List,
It would be great if someone can share a doc on TLS with OpenLDAP configuration on SLES 11; I tried all the possible ways to make it happen but no luck.
I tried with both yast2 and with CA.pl and openssl commands, but no luck. When I do netstat -lnap | grep ldap it shows both ports 636 and 389 listening on the hostname; when I check the logs, the destination port it shows is 389.
But when I try ldapsearch -x -H ldaps://hostname, it's also showing me the LDAP contents. Don't know what's wrong. I also tried to open /etc/sysconfig/openldap and assigned the LDAP service to run on 127.0.0.1, but if I do so then it's not able to get the server.
Please help.
Regards, Neo
Hello,
I don't clearly understand what you're trying to achieve?
There are two possible ways to do encrypted connections:
- with StartTLS via Port 389 (ldap:// - non-encrypted connections are still possible, if configured in your slapd config)
- with SSL/TLS via 639 (ldaps://)
You can disable/enable each way in your /etc/sysconfig/openldap file.
Please read this: http://www.openldap.org/faq/data/cache/185.html
Bye, Benjamin
On Sat, Aug 27, 2011 at 12:00, pradyumna dash <neomatrixgem@gmail.com> wrote:
Hi,
I want to achieve ldaps, that means all the communication should use port 636; I have changed the parameters in the /etc/openldap/sysconfig file, but no luck.
Regards, Pradyumna
On Sat, Aug 27, 2011 at 12:11 PM, Benjamin Griese <der.darude@gmail.com> wrote:
Hi,
pradyumna dash wrote on 27.08.2011 12:23:
> I want to achieve ldaps, that means all the communication should use port 636; I have changed the parameters in the /etc/openldap/sysconfig file, but no luck.
I don't understand what you want, either. As you wrote, "netstat -lnap | grep ldap it shows both 636 and 389 port listening" and "ldapsearch -x -H ldaps://hostname, it's also showing me the ldap contents", which is what you want: ldaps.
If you do not like to open port 389 - what you did not write - you should check /etc/sysconfig/openldap:
# If set to "no" the LDAP server will not accept any "normal" LDAP connections
# but just connections over "ldaps" or "ldapi". Setting this to "no" does only
# make sense when either OPENLDAP_START_LDAPS or OPENLDAP_START_LDAPI is set
# "yes".
#
OPENLDAP_START_LDAP="yes"
Marc
On Saturday, 27 August 2011 12:23:38 pradyumna dash wrote:
> Hi,
> I want to achieve ldaps, that means all the communication should use port 636,
You had done the configuration to *allow* encrypted communication.
> I have changed the parameters in the /etc/openldap/sysconfig file, but no luck.
Well, I don't know which of the following two you are trying to achieve:
1) Force all communication to be to a process listening on port 636
2) Force all communication to be via ldaps:///
3) Force all communication to be encrypted to a specific strength
Note that (1) may not achieve (3), and (2) might prevent clients that are capable of achieving (3) but not (2) from working.
Most likely you want to look at the 'security' statement covered in slapd.conf(5) to achieve (3).
Regards, Buchan
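Marc's excerpt from /etc/sysconfig/openldap and Buchan's three goals describe the same trade-off from two sides: the OPENLDAP_START_* switches decide which listeners slapd opens, while the 'security' directive in slapd.conf(5) decides whether a connection that arrives in the clear is actually allowed to do anything. The following audit script is an added example, not code from the thread or from the OpenLDAP project; it parses constructed copies of the two files (the real ones live on the server) and reports which listeners will be open and whether plaintext LDAP on 389 is still accepted. It assumes the OPENLDAP_START_LDAP / OPENLDAP_START_LDAPS / OPENLDAP_START_LDAPI keys quoted by Marc and the ssf= / tls= keywords of the 'security' directive; the sample file contents are constructed.

```python
"""Audit a SLES 11 OpenLDAP setup for the three goals Buchan distinguishes.

Added example (not from the list thread). It reads constructed copies of
/etc/sysconfig/openldap and slapd.conf and reports which listeners slapd
will open and whether unencrypted LDAP on port 389 is still usable.
"""
import re

# Constructed sample of /etc/sysconfig/openldap with ldap:// and ldaps:// both on.
SYSCONFIG_SAMPLE = '''
# If set to "no" the LDAP server will not accept any "normal" LDAP connections
OPENLDAP_START_LDAP="yes"
OPENLDAP_START_LDAPS="yes"
OPENLDAP_START_LDAPI="no"
'''

# Constructed sample of slapd.conf: TLS is configured, but no minimum
# strength is enforced because the 'security' line is commented out.
SLAPD_CONF_SAMPLE = '''
TLSCertificateFile /etc/ssl/servercerts/servercert.pem
TLSCertificateKeyFile /etc/ssl/servercerts/serverkey.pem
# security ssf=128
'''


def parse_sysconfig(text):
    """Return {KEY: value} for KEY="value" lines, ignoring comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'^([A-Z_][A-Z0-9_]*)\s*=\s*"?([^"]*)"?\s*$', line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def listeners(conf):
    """URLs slapd will listen on, derived from the OPENLDAP_START_* switches."""
    urls = []
    if conf.get("OPENLDAP_START_LDAP", "yes").lower() == "yes":
        urls.append("ldap:///")      # TCP 389: plaintext unless the client does StartTLS
    if conf.get("OPENLDAP_START_LDAPS", "no").lower() == "yes":
        urls.append("ldaps:///")     # TCP 636: TLS from the first byte
    if conf.get("OPENLDAP_START_LDAPI", "no").lower() == "yes":
        urls.append("ldapi:///")     # unix-domain socket, local clients only
    return urls


def security_requirements(slapd_conf):
    """Collect ssf= and tls= minimums from 'security' directives in slapd.conf.

    ssf= is the overall strength required for any operation (TLS or SASL
    may satisfy it); tls= demands that strength from TLS specifically.
    Commented-out lines are ignored, as slapd itself ignores them.
    """
    req = {"ssf": 0, "tls": 0}
    for line in slapd_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.lower().startswith("security"):
            continue
        for key, val in re.findall(r'(\w+)=(\d+)', line):
            if key in req:
                req[key] = max(req[key], int(val))
    return req


def audit(sysconfig_text, slapd_conf_text):
    """Combine both files into a list of findings for the administrator."""
    urls = listeners(parse_sysconfig(sysconfig_text))
    sec = security_requirements(slapd_conf_text)
    findings = []
    if "ldaps:///" not in urls:
        findings.append('ldaps:// listener (636) is off: set OPENLDAP_START_LDAPS="yes"')
    # Goal (3): a 389 listener is harmless only if slapd refuses weak sessions.
    if "ldap:///" in urls and sec["ssf"] == 0 and sec["tls"] == 0:
        findings.append('plaintext LDAP on 389 is accepted: set OPENLDAP_START_LDAP="no" '
                        "or add 'security ssf=128' to slapd.conf")
    return {"listeners": urls, "security": sec, "findings": findings}


if __name__ == "__main__":
    for f in audit(SYSCONFIG_SAMPLE, SLAPD_CONF_SAMPLE)["findings"] or ["no findings"]:
        print(f)
```

Disabling the 389 listener is Buchan's option (1) and will break clients that only know StartTLS; keeping 389 open with 'security ssf=128' (his option (3)) lets both ldaps:// and StartTLS clients work while refusing anything unencrypted. Whichever you pick, verify from a client with ldapsearch -x -H ldaps://hostname and ldapsearch -x -ZZ -H ldap://hostname (-ZZ fails the search if StartTLS cannot be negotiated) rather than trusting netstat output alone.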
Hi,
Thanks for your valuable comments,
What I would like to configure is ldaps://. I did it with the RHAT distribution before, but don't know why it's not working in SLES. I am sure I am doing something wrong.
I am just trying the steps once again, and will update you all.
But if you have any good URL for the above, please share.
Regards, Pradyumna
On Mon, Aug 29, 2011 at 1:25 PM, Buchan Milne <bgmilne@staff.telkomsa.net> wrote:
Hi,
Thanks for your suggestions, now I am able to fix this issue.
The issue was in my ldap.conf file; I just did "ssl on", and now everything seems to be working. I also modified the /etc/sysconfig/openldap file.
Regards, Pradyumna
On Mon, Aug 29, 2011 at 1:34 PM, pradyumna dash <neomatrixgem@gmail.com> wrote:
openldap-technical@openldap.org