Hi,
I'd like to have a test setup for a module I'm maintaining, which basically authenticates IIS users against an LDAP server. I've installed OpenLDAP (OpenLDAP for Windows, 64-bit, version 2.4.40, to be specific) and added some user accounts to it, which worked, except I'm having trouble including X.509 certificates in the user definitions (which the tested module is supposed to check). I've found "Publishing digital certificates with LDAP" at http://www.tldp.org/HOWTO/archived/LDAP-Implementation-HOWTO/certificates.ht..., which sounds like what I need, but it's old, and recommends "using the ldif utility provided with OpenLDAP" - which neither the latest OpenLDAP for Windows nor any other OpenLDAP package I've checked has. How do I publish digital certificates with OpenLDAP?
Bye Vaclav -- http://www.mangrove.cz
On 2015-07-13 10:36, Vaclav Barta wrote:
I'm having trouble including X.509 certificates in the user definitions (which the tested module is supposed to check). I've found "Publishing digital certificates with LDAP" at http://www.tldp.org/HOWTO/archived/LDAP-Implementation-HOWTO/certificates.ht..., which sounds like what I need, but it's old, and recommends "using the ldif utility provided with OpenLDAP" - which neither the latest OpenLDAP for Windows nor any other OpenLDAP package I've checked has. How do I publish digital certificates with OpenLDAP?
You could use my http://web2ldap.de which displays a file upload button and also accepts PEM certificate files and normalizes them to DER.
Especially it displays all certificate details of the cert attributes.
Ciao, Michael.
Michael Ströder wrote:
You could use my http://web2ldap.de which displays a file upload button and also accepts PEM certificate files and normalizes them to DER.
Especially it displays all certificate details of the cert attributes.
Or just read the ldapmodify/ldapadd manpage. The jpegPhoto example in the manpage shows how to load a binary value. You can load DER format certificates directly, this way.
I agree with Howard, you don't have to use ldif command. You can use ldapmodify or ldapadd to achieve the same thing. I have a working example I could email to you, if you are interested.
Cheers.
Hi,
On 7/15/2015 12:55 AM, Sergio NNX wrote:
Or just read the ldapmodify/ldapadd manpage. The jpegPhoto example in the manpage shows how to load a binary value. You can load DER format certificates directly, this way.
I agree with Howard, you don't have to use ldif command. You can use ldapmodify or ldapadd to achieve the same thing. I have a working example I could email to you, if you are interested.
Yes please. I've adapted an example from http://kukusan-network.blogspot.cz/2012/01/how-to-setting-ldap-openldap-in-w... (also for OpenLDAP for Windows), adding the certificate with the syntax from the man page (roughly - the man page doesn't have a space between : and <). It fails:
C:\OpenLDAP\ClientTools>ldapmodify.exe -a -x -h localhost -p 389 -D "cn=manager, dc=maxcrc,dc=com" -f c:\OpenLDAP\ldifdata\user.ldif -w secret
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 636
ldap_prepare_socket: 636
ldap_connect_to_host: Trying ::1 389
ldap_pvt_connect: fd: 636 tm: -1 async: 0
attempting to connect:
connect success
adding new entry "cn=Vaclav Barta,ou=people,dc=maxcrc,dc=com"
ldap_add: Undefined attribute type (17)
        additional info: usercertificate: requires ;binary transfer
Obviously the problem is on the usercertificate line of user.ldif, but how exactly should I write it?
Bye Vaclav -- http://www.mangrove.cz
Vaclav Barta wrote:
Hi,
On 7/15/2015 12:55 AM, Sergio NNX wrote:
Or just read the ldapmodify/ldapadd manpage. The jpegPhoto example in the manpage shows how to load a binary value. You can load DER format certificates directly, this way.
I agree with Howard, you don't have to use ldif command. You can use ldapmodify or ldapadd to achieve the same thing. I have a working example I could email to you, if you are interested.
Yes please. I've adapted an example from http://kukusan-network.blogspot.cz/2012/01/how-to-setting-ldap-openldap-in-w... (also for OpenLDAP for Windows), adding the certificate with the syntax from the man page (roughly - the man page doesn't have a space between : and <).
Because a space does not belong there.
If you're not going to actually follow the official OpenLDAP documentation, then there's really no point in proceeding any further.
It fails:
C:\OpenLDAP\ClientTools>ldapmodify.exe -a -x -h localhost -p 389 -D "cn=manager, dc=maxcrc,dc=com" -f c:\OpenLDAP\ldifdata\user.ldif -w secret
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 636
ldap_prepare_socket: 636
ldap_connect_to_host: Trying ::1 389
ldap_pvt_connect: fd: 636 tm: -1 async: 0
attempting to connect:
connect success
adding new entry "cn=Vaclav Barta,ou=people,dc=maxcrc,dc=com"
ldap_add: Undefined attribute type (17)
        additional info: usercertificate: requires ;binary transfer
Obviously the problem is on the usercertificate line of user.ldif, but how exactly should I write it?
Use
usercertificate;binary:< file:///blahblahblah
Hi,
On 7/15/2015 4:55 PM, Howard Chu wrote:
Vaclav Barta wrote:
It fails:
C:\OpenLDAP\ClientTools>ldapmodify.exe -a -x -h localhost -p 389 -D "cn=manager, dc=maxcrc,dc=com" -f c:\OpenLDAP\ldifdata\user.ldif -w secret
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 636
ldap_prepare_socket: 636
ldap_connect_to_host: Trying ::1 389
ldap_pvt_connect: fd: 636 tm: -1 async: 0
attempting to connect:
connect success
adding new entry "cn=Vaclav Barta,ou=people,dc=maxcrc,dc=com"
ldap_add: Undefined attribute type (17)
        additional info: usercertificate: requires ;binary transfer
Obviously the problem is on the usercertificate line of user.ldif, but how exactly should I write it?
Use
usercertificate;binary:< file:///blahblahblah
Also fails:
C:\OpenLDAP\ClientTools>ldapmodify.exe -a -x -h localhost -p 389 -D "cn=manager, dc=maxcrc,dc=com" -f c:\OpenLDAP\ldifdata\user.ldif -w secret
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 612
ldap_prepare_socket: 612
ldap_connect_to_host: Trying ::1 389
ldap_pvt_connect: fd: 612 tm: -1 async: 0
attempting to connect:
connect success
ldapmodify: invalid format (line 11) entry: "cn=Vaclav Barta,ou=people,dc=maxcrc,dc=com"
And the problem is not on line 11 of user.ldif - when I remove the usercertificate line, ldapmodify succeeds.
Bye Vaclav -- http://www.mangrove.cz
Vaclav Barta wrote:
Hi,
Sounds like your Windows build of OpenLDAP is broken. Your LDIF works fine on my Linux box.
On 7/15/2015 4:55 PM, Howard Chu wrote:
Vaclav Barta wrote:
It fails:
C:\OpenLDAP\ClientTools>ldapmodify.exe -a -x -h localhost -p 389 -D "cn=manager, dc=maxcrc,dc=com" -f c:\OpenLDAP\ldifdata\user.ldif -w secret
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 636
ldap_prepare_socket: 636
ldap_connect_to_host: Trying ::1 389
ldap_pvt_connect: fd: 636 tm: -1 async: 0
attempting to connect:
connect success
adding new entry "cn=Vaclav Barta,ou=people,dc=maxcrc,dc=com"
ldap_add: Undefined attribute type (17)
        additional info: usercertificate: requires ;binary transfer
Obviously the problem is on the usercertificate line of user.ldif, but how exactly should I write it?
Use
usercertificate;binary:< file:///blahblahblah
Also fails:
C:\OpenLDAP\ClientTools>ldapmodify.exe -a -x -h localhost -p 389 -D "cn=manager, dc=maxcrc,dc=com" -f c:\OpenLDAP\ldifdata\user.ldif -w secret
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 612
ldap_prepare_socket: 612
ldap_connect_to_host: Trying ::1 389
ldap_pvt_connect: fd: 612 tm: -1 async: 0
attempting to connect:
connect success
ldapmodify: invalid format (line 11) entry: "cn=Vaclav Barta,ou=people,dc=maxcrc,dc=com"
And the problem is not on line 11 of user.ldif - when I remove the usercertificate line, ldapmodify succeeds.
Bye Vaclav
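A worked version of the two LDIF forms discussed in this exchange: the file: URL form Howard shows (usercertificate;binary:< file:///...), and the inline base64 form (userCertificate;binary:: ...) that carries the DER bytes in the LDIF itself and so never goes through the client's file: URL handling, which is the line the Windows build rejected. This is an added Python example, not code from the thread or from OpenLDAP. It also includes the two checks a practitioner wants before pushing a certificate into userCertificate: PEM is converted to DER first (the attribute has Certificate syntax, so a PEM file loaded verbatim stores ASCII text), and the result is checked for DER framing (one outer SEQUENCE whose length covers the whole buffer, which catches PEM-as-DER, truncation and trailing junk). The DN, cn, sn and paths are illustrative assumptions; the DER bytes embedded are a constructed placeholder with only the outer SEQUENCE framing, not a real certificate.

```python
import base64
import re

# Assumed names and values below (DN, cn, sn, file paths) are illustrative only.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armor and base64-decode to DER. userCertificate has Certificate
    syntax and is stored as DER; loading a PEM file verbatim stores ASCII text."""
    m = PEM_CERT_RE.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def looks_like_der_certificate(der: bytes) -> bool:
    """Framing check before sending: a DER Certificate is one outer SEQUENCE
    (tag 0x30) whose encoded length covers the whole buffer. Catches PEM handed
    in as DER, truncated files and trailing junk; validates nothing inside."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                  # short-form length: one byte
        header, length = 2, first
    else:                             # long form: 0x8N, then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header = 2 + n
        length = int.from_bytes(der[2:header], "big")
    return header + length == len(der)


def ldif_fold(line: str, width: int = 76) -> str:
    """Fold one logical LDIF line per RFC 2849: at most `width` characters per
    physical line, continuation lines start with exactly one space."""
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def ldif_binary_inline(attr: str, value: bytes) -> str:
    """attr;binary:: <base64>  - the value travels inside the LDIF itself, so
    the client tool never has to open a file: URL."""
    return ldif_fold(f"{attr};binary:: {base64.b64encode(value).decode('ascii')}")


def ldif_binary_fileref(attr: str, path: str) -> str:
    """attr;binary:< file:///path  - the client tool reads the file. No space
    between ':' and '<'; the space after '<' is what the manpage example shows."""
    return f"{attr};binary:< file:///{path.lstrip('/')}"


def user_entry_ldif(dn: str, cn: str, sn: str, der: bytes) -> str:
    """A complete ldapadd record for an inetOrgPerson carrying a DER certificate."""
    if not looks_like_der_certificate(der):
        raise ValueError("value is not DER-framed; convert PEM first")
    return "\n".join([f"dn: {dn}", "objectClass: inetOrgPerson", f"cn: {cn}",
                      f"sn: {sn}", ldif_binary_inline("userCertificate", der)]) + "\n"


def read_binary_inline(ldif_text: str, attr: str) -> bytes:
    """Unfold the record and decode attr;binary:: back to bytes (round-trip check)."""
    logical = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]       # continuation line
        else:
            logical.append(line)
    want = f"{attr};binary".lower()
    for line in logical:
        name, _, rest = line.partition(":")
        if name.lower() == want and rest.startswith(":"):
            return base64.b64decode(rest[1:].strip(), validate=True)
    raise KeyError(attr)


def constructed_sample_der() -> bytes:
    """Constructed placeholder: an outer SEQUENCE wrapping INTEGER 1 and a
    UTF8String. NOT a real X.509 certificate; it only has the outer framing the
    check above looks at. Use the DER of a real certificate in practice."""
    body = b"\x02\x01\x01" + b"\x0c\x0b" + b"not-a-cert!"
    return b"\x30" + bytes([len(body)]) + body


# Constructed PEM wrapper around the placeholder, standing in for a .pem file.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(constructed_sample_der()).decode("ascii")
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print(user_entry_ldif("cn=testuser,ou=people,dc=example,dc=com",
                          "testuser", "user", der))
    print(ldif_binary_fileref("userCertificate", "/tmp/testuser.der"))
```

Write the printed record to user.ldif and feed it to ldapadd (or ldapmodify -a, as in the thread); because the value is inline, the same file works unchanged on any platform's client tools. Whichever form you use, the attribute option ;binary is what the server insisted on in the "requires ;binary transfer" error, and the value behind it must be DER, never PEM.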
Hi,
On 7/15/2015 7:34 PM, Howard Chu wrote:
Sounds like your Windows build of OpenLDAP is broken. Your LDIF works fine on my Linux box.
Quite possibly - it's just the first thing I found with Google, after all... What is the recommended OpenLDAP binary package for Windows - or should I build it myself?
Bye Vaclav -- http://www.mangrove.cz
Vaclav Barta wrote:
Hi,
On 7/15/2015 7:34 PM, Howard Chu wrote:
Sounds like your Windows build of OpenLDAP is broken. Your LDIF works fine on my Linux box.
quite possibly - it's just the first thing I found with Google, after all... What is the recommended OpenLDAP binary package for Windows - or should I
The OpenLDAP Project only distributes source code. The Project does not endorse or recommend anybody's binaries.
Speaking for myself, obviously I believe there is merit in my own company's offerings.
build it myself?
Using the newest release, yes, this is always the preferred approach.
Open source software isn't *just* software you can download and *use* for free. Communities grow up around open source code because developers are able to read and *learn from the code*. If all you ever do is run a free download of <your favorite project> you're somewhat missing the point.
It's much like the choice between fruits & veg you grew in your own garden, vs buying a frozen microwavable dinner. Reliance on packaged/processed stuff will catch up to you in the long run.
Hi all
On 16/07/2015 15:19, Howard Chu wrote:
It's much like the choice between fruits & veg you grew in your own garden, vs buying a frozen microwavable dinner. Reliance on packaged/processed stuff will catch up to you in the long run.
Great!! Howard, the open source philosopher.
openldap-technical@openldap.org