Search results for "starttls" - openldap-technical

RE: problem with ldap backend

by Alex Samad - Yieldbroker

Hi I have progressed a little bit further I have stopped using olcdbaclbind and started to use olcDbIDAssertAuthzFrom: "*" olcDbIDAssertBind: bindmethod=none authzId="CN=ad readonly,OU=Services ,DC= xyz,DC=com" credentials="secret" starttls=no but I get this text: 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this ope ration a successful bind must be completed on the connection., data 0, v1db1 I am able to ldapsearch with these credentials, I also tried change bindmethod to simple, but same error How do I turn on debug for the ldap backend ? Any one have any ideas on how to make this work ? Alex > -----Original Message----- > From: openldap-technical-bounces(a)OpenLDAP.org [mailto:openldap-technical- > bounces(a)OpenLDAP.org] On Behalf Of Alex Samad - Yieldbroker > Sent: Wednesday, 28 March 2012 1:58 PM > To: openldap-technical(a)openldap.org > Subject: problem with ldap backend > > Hi > > I am trying to setup a connection from openldap to MS AD > > I am using this > > dn: olcDatabase={3}ldap > objectClass: olcDatabaseConfig > objectClass: olcLDAPConfig > olcDatabase: {3}ldap > olcSuffix: dc=xyz,dc=com > olcAccess: {0}to dn.base="" by * read > olcAccess: {1}to dn.base="cn=Subschema" by * read > olcAccess: {2}to * by self write by users read by anonymous auth > olcReadOnly: TRUE > olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth > olcSizeLimit: 500 > olcDbURI: "ldap://dc101. xyz.com ldap://dc201. xyz.com" > olcDbRebindAsUser: TRUE > olcDbChaseReferrals: TRUE > > > This works fine when I pass a bind DN. > > I would like to convert this to allow anon access to ldap, which does a user bind > to MS AD so I added this > > > olcdbaclbind: bindmethod=simple binddn="CN=ad readonly,OU= xyz,DC= > xyz,DC=com" credentials="secret" starttls=no > > but it is not working, I can not make a anon search request, they retrieve any > thing frome the MSAD ldap server. > > Thanks > > > >

13 years, 2 months

Re: Openldap and sssd: getting slapd to do TLS negotiation or getting sssd to NOT do TLS negotiation

by Robert Heller

At Thu, 28 Sep 2017 12:29:19 -0700 Quanah Gibson-Mount <quanah(a)symas.com> wrote: > > --On Thursday, September 28, 2017 3:34 PM -0400 Robert Heller > <heller(a)deepsoft.com> wrote: > > > > Slapd is reporting TLS Negotiation failure when SSSD tries to connect to > > it. For both port 389 (ldap:///) and 636 (ldaps:///). So I guess > > something is wrong with slapd's TLS configuration -- it is failing to do > > TLS Negotiation, either it is just not doing it or it is doing it wrong > > (somehow). Unless SSSD is not configured properly. > > You need to start with the following: > > >> ldapwhoami -x -ZZ -H ldap://myhost:389 -D binddn -w > > to test startTLS > > and > > ldapwhoami -x -H ldaps://myhost:636 -D binddn -w > > to test without startTLS > > If you can get those to work, then you can move on to SSSD. [heller@c764guest ~]$ ldapwhoami -x -ZZ -H ldap://c764guest:389 -D cn=Manager,dc=deepsoft,dc=com -W ldap_start_tls: Connect error (-11) additional info: TLS error -8157:Certificate extension not found. [heller@c764guest ~]$ ldapwhoami -x -H ldaps://c764guest:636 -D cn=Manager,dc=deepsoft,dc=com -W Enter LDAP Password: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) The certificate is from my own CA and I *think* I have things set up properly, but it is a openssl cert and I know that slapd (and sssd) are built with MozNSS. ldap.conf contains: TLS_CACERT /etc/openldap/certs/ca-cert.pem TLS_CACERTDIR /etc/openldap/certs TLS_REQCERT demand and /etc/openldap/slapd.d/ contains: olcTLSCACertificatePath: /etc/openldap/certs olcTLSCACertificateFile: /etc/openldap/certs/ca-cert.pem olcTLSCertificateFile: /etc/pki/tls/certs/c764guest.cert olcTLSCertificateKeyFile: /etc/pki/tls/certs/c764guestkey.pem > > --Quanah > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> > > > -- Robert Heller -- 978-544-6933 Deepwoods Software -- Custom Software Services http://www.deepsoft.com/ -- Linux Administration Services heller(a)deepsoft.com -- Webhosting Services

