Hi all,
I have followed the following link to configure LDAP with TLS:
https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/ch-ldap-tls.html...
but when I run the search command, i.e. *ldapsearch -x -b "dc=platalytics,dc=com" -H 'ldap://localhost:389' -ZZ*
I get the following error:
ldap_start_tls: Protocol error (2) additional info: unsupported extended operation
Following is my *ldap.conf* file:
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=platalytics,dc=com
URI     ldap://127.0.0.1:389

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ldap/cacert.pem
TLS_REQCERT     allow
TLSVerifyClient never
Following is my *cn=config.ldif* file:
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 0cd16f20
dn: cn=config
objectClass: olcGlobal
cn: config
*TLSCertificateFile: /etc/ldap/servercrt.pem*
*TLSCertificateKeyFile: /etc/ldap/serverkey.pem*
*TLSCACertificateFile: /etc/ldap/cacert.pem*
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: none
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: 59729584-bdf0-1034-90b9-fdf431101d87
creatorsName: cn=config
createTimestamp: 20150713211745Z
entryCSN: 20150713211745.443612Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20150713211745Z
Can anyone please help me with what the issue could be?
On 07/14/15 03:45 +0500, Aneela Saleem wrote:
but when I run the search command, i.e. *ldapsearch -x -b "dc=platalytics,dc=com" -H 'ldap://localhost:389' -ZZ*
I get the following error:
ldap_start_tls: Protocol error (2) additional info: unsupported extended operation
Which ssl library is your slapd compiled against? See the slapd-config manpage for appropriate configuration for your ssl lib.
Following is my *cn=config.ldif* file:
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 0cd16f20
dn: cn=config
objectClass: olcGlobal
cn: config
*TLSCertificateFile: /etc/ldap/servercrt.pem*
*TLSCertificateKeyFile: /etc/ldap/serverkey.pem*
*TLSCACertificateFile: /etc/ldap/cacert.pem*
Assuming these are correct paths, verify permissions to these files, and check them again.
Enable logging/debugging on the server side to troubleshoot.
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: none
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: 59729584-bdf0-1034-90b9-fdf431101d87
creatorsName: cn=config
createTimestamp: 20150713211745Z
entryCSN: 20150713211745.443612Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20150713211745Z
Dan White wrote:
On 07/14/15 03:45 +0500, Aneela Saleem wrote:
but when I run the search command, i.e. *ldapsearch -x -b "dc=platalytics,dc=com" -H 'ldap://localhost:389' -ZZ*
I get the following error:
ldap_start_tls: Protocol error (2) additional info: unsupported extended operation
Which ssl library is your slapd compiled against? See the slapd-config manpage for appropriate configuration for your ssl lib.
Following is my *cn=config.ldif* file:
This is not a valid file.
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 0cd16f20
dn: cn=config
objectClass: olcGlobal
cn: config
*TLSCertificateFile: /etc/ldap/servercrt.pem*
*TLSCertificateKeyFile: /etc/ldap/serverkey.pem*
*TLSCACertificateFile: /etc/ldap/cacert.pem*
Assuming these are correct paths, verify permissions to these files, and check them again.
Enable logging/debugging on the server side to troubleshoot.
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: none
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: 59729584-bdf0-1034-90b9-fdf431101d87
creatorsName: cn=config
createTimestamp: 20150713211745Z
entryCSN: 20150713211745.443612Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20150713211745Z
Hi Dan,
I found three libraries in the manpages of slapd-config, i.e., OpenSSL, GnuTLS, or Mozilla NSS.
On Tue, Jul 14, 2015 at 10:31 PM, Howard Chu hyc@symas.com wrote:
Dan White wrote:
On 07/14/15 03:45 +0500, Aneela Saleem wrote:
but when I run the search command, i.e. *ldapsearch -x -b "dc=platalytics,dc=com" -H 'ldap://localhost:389' -ZZ*
I get the following error:
ldap_start_tls: Protocol error (2) additional info: unsupported extended operation
Which ssl library is your slapd compiled against? See the slapd-config manpage for appropriate configuration for your ssl lib.
Following is my *cn=config.ldif* file:
This is not a valid file.
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 0cd16f20
dn: cn=config
objectClass: olcGlobal
cn: config
*TLSCertificateFile: /etc/ldap/servercrt.pem*
*TLSCertificateKeyFile: /etc/ldap/serverkey.pem*
*TLSCACertificateFile: /etc/ldap/cacert.pem*
Assuming these are correct paths, verify permissions to these files, and check them again.
Enable logging/debugging on the server side to troubleshoot.
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: none
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: 59729584-bdf0-1034-90b9-fdf431101d87
creatorsName: cn=config
createTimestamp: 20150713211745Z
entryCSN: 20150713211745.443612Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20150713211745Z
--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
Hi Howard,
Can you please give me some suitable link I can follow?
Dan White wrote:
ldap_start_tls: Protocol error (2) additional info: unsupported extended operation
Which ssl library is your slapd compiled against? See the slapd-config manpage for appropriate configuration for your ssl lib.
On 07/14/15 23:05 +0500, Aneela Saleem wrote:
Hi Dan,
I found three libraries in the manpages of slapd-config, i.e., OpenSSL, GnuTLS, or Mozilla NSS.
Correct, as OpenLDAP supports all three of those libraries. Consult your system documentation for which library your binary slapd was linked against.
This should give you a hint:
~# ldd `which slapd`
Hi Dan,
It gives the following output:
linux-vdso.so.1 => (0x00007ffca9bec000)
libldap_r-2.4.so.2 => /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2 (0x00007fee3c95b000)
liblber-2.4.so.2 => /usr/lib/x86_64-linux-gnu/liblber-2.4.so.2 (0x00007fee3c74c000)
libslp.so.1 => /usr/lib/libslp.so.1 (0x00007fee3c539000)
libsasl2.so.2 => /usr/lib/x86_64-linux-gnu/libsasl2.so.2 (0x00007fee3c31e000)
libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007fee3c0e5000)
libslapi-2.4.so.2 => /usr/lib/x86_64-linux-gnu/libslapi-2.4.so.2 (0x00007fee3bec6000)
libltdl.so.7 => /usr/lib/x86_64-linux-gnu/libltdl.so.7 (0x00007fee3bcbc000)
libwrap.so.0 => /lib/x86_64-linux-gnu/libwrap.so.0 (0x00007fee3bab2000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fee3b893000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fee3b4ce000)
libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007fee3b2b3000)
libgssapi.so.3 => /usr/lib/x86_64-linux-gnu/libgssapi.so.3 (0x00007fee3b074000)
libgnutls.so.26 => /usr/lib/x86_64-linux-gnu/libgnutls.so.26 (0x00007fee3adb6000)
libgcrypt.so.11 => /lib/x86_64-linux-gnu/libgcrypt.so.11 (0x00007fee3ab36000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fee3a931000)
libnsl.so.1 => /lib/x86_64-linux-gnu/libnsl.so.1 (0x00007fee3a717000)
/lib64/ld-linux-x86-64.so.2 (0x00007fee3cf53000)
libheimntlm.so.0 => /usr/lib/x86_64-linux-gnu/libheimntlm.so.0 (0x00007fee3a50d000)
libkrb5.so.26 => /usr/lib/x86_64-linux-gnu/libkrb5.so.26 (0x00007fee3a285000)
libasn1.so.8 => /usr/lib/x86_64-linux-gnu/libasn1.so.8 (0x00007fee39fe4000)
libcom_err.so.2 => /lib/x86_64-linux-gnu/libcom_err.so.2 (0x00007fee39ddf000)
On Tue, Jul 14, 2015 at 11:09 PM, Dan White dwhite@cafedemocracy.org wrote:
Dan White wrote:
ldap_start_tls: Protocol error (2) additional info: unsupported extended operation
Which ssl library is your slapd compiled against? See the slapd-config manpage for appropriate configuration for your ssl lib.
On 07/14/15 23:05 +0500, Aneela Saleem wrote:
Hi Dan,
I found three libraries in the manpages of slapd-config, i.e., OpenSSL, GnuTLS, or Mozilla NSS.
Correct, as OpenLDAP supports all three of those libraries. Consult your system documentation for which library your binary slapd was linked against.
This should give you a hint:
~# ldd `which slapd`
-- Dan White
On Tue, Jul 14, 2015 at 11:09 PM, Dan White <dwhite@cafedemocracy.org> wrote:
On 07/14/15 23:05 +0500, Aneela Saleem wrote:
I found three libraries in the manpages of slapd-config, i.e., OpenSSL, GnuTLS, or Mozilla NSS.
This should give you a hint:
~# ldd `which slapd`
On 07/15/15 00:37 +0500, Aneela Saleem wrote:
It gives the following output:
libgnutls.so.26 => /usr/lib/x86_64-linux-gnu/libgnutls.so.26
GnuTLS.
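Two offline checks that follow from the advice in this thread, as an added example (not code from the list posts and not OpenLDAP's own tooling): classify the TLS library slapd is linked against from ldd output, and check a cn=config entry for the olc-prefixed TLS attribute names that slapd-config(5) defines (olcTLSCertificateFile and friends), since the bare TLSCertificateFile lines in the posted entry are slapd.conf names and not olcGlobal attributes. The sample ldd line and LDIF are constructed from values quoted above; the live-host commands in the comments assume slapcat access to the config database.

```shell
# Added example, not code from the thread or from OpenLDAP. Two offline
# checks behind the advice given above: which TLS library slapd is linked
# against (from `ldd` output) and whether a cn=config entry carries the
# olc-prefixed TLS attributes that slapd-config(5) defines.

# Read ldd output on stdin; print gnutls, openssl, nss or none.
tls_lib_from_ldd() {
    out=$(cat)
    case "$out" in
        *libgnutls.so*)            echo gnutls ;;
        *libssl.so*)               echo openssl ;;
        *libnss3.so*|*libssl3.so*) echo nss ;;
        *)                         echo none ;;
    esac
}

# Read a cn=config LDIF entry on stdin. Returns 0 when both
# olcTLSCertificateFile and olcTLSCertificateKeyFile are present, 1 otherwise.
# slapd.conf-style names without the olc prefix are flagged: they are not
# attributes of olcGlobal, so slapd ends up with no TLS configuration and
# does not offer StartTLS ("unsupported extended operation").
check_cnconfig_tls() {
    ldif=$(cat)
    rc=0
    for bad in TLSCertificateFile TLSCertificateKeyFile TLSCACertificateFile; do
        if printf '%s\n' "$ldif" | grep -q "^$bad:"; then
            echo "not a cn=config attribute: $bad (expected olc$bad)" >&2
            rc=1
        fi
    done
    for need in olcTLSCertificateFile olcTLSCertificateKeyFile; do
        if ! printf '%s\n' "$ldif" | grep -q "^$need:"; then
            echo "missing: $need" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed samples taken from the values quoted in the thread.
SAMPLE_LDD='libgnutls.so.26 => /usr/lib/x86_64-linux-gnu/libgnutls.so.26 (0x00007fee3adb6000)'
SAMPLE_LDIF='dn: cn=config
objectClass: olcGlobal
TLSCertificateFile: /etc/ldap/servercrt.pem
TLSCertificateKeyFile: /etc/ldap/serverkey.pem'

# On a live host: ldd "$(command -v slapd)" | tls_lib_from_ldd
#                 slapcat -n 0 | check_cnconfig_tls
printf '%s\n' "$SAMPLE_LDD" | tls_lib_from_ldd   # prints gnutls
```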
openldap-technical@openldap.org