Search results for "starttls" - openldap-technical

Context around DNS resolution

by Joshua Schaeffer

I setup LDAPS (yes, will be switching to ldap + StartTLS) and ran intosomething odd and I'm really just looking for a bit of context. Everything is working correctlyand I'm able to authenticate clients to the ldap server, however when I runthe following ldapsearch I get an error: jschaeffer@zipmaster07:~$ ldapsearch -LLL -v -D cn=admin,dc=harmonywave,dc=com -W -H ldaps://baneling -b uid=jschaeffer,ou=People,dc=harmonywave,dc=com ldap_initialize( ldaps://baneling:636/??base ) Enter LDAP Password: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) And from the debug output: 531c7c0a ber_get_next on fd 12 failed errno=0 (Success) 531c7c0a conn=1000 op=1 do_unbind 531c7c0a connection_close: conn=1000 sd=12 531c7c18 slap_listener_activate(6): 531c7c18 >>> slap_listener(ldaps:///) 531c7c18 connection_get(12): got connid=1001 531c7c18 connection_read(12): checking for input on id=1001 531c7c18 connection_get(12): got connid=1001 531c7c18 connection_read(12): checking for input on id=1001 531c7c18 connection_read(12): unable to get TLS client DN, error=49 id=1001 531c7c18 connection_get(12): got connid=1001 531c7c18 connection_read(12): checking for input on id=1001 ber_get_next 531c7c18 ber_get_next on fd 12 failed errno=0 (Success) 531c7c18 connection_close: conn=1001 sd=12 If I use the FQDN for the URI then everything works fine and I get results. I know DNS is working correctly, I can ping the server name and it returns the FQDN and reverse DNS resolution also works. The hostname and hostname -f commands work correctly on both client and server. Was it never intended for ldap commands to resolve server names to their FQDN? I'm also assuming that ldap + StartTLS would show the same behavior.

10 years, 8 months

Openldap Chaining

by jeevan kc

Hello guys here is my proceudre that I wrote for OpenLDAP chaining. My question is since I have a master and two slaves on the replication, where do these overlay go? On the slaves only or both master and slaves. Please respond. Thanks · Create /usr/local/etc/openldap/slapd.d/cn=config/olcDatabase={-1}frontend · Create /usr/local/etc/openldap/slapd.d/cn=config/olcDatabase={-1}frontend/olcOverlay={0}chain · Add olcOverlay={0}chain.ldif to /usr/local/etc/openldap/slapd.d/cn=config/olcDatabase={-1}frontend dn: olcOverlay={0}chain objectClass: olcOverlayConfig objectClass: olcChainConfig olcOverlay: {0}chain olcChainCacheURI: FALSE olcChainMaxReferralDepth: 1 olcChainReturnError: TRUE structuralObjectClass: olcChainConfig · Add olcDatabase={0}ldap.ldif to /usr/local/etc/openldap/slapd.d/cn=config/olcDatabase={-1}frontend/olcOverlay={0}chain dn: olcDatabase={0}ldap objectClass: olcLDAPConfig objectClass: olcChainDatabase olcDatabase: {0}ldap olcDbStartTLS: none starttls=no olcDbRebindAsUser: FALSE olcDbChaseReferrals: TRUE olcDbTFSupport: no olcDbProxyWhoAmI: FALSE olcDbProtocolVersion: 3 olcDbSingleConn: FALSE olcDbCancel: abandon olcDbUseTemporaryConn: FALSE olcDbConnectionPoolMax: 16 olcDbSessionTrackingRequest: FALSE olcDbNoRefs: FALSE olcDbNoUndefFilter: FALSE structuralObjectClass: olcLDAPConfig · Add olcDatabase={1}ldap.ldif to /usr/local/etc/openldap/slapd.d/cn=config/olcDatabase={-1}frontend/olcOverlay={0}chain dn: olcDatabase={1}ldap objectClass: olcLDAPConfig objectClass: olcChainDatabase olcDatabase: {1}ldap olcDbURI: "ldap://master.dc.us" olcDbStartTLS: none starttls=no olcDbIDAssertBind: mode=self flags=prescriptive,proxy-authz-non-critical bindm ethod=simple timeout=0 network-timeout=0 binddn="cn=manager,o=dc,c=us” credentials="l4s3rj3t" keepalive=0:0:0 olcDbRebindAsUser: FALSE olcDbChaseReferrals: TRUE olcDbTFSupport: no olcDbProxyWhoAmI: FALSE olcDbProtocolVersion: 3 olcDbSingleConn: FALSE olcDbCancel: abandon olcDbUseTemporaryConn: FALSE olcDbConnectionPoolMax: 16 olcDbSessionTrackingRequest: FALSE olcDbNoRefs: FALSE olcDbNoUndefFilter: FALSE structuralObjectClass: olcLDAPConfig · Restart slapd

