from ldap to ldaps
One last thing is remaining now....
When I tried "ldapsearch -ZZ", it asked for some password. When provided with the password, it didn't accept it (the same password that I created during dpkg --configure slapd)
# ldapsearch -ZZ
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
Thanks again.
-Asimananda
By default, ldapsearch will try authentication via SASL. Either configure slapd to handle the latter or use -x in addition to -ZZ to force simple authentication.
Hi Matt,
Sorry for the delayed response. I was not at my place for some time.
Yes, using -x with -ZZ works fine.
But without "-x", it gives the following error :
ldapsearch -d8 -ZZ -b dc=ldap-company,dc=com uid=asimananda
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
When I used option -d7, it showed the following :
res_errno: 49, res_error: <SASL(-13): user not found: no secret in database>, res_matched: <>
I have already installed SASL on the system.
Do I need to do some configuration in order to make it work? I found not much help on the net.
Thanks.
-Asimananda
I recommend reading section 15.2.3 through 15.2.6 of the OpenLDAP 2.4 administrator's guide.
Hi Matt,
I just changed the permission level of /etc/sasldb2 from 640 to 644 and the command "ldapsearch -d8 -ZZ -b dc=ldap-company,dc=com uid=asimananda" started working fine.
I have one more doubt. The above command works fine and accepts the password too, but when I changed the option "-b" to "-D", it stopped working. I read somewhere that -D should not be used with SASL. I am a bit confused about the same.
Thanks for being so helpful.
Thanks all.
Regards Asimananda
Asimananda Mohanty wrote:
Hi Matt,
I just changed the permission level of /etc/sasldb2 from 640 to 644 and the command "ldapsearch -d8 -ZZ -b dc=ldap-company,dc=com uid=asimananda" started working fine.
Generally that's a bad idea, since it exposes all of your SASL passwords to anyone who can access that machine or filesystem. Instead you should just make sure that slapd is running as a user that belongs to the same group as the sasldb file, or is the owner of the file.
And of course, the better approach when using SASL is not to use a sasldb file at all, and just store the SASL secrets in the LDAP directory.
Hi Howard,
I have changed the ownership of /etc/sasldb2 to openldap:openldap and also changed the permission to 640.
For the time being, I may continue with this option and in the future, I will surely shift to the other one i.e. avoiding use of sasldb.
Thank you very much.
Regards Asimananda
On Fri, Sep 11, 2009 at 11:57 AM, Howard Chu hyc@symas.com wrote:
-- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
Hi,
On Fri, Sep 11, 2009 at 2:27 AM, Howard Chu hyc@symas.com wrote:
Asimananda Mohanty wrote:
I just changed the permission level of /etc/sasldb2 from 640 to 644 and the command "ldapsearch -d8 -ZZ -b dc=ldap-company,dc=com uid=asimananda" started working fine.
Generally that's a bad idea, since it exposes all of your SASL passwords to anyone who can access that machine or filesystem. Instead you should just make sure that slapd is running as a user that belongs to the same group as the sasldb file, or is the owner of the file.
The default group of /etc/sasldb2 should be sasl. Thus adding the openldap user to the sasl group should fix the problem without having to change permissions:
$ adduser openldap sasl
-- Mathias Gug Ubuntu Developer http://www.ubuntu.com
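Howard's warning about mode 644 on /etc/sasldb2 and Mathias's group-membership fix, worked through as an added shell check that is not part of the thread: it reasons from the file's mode, owner and group plus the daemon account's groups to say whether slapd can read the sasldb without it being world-readable. The path /etc/sasldb2, the user openldap and the group sasl come from the thread; the function names are mine, and the live check assumes GNU stat and id are available.

```shell
#!/bin/sh
# Added example, not from the thread: decide who can read a sasldb file.
# 644 exposes every SASL secret to any local user (Howard's point); the
# fix is to keep 640 and give the slapd account owner or group access
# (Mathias: adduser openldap sasl).
#
# sasldb_verdict MODE OWNER GROUP USER "USER_GROUPS"
#   MODE        permission bits as printed by stat, e.g. 640 or 0640
#   OWNER GROUP owning user and group of the file
#   USER        account the daemon runs as (openldap on Ubuntu)
#   USER_GROUPS space-separated groups USER belongs to (as from id -Gn USER)
# Prints exactly one word:
#   world-readable  others have the read bit (the bad 644 case)
#   ok-owner        USER owns the file and the owner read bit is set
#   ok-group        USER is in the owning group and the group read bit is set
#   no-access       USER cannot read the file (the "no secret in database"
#                   situation when slapd runs as openldap and the file is 640)
sasldb_verdict() {
    mode=$1 owner=$2 group=$3 user=$4 user_groups=$5
    # keep the last three digits (drops a leading setuid/setgid/sticky digit)
    mode=${mode#${mode%???}}
    u=$(printf '%s' "$mode" | cut -c1)
    g=$(printf '%s' "$mode" | cut -c2)
    o=$(printf '%s' "$mode" | cut -c3)
    if has_read "$o"; then echo world-readable; return 0; fi
    if [ "$owner" = "$user" ] && has_read "$u"; then echo ok-owner; return 0; fi
    if in_list "$group" "$user_groups" && has_read "$g"; then echo ok-group; return 0; fi
    echo no-access
}

# has_read DIGIT : true when the octal digit includes the read bit (4)
has_read() {
    case $1 in 4|5|6|7) return 0 ;; *) return 1 ;; esac
}

# in_list WORD "WORDS" : true when WORD appears in the space-separated WORDS
in_list() {
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# check_sasldb FILE USER : read the live values (GNU stat and id, assumed
# present) and print the verdict with the remediation the thread arrived at.
check_sasldb() {
    file=${1:-/etc/sasldb2} user=${2:-openldap}
    info=$(stat -c '%a %U %G' "$file") || return 1
    set -- $info
    verdict=$(sasldb_verdict "$1" "$2" "$3" "$user" "$(id -Gn "$user" 2>/dev/null)")
    echo "$file mode=$1 owner=$2 group=$3 user=$user -> $verdict"
    case $verdict in
        world-readable) echo "fix: chmod 640 $file, then give $user owner or group access" ;;
        no-access)      echo "fix: adduser $user $3  (or chown $user $file)" ;;
    esac
}

# Run the live check only when the file exists, so the script is safe to source.
if [ -e /etc/sasldb2 ]; then
    check_sasldb /etc/sasldb2 openldap
fi
```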
Hi Mathias,
I have done the same. Thanks.
I have one more question.
I have my Apache https server on a Solaris 10 x86 machine that accesses my OpenLDAP server on an Ubuntu machine so as to do the required authentication.
It actually checks the username, password and an attribute so as to grant access to the user. The attribute defines the kind of controls the user can see in the GUI.
Now the issue is that httpd.conf contains ldaps url in AuthLDAPUrl parameter. If I change it to ldap, it works fine but with ldaps, it doesn't.
The link http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#authldapurl says "For regular ldap, use the string ldap. For secure LDAP, use ldaps instead. Secure LDAP is only available if Apache was linked to an LDAP library with SSL support."
My openldap server has ssl support with it (I can use ldapsearch with ldaps url OR ldap url with -ZZ option successfully).
Please let me know what needs to be done in order to use ldaps url in AuthLDAPUrl in httpd.conf
Regards Asimananda
Asimananda Mohanty asimananda.mohanty@gmail.com writes:
Hi Mathias,
I have done the same. Thanks.
I have one more question.
I have my apache https server on solaris 10 x86 machine that does access my openldap server on an ubuntu machine so as to do the required authentication.
[...]
Now the issue is that httpd.conf contains ldaps url in AuthLDAPUrl parameter. If I change it to ldap, it works fine but with ldaps, it doesn't.
The link http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#authldapurl says "For regular ldap, use the string ldap. For secure LDAP, use ldaps instead. Secure LDAP is only available if Apache was linked to an LDAP library with SSL support."
In fact this would be a question for a solaris 10 related mailing list or news group. The question actually is with which ldap library apache has been built, and whether this library has been built with a Transport Layer Security library.
-Dieter
Hi Dieter,
Indeed, I thought so. But before going there, I just wanted to confirm whether there is anything that I might be missing while configuring my openLDAP using SASL, because the link http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#authldapurl says "For regular ldap, use the string ldap. For secure LDAP, use ldaps instead. Secure LDAP is only available if Apache was linked to an LDAP library with SSL support."
This simply states that if LDAP is equipped with SSL support, ldaps url can be used. Does that mean that my openLDAP is not equipped with SSL support because I am getting success with ldap and not with ldaps?
Once I am sure that my openLDAP configuration is Ok, I can start exploring other things.
Thanks for the reply.
Regards Asimananda
On Thu, Sep 17, 2009 at 1:16 PM, Dieter Kluenter dieter@dkluenter.de wrote:
[...]
-- Dieter Klünter | Systemberatung http://dkluenter.de GPG Key ID:8EF7B6C6 53°37'09,95"N 10°08'02,42"E
Asimananda Mohanty asimananda.mohanty@gmail.com writes:
Hi Dieter,
Indeed, I thought so. But before going there, I just wanted to confirm whether there is anything that I might be missing while configuring my openLDAP using SASL because :
the link http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#authldapurl says "For regular ldap, use the string ldap. For secure LDAP, use ldaps instead. Secure LDAP is only available if Apache was linked to an LDAP library with SSL support."
This simply states that if LDAP is equipped with SSL support, ldaps url can be used. Does that mean that my openLDAP is not equipped with SSL support because I am getting success with ldap and not with ldaps?
Once I am sure that my openLDAP configuration is Ok, I can start exploring other things.
The easiest way is 'ldd slapd', which will show you the linked libraries, check for libssl.so or libgnutls.so.
-Dieter
Hi Dieter, Here is the result.
# which slapd
/usr/sbin/slapd
# cd /usr/sbin
# ldd slapd
linux-gate.so.1 => (0xb7f6d000)
libldap_r-2.4.so.2 => /usr/lib/libldap_r-2.4.so.2 (0xb7f19000)
liblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2 (0xb7f0b000)
libdb-4.7.so => /usr/lib/libdb-4.7.so (0xb7db6000)
libodbc.so.1 => /usr/lib/libodbc.so.1 (0xb7d4f000)
libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb7d36000)
libslp.so.1 => /usr/lib/libslp.so.1 (0xb7d26000)
libnsl.so.1 => /lib/tls/i686/cmov/libnsl.so.1 (0xb7d0d000)
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7cf5000)
libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0xb7c57000)
libtasn1.so.3 => /usr/lib/libtasn1.so.3 (0xb7c45000)
libz.so.1 => /lib/libz.so.1 (0xb7c2f000)
libgcrypt.so.11 => /lib/libgcrypt.so.11 (0xb7bc6000)
libcrypt.so.1 => /lib/tls/i686/cmov/libcrypt.so.1 (0xb7b94000)
libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0xb7b7d000)
libltdl.so.7 => /usr/lib/libltdl.so.7 (0xb7b74000)
libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7b70000)
libwrap.so.0 => /lib/libwrap.so.0 (0xb7b67000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7a04000)
/lib/ld-linux.so.2 (0xb7f6e000)
libgpg-error.so.0 => /lib/libgpg-error.so.0 (0xb7a00000)
Regards Asimananda
On Thu, Sep 17, 2009 at 2:39 PM, Dieter Kluenter dieter@dkluenter.de wrote:
[...]
Asimananda Mohanty asimananda.mohanty@gmail.com writes:
Hi Dieter,
Here is the result.
# which slapd
/usr/sbin/slapd
# cd /usr/sbin
# ldd slapd
[...]
libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0xb7c57000)
[...]
OK, so slapd has been compiled with gnutls.
-Dieter
Hi Dieter, Does that mean that my openLDAP has been configured correctly so as to be used with the required applications as I described in my previous mails today? Or do I need to do something else for the same?
Thank you very much.
Regards Asimananda
On Thu, Sep 17, 2009 at 3:25 PM, Dieter Kluenter dieter@dkluenter.de wrote:
[...]
Asimananda Mohanty asimananda.mohanty@gmail.com writes:
Hi Dieter,
Does that mean that my openLDAP has been configured correctly so as to be used with the required applications as I described in my previous mails today? Or do I need to do something else for the same?
You have to create certificates of course, and configure slapd to read these certificates and listen on a secure port. http://www.openldap.org/doc/admin24/tls.html
-Dieter
Hi Dieter, I already have the certificates and here is my ldap.conf :
TLS_REQCERT demand
TLS_CACERT /etc/ssl/certs/ca-cert.pem
With these settings, it's working fine. As I already mentioned, ldapsearch command runs fine with "ldaps" url and also with "ldap" url WITH "-ZZ" option.
I think that indicates that TLS is enabled on the server.
Is there any difference in behavior when slapd used libgnutls and when it uses libssl ? Or they both serve the same purpose (this was my idea till now)?
Does apache expect slapd to use libssl and not libgnutls ?
Regards Asimananda
On Thu, Sep 17, 2009 at 4:53 PM, Dieter Kluenter dieter@dkluenter.de wrote:
[...]
Asimananda Mohanty asimananda.mohanty@gmail.com writes:
Hi Dieter,
I already have the certificates and here is my ldap.conf :
TLS_REQCERT demand
TLS_CACERT /etc/ssl/certs/ca-cert.pem
With these settings, it's working fine. As I already mentioned, ldapsearch command runs fine with "ldaps" url and also with "ldap" url WITH "-ZZ" option.
I think that indicates that TLS is enabled on the server.
Is there any difference in behavior when slapd used libgnutls and when it uses libssl ? Or they both serve the same purpose (this was my idea till now)?
Does apache expect slapd to use libssl and not libgnutls ?
Apache doesn't know anything about slapd. All it does is connect to a defined port, try to verify the certificate presented and establish a secured ldap session. If apache fails to verify the certificate or is otherwise not able to establish a secured ldap session it will not connect, unless the configuration allows it to establish an unsecured session.
-Dieter
Hi Dieter, I understand. But my concern is if ssl was not enabled properly, then I should not be able to use -ZZ or ldaps url in commands like ldapsearch. Please correct me if I am wrong.
If ssl is enabled already, then I am unable to understand why ldaps doesn't work from apache point of view.
Regards Asimananda
On Thu, Sep 17, 2009 at 5:27 PM, Dieter Kluenter dieter@dkluenter.de wrote:
[...]
-- Dieter Klünter | Systemberatung sip: +49.180.1555.7770535 http://www.dpunkt.de/buecher/2104.html GPG Key ID:8EF7B6C6
Asimananda Mohanty asimananda.mohanty@gmail.com writes:
Hi Dieter,
I understand. But my concern is if ssl was not enabled properly, then I should not be able to use -ZZ or ldaps url in commands like ldapsearch. Please correct me if I am wrong.
If you can connect to slapd via startTLS or TLS then slapd has been set up correctly.
If ssl is enabled already, then I am unable to understand why ldaps doesn't work from apache point of view.
Back to my first mail. This is a question you have to raise on a solaris related mailing list or news group.
- Check the libraries apache has been built with,
- check whether you can connect from solaris host to ubuntu host on port 389 and 636,
- check whether apache is able to verify the certificate presented,
- debug slapd to watch the apache connection.
-Dieter
Hi Dieter, Thanks for the reply.
My Apache is built with openldap lib only.
I am able to connect to the ubuntu host from my solaris client on ports 389 and 636.
Then I guess, apache is not able to verify the certificates presented. In that case, please let me know how do I debug slapd to watch apache connection.
Thanks again.
Regards Asimananda
On Thu, Sep 17, 2009 at 6:23 PM, Dieter Kluenter dieter@dkluenter.de wrote:
[...]
Asimananda Mohanty asimananda.mohanty@gmail.com writes:
Hi Dieter,
Thanks for the reply.
My Apache is built with openldap lib only.
I am able to connect to the ubuntu host from my solaris client on ports 389 and 636.
Then I guess, apache is not able to verify the certificates presented. In that case, please let me know how do I debug slapd to watch apache connection.
As I mentioned many times, this topic is neither OpenLDAP nor Ubuntu related, it is just a question of how to properly set up Apache on Sun Solaris 10. Did you configure mod_auth_ldap and mod_ldap to use TLS? There are two sources of information, Sun Bigadmin and Apache documentation. A lot of documentation refers to *.der or cert7.db files; note that OpenLDAP only handles *.pem files. For more information on this topic read the openssl documentation.
http://httpd.apache.org/docs/2.0/mod/mod_ldap.html http://www.sun.com/bigadmin/home/index.jsp
-Dieter
Hi Dieter, I will try to look it from a different angle. Once I am able to solve it, I will post it here.
I have one more query.
On my server, I am able to get the result by :
# ldapsearch -d8 -H ldaps://ldap-company.com -b dc=ldap-company,dc=com uid=asimananda
SASL/DIGEST-MD5 authentication started
Please enter your password:
<Result>
But the following query doesn't show any result and throws error.
# ldapsearch -d8 -H ldaps://ldap-company.com -D dc=ldap-company,dc=com uid=asimananda -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
#
Does this mean that I have still some configuration to do?
Please comment.
Regards Asimananda
On Mon, Sep 21, 2009 at 10:54 AM, Dieter Kluenter dieter@dkluenter.de wrote:
[...]
I think I am supposed to provide the bind DN with "-D" option i.e. cn=admin,dc=ldap-company,dc=com. With this value, it works fine.
Sorry for the mistake.
Regarding the Apache issue, I will post it here once it is solved.
Regards Asimananda
On Mon, Sep 21, 2009 at 3:42 PM, Asimananda Mohanty <asimananda.mohanty@gmail.com> wrote:
[...]
Hi, Regarding the apache issue, as I expected, fingers are being pointed at the certificate file even though I have clarified that the same certificate works fine with the local client (installed along with the server).
Is there any way to prove that the certificate file is OK?
Regards Asimananda
On Mon, Sep 21, 2009 at 3:53 PM, Asimananda Mohanty <asimananda.mohanty@gmail.com> wrote:
[...]
Hi, I did run some openssl commands and here is what I saw.
# openssl s_client -connect <ldap server ip>:636
verify error:num=20:unable to get local issuer certificate verify return:1
verify error:num=21:unable to verify the first certificate verify return:1
No client certificate CA names sent
---
SSL handshake has read 1162 bytes and written 450 bytes
---
Verify return code: 21 (unable to verify the first certificate)
The same thing I got when I ran the command on local ldap server too.
Are the certificates not OK? If this is so, how am I able to run ldapsearch with the "-ZZ" option?
Regards Asimananda
On Tue, Sep 22, 2009 at 10:15 AM, Asimananda Mohanty <asimananda.mohanty@gmail.com> wrote:
[...]
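The `openssl s_client` output above is easy to misread: s_client does not read ldap.conf, so the TLS_CACERT that makes ldapsearch succeed is not used unless the same CA file is passed explicitly with `-CAfile /etc/ssl/certs/ca-cert.pem`. Verify errors 20 and 21 mean the issuer was not found in the trust store the tool was given, not that the certificate itself is broken. The following is an added example, not code from the thread or from OpenSSL; it parses the verify lines of s_client output and maps the final return code to what to check next. The sample output is constructed from the lines quoted in the thread, and the table includes a few X509 verify codes the thread does not show (18, 19 and the hostname-mismatch code 62):

```python
"""Interpret the 'verify error' / 'Verify return code' lines of
`openssl s_client` output.

Added example; not part of the original thread. SAMPLE is constructed
from the output quoted in the thread."""
import re

VERIFY_ERR = re.compile(r"^verify error:num=(\d+):(.*)$", re.M)
VERIFY_RC = re.compile(r"^Verify return code: (\d+) \((.*)\)$", re.M)

# Subset of OpenSSL X509_V_ERR_* result codes and what a defender should
# check for each. 0 means the chain verified.
HINTS = {
    0: "chain verified; if a client still refuses the session, check that the "
       "host in the URL matches the certificate's CN/SAN",
    18: "self-signed leaf: the client must be given exactly this certificate as CA",
    19: "self-signed root is not trusted: pass the CA certificate (-CAfile) "
        "or add it to the trust store",
    20: "issuer not found: the client was not given the CA certificate "
        "(-CAfile for s_client, TLS_CACERT for libldap)",
    21: "leaf could not be verified: the client was not given the CA certificate",
    62: "certificate names do not match the host you connected to "
        "(connect by the DNS name in the CN/SAN, not by IP)",
}


def parse_verify(output: str) -> dict:
    """Extract every intermediate verify error and the final return code."""
    errors = [(int(num), msg.strip()) for num, msg in VERIFY_ERR.findall(output)]
    match = VERIFY_RC.search(output)
    rc = int(match.group(1)) if match else None
    return {"errors": errors, "return_code": rc, "verified": rc == 0}


def explain(result: dict) -> str:
    """Turn a parse_verify() result into the next thing to check."""
    rc = result["return_code"]
    if rc is None:
        return "no 'Verify return code' line found; did the handshake complete?"
    return HINTS.get(rc, f"verify return code {rc}: see the openssl-verify(1) "
                         "man page for its meaning")


def diagnose(output: str) -> tuple:
    """Convenience wrapper: (return_code, hint)."""
    result = parse_verify(output)
    return result["return_code"], explain(result)


# Constructed from the s_client output quoted in the thread.
SAMPLE = """\
verify error:num=20:unable to get local issuer certificate
verify return:1
verify error:num=21:unable to verify the first certificate
verify return:1
No client certificate CA names sent
---
SSL handshake has read 1162 bytes and written 450 bytes
---
Verify return code: 21 (unable to verify the first certificate)
"""

if __name__ == "__main__":
    rc, hint = diagnose(SAMPLE)
    print(f"return code {rc}: {hint}")
```

Run s_client twice, once as in the thread and once with `-CAfile` pointing at the CA the ldap.conf uses, and feed each output to `diagnose`; a return code of 0 on the second run shows the certificate chain itself is sound, which narrows the Apache problem to the name in the URL. On OpenSSL 1.1.0 and later, `-verify_hostname <name>` makes s_client perform the host-name check as well.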
Hi All, Finally, I am able to solve the issue.
I just replaced the IP address used in AuthLDAPUrl in httpd.conf of apache with the hostname that has been used during creating the certificate (CN) and that worked for me.
Thank you very much for all the support.
Regards Asimananda
On Tue, Sep 22, 2009 at 10:49 AM, Asimananda Mohanty <asimananda.mohanty@gmail.com> wrote:
[...]
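The resolution above is a host-name verification failure, not a certificate defect: a client that checks the peer certificate (libldap with `TLS_REQCERT demand`, which is what mod_ldap uses when Apache is linked against OpenLDAP) compares the host part of the URL with the certificate's names, and a numeric IP address never matches a DNS name in the CN or SAN, only an iPAddress SAN. The following is an added example, not code from the thread or from Apache or OpenLDAP; it implements that matching rule and applies it to the host inside an AuthLDAPUrl value before httpd.conf is edited. The certificate names and the IP 192.0.2.10 are constructed (the DNS name is the one the thread uses), and `check_auth_ldap_url` is a hypothetical helper:

```python
"""Why an IP address in AuthLDAPUrl fails against a certificate issued to
a host name, and how to catch it before editing httpd.conf.

Added example; not part of the original thread. Certificate names and
the IP address below are constructed."""
import ipaddress
from urllib.parse import urlsplit


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, a single '*' allowed only
    as the whole leftmost label and only with at least two labels after it."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3 or p_labels[0] != "*":
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches(target: str, dns_names, ip_names=()) -> bool:
    """Would a verifying client accept this certificate for this connect target?
    An IP literal is only compared with iPAddress SAN entries; a host name is
    compared with the DNS names (CN and dNSName SANs)."""
    if _is_ip(target):
        wanted = ipaddress.ip_address(target)
        return any(ipaddress.ip_address(ip) == wanted for ip in ip_names)
    return any(dns_name_matches(name, target) for name in dns_names)


def check_auth_ldap_url(url: str, dns_names, ip_names=()) -> tuple:
    """Hypothetical helper: (ok, reason) for the host in an AuthLDAPUrl value
    of the form ldap[s]://host[:port]/basedn?attribute?scope?filter."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        return False, f"unexpected scheme {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if cert_matches(host, dns_names, ip_names):
        return True, f"{host} matches the certificate"
    kind = "IP literal" if _is_ip(host) else "host name"
    hint = f"; use one of {list(dns_names)} in the URL" if dns_names else ""
    return False, f"{kind} {host} is not among the certificate's names{hint}"


# Constructed certificate: issued to the DNS name used in the thread, no IP SAN.
CERT_DNS_NAMES = ["ldap-company.com"]

if __name__ == "__main__":
    for url in ("ldaps://192.0.2.10/dc=ldap-company,dc=com?uid",
                "ldaps://ldap-company.com/dc=ldap-company,dc=com?uid"):
        ok, reason = check_auth_ldap_url(url, CERT_DNS_NAMES)
        print(f"{'OK ' if ok else 'BAD'} {url}: {reason}")
```

The same rule explains why the local ldapsearch kept working: it was given `ldaps://ldap-company.com`, the name in the certificate, while httpd.conf used the IP. If a deployment must connect by IP, the certificate needs an iPAddress SAN for that address; disabling verification on the Apache side is the option to avoid, since it removes the only check that the directory answering on port 636 is the intended one.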
Hi Asimananda,
On Fri, Jul 10, 2009 at 7:00 AM, Asimananda Mohanty asimananda.mohanty@gmail.com wrote:
But after this, when I tried to restart slapd, I got errors like the following :
main: TLS init def ctx failed: -1
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem #olcTLSCertificateFile: /etc/ssl/certs/server.crt #olcTLSCertificateKeyFile: /etc/ssl/private/server.key
You may have run into apparmor issues. Do you see any apparmor audit messages related to slapd in the logs?
See https://wiki.ubuntu.com/DebuggingApparmor for more information on debugging apparmor profiles.
-- Mathias Gug Ubuntu Developer http://www.ubuntu.com
Hi Mathias,
I can only see the following audit messages in kern.log
type=1505 audit(1247115970.253:20): operation="profile_replace" name="/usr/sbin/slapd" name2="default"
I don't see any messages in kern.log while restarting slapd either.
Thanks for the reply.
-Asimananda
On Fri, Jul 10, 2009 at 9:18 PM, Mathias Gug mathiaz@ubuntu.com wrote:
[...]
openldap-technical@openldap.org