Hi all,
I have implemented LDAP over SSL. The FQDN of the LDAP server is "platalytics.com" and the same is the CN in the SSL certificate. But why is it that when I run the following command it works fine, i.e.,
ldapsearch -x -D "cn=aneela,ou=users,dc=platalytics,dc=com" -W -H ldap://127.0.0.1:389 -b "dc=platalytics,dc=com" -s sub 'cn=aneela'
but in the case of ldaps, I have to provide the FQDN as the hostname, i.e.,
ldapsearch -x -D "cn=aneela,ou=users,dc=platalytics,dc=com" -W -H ldaps://platalytics.com:636 -b "dc=platalytics,dc=com" -s sub 'cn=aneela'
because the following command does not work, i.e.,
ldapsearch -x -D "cn=aneela,ou=users,dc=platalytics,dc=com" -W -H ldaps://127.0.0.1:636 -b "dc=platalytics,dc=com" -s sub 'cn=aneela'
The mandatory TLS hostname check is a prevention against MITM attacks.
ldaps://127.0.0.1 does not make sense anyway.
And even better, you should use ldapi:// [1] for local access.
[1] http://tools.ietf.org/html/draft-chu-ldap-ldapi
Ciao, Michael.
What if I want to access LDAP from an external source? How would it recognize platalytics.com?
On Fri, Oct 2, 2015 at 1:18 PM, Michael Ströder michael@stroeder.com wrote:
Hopefully the client performs the TLS hostname check as defined in RFC 6125.
All hostnames and IP addresses used by clients have to be listed in the subjectAltName extension.
Ciao, Michael.
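To make Michael's point concrete, here is an added example (my own code, not from the thread or from OpenLDAP) that mimics the RFC 6125 hostname check a TLS client applies to the host part of an ldaps:// URI. It runs against two constructed certificates: one carrying only CN=platalytics.com, as in Aneela's setup, and one whose subjectAltName also lists the IP addresses clients use; 192.0.2.10 is an assumed client-facing address.

```python
import ipaddress

# Constructed sample certificates in the dict layout returned by Python's
# ssl.SSLSocket.getpeercert(); they are not the thread's real certificates.
CERT_CN_ONLY = {"subject": ((("commonName", "platalytics.com"),),)}
CERT_WITH_SAN = {
    "subject": ((("commonName", "platalytics.com"),),),
    "subjectAltName": (("DNS", "platalytics.com"),
                       ("IP Address", "127.0.0.1"),
                       ("IP Address", "192.0.2.10")),  # assumed client-facing IP
}

def _dns_match(pattern, hostname):
    """RFC 6125 DNS-ID match: case-insensitive, '*' only as the whole left-most label."""
    p = pattern.lower().split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or len(h) < 2:  # single-label hosts must match exactly
        return p == h
    return p == h or (p[0] == "*" and p[1:] == h[1:])

def reference_ids(cert):
    """(DNS-IDs, IP-IDs) the certificate asserts; CN is used only without a DNS SAN."""
    san = cert.get("subjectAltName", ())
    dns = [v for k, v in san if k == "DNS"]
    ips = [v for k, v in san if k == "IP Address"]
    if not dns:  # RFC 6125 6.4.4: fall back to the subject CN only then
        dns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return dns, ips

def host_matches(cert, host):
    """The check a TLS client applies to the host part of an ldaps:// URI."""
    dns_ids, ip_ids = reference_ids(cert)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # not an IP literal, so compare as a DNS name
        return any(_dns_match(p, host) for p in dns_ids)
    # An IP literal is compared only with iPAddress SAN entries, so a certificate
    # carrying just CN=platalytics.com can never satisfy ldaps://127.0.0.1.
    return any(ipaddress.ip_address(ip) == addr for ip in ip_ids)

def san_line(endpoints):
    """openssl.cnf subjectAltName value naming every host and IP clients will use."""
    parts = []
    for ep in endpoints:
        try:
            ipaddress.ip_address(ep)
            parts.append("IP:" + ep)
        except ValueError:
            parts.append("DNS:" + ep)
    return "subjectAltName = " + ",".join(parts)
```

host_matches(CERT_CN_ONLY, "127.0.0.1") is False while host_matches(CERT_WITH_SAN, "127.0.0.1") is True, which is exactly the difference between Aneela's failing and working ldapsearch invocations.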
Hi Michael,
Thanks for explaining. So far I have only performed server-side validation using the link http://www.openldap.org/faq/data/cache/185.html
Can you please guide me on how we can perform client-side verification? I mean, how do we set the subjectAltName extension?
On Fri, Oct 2, 2015 at 4:10 PM, Michael Ströder michael@stroeder.com wrote:
I have followed this link: http://stackoverflow.com/questions/21488845/how-can-i-generate-a-self-signed-certificate-with-subjectaltname-using-openssl. I updated the openssl.cnf file manually and added the IP address of the other client machine. Then I generated the SSL certificate. Now I am accessing ldaps://platalytics.com:636 from the other client machine (I have also added platalytics.com to the /etc/hosts file) but I am unable to access it from the external IP address. What am I missing now?
On Fri, Oct 2, 2015 at 5:35 PM, Aneela Saleem aneela@platalytics.com wrote:
In reply to Aneela Saleem aneela@platalytics.com, Sun, 4 Oct 2015 19:18:19 +0500:
Domain Name Service? Firewall? Routing Tables?
-Dieter
Do we need to have the CA certificate/server key on the other client machine as well? If yes, then how can we achieve that?
On Sun, Oct 4, 2015 at 9:00 PM, Dieter Klünter dieter@dkluenter.de wrote:
-- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E
In reply to Aneela Saleem aneela@platalytics.com, Tue, 6 Oct 2015 00:00:43 +0500:
Yes, you have to install a CA certificate on all hosts that want to access an LDAP server, and the client applications on remote hosts need to know the location of this CA; usually that is configured in ldap.conf(5), but it depends on the client's ability.
-Dieter
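Dieter's pointer to ldap.conf(5) lends itself to a quick check. This added example (my own code, not from the thread or from OpenLDAP) parses two constructed ldap.conf samples and reports when verification is effectively off (TLS_REQCERT never or allow, or no CA configured at all) and when an ldaps:// URI uses an IP literal that would have to appear in the server certificate's subjectAltName; the CA path /etc/ssl/certs/platalytics-ca.crt is an assumed placeholder.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed ldap.conf(5) samples, not the thread's real files. The first is the
# tempting way to silence a failing certificate check; the second is what Dieter
# describes: a CA the client trusts (assumed path) with verification left on.
WEAK_LDAP_CONF = """\
# /etc/ldap/ldap.conf
BASE        dc=platalytics,dc=com
URI         ldaps://platalytics.com:636
TLS_REQCERT never
"""
GOOD_LDAP_CONF = """\
BASE        dc=platalytics,dc=com
URI         ldaps://platalytics.com:636
TLS_CACERT  /etc/ssl/certs/platalytics-ca.crt
TLS_REQCERT demand
"""

def parse_ldap_conf(text):
    """ldap.conf(5) syntax: keyword, whitespace, value; lines starting with '#'
    are comments; keywords are case-insensitive and a repeat overrides."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def audit_tls(conf):
    """Findings about the client-side TLS setup; an empty list means the client
    verifies the server certificate against a trusted CA with hostname checking."""
    findings = []
    reqcert = conf.get("tls_reqcert", "demand").lower()  # demand is the documented default
    if reqcert in ("never", "allow"):
        findings.append("TLS_REQCERT %s: certificate failures are ignored; use demand or hard" % reqcert)
    if "tls_cacert" not in conf and "tls_cacertdir" not in conf:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: this client does not trust the server's CA")
    for uri in conf.get("uri", "").split():
        try:
            ipaddress.ip_address(urlsplit(uri).hostname or "")
        except ValueError:
            continue  # a DNS name: the hostname check is satisfied by a DNS SAN or CN
        if uri.startswith("ldaps://"):
            findings.append("%s: IP literal host; it must be listed as an IP entry in subjectAltName" % uri)
    return findings
```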
That is different per OS and application implementation. Search for "update CA certificates [your OS or app name]".
We only use our LDAP for auth(n/z) so we tell PAM or SSSD (depending on OS version) to use the CA cert we push onto those nodes using our configuration management system (e.g.: puppet, chef) – without having to modify our CA bundles. We DO have an internal CA that java apps must support, as well as some system level apps: on those nodes we update the system as needed (CentOS or Java).
Good luck, - chris
From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Aneela Saleem
Sent: Monday, October 05, 2015 12:01 PM
To: Dieter Klünter dieter@dkluenter.de
Cc: openldap-technical@openldap.org
Subject: Re: SSL based ldap server