11 years, 9 months

seg fault with TLS syncrepl ?

by Olivier

My N-WAY replication works properly with a "bindmethod=simple". However, I don't like keeping a password in clear in a configuration file, then I tryed this : On server "ldap-master1.example.fr" : TLSVerifyClient allow syncrepl rid=101 provider=ldap://ldap-master2.example.fr:389 searchbase="dc=example,dc=fr" schemachecking=on type=refreshOnly interval=00:00:01:00 retry="10 +" bindmethod=sasl saslmech=EXTERNAL starttls=critical tls_cert=/etc/openldap/cacerts/master1/server.crt tls_key=/etc/openldap/cacerts/master1/server.key tls_cacert=/etc/openldap/cacerts/CA.crt tls_reqcert=demand On server "ldap-master2.example.fr" : TLSVerifyClient allow syncrepl rid=201 provider=ldap://ldap-master1.example.fr:389 searchbase="dc=example,dc=fr" schemachecking=on type=refreshOnly interval=00:00:01:00 retry="10 +" bindmethod=sasl saslmech=EXTERNAL starttls=critical tls_cert=/etc/openldap/cacerts/master2/server.crt tls_key=/etc/openldap/cacerts/master2/server.key tls_cacert=/etc/openldap/cacerts/CA.crt I get a segmentation fault : ldap-master1 #$ /usr/sbin/slapd -h ldap:/// -u ldap -d256 @(#) $OpenLDAP: slapd 2.4.23 (Apr 12 2011 19:26:36) $ mockbuild@x86-001.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd bdb_monitor_db_open: monitoring disabled; configure monitor database to enable <= bdb_inequality_candidates: (entryCSN) not indexed slapd starting slap_client_connect: URI=ldap://ldap-master2.example.fr:389 Error, ldap_start_tls failed (-1) do_syncrepl: rid=101 rc -1 retrying conn=1000 fd=12 ACCEPT from IP=10.1.92.25:47353 (IP=0.0.0.0:389) conn=1000 op=0 EXT oid=1.3.6.1.4.1.1466.20037 conn=1000 op=0 STARTTLS conn=1000 op=0 RESULT oid= err=0 text= conn=1000 fd=12 TLS established tls_ssf=256 ssf=256 conn=1000 op=1 BIND dn="" method=163 conn=1000 op=1 BIND authcid="email=max(a)example.fr,cn=ldap-master2.example.fr,ou=ldap,o=example,l=somewhere,st=france,c=fr" authzid="email=max(a)example.fr,cn=ldap-master2.example.fr,ou=ldap,o=example,l=somewhere,st=france,c=fr" conn=1000 op=1 BIND dn="email=max(a)example.fr,cn=ldap-master2.example.fr,ou=ldap,o=example,l=somewhere,st=france,c=fr" mech=EXTERNAL sasl_ssf=0 ssf=256 conn=1000 op=1 RESULT tag=97 err=0 text= conn=1000 op=2 SRCH base="dc=example,dc=fr" scope=2 deref=0 filter="(objectClass=*)" conn=1000 op=2 SRCH attr=* + conn=1000 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text= conn=1000 op=3 UNBIND conn=1000 fd=12 closed Erreur de segmentation The segfault happened when the second server tried to sync with the first one : [root@ldap-master2 cacerts]# /usr/sbin/slapd -h ldap:/// -u ldap -d256 @(#) $OpenLDAP: slapd 2.4.23 (Apr 12 2011 19:26:36) $ mockbuild@x86-001.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd bdb_monitor_db_open: monitoring disabled; configure monitor database to enable slapd starting conn=1000 fd=12 ACCEPT from IP=10.1.92.24:55208 (IP=0.0.0.0:389) conn=1000 op=0 EXT oid=1.3.6.1.4.1.1466.20037 conn=1000 op=0 STARTTLS conn=1000 op=0 RESULT oid= err=0 text= TLS: error: accept - force handshake failure: errno 2 - moznss error -5938 TLS: can't accept: TLS error -5938:Encountered end of file. conn=1000 fd=12 closed (TLS negotiation failure) ^C daemon: shutdown requested and initiated. slapd shutdown: waiting for 0 operations/tasks to finish slapd stopped. Any idea ? NOTE : if I start the daemon on ldap-master2, that's ldap-master2 that produce the seg fault. --- Olivier

