Hello,
I play around a little bit with the OpenLDAP 2.5alpha. I'm trying the new overlay for the certificates. I start with the configuration with slapd.conf, because it's faster to change ;-). I started with the two lines from the manpage:
--------
overlay autoca
caKeybits 4096
-------
The first start of the slapd failed with the error message:
---------
Oct 20 20:39:47 ldap25 systemd[1]: slapd-current.service: Control process exited, code=exited, status=1/FAILURE
Oct 20 20:39:47 ldap25 systemd[1]: slapd-current.service: Failed with result 'exit-code'.
---------
I checked the config, everything was ok, I tried it a second time and then the slapd started without problem. This happens after nearly every change of the parameters for this overlay. First start failed, second start was ok without any change in the configuration.
Now, when I do an ldapsearch I see:
---------
dn: dc=example,dc=net
objectClass: domain
objectClass: dcObject
objectClass: autoCA
dc: example
cACertificate;binary:: MIIFcDCCA1igAwIBAgIJAKh3GIChqUPoMA0GCSqGSIb3DQEBCwUAMC4 ... VYd8XlDNv6d/04FDyEqKH9KAV5RMXiI9GHbQ==
---------
Then I did the following changes in my configuration:
---------
overlay autoca
caKeybits 4096
userClass inetOrgPerson
userKeybits 4096
serverClass ipHost
serverKeybits 4096
---------
Because it's a TEST SYSTEM my ACLs are set:
---------
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to attrs=pKCS8PrivateKey by self ssf=128 write
access to * by self write by users read by anonymous auth
---------
But when I create a user or a server there is no certificate. The manpage says:
---------
Certificates for users and servers are generated on demand using a Search request
---------
But I never saw any certificate. As a user I search for my own object, but I don't see any certificate. Can I (if it works ;-) ) use the server certificate for TLS? Where can I find some more information about autoca?
Thanks for any help
Stefan
Stefan Kania wrote:
But when I create a user or a server there is no certificate. The manpage says:
Certificates for users and servers are generated on demand using a Search request
The manpage says, exactly:
Certificates for users and servers are generated on demand using a Search request returning only the userCertificate;binary and userPrivateKey;binary attributes. Any Search for anything besides exactly these two attributes is ignored by the overlay.
On 20.10.20 at 22:20, Howard Chu wrote:
Stefan Kania wrote:
But when I create a user or a server there is no certificate. The manpage says:
Certificates for users and servers are generated on demand using a Search request
The manpage says, exactly:
Certificates for users and servers are generated on demand using a Search request returning only the userCertificate;binary and userPrivateKey;binary attributes. Any Search for anything besides exactly these two attributes is ignored by the overlay.
That's what I did:
-------------------
root@ldap25:~# ldapsearch -x -LLL -D "cn=user1 ldap,ou=users,dc=example,dc=net" -W -H ldap://ldap25 -b dc=example,dc=net "cn=user1 ldap"
Enter LDAP Password:
dn: cn=user1 ldap,ou=users,dc=example,dc=net
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
loginShell: /bin/bash
homeDirectory: /home/u1-ldap
uid: u1-ldap
uidNumber: 10000
gidNumber: 10000
sn: ldap
givenName: user1
userPassword:: e1NTSEF9L3lXMWxVUXdiVkNiTTNsdk1BK0VxQzhSdG9OUVV6Vlg=
cn: user1 ldap

root@ldap25:~# ldapsearch -x -LLL -D "cn=user1 ldap,ou=users,dc=example,dc=net" -W -H ldap://ldap25 -b dc=example,dc=net "cn=user1 ldap" "userCertificate;binary" "userPrivateKey;binary"
Enter LDAP Password:
dn: cn=user1 ldap,ou=users,dc=example,dc=net
------------------
For the dc object it works:
------------------
root@ldap25:~# ldapsearch -x -LLL -D "cn=admin,dc=example,dc=net" -W -H ldap://ldap25 -b dc=example,dc=net "dc=example" "cACertificate;binary"
Enter LDAP Password:
dn: dc=example,dc=net
cACertificate;binary:: MIIFcDCCA1igAwIBAgIJAKh3GIChqUPoMA0GCSqGSIb3DQEBCwUAMC4 ....
------------------
Stefan Kania wrote:
On 20.10.20 at 22:20, Howard Chu wrote:
Stefan Kania wrote:
But when I create a user or a server there is no certificate. The manpage says:
Certificates for users and servers are generated on demand using a Search request
The manpage says, exactly:
Certificates for users and servers are generated on demand using a Search request returning only the userCertificate;binary and userPrivateKey;binary attributes. Any Search for anything besides exactly these two attributes is ignored by the overlay.
That's what I did:
I suggest you run test066 in the test suite and follow its steps.
On 20.10.20 at 22:54, Howard Chu wrote:
Stefan Kania wrote:
On 20.10.20 at 22:20, Howard Chu wrote:
Stefan Kania wrote:
But when I create a user or a server there is no certificate. The manpage says:
Certificates for users and servers are generated on demand using a Search request
The manpage says, exactly:
Certificates for users and servers are generated on demand using a Search request returning only the userCertificate;binary and userPrivateKey;binary attributes. Any Search for anything besides exactly these two attributes is ignored by the overlay.
That's what I did:
I suggest you run test066 in the test suite and follow its steps.
Now it's working. My problem was that I tried to override the objectClass for autoca with:
userClass inetOrgPerson
But this did not work. I removed the line from the config; now, searching for a user or a host the first time with:
-------
ldapsearch -xZZ -LLL -D "cn=admin,dc=example,dc=net" -W "cn=user2 ldap" "userCertificate;binary" "userPrivateKey;binary"
-------
the certificate and key will be created. On every later search for the user, the certificate is listed even without "userCertificate;binary" "userPrivateKey;binary".
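As an added example (not code from the thread or from OpenLDAP), the following Python builds the ldapsearch call that triggers autoca generation, requesting exactly the two attributes the manpage names, and checks an LDIF result for them: it unfolds continuation lines, decodes the `::` base64 values and verifies each blob is at least a well-formed outer DER SEQUENCE. The sample LDIF and its tiny DER blob are constructed, not real server output; the hostname and DNs are the thread's own.

```python
import base64
import shlex
# The two attributes the autoca manpage names; a Search must request exactly
# these (and nothing else) for the overlay to generate a certificate and key.
AUTOCA_ATTRS = ("userCertificate;binary", "userPrivateKey;binary")

def autoca_search_cmd(binddn, base, filt, uri="ldap://ldap25"):
    """Build the ldapsearch invocation from the thread, requesting only the autoca attributes."""
    argv = ["ldapsearch", "-x", "-LLL", "-D", binddn, "-W", "-H", uri, "-b", base, filt, *AUTOCA_ATTRS]
    return " ".join(shlex.quote(a) for a in argv)

def parse_ldif_entry(ldif):
    """Parse one LDIF entry: unfold space-continued lines, decode '::' base64 values."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:          # continuation of the previous line
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, rest = line.partition(":")
        if rest.startswith(":"):                   # '::' marks a base64-encoded value
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.strip().encode()
        attrs.setdefault(name, []).append(value)
    return attrs

def der_envelope_ok(blob):
    """Sanity check only: outer DER SEQUENCE (0x30) whose length covers the whole blob."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    n = blob[1] & 0x7F if blob[1] >= 0x80 else 0   # long form: 0x8N then N length bytes
    if blob[1] >= 0x80 and (n == 0 or len(blob) < 2 + n):
        return False                               # indefinite or truncated length
    length = int.from_bytes(blob[2:2 + n], "big") if n else blob[1]
    return 2 + n + length == len(blob)

def autoca_status(ldif):
    """Per autoca attribute: is it present in the entry, and is every value DER-shaped?"""
    entry = parse_ldif_entry(ldif)
    return {a: a in entry and all(der_envelope_ok(v) for v in entry[a]) for a in AUTOCA_ATTRS}

# Constructed LDIF (not real output): a minimal DER SEQUENCE stands in for the blobs; the certificate value is folded.
SAMPLE_LDIF = """dn: cn=user2 ldap,ou=users,dc=example,dc=net
userCertificate;binary:: MAMC
 AQE=
userPrivateKey;binary:: MAMCAQE=
"""
```

Run `autoca_status` over the output of the first search for a user to confirm that generation happened; an entry that only returns its dn, as in the thread's failed attempt, reports both attributes as missing.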
openldap-technical@openldap.org