Hi,
I am using openldap-2.4.19-4.x86_64 on a Fedora 12 machine. I have enabled OpenLDAP SSL/TLS. How do I know (test) that I am using SSL/TLS connections instead of normal ldap:///?
With the option -ZZ, I think; try this:
ldapsearch -x -LLL -ZZ -d 150
> On Mon, Dec 12, 2011 at 11:21 AM, Jayavant Patil <jayavant.patil82@gmail.com> wrote:
> Hi,
> I am using openldap-2.4.19-4.x86_64 on a Fedora 12 machine. I have enabled OpenLDAP SSL/TLS. How do I know (test) that I am using SSL/TLS connections instead of normal ldap:///?
> --
> Thanks & Regards, Jayavant Ningoji Patil, Engineer: System Software, Computational Research Laboratories Ltd., Pune-411 004, Maharashtra, India. +91 9923536030.
Hi,
On Mon, Dec 12, 2011 at 4:19 PM, reyman <reyman64@gmail.com> wrote:
> With the option -ZZ, I think; try this:
> ldapsearch -x -LLL -ZZ -d 150
Yeah, it shows output containing ber_dump, ldap_write, ldap_read, tls_write, tls_read etc. But at the end it shows the following:
TLS certificate verification: Error, self signed certificate
TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate).
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate)
Why does it show an error, and how do I resolve this?
And when I do ldapsearch with the -ZZ option it gives an error:
$ ldapsearch -x -v -D "cn=root,dc=abc,dc=com" -w cluster -b "ou=People,dc=abc,dc=com" "uid=ldap_6" -h n0 -ZZ
ldap_initialize( ldap://n0 )
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
You have a self-signed certificate, so you don't need to verify your certificate. When you activate TLS on LDAP, you only need these two lines, and you don't need the line with certificate verification (olcTLSCACertificateFile):

dn: cn=config
changetype: modify
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/myKey/{name_of_your_server}_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/myKey/{name_of_your_server}_slapd_key.pem
reyman wrote:
> You have a self-signed certificate,
Correct.
> so you don't need to verify your certificate. When you activate TLS on LDAP, you only need these two lines, and you don't need the line with certificate verification (olcTLSCACertificateFile):
Wrong.
RTFM.
http://www.openldap.org/doc/admin24/tls.html
On 12/12/2011 19:24, Howard Chu wrote:
> reyman wrote:
>> You have a self-signed certificate,
> Correct.
>> so you don't need to verify your certificate. When you activate TLS on LDAP, you only need these two lines, and you don't need the line with certificate verification (olcTLSCACertificateFile):
> Wrong.
It's true and false; with Debian and OpenLDAP compiled with GnuTLS (my case), I read this documentation: http://wiki.debian.org/LDAP/OpenLDAPSetup and they said:
Procedure:
You're going to need the GnuTLS certificate generator, certtool: http://www.gnu.org/software/gnutls/manual/html_node/Invoking-certtool.html
Run these two commands to generate a new self-signed key (into the current working directory):
certtool --generate-privkey --outfile ca-key.pem
certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem
Then, update your certificate locations in /etc/ldap/slapd.conf (TLSCertificateFile points to ca-cert.pem and TLSCertificateKeyFile points to ca-key.pem), comment out TLSCACertificateFile, and change TLSVerifyClient to never.
In /etc/ldap/ldap.conf, comment out TLS_CACERT and change TLS_REQCERT to never.
Since the certificate is self-signed, we can't have GnuTLS trying to verify it (hence the never), otherwise it will never run.
And RTFM is a little violent; I try to help with my little experience, I'm not an expert for sure.
Best regards, SR.
rey sebastien wrote:
> It's true and false; with Debian and OpenLDAP compiled with GnuTLS (my case), I read this documentation: http://wiki.debian.org/LDAP/OpenLDAPSetup and they said:
Pure garbage.
> Procedure:
> You're going to need the GnuTLS certificate generator, certtool: http://www.gnu.org/software/gnutls/manual/html_node/Invoking-certtool.html
> Run these two commands to generate a new self-signed key (into the current working directory):
> certtool --generate-privkey --outfile ca-key.pem
> certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem
> Then, update your certificate locations in /etc/ldap/slapd.conf (TLSCertificateFile points to ca-cert.pem and TLSCertificateKeyFile points to ca-key.pem), comment out TLSCACertificateFile, and change TLSVerifyClient to never.
> In /etc/ldap/ldap.conf, comment out TLS_CACERT and change TLS_REQCERT to never.
This is utterly bogus. Turning off these checks disables any spoofing detection; you might as well run without TLS at all.
> Since the certificate is self-signed, we can't have GnuTLS trying to verify it (hence the never), otherwise it will never run.
> And RTFM is a little violent; I try to help with my little experience, I'm not an expert for sure.
RTFM is exactly the correct response.
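A small checker for the client-side settings at issue in this exchange, added here as an example; it is not part of the thread or of OpenLDAP itself. It parses the ldap.conf keywords the Debian excerpt tells you to change (TLS_CACERT, TLS_REQCERT), flags the settings that discard verification, and maps the missing-trust-anchor case to the "certificate verify failed (self signed certificate)" error quoted earlier in the thread. The three sample configurations and the certificate path /etc/ssl/certs/ca-cert.pem are constructed for the example.

```python
"""Constructed example: audit the client-side TLS settings of an OpenLDAP
ldap.conf, written from the defender's side of the discussion above.

Keyword semantics follow ldap.conf(5): TLS_REQCERT defaults to 'demand', and
TLS_CACERT / TLS_CACERTDIR name the trust anchors used to verify the server
certificate.  A self-signed slapd certificate is its own trust anchor, so the
fix for "certificate verify failed (self signed certificate)" is to install
that certificate as TLS_CACERT, not to set TLS_REQCERT never.
"""

# Constructed sample: the client settings the Debian wiki excerpt recommends
# (TLS_CACERT commented out, TLS_REQCERT never).
WEAK_LDAP_CONF = """\
BASE        dc=abc,dc=com
URI         ldap://n0
#TLS_CACERT /etc/ssl/certs/ca-cert.pem
TLS_REQCERT never
"""

# Constructed sample: nothing TLS-related set, so the default 'demand'
# applies but no trust anchor exists.  This is the state that produces the
# "certificate verify failed" error quoted in the thread.
UNANCHORED_LDAP_CONF = """\
BASE        dc=abc,dc=com
URI         ldap://n0
"""

# Constructed sample: the same self-signed certificate, but the client trusts
# exactly that certificate and still insists on verifying it.
HARDENED_LDAP_CONF = """\
BASE        dc=abc,dc=com
URI         ldap://n0
TLS_CACERT  /etc/ssl/certs/ca-cert.pem
TLS_REQCERT demand
"""

# Finding codes and what each means for the person running the client.
FINDINGS = {
    "REQCERT_NEVER": "TLS_REQCERT never: the server certificate is neither requested "
                     "nor checked, so any host answering on the socket is accepted.",
    "REQCERT_ALLOW": "TLS_REQCERT allow: a bad server certificate is ignored and the "
                     "session proceeds.",
    "REQCERT_TRY": "TLS_REQCERT try: a bad certificate ends the session, but a "
                   "missing one is accepted.",
    "NO_TRUST_ANCHOR": "verification is required but no TLS_CACERT/TLS_CACERTDIR is "
                       "set: a self-signed slapd certificate fails with "
                       "'certificate verify failed' (the error seen in the thread).",
}


def parse_ldap_conf(text):
    """Return {KEYWORD: value} for the active lines of an ldap.conf.

    Keywords are case-insensitive (upper-cased here), comment lines start
    with '#', and the value is everything after the first run of whitespace.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit_tls(settings):
    """Return the list of finding codes for parsed ldap.conf settings."""
    findings = []
    reqcert = settings.get("TLS_REQCERT", "demand").lower()  # default per ldap.conf(5)
    has_anchor = bool(settings.get("TLS_CACERT") or settings.get("TLS_CACERTDIR"))

    if reqcert == "never":
        findings.append("REQCERT_NEVER")
    elif reqcert == "allow":
        findings.append("REQCERT_ALLOW")
    elif reqcert == "try":
        findings.append("REQCERT_TRY")

    # 'try', 'demand' and 'hard' all reject a certificate that does not chain
    # to a configured anchor; with nothing configured, a self-signed
    # certificate can never pass.
    if reqcert in ("try", "demand", "hard") and not has_anchor:
        findings.append("NO_TRUST_ANCHOR")
    return findings


def report(name, text):
    """Print a human-readable summary for one configuration; return the codes."""
    codes = audit_tls(parse_ldap_conf(text))
    status = "OK" if not codes else f"{len(codes)} finding(s)"
    print(f"{name}: {status}")
    for code in codes:
        print(f"  [{code}] {FINDINGS[code]}")
    return codes


if __name__ == "__main__":
    report("weak (Debian wiki excerpt)", WEAK_LDAP_CONF)
    report("unanchored (default demand, no CA)", UNANCHORED_LDAP_CONF)
    report("hardened (self-signed cert as anchor)", HARDENED_LDAP_CONF)
```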
On 12/12/2011 21:07, Howard Chu wrote:
> This is utterly bogus. Turning off these checks disables any spoofing detection; you might as well run without TLS at all.
IMHO I know this problem, but I think this is better than nothing, and actually I have nothing. I wait for a valid certificate... And sorry, but your RTFM answer doesn't help me resolve this problem with GnuTLS and Debian; I took many hours to find a valid solution in my use case, and the manual doesn't help me particularly on this point.
OpenLDAP is great software, but the documentation is a little "cryptic" for a beginner like me, so I think it's easy to be rude with beginners on many points.
Best regards, SR.
On 12.12.2011 21:55, rey sebastien wrote:
> IMHO I know this problem, but I think this is better than nothing, and actually I have nothing. I wait for a valid certificate... And sorry, but your RTFM answer doesn't help me resolve this problem with GnuTLS and Debian; I took many hours to find a valid solution in my use case, and the manual doesn't help me particularly on this point.
On Debian: you should compile OpenLDAP with OpenSSL support and not use the dpkg package from the Debian apt repos...
> In /etc/ldap/ldap.conf, comment out TLS_CACERT and change TLS_REQCERT to never.
Like Howard Chu said, bad idea; just for testing or what else...
After that, you are right, you and others, to point out the old Debian package, so I'm trying to recompile the latest release with OpenSSL. This is the best solution, I agree.
I tried to compile with these options:
./configure --with-tls=openssl --with-threads --with-cyrus-sasl --enable-crypt --enable-debug --enable-cleartext --enable-spasswd --enable-dynacl --enable-aci --enable-modules --enable-wrappers --enable-rewrite --enable-rlookups
After configure, I ran make depend, make, make install; all executions are OK. After that, how can I install LDAP as a service, Debian style (service slapd start | stop | restart)?
Thanks again, Sr
On 12/13/2011 10:12 AM, rey sebastien wrote:
> After that, you are right, you and others, to point out the old Debian package, so I'm trying to recompile the latest release with OpenSSL. This is the best solution, I agree.
> I tried to compile with these options:
> ./configure --with-tls=openssl --with-threads --with-cyrus-sasl --enable-crypt --enable-debug --enable-cleartext --enable-spasswd --enable-dynacl --enable-aci --enable-modules --enable-wrappers --enable-rewrite --enable-rlookups
> After configure, I ran make depend, make, make install; all executions are OK. After that, how can I install LDAP as a service, Debian style (service slapd start | stop | restart)?
If you load the sources with apt-src, there's a Debian init script available in the OpenLDAP sources (debian folder); just copy the script into your init.d folder and create the symlinks with update-rc.d. That's the simplest way, or find the script online or extract it from the deb package...
On Tue, 13 Dec 2011 11:08:43 CET, Raffael Sahli wrote:
On 12/13/2011 10:12 AM, rey sebastien wrote:
After what, you are right, you and other to point the old debian package, so i try to recompile the last release with open-ssl. This is the best solution, i agree.
I try to compile with this option : ./configure --with-tls=openssl --with-threads --with-cyrus-sasl --enable-crypt --enable-debug --enable-cleartext --enable-spasswd --enable-dynacl --enable-aci --enable-modules --enable-wrappers --enable-rewrite --enable-rlookups
After configure, i make-depend, make, make install; all execution are ok, after that, how can i install ldap as a service ? like debian style => service slapd start | stop | restart ?
If you load the sources with apt-src, there's a debian init script available in the openldap sources (debian folder, just copy the script into you init.d folder and create the symlinks with update-rc.d). That's the simplest way, or find the script online or extract it from the deb package....
Thanks again, Sr
Le 12/12/2011 22:17, Raffael Sahli a écrit :
On 12.12.2011 21:55, rey sebastien wrote:
Le 12/12/2011 21:07, Howard Chu a écrit :
rey sebastien wrote:
Le 12/12/2011 19:24, Howard Chu a écrit : > reyman wrote: >> You have a self signed certificate, > > Correct. > >> so you don't need to verify your certificate. >> When you activate the tls on ldap, you only need this two >> lines, and you don't >> need the line with certificate >> verification*olcTLSCACertificateFile : * > > Wrong. It true and false, with debian and openLdap compiled with GnuTLS (my case), i read this documentation : http://wiki.debian.org/LDAP/OpenLDAPSetup and they said :
Pure garbage.
Procedure:
You're going to need the gnutls certificate generator: certtool http://www.gnu.org/software/gnutls/manual/html_node/Invoking-certtool.html.
Run these two commands to generate a new self-signed key (into the current working directory):
certtool --generate-privkey --outfile ca-key.pem certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem
Then, update your certificate locations in /etc/ldap/slapd.conf (TLSCertificateFile points to ca-cert.pem and TLSCertificateKeyFile points to ca-key.pem), *comment out TLSCACertificateFile*, and change *TLSVerifyClient to never.*
In /etc/ldap/ldap.conf, comment out TLS_CACERT and change TLS_REQCERT to never.
This is utterly bogus. Turning off these checks disables any spoofing detection; you might as well run without TLS at all.
IMHO I know this problem, but I think this is better than nothing, and actually I have nothing. I am waiting for a valid certificate... And sorry, but your RTFM answer doesn't help me to resolve this problem with GnuTLS and Debian; I took many hours to find a valid solution for my use case, and the manual doesn't help me particularly on this point.
On Debian: you should compile OpenLDAP with OpenSSL support and not use the dpkg package from the Debian apt repos...
> In /etc/ldap/ldap.conf, comment out TLS_CACERT and change TLS_REQCERT to never.
Like Howard Chu said, bad idea, just for testing or the like.....
OpenLDAP is great software, but its documentation is a little "cryptic" for a beginner like me, so I think it's easy to be rude to beginners on many points.
Best regards, SR.
Since the certificate is self-signed, we can't have gnutls trying to verify it (hence the never), otherwise it will never run.
And RTFM is a little violent; I try to help with my little experience, I'm not an expert for sure.
RTFM is exactly the correct response.
Best regards, SR.
>
> RTFM.
>
> http://www.openldap.org/doc/admin24/tls.html
OK thanks, I found the script and reconfigured it.
I am looking for more information to make a good fresh install. After removing the Debian package, I still have an openldap user and group. Do you think I can delete this user, or is it better to reuse it for better security? For example, can I install all the LDAP files into the /home/openldap user directory (with the --prefix option equal to /home/openldap)? Do you have a list/tutorial which indicates the files that need the openldap:openldap user to execute?
Thanks, Best regards, SR.
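Added example, not from any poster in this thread: a small sh audit that flags the weakened client settings the wiki recipe quoted above recommends (TLS_CACERT commented out, TLS_REQCERT never), which Howard Chu objects to, and shows the corrected form beside it. The host, base DN and certificate path in the two sample ldap.conf files are constructed.

```shell
#!/bin/sh
# Added example (not from any poster in the thread): audit an OpenLDAP client
# ldap.conf for settings that disable server certificate verification, and
# show the corrected configuration next to the weakened one.

# audit_ldap_conf FILE
# Prints one finding per line; returns 0 when the client will verify the
# server certificate, 1 when it will not.
audit_ldap_conf() {
    conf="$1"
    rc=0
    # TLS_REQCERT defaults to "demand" (a bad or missing certificate ends the
    # session); "never" and "allow" accept a certificate that fails verification.
    reqcert=$(awk 'toupper($1) == "TLS_REQCERT" { v = tolower($2) }
                   END { print (v == "" ? "demand" : v) }' "$conf")
    case "$reqcert" in
        never|allow)
            echo "TLS_REQCERT $reqcert: server certificate is accepted unverified"
            rc=1 ;;
    esac
    # Without a trust anchor there is nothing to verify against; a commented
    # "#TLS_CACERT" line does not count.
    if ! grep -Eiq '^[[:space:]]*TLS_CACERT(DIR)?[[:space:]]+' "$conf"; then
        echo "no TLS_CACERT/TLS_CACERTDIR: no trust anchor configured"
        rc=1
    fi
    return $rc
}

# Constructed sample 1: the client side of the wiki recipe quoted in the
# thread (TLS_CACERT commented out, TLS_REQCERT never). Host, base DN and
# path are made up.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
BASE        dc=example,dc=com
URI         ldap://ldap.example.com
#TLS_CACERT /etc/ssl/certs/ca-cert.pem
TLS_REQCERT never
EOF

# Constructed sample 2: the corrected form. A self-signed server certificate
# is its own trust anchor, so a copy of it in TLS_CACERT lets the client
# verify the server instead of switching verification off.
SAFE_CONF=$(mktemp)
cat > "$SAFE_CONF" <<'EOF'
BASE        dc=example,dc=com
URI         ldap://ldap.example.com
TLS_CACERT  /etc/ssl/certs/ca-cert.pem
TLS_REQCERT demand
EOF
trap 'rm -f "$WEAK_CONF" "$SAFE_CONF"' EXIT

# Run the audit over both samples.
for f in "$WEAK_CONF" "$SAFE_CONF"; do
    if audit_ldap_conf "$f"; then
        echo "$f: client verifies the server certificate"
    else
        echo "$f: verification disabled, a spoofed server would not be detected"
    fi
done
```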
On 12/13/2011 12:14 PM, rey sebastien wrote:
/home is not really the directory to install an application in. Better to use the default path located in /usr/local. And of course you have to create a user named openldap or reuse your existing openldap user. Start your daemon with this user (see /etc/default/slapd on Debian for the init script; you have to copy this file from the OpenLDAP source you installed with apt-src, or use the file from the installed deb package). And you're OK with the default permissions set by "make install". Only your SSL certificates should be owned by "openldap" and mode 0400.
On Tue, 13 Dec 2011 13:00:16 CET, Raffael Sahli wrote:
There are some modifications between the old version I use and the latest release; I don't find the slapd file which contains information like SLAPD_SERVICES, etc.
Is the replacement for this file slapd.ldif? Is this file an example configuration, or the default configuration loaded when the slapd daemon starts? I have no man page for slapd.d; is it a bug, or doesn't it exist?
Thanks, SR.
On 12/13/2011 02:59 PM, rey sebastien wrote:
> There are some modifications between the old version I use and the latest release; I don't find the slapd file which contains information like SLAPD_SERVICES, etc. Is the replacement for this file slapd.ldif? Is this file an example configuration, or the default configuration loaded when the slapd daemon starts?
There's a difference between the Debian default config and the OpenLDAP configuration (in .conf or .ldif format). The default config, located in /etc/default/slapd, contains just "daemon start" related options and has nothing to do with the OpenLDAP configuration. If you download OpenLDAP from the Debian sources with apt-src, you will get a directory named debian. There you find a slapd.conf (OpenLDAP example configuration), a file named slapd.default (Debian start parameters; copy it to /etc/default/slapd), and last, slapd.init: copy it to /etc/init.d/slapd.
On Tue, 13 Dec 2011 15:16:08 CET, Raffael Sahli wrote:
On 12/13/2011 02:59 PM, rey sebastien wrote:
Le mar. 13 déc. 2011 13:00:16 CET, Raffael Sahli a écrit :
On 12/13/2011 12:14 PM, rey sebastien wrote:
Le mar. 13 déc. 2011 11:08:43 CET, Raffael Sahli a écrit :
On 12/13/2011 10:12 AM, rey sebastien wrote:
After what, you are right, you and other to point the old debian package, so i try to recompile the last release with open-ssl. This is the best solution, i agree.
I try to compile with this option : ./configure --with-tls=openssl --with-threads --with-cyrus-sasl --enable-crypt --enable-debug --enable-cleartext --enable-spasswd --enable-dynacl --enable-aci --enable-modules --enable-wrappers --enable-rewrite --enable-rlookups
After configure, i make-depend, make, make install; all execution are ok, after that, how can i install ldap as a service ? like debian style => service slapd start | stop | restart ?
If you load the sources with apt-src, there's a debian init script available in the openldap sources (debian folder, just copy the script into you init.d folder and create the symlinks with update-rc.d). That's the simplest way, or find the script online or extract it from the deb package....
Thanks again, Sr
Le 12/12/2011 22:17, Raffael Sahli a écrit : > On 12.12.2011 21:55, rey sebastien wrote: >> Le 12/12/2011 21:07, Howard Chu a écrit : >>> rey sebastien wrote: >>>> Le 12/12/2011 19:24, Howard Chu a écrit : >>>>> reyman wrote: >>>>>> You have a self signed certificate, >>>>> >>>>> Correct. >>>>> >>>>>> so you don't need to verify your certificate. >>>>>> When you activate the tls on ldap, you only need this two >>>>>> lines, and you don't >>>>>> need the line with certificate >>>>>> verification*olcTLSCACertificateFile : * >>>>> >>>>> Wrong. >>>> It true and false, with debian and openLdap compiled with >>>> GnuTLS (my case), i >>>> read this documentation : >>>> http://wiki.debian.org/LDAP/OpenLDAPSetup and they said : >>> >>> Pure garbage. >>> >>>> Procedure: >>>> >>>> You're going to need the gnutls certificate generator: certtool >>>> http://www.gnu.org/software/gnutls/manual/html_node/Invoking-certtool.html. >>>> >>>> >>>> Run these two commands to generate a new self-signed key >>>> (into the current >>>> working directory): >>>> >>>> certtool --generate-privkey --outfile ca-key.pem >>>> certtool --generate-self-signed --load-privkey ca-key.pem >>>> --outfile ca-cert.pem >>>> >>>> Then, update your certificate locations in /etc/ldap/slapd.conf >>>> (TLSCertificateFile points to ca-cert.pem and >>>> TLSCertificateKeyFile points to >>>> ca-key.pem), *comment out TLSCACertificateFile*, and change >>>> *TLSVerifyClient >>>> to never.* >>>> >>>> In /etc/ldap/ldap.conf, comment out TLS_CACERT and change >>>> TLS_REQCERT to never. >>> >>> This is utterly bogus. Turning off these checks disables any >>> spoofing detection; you might as well run without TLS at all. >>> >> IMHO i know this problem but i think this is better than >> nothing, and actually i have nothing. I wait for valid >> certificate... 
>> And sorry but your RTFM answer doesn't help me to resolve this >> problem with gnutls and debian, i take many hours to find a >> valid solution in my use case, and the manual doesn't help me >> particulary on this point. >> > On Debian: You should compile OpenLDAP with OpenSSL Support and > don't use the dpkg package from the debian apt repos... > > >In /etc/ldap/ldap.conf, comment out TLS_CACERT and change > TLS_REQCERT to never. > Like Howard Chu said, bad idea, just for testing or what else..... > > >> OpenLdap is a great software, but documentation it's a little >> "cryptic" for beginner like me, so i think it's easy to be rude >> with beginner on many points. >> >> Best regards, >> SR. >>>> Since the certificate is self-signed, we can't have gnutls >>>> trying to verify it >>>> (hence the never), otherwise it will never run. >>>> >>>> And RTFM is a little violent, i try to help with my little >>>> experience, i'm not >>>> an expert for sure. >>> >>> RTFM is exactly the correct response. >>> >>>> Best regards, >>>> SR. >>>>> >>>>> RTFM. >>>>> >>>>> http://www.openldap.org/doc/admin24/tls.html >>>>> >>>>>> On Mon, Dec 12, 2011 at 12:31 PM, Jayavant Patil >>>>>> <jayavant.patil82@gmail.com >>>>>> mailto:jayavant.patil82@gmail.com> wrote: >>>>>> >>>>>> >>>>>> Hi, >>>>>> >>>>>> >On Mon, Dec 12, 2011 at 4:19 PM, reyman <reyman64@gmail.com >>>>>> mailto:reyman64@gmail.com> wrote: >>>>>> >>>>>> >With the option -ZZ i think, try this >>>>>> >>>>>> |>ldapsearch -x -LLL -ZZ -d 150| >>>>>> >>>>>> >>>>>> Yeah, It shows output containing ber_dump, >>>>>> ldap_write,ldap_read, >>>>>> tls_write, tls_read etc. But at the end is shows the >>>>>> following: >>>>>> >>>>>> TLS certificate verification: Error, self signed certificate >>>>>> TLS: can't connect: error:14090086:SSL >>>>>> routines:SSL3_GET_SERVER_ >>>>>> CERTIFICATE:certificate verify failed (self signed >>>>>> certificate). 
>>>>>> ldap_start_tls: Connect error (-11) >>>>>> additional info: error:14090086:SSL >>>>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify >>>>>> failed (self >>>>>> signed certificate) >>>>>> >>>>>> Why it shows an error ? and how to resolve this? >>>>>> >>>>>> and when I do ldapsearch with -ZZ option it gives error >>>>>> >>>>>> $ldapsearch -x -v -D "cn=root,dc=abc,dc=com" -w cluster -b >>>>>> "ou=People,dc=abc,dc=com" "uid=ldap_6" -h n0 -ZZ >>>>>> ldap_initialize( ldap://n0 ) >>>>>> ldap_start_tls: Connect error (-11) >>>>>> additional info: error:14090086:SSL >>>>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed >>>>>> >>>>>> >>>>>> >>>>>> >On Mon, Dec 12, 2011 at 11:21 AM, Jayavant Patil >>>>>> <jayavant.patil82@gmail.com >>>>>> mailto:jayavant.patil82@gmail.com> wrote: >>>>>> >>>>>> >>Hi, >>>>>> >>>>>> >> I am using openldap-2.4.19-4.x86_64 on fedora 12 machine. I >>>>>> have enabled openldap SSL/TLS. How do I know >>(test) that >>>>>> I am >>>>>> using SSL/TLS connections instead of normal ldap:///? >>>>>> >>> >> > >
OK thanks, i find the script and re-configure the script,
I search another information to make a good fresh install. After removing the debian package, i have an openldap user and group, Do you think i can delete this user, or it's better to reuse it for better security, for example can i install all files for ldap into /home/openldap user ( with --prefix option equal to /home/openldap ) ? Do you have a list/tutorial which indicate the files which need an openldap:openldap user to execute ?
Thanks, Best regards, SR.
/home is not really the directory to install an application. Better you use the default path located in /usr/local. And of course you have to create a user named openldap or take your exists openldap user. Start your daemon with this user (@see /etc/default/slapd on debian for the init script, (you have to copy this file from your openldap source installed per apt-src, or use the file from the installed deb package.)) And your ok with the default permissions set by "make install". Only your ssl certificates should be owned by "openldap" and mod 0400.
There is some modification between the old version i use and the last release, i don't find the slapd file which contain information like : SLAPD_SERVICES, etc. Replacement for this file is slapd.ldif ? This file is an example of configuration, or the default loaded configuration when slapd daemon start ?
There's a difference between the default config from Debian and the OpenLDAP configuration (in .conf or .ldif format). The default config, located in /etc/default/slapd, contains just "daemon start" related options and has nothing to do with the OpenLDAP configuration. If you download OpenLDAP from the Debian sources with apt-src, you will get a directory named debian. There is a slapd.conf (OpenLDAP example configuration) and a file named slapd.default (Debian start parameters; copy it to /etc/default/slapd), and last, slapd.init: copy it to /etc/init.d/slapd.
I have no man page for slapd.d; is it a bug, or doesn't it exist? Thanks, SR.
OK, so I did:

mv slapd.default /etc/default/slapd
mv slapd.init /etc/init.d/slapd

and I changed some information with nano:

# wants to can override the path in /etc/default/slapd
SLAPD=/usr/local/libexec/slapd

# Load the default location of the slapd config file
# (the existence test must look in the same prefix as the assignment,
# otherwise slapd.d is never picked up)
if [ -z "$SLAPD_CONF" ]; then
    if [ -e /usr/local/etc/openldap/slapd.d ]; then
        SLAPD_CONF=/usr/local/etc/openldap/slapd.d
    else
        SLAPD_CONF=/usr/local/etc/openldap/slapd.conf
    fi
fi

I changed the permissions of the slapd init file:

chmod +x /etc/init.d/slapd

I changed the service runlevels:

ln -s /etc/init.d/slapd /etc/rc3.d/S90slapd
ln -s /etc/init.d/slapd /etc/rc4.d/S90slapd
ln -s /etc/init.d/slapd /etc/rc5.d/S90slapd
ln -s /etc/init.d/slapd /etc/rc0.d/K10slapd
ln -s /etc/init.d/slapd /etc/rc6.d/K10slapd
update-rc.d slapd defaults

After that, I changed the ownership, otherwise the slapd service doesn't start:

chown -R openldap:openldap /usr/local/var/openldap-data/
chown -R openldap:openldap /usr/local/etc/openldap/
chown -R openldap:openldap /usr/local/var/run/

So here are the permissions of the different folders:

/usr/local/var
drwxr-sr-x 2 openldap openldap 4096 13 déc. 16:20 openldap-data
drwxr-sr-x 2 openldap openldap 4096 13 déc. 16:20 run

/usr/local/libexec
-rwxr-xr-x 1 root staff 1891388 13 déc. 13:53 slapd

/usr/local/etc/openldap
-rw------- 1 openldap openldap 845 13 déc. 13:53 DB_CONFIG.example
-rw-r--r-- 1 openldap openldap 245 13 déc. 09:48 ldap.conf
-rw-r--r-- 1 openldap openldap 245 13 déc. 13:53 ldap.conf.default
drwxr-sr-x 2 openldap openldap 4096 13 déc. 13:53 schema
drwxr-sr-x 2 openldap openldap 4096 13 déc. 11:15 schema.17116
drwxr-sr-x 2 openldap openldap 4096 13 déc. 09:48 schema.8962
-rw------- 1 openldap openldap 2129 13 déc. 09:48 slapd.conf
-rw------- 1 openldap openldap 2129 13 déc. 13:53 slapd.conf.default
-rw------- 1 openldap openldap 2614 13 déc. 09:48 slapd.ldif
-rw------- 1 openldap openldap 2614 13 déc. 13:53 slapd.ldif.default

/usr/local/var/openldap-data/
-rw-r--r-- 1 openldap openldap 2048 13 déc. 16:20 alock
-rw------- 1 openldap openldap 24576 13 déc. 16:20 __db.001
-rw------- 1 openldap openldap 180224 13 déc. 16:20 __db.002
-rw------- 1 openldap openldap 270336 13 déc. 16:20 __db.003
-rw------- 1 openldap openldap 163840 13 déc. 16:20 __db.004
-rw------- 1 openldap openldap 540672 13 déc. 16:20 __db.005
-rw------- 1 openldap openldap 32768 13 déc. 16:20 __db.006
-rw------- 1 openldap openldap 845 13 déc. 13:53 DB_CONFIG.example
-rw------- 1 openldap openldap 8192 13 déc. 16:20 dn2id.bdb
-rw------- 1 openldap openldap 32768 13 déc. 16:20 id2entry.bdb
-rw------- 1 openldap openldap 10485760 13 déc. 16:20 log.0000000001

I have one warning but openldap starts correctly :)

Dec 13 16:20:44 claroline slapd[17039]: bdb_db_open: warning - no DB_CONFIG file found in directory /usr/local/var/openldap-data: (2).#012Expect poor performance for suffix "dc=my-domain,dc=com".

Now I try to make some global configuration by loading slapd.ldif, and after that I try to work with the dynamic slapd.d folder; I don't want to use slapd.conf :/

Thanks a lot, SR
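The procedure above (init script edited for a /usr/local prefix, runlevel links, daemon started as the openldap user) and the earlier point that /etc/default/slapd only carries start options such as SLAPD_SERVICES can be exercised against a scratch directory before touching a live /etc. The script below is an added example, not the Debian init script and not code from the thread: its functions take the install prefix and an optional root directory as parameters, resolve SLAPD_CONF the way the init fragment does (an override from /etc/default/slapd wins, then the cn=config directory slapd.d, then slapd.conf, with the existence test and the assignment using the same prefix), assemble the slapd arguments (-u/-g drop to the service user, -h restricts the listeners, -F or -f names the configuration), and create the S90/K10 links. The function names are hypothetical; the defaults match SR's layout.

```shell
#!/bin/sh
# Added example; not the Debian init script and not code from the thread.
# Function names are hypothetical; defaults match a /usr/local install.

# slapd_config_path PREFIX [OVERRIDE]
# OVERRIDE is whatever /etc/default/slapd may have put into SLAPD_CONF.
slapd_config_path() {
    prefix=${1:-/usr/local}; override=$2
    if [ -n "$override" ]; then
        printf '%s\n' "$override"
    elif [ -d "$prefix/etc/openldap/slapd.d" ]; then
        printf '%s\n' "$prefix/etc/openldap/slapd.d"
    else
        printf '%s\n' "$prefix/etc/openldap/slapd.conf"
    fi
}

# slapd_config_flag PREFIX [OVERRIDE]
# slapd takes -F for a slapd.d directory and -f for a slapd.conf file.
slapd_config_flag() {
    conf=$(slapd_config_path "$1" "$2")
    if [ -d "$conf" ]; then printf '%s %s\n' -F "$conf"; else printf '%s %s\n' -f "$conf"; fi
}

# slapd_start_args PREFIX USER GROUP SERVICES [OVERRIDE]
# Arguments the init script hands to slapd: run as the unprivileged
# service user/group, listen only on SERVICES, use the resolved config.
slapd_start_args() {
    printf '%s\n' "-u $2 -g $3 -h '$4' $(slapd_config_flag "$1" "$5")"
}

# install_rc_links ROOT
# Start links in runlevels 3-5 and stop links in 0 and 6, all pointing at
# ROOT/etc/init.d/slapd (ROOT is empty on a live system).
install_rc_links() {
    root=$1; script="$root/etc/init.d/slapd"
    [ -x "$script" ] || { echo "init script $script missing or not executable" >&2; return 1; }
    for lvl in 3 4 5; do
        mkdir -p "$root/etc/rc$lvl.d" && ln -sf "$script" "$root/etc/rc$lvl.d/S90slapd" || return 1
    done
    for lvl in 0 6; do
        mkdir -p "$root/etc/rc$lvl.d" && ln -sf "$script" "$root/etc/rc$lvl.d/K10slapd" || return 1
    done
}

# rc_links_present ROOT
# Returns 0 when all five links exist and point at the init script.
rc_links_present() {
    root=$1; script="$root/etc/init.d/slapd"
    for l in rc3.d/S90slapd rc4.d/S90slapd rc5.d/S90slapd rc0.d/K10slapd rc6.d/K10slapd; do
        [ "$(readlink "$root/etc/$l")" = "$script" ] || return 1
    done
}

# Live-system usage (placeholder services): resolve the config, then
# the init script would run  $SLAPD $(slapd_start_args /usr/local openldap openldap 'ldap:/// ldapi:///')
```

Keeping the existence test and the assignment on the same prefix is the point of `slapd_config_path`: a test against the old Debian path silently falls back to slapd.conf even after a slapd.d directory has been created, which is easy to miss because slapd still starts.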
On 12/13/2011 04:34 PM, rey sebastien wrote:
> Dec 13 16:20:44 claroline slapd[17039]: bdb_db_open: warning - no DB_CONFIG file found in directory /usr/local/var/openldap-data: (2).#012Expect poor performance for suffix "dc=my-domain,dc=com".

The file DB_CONFIG (Berkeley DB configuration) is also available in your "debian" folder; just copy it into your LDAP data directory /usr/local/var/openldap-data. (You should move the LDAP data directory to /srv.)

> Now I try to make some global configuration by loading slapd.ldif, and after that I try to work with the dynamic slapd.d folder; I don't want to use slapd.conf :/

Yep, that's a good idea ;)
On 13/12/2011 16:48, Raffael Sahli wrote:
Hi! It's not easy to start with zero configuration with the new cn=config OpenLDAP administration. I created my bd.ldif based on the slapd.ldif example in the /usr/local/etc/openldap directory. But how can I insert this LDIF with

ldapadd -Y EXTERNAL -H ldapi:/// -f myldiffile.ldif

if I cannot run slapd without a configuration? How do you start a fresh install of OpenLDAP in this case? Is there an option to run slapd with zero configuration? Thanks a lot, SR.
On 14.12.2011 16:54, rey sebastien wrote:
There are some modifications between the old version I used and the latest release: I don't find the slapd file which contains information like SLAPD_SERVICES, etc. Is the replacement for this file slapd.ldif? Is this file an example configuration, or the default configuration loaded when the slapd daemon starts?
There's a difference between the default config from Debian and the OpenLDAP configuration (in .conf or .ldif format). The default config, located in /etc/default/slapd, contains just "daemon start" related options and has nothing to do with the OpenLDAP configuration. If you download OpenLDAP from the Debian sources with apt-src, you will get a directory named debian. There is a slapd.conf (OpenLDAP example configuration) and a file named slapd.default (Debian start parameters; copy it to /etc/default/slapd), and last: slapd.init, copy it to /etc/init.d/slapd.
I have no man page for slapd.d; is it a bug, or does it not exist? Thanks, SR.
OK, so I do:
mv slapd.default /etc/default/slapd
mv slapd.init /etc/init.d/slapd
and I change some information with nano:

# wants to can override the path in /etc/default/slapd
SLAPD=/usr/local/libexec/slapd

# Load the default location of the slapd config file
if [ -z "$SLAPD_CONF" ]; then
    # test the same prefix the assignments below use; the packaged script
    # tested /etc/ldap/slapd.d, which does not match the paths assigned here
    if [ -e /usr/local/etc/openldap/slapd.d ]; then
        SLAPD_CONF=/usr/local/etc/openldap/slapd.d
    else
        SLAPD_CONF=/usr/local/etc/openldap/slapd.conf
    fi
fi
I change the rights on the slapd init file:
chmod +x /etc/init.d/slapd
I change the service init levels:
ln -s /etc/init.d/slapd /etc/rc3.d/S90slapd
ln -s /etc/init.d/slapd /etc/rc4.d/S90slapd
ln -s /etc/init.d/slapd /etc/rc5.d/S90slapd
ln -s /etc/init.d/slapd /etc/rc0.d/K10slapd
ln -s /etc/init.d/slapd /etc/rc6.d/K10slapd
update-rc.d slapd defaults
After that, I change the rights, otherwise service slapd doesn't start:
chown -R openldap:openldap /usr/local/var/openldap-data/
chown -R openldap:openldap /usr/local/etc/openldap/
chown -R openldap:openldap /usr/local/var/run/
So here are the rights for the different folders:
/usr/local/var
drwxr-sr-x 2 openldap openldap 4096 13 déc. 16:20 openldap-data
drwxr-sr-x 2 openldap openldap 4096 13 déc. 16:20 run

/usr/local/libexec
-rwxr-xr-x 1 root staff 1891388 13 déc. 13:53 slapd

/usr/local/etc/openldap
-rw------- 1 openldap openldap 845 13 déc. 13:53 DB_CONFIG.example
-rw-r--r-- 1 openldap openldap 245 13 déc. 09:48 ldap.conf
-rw-r--r-- 1 openldap openldap 245 13 déc. 13:53 ldap.conf.default
drwxr-sr-x 2 openldap openldap 4096 13 déc. 13:53 schema
drwxr-sr-x 2 openldap openldap 4096 13 déc. 11:15 schema.17116
drwxr-sr-x 2 openldap openldap 4096 13 déc. 09:48 schema.8962
-rw------- 1 openldap openldap 2129 13 déc. 09:48 slapd.conf
-rw------- 1 openldap openldap 2129 13 déc. 13:53 slapd.conf.default
-rw------- 1 openldap openldap 2614 13 déc. 09:48 slapd.ldif
-rw------- 1 openldap openldap 2614 13 déc. 13:53 slapd.ldif.default

/usr/local/var/openldap-data/
-rw-r--r-- 1 openldap openldap 2048 13 déc. 16:20 alock
-rw------- 1 openldap openldap 24576 13 déc. 16:20 __db.001
-rw------- 1 openldap openldap 180224 13 déc. 16:20 __db.002
-rw------- 1 openldap openldap 270336 13 déc. 16:20 __db.003
-rw------- 1 openldap openldap 163840 13 déc. 16:20 __db.004
-rw------- 1 openldap openldap 540672 13 déc. 16:20 __db.005
-rw------- 1 openldap openldap 32768 13 déc. 16:20 __db.006
-rw------- 1 openldap openldap 845 13 déc. 13:53 DB_CONFIG.example
-rw------- 1 openldap openldap 8192 13 déc. 16:20 dn2id.bdb
-rw------- 1 openldap openldap 32768 13 déc. 16:20 id2entry.bdb
-rw------- 1 openldap openldap 10485760 13 déc. 16:20 log.0000000001
I have one warning, but OpenLDAP starts correctly :)
Dec 13 16:20:44 claroline slapd[17039]: bdb_db_open: warning - no DB_CONFIG file found in directory /usr/local/var/openldap-data: (2).#012Expect poor performance for suffix "dc=my-domain,dc=com".
The file DB_CONFIG (Berkeley DB configuration) is also available in your "debian" folder; just copy it into your LDAP data directory /usr/local/var/openldap-data. (You should move the LDAP data directory to /srv.)
Now I try to make some global configuration by loading slapd.ldif, and after that I try to work with the dynamic slapd.d folder; I don't want to use slapd.conf :/
Yep, that's a good idea ;)
Thanks a lot, SR
Hi! It's not easy to start with zero configuration with the new cn=config OpenLDAP administration... I created my bd.ldif based on the slapd.ldif example in the /usr/local/etc/openldap directory. But how can I insert this LDIF with
ldapadd -Y EXTERNAL -H ldapi:/// -f myldiffile.ldif
if I cannot run slapd without a configuration? How do you start a fresh install of OpenLDAP in this case? Is there an option to run slapd with zero configuration? Thanks a lot, SR.
The best way is to create an initial configuration based on the old way (slapd.conf) and convert it into the online configuration:
/path/to/slapd -u openldap -g openldap -f /path/to/offlineconfig.conf -F /path/to/newonlinedirectory -d-1
After that step you have to change the daemon start parameters in /etc/default/slapd. Point the offline config to your new online config directory.
On Wed 14 Dec 2011 19:39:13 CET, Raffael Sahli wrote:
On 14.12.2011 16:54, rey sebastien wrote:
On 13/12/2011 16:48, Raffael Sahli wrote:
On 12/13/2011 04:34 PM, rey sebastien wrote:
On Tue 13 Dec 2011 15:16:08 CET, Raffael Sahli wrote:
On 12/13/2011 02:59 PM, rey sebastien wrote:
On Tue 13 Dec 2011 13:00:16 CET, Raffael Sahli wrote:
> On 12/13/2011 12:14 PM, rey sebastien wrote:
>> On Tue 13 Dec 2011 11:08:43 CET, Raffael Sahli wrote:
>>> On 12/13/2011 10:12 AM, rey sebastien wrote:
>>>> After that, you are right, you and the others, to point at the old Debian package, so I try to recompile the latest release with OpenSSL. This is the best solution, I agree.
>>>>
>>>> I try to compile with these options:
>>>> ./configure --with-tls=openssl --with-threads --with-cyrus-sasl --enable-crypt --enable-debug --enable-cleartext --enable-spasswd --enable-dynacl --enable-aci --enable-modules --enable-wrappers --enable-rewrite --enable-rlookups
>>>>
>>>> After configure, I run make depend, make, make install; all executions are OK. After that, how can I install LDAP as a service, Debian style => service slapd start | stop | restart?
>>>>
>>> If you load the sources with apt-src, there's a Debian init script available in the OpenLDAP sources (debian folder; just copy the script into your init.d folder and create the symlinks with update-rc.d).
>>> That's the simplest way, or find the script online or extract it from the deb package....
>>>
>>>> Thanks again,
>>>> Sr
>>>>
>>>> On 12/12/2011 22:17, Raffael Sahli wrote:
>>>>> On 12.12.2011 21:55, rey sebastien wrote:
>>>>>> On 12/12/2011 21:07, Howard Chu wrote:
>>>>>>> rey sebastien wrote:
>>>>>>>> On 12/12/2011 19:24, Howard Chu wrote:
>>>>>>>>> reyman wrote:
>>>>>>>>>> You have a self signed certificate,
>>>>>>>>>
>>>>>>>>> Correct.
>>>>>>>>>
>>>>>>>>>> so you don't need to verify your certificate. When you activate TLS on LDAP, you only need these two lines, and you don't need the line with certificate verification *olcTLSCACertificateFile : *
>>>>>>>>>
>>>>>>>>> Wrong.
OK, it works, I have a functional slapd.d/cn=config folder, but I don't understand why I can't access OpenLDAP with cn=admin,dc=parisgeo,dc=cnrs,dc=fr and the good password generated by
My slapd.conf before conversion contained the SSHA password generated by slappasswd for the rootDN:
-----
database bdb
suffix "dc=parisgeo,dc=cnrs,dc=fr"
rootdn "cn=admin,dc=parisgeo,dc=cnrs,dc=fr"
rootpw {SSHA}xxxxxxxxxxxxxxxxxxxxx
----
I try this:
root@xxxxx:/usr/local/etc/openldap/slapd.d# ldapsearch -D cn=admin,dc=parisgeo,dc=cnrs,dc=fr -W -x 'userName=*'
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
Bizarre... Perhaps I can try to redefine the rootdn, because it disappeared with the conversion? Do you have an idea about this?
Thanks, SR.
Use slapadd. Again, RTFM. Everything you've asked in the past week or so has been documented in the manpages and the Admin Guide. Read and learn.
Yes right, @rey RTFM, and ask your question again if you're sure your point is not in the OpenLDAP manual. But I'm sure you will find your answer there.
Please trim irrelevant text from your emails. Please update your Subject line to something relevant to the actual discussion topic.
@Howard, please say that to the guy who asks the questions, and not me ^^
Everything? Really... Installing from sources with a specific init script installation on Debian? Also, I find nothing in the Admin Guide about a fresh install directly with cn=config (without conversion of slapd.conf)...
I'm not a junior system administrator; I am doing a PhD in geography / geomatics, and I have only one week before Christmas to create and populate a new LDAP in my laboratory. I try to learn the maximum from Google/Debian tutorials and a lot of false tutorials, but actually, and I'm sorry about that, I have no time to read all the man pages and all the Admin Guide...
Thank you again for the time you take to answer my questions, Raffael, and others.
First, change the subject; your problem has nothing to do with SSL.
And to your root password problem: if you just convert your offline config to the online config, your root password will be the same as before. Did it work with the offline configuration? Or change the olcRootPW manually in the config LDIF of your database.
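Raffael's suggestion (check that olcRootPW survived the conversion) and Howard's objection to the wiki procedure quoted at the top of this thread (TLS_CACERT commented out, TLS_REQCERT never) can both be checked from the files themselves. The script below is an added example, not code from the thread or from OpenLDAP: it audits a constructed client ldap.conf and a constructed olcDatabase={1}bdb.ldif; file contents, the ldap.example.invalid URI and the placeholder hash are assumptions.

```python
"""Audit two misconfigurations discussed in this thread: a client ldap.conf that
switches off server certificate verification, and a converted cn=config database
entry whose olcRootPW is missing or stored in cleartext. Added example; all
inputs below are constructed."""
import base64
import re

# Constructed: client /etc/ldap/ldap.conf edited as the quoted wiki procedure says.
LDAP_CONF_WEAK = """\
BASE dc=parisgeo,dc=cnrs,dc=fr
URI ldap://ldap.example.invalid
#TLS_CACERT /usr/local/etc/openldap/ca-cert.pem
TLS_REQCERT never
"""

# Constructed: the same file keeping verification on. For a self-signed server
# certificate, TLS_CACERT points at that certificate itself.
LDAP_CONF_FIXED = """\
BASE dc=parisgeo,dc=cnrs,dc=fr
URI ldap://ldap.example.invalid
TLS_CACERT /usr/local/etc/openldap/ca-cert.pem
TLS_REQCERT demand
"""

# Constructed olcDatabase={1}bdb.ldif as the -f/-F conversion writes it, except
# that olcRootPW holds a base64-wrapped cleartext value ("secret"), not a hash.
DB_LDIF = """\
dn: olcDatabase={1}bdb
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {1}bdb
olcSuffix: dc=parisgeo,dc=cnrs,dc=fr
olcRootDN: cn=admin,dc=parisgeo,dc=cnrs,dc=fr
olcRootPW:: c2VjcmV0
olcDbDirectory: /usr/local/var/openldap-data
"""

HASHED_PW_RE = re.compile(r"^\{[A-Za-z0-9-]+\}")  # {SSHA}, {CRYPT}, ...


def parse_ldap_conf(text):
    """ldap.conf is 'KEY value' per line; '#' lines are comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def parse_ldif_entry(text):
    """Unfold one LDIF entry into {attr(lowercase): [values]}, decoding '::' base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # folded continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # 'attr:: base64'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(attr.strip().lower(), []).append(value)
    return entry


def audit_client_conf(opts):
    """Findings for a client ldap.conf; an empty list means verification is intact."""
    findings = []
    reqcert = opts.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: server certificate is not verified, "
                        "so a spoofed server is accepted")
    if "TLS_CACERT" not in opts and "TLS_CACERTDIR" not in opts:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: a self-signed server certificate "
                        "cannot be verified (the 'certificate verify failed' error above)")
    return findings


def audit_database_entry(entry):
    """Findings for a converted olcDatabase entry (rootdn/rootpw checks)."""
    findings = []
    if not entry.get("olcrootdn"):
        findings.append("olcRootDN missing")
    pw = entry.get("olcrootpw", [])
    if not pw:
        findings.append("olcRootPW missing: a simple bind as the rootdn fails with "
                        "err=49 unless that entry exists in the directory")
    elif not HASHED_PW_RE.match(pw[0]):
        findings.append("olcRootPW is cleartext; replace it with a slappasswd hash")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", LDAP_CONF_WEAK), ("fixed", LDAP_CONF_FIXED)):
        print(name, audit_client_conf(parse_ldap_conf(conf)) or ["ok"])
    print("database", audit_database_entry(parse_ldif_entry(DB_LDIF)) or ["ok"])
```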
--On Monday, December 12, 2011 9:55 PM +0100 rey sebastien reyman64@gmail.com wrote:
IMHO I know this problem, but I think this is better than nothing, and actually I have nothing. I am waiting for a valid certificate... And sorry, but your RTFM answer doesn't help me to resolve this problem with GnuTLS and Debian; I took many hours to find a valid solution for my use case, and the manual doesn't help me particularly on this point.
OpenLDAP is great software, but the documentation is a little "cryptic" for a beginner like me, so I think it's easy to be rude to beginners on many points.
You're using bad documentation from a questionable source, and are pointed at the correct documentation, and have an issue with that? That seems a little odd to me. If you want to use SSL/TLS, then clearly you want a secure server. To blindly follow a guide that turns off all of those security features leaves you back at square one. If you don't understand the OpenLDAP documentation, then ask questions about it rather than falling back to something unreliable that's going to leave questionable state.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
To run with TLS or die: ldapsearch -ZZ (see man ldapsearch for the explanation). You could make the server require that clients use TLS, and finally run tcpdump / wireshark with and without TLS and see whether you can see results in plaintext.
Mark
On 12 Dec 2011, at 10:40 a.m., Jayavant Patil jayavant.patil82@gmail.com wrote:
Hi,
I am using openldap-2.4.19-4.x86_64 on fedora 12 machine. I have enabled openldap SSL/TLS. How do I know (test) that I am using SSL/TLS connections instead of normal ldap:///?
On Mon, 12 Dec 2011 15:51:38 +0530, Jayavant Patil jayavant.patil82@gmail.com wrote:
This is written to syslog:
slapd[1276]: conn=1001 fd=17 ACCEPT from IP=[::1]:34267 (IP=[::]:389)
slapd[1276]: conn=1001 op=0 EXT oid=1.3.6.1.4.1.1466.20037
slapd[1276]: conn=1001 op=0 STARTTLS
slapd[1276]: conn=1001 op=0 RESULT oid= err=0 text=
slapd[1276]: conn=1001 fd=17 TLS established tls_ssf=256 ssf=256
-Dieter
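Dieter's syslog check can be applied to a whole log rather than one connection. The following is an added example, not from the thread or from OpenLDAP: it groups slapd log lines by conn=, classifies each connection as STARTTLS, ldaps or plaintext, and flags simple binds whose password crossed the wire before any "TLS established" line. The log lines are constructed in the format quoted above; the addresses and DNs are made up.

```python
"""Classify slapd connections from syslog lines as TLS-protected or plaintext
and flag cleartext simple binds. Added example; log lines are constructed."""
import re

# Constructed sample: conn=1001 is the STARTTLS exchange shown in the thread,
# followed by a simple bind; conn=1002 binds without TLS on port 389 (the case
# a defender wants to catch); conn=1003 is an ldaps:// connection on 636, where
# "TLS established" follows ACCEPT directly with no STARTTLS operation.
SAMPLE_LOG = """\
slapd[1276]: conn=1001 fd=17 ACCEPT from IP=[::1]:34267 (IP=[::]:389)
slapd[1276]: conn=1001 op=0 EXT oid=1.3.6.1.4.1.1466.20037
slapd[1276]: conn=1001 op=0 STARTTLS
slapd[1276]: conn=1001 op=0 RESULT oid= err=0 text=
slapd[1276]: conn=1001 fd=17 TLS established tls_ssf=256 ssf=256
slapd[1276]: conn=1001 op=1 BIND dn="cn=root,dc=abc,dc=com" method=128
slapd[1276]: conn=1001 op=1 BIND dn="cn=root,dc=abc,dc=com" mech=SIMPLE ssf=0
slapd[1276]: conn=1001 op=1 RESULT tag=97 err=0 text=
slapd[1276]: conn=1002 fd=18 ACCEPT from IP=192.0.2.10:51000 (IP=[::]:389)
slapd[1276]: conn=1002 op=0 BIND dn="cn=root,dc=abc,dc=com" method=128
slapd[1276]: conn=1002 op=0 BIND dn="cn=root,dc=abc,dc=com" mech=SIMPLE ssf=0
slapd[1276]: conn=1002 op=0 RESULT tag=97 err=0 text=
slapd[1276]: conn=1003 fd=19 ACCEPT from IP=192.0.2.11:51001 (IP=[::]:636)
slapd[1276]: conn=1003 fd=19 TLS established tls_ssf=128 ssf=128
"""

CONN_RE = re.compile(r"\bconn=(?P<conn>\d+)\s+(?P<rest>.*)")
ACCEPT_RE = re.compile(r"ACCEPT from IP=(?P<src>\S+) \(IP=(?P<listener>\S+)\)")
TLS_RE = re.compile(r"TLS established tls_ssf=(?P<tls_ssf>\d+)")
# The first BIND line of an op carries "method="; 128 is a simple bind, so the
# password itself is in the request.
SIMPLE_BIND_RE = re.compile(r'op=\d+ BIND dn="(?P<dn>[^"]*)" method=128')


def parse_slapd_log(text):
    """Group slapd log lines by connection id and record each one's TLS state."""
    conns = {}
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        conn = conns.setdefault(m.group("conn"), {
            "src": None, "listener": None, "starttls": False,
            "tls_ssf": 0, "plaintext_binds": []})
        rest = m.group("rest")
        accept = ACCEPT_RE.search(rest)
        if accept:
            conn["src"], conn["listener"] = accept.group("src", "listener")
            continue
        if rest.split()[-1] == "STARTTLS":
            conn["starttls"] = True
            continue
        tls = TLS_RE.search(rest)
        if tls:
            conn["tls_ssf"] = int(tls.group("tls_ssf"))
            continue
        bind = SIMPLE_BIND_RE.search(rest)
        # A simple bind with a DN before TLS is established sends the password
        # in cleartext; anonymous binds (empty DN) carry none.
        if bind and bind.group("dn") and conn["tls_ssf"] == 0:
            conn["plaintext_binds"].append(bind.group("dn"))
    return conns


def classify(conns):
    """Map conn id -> 'starttls', 'ldaps' (TLS with no STARTTLS op) or 'plaintext'."""
    result = {}
    for cid, c in conns.items():
        if c["tls_ssf"] == 0:
            result[cid] = "plaintext"
        elif c["starttls"]:
            result[cid] = "starttls"
        else:
            result[cid] = "ldaps"
    return result


def cleartext_credential_alerts(conns):
    """(conn id, source, bind DN) for every password sent over a plaintext connection."""
    return [(cid, c["src"], dn)
            for cid, c in conns.items() for dn in c["plaintext_binds"]]


if __name__ == "__main__":
    parsed = parse_slapd_log(SAMPLE_LOG)
    for cid, kind in classify(parsed).items():
        print(f"conn={cid} from {parsed[cid]['src']}: {kind}")
    for cid, src, dn in cleartext_credential_alerts(parsed):
        print(f"ALERT conn={cid} from {src}: simple bind as {dn} without TLS")
```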
openldap-technical@openldap.org