13 years, 3 months

Re: require StartTLS

by Nick Milas

On 26/2/2012 1:39 μμ, Daniel Pocock wrote: > I've looked at the TLS options and I have TLS running fine already. I > notice the TLSCipherSuite option sets the cipher level within TLS, but > it doesn't appear to guarantee that TLS is used. I am not an expert on it, but I have found this solution: http://www.openldap.org/lists/openldap-software/200707/msg00341.html on the issue, although I haven't used it myself (but I am planning to). I believe it does what you want. If there is another solution, more straightforward, using simply configuration directives, I don't know. Best regards, Nick

12 years, 8 months

Re: s_client working against 636 but not 389

by Marco Schirrmeister

On Sep 3, 2011, at 6:00 PM, Nate Marks wrote: > [root@ldap01 cacerts]# openssl s_client -CAfile /etc/pki/tls/certs/cacert.pem -connect 10.60.1.57:389 > CONNECTED(00000003) > 4392:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188: > [root@ldap01 cacerts]# To use tls on the standard port you would need to submit the option -starttls xxx to openssl. Where xxx is the protocol. But ldap as protocol is not supported. Even if it would, you could not type in anything useful. -- Marco

13 years, 2 months

Re: Reject requests on non-secure connections

by Michael Ströder

Terry Gardner wrote: > can the server be configured to reject all requests on that exception > except for the StartTLS extended request in order to prevent clients from > transmitting data in the clear? Watch out for configuration directives 'security' and 'sasl-secprops'. You might want to set TLSCipherSuite to avoid that a client uses a weak cipher or crypto protocol. But strictly speaking nothing prevents a misconfigured client to send clear-text credentials over the wire. Rejecting processing them only gives a strong hint that this is not the desired behaviour... Ciao, Michael.

12 years, 4 months

RE: LDAPS Support

by Maucci, Cyrille

https://www.openldap.org/faq/data/cache/605.html " ldaps:// is deprecated in favor of Start TLS [RFC2830]. OpenLDAP 2.0 supports both." I understand it as OpenLDAP 2.1 and greater don't. ++Cyrille -----Original Message----- From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of web(a)tomjay.co.uk Sent: Tuesday, June 05, 2018 4:36 AM To: openldap-technical(a)openldap.org Subject: LDAPS Support Hello, I'm under the impression that LDAPS (and not StartTLS) has been depreciated in OpenLDAP, but I can't find anything on the OpenLDAP website that says this. Is this the case, and is there a reference for it? Thanks.

6 years, 5 months

Re: Secure replication

by Quanah Gibson-Mount

--On Saturday, May 06, 2017 1:56 AM +0000 "Real, Elizabeth (392K)" <Elizabeth.Real(a)jpl.nasa.gov> wrote: > The olcSyncRepl directive on both systems needs to go from: > > olcSyncRepl: rid=001 provider=ldap > > to: > > olcSyncRepl: rid=001 provider=ldaps The use of "ldap://" does not mean that you have insecure replication. The "ldaps" designation was developed to allow for SSL encrypted connections as a part of LDAPv2, which did not have a formal design spec for allowing SSL encryption. The LDAPv3 spec, which is what OpenLDAP 2.4 (and much earlier version) implement, specifically has startTLS as a part of that specification, which uses "ldap:///". I.e., ldaps is a bastardized hack for LDAPv2. The proper way to do TLS encryption with LDAPv3 capable servers such as OpenLDAP 2.[1-4+] is to use the startTLS extended operation over a "ldap:///" URI. In addition, there are other ways to have an encrypted connection between an LDAP client and server without involving TLS at all, such as SASL/GSSAPI. As Michael noted, you can, in addition to enabling TLS encryption between the client and servers, use client cert authentication (SASL/EXTERNAL) so as to remove the requirement for clear text credentials to be stored in the olcSyncRepl attribute (if using simple binds). And again, the usage of SASL/GSSAPI also precludes the neccessity of storing cleartext credentials in the olcSyncRepl attribute. As an aside, I would note that 2.4.40 is completely unsafe to use with multimaster replication. I would generally suggest forming a clear set of requirements for your replication environment, and then asking how to implement them. Your current question is too vague/general to really be answered well. Hope that helps! Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

7 years, 6 months

cn=config (MMR) replication causes ldapsearch -ZZ to hang on RHEL 6.7

by Frank Crow

I'm trying to move my OpenLDAP MMR configuration from RHEL 6.5 (OpenLDAP 2.4.23) to RHEL 6.7 (OpenLDAP 2.4.40). On RHEL 6.5 it is working no with no problems. On RHEL 6.7, the configuration causes "ldapsearch -ZZ" to hang indefinitely. The cn=config section in slapd.conf looks like this: # sync provider configuration overlay syncprov syncprov-checkpoint 1 1 syncrepl rid=001 provider=ldap://server1 searchbase="cn=config" filter="(|(objectClass=olcDatabaseConfig)(objectClass=olcOverlayConfig))" bindmethod=sasl saslmech=EXTERNAL starttls=critical tls_cert=/etc/openldap/csa-certs/config.crt tls_key=/etc/openldap/csa-certs/config.key tls_cacert=/etc/openldap/csa-certs/cacert.pem tls_reqcert=demand type=refreshAndPersist retry="5 10 10 10 30 +" timeout=1 syncrepl rid=002 provider=ldap://server2 searchbase="cn=config" filter="(|(objectClass=olcDatabaseConfig)(objectClass=olcOverlayConfig))" bindmethod=sasl saslmech=EXTERNAL starttls=critical tls_cert=/etc/openldap/csa-certs/config.crt tls_key=/etc/openldap/csa-certs/config.key tls_cacert=/etc/openldap/csa-certs/cacert.pem tls_reqcert=demand type=refreshAndPersist retry="5 10 10 10 30 +" timeout=1 mirrormode on If I comment out that section in slapd.conf then "ldapsearch -ZZ" works but (obviously) I don't get cn=config replication. Am I doing something wrong in the configuration? Is it a fluke that it is working on 2.4.23 in the first place? Or does anyone know what may have changed (or is more strict or whatever) in the 2.4.40 release? Should I try to just remove RHEL's version of OpenLDAP and install the latest from openldap.org instead? Any assistance is highly appreciated! Thanks, -- Frank

8 years, 7 months

Re: syncrepl without cleartext password.

by Christian Kratzer

Hi, On Tue, 27 Oct 2015, Prakash Padadune wrote: > I want to implement syncrepl without having cleartext password in the > slapd.conf. > How this can be achieved? authenticate using client certificates and sasl_method = external You will need the private key files on the clients though. olcSyncrepl: {0}rid=001 provider=ldap://ldap1.foo.bar bindmethod=sasl saslmech=external keepalive=60:6:10 starttls=yes tls_cert="/etc/ssl/ce rts/server.cert" tls_key="/etc/ssl/certs/server.key" tls_cacert="/etc/ssl/certs/CA.cert" tls_reqcert=demand tls_crlcheck =none filter="(objectclass=*)" searchbase="dc=foo,dc=bar" scope=sub type=refreshAndPersist retry="60 10 300 +" olcSyncrepl: {1}rid=002 provider=ldap://ldap2.foo.bar bindmethod=sasl saslmech=external keepalive=60:6:10 starttls=yes tls_cert="/etc/ssl/ce rts/server.cert" tls_key="/etc/ssl/certs/server.key" tls_cacert="/etc/ssl/certs/CA.cert" tls_reqcert=demand tls_crlcheck =none filter="(objectclass=*)" searchbase="dc=foo,dc=bar" scope=sub type=refreshAndPersist retry="60 10 300 +" then map your certificate identity to an entry in your tree that has appropriate permissions: olcAuthzRegexp: {0}"cn=([^,]*)," "cn=$1,ou=servers,dc=foo,dc=bar" Greetings Christian -- Christian Kratzer CK Software GmbH Email: ck(a)cksoft.de Wildberger Weg 24/2 Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart Mobile: +49 171 1947 843 Geschaeftsfuehrer: Christian Kratzer Web: http://www.cksoft.de/

9 years

openldap-technical search results for query "starttls"