7 years, 8 months

Re: Openldap and sssd: getting slapd to do TLS negotiation or getting sssd to NOT do TLS negotiation

by Quanah Gibson-Mount

--On Thursday, September 28, 2017 7:28 PM -0400 Robert Heller <heller(a)deepsoft.com> wrote: > At Thu, 28 Sep 2017 12:29:19 -0700 Quanah Gibson-Mount <quanah(a)symas.com> > wrote: > >> >> --On Thursday, September 28, 2017 3:34 PM -0400 Robert Heller >> <heller(a)deepsoft.com> wrote: >> >> >> > Slapd is reporting TLS Negotiation failure when SSSD tries to connect >> > to it. For both port 389 (ldap:///) and 636 (ldaps:///). So I guess >> > something is wrong with slapd's TLS configuration -- it is failing to >> > do TLS Negotiation, either it is just not doing it or it is doing it >> > wrong (somehow). Unless SSSD is not configured properly. >> >> You need to start with the following: >> >> >> ldapwhoami -x -ZZ -H ldap://myhost:389 -D binddn -w >> >> to test startTLS >> >> and >> >> ldapwhoami -x -H ldaps://myhost:636 -D binddn -w >> >> to test without startTLS >> >> If you can get those to work, then you can move on to SSSD. > > [heller@c764guest ~]$ ldapwhoami -x -ZZ -H ldap://c764guest:389 -D > cn=Manager,dc=deepsoft,dc=com -W ldap_start_tls: Connect error (-11) > additional info: TLS error -8157:Certificate extension not found. This may be of help: <https://serverfault.com/questions/640910/my-certificate-doesnt-work-on-all-…> > [heller@c764guest ~]$ ldapwhoami -x -H ldaps://c764guest:636 -D > cn=Manager,dc=deepsoft,dc=com -W Enter LDAP Password: > ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) This may mean slapd isn't listening on port 636 (With no -d -1 info, hard to know for sure). It may also simply be a different manifistation of the error above. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

7 years, 8 months

slapd(8C) man page, -c option: covers delete phase?

by Francesco Malvezzi

hi all, on a consumer I spotted a zombie entry which was deleted on provider. Replication is syncrepl: olcSyncrepl: {0}rid=003 provider=ldap://ldap-master.example.org binddn="cn=repluser,ou=agents,dc=example,dc=org" bindmethod=simple credentials="secret" searchbase="ou=people,dc=example,dc=org" type=refreshOnly interval=00:00:01:00 retry="5 5 30 +" timeout=1 scope=sub schemachecking=on exattrs=sambaHomeDrive sizelimit=100000 timelimit=7200 starttls=yes filter="....." my naive strategy was to (re-)start slapd with the -c rid=003 switch but of course I am missing something because I can see from logs syncronization if actually forced but zombie entry is not deleted. I am really sorry to ask you what I misundestood, thank you, Francesco

3 years, 3 months

Re: About TLS - ldaps search

by Quanah Gibson-Mount

--On Friday, January 04, 2013 4:09 PM -0800 Bheeshma SM <bheeshma.manjunath(a)gmail.com> wrote: > > Hi guys. > > I have a problem in Openldap 2.4.33 on RHEL 5.8 > > I am able to do a " ldapsearch -x -p 389 -h -D<> -w<> -b<> " > > but i am not able to do > > " ldapsearch -x -p 636 -h -D<> -w<> -b<> Sounds like slapd is not configured to listen to port 636. No amount of mucking with ldapsearch is going to change that. I would note that you can do secure searches over port 389 just fine. Simply use the startTLS operation. --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

12 years, 5 months

Re: olcSecurity: tls=1 and olcLocalSSF= : what value should I use?

by Quanah Gibson-Mount

--On Thursday, September 06, 2018 1:40 PM -0400 Jean-Francois Malouin <Jean-Francois.Malouin(a)bic.mni.mcgill.ca> wrote: > I guess I need to modify either 'olcSecurity: tls=1' in the database > config or add/insert the proper value for 'olcLocalSSF=' in the > cn=config. What value should I use in order to still force StartTLS over > simple binding and allow read/write/modify local access on the ldapi:/// > listener. Hello, Just set: olcSecurity: ssf=1 that will allow either to work as *some* SSF level is then required. As long as you have tls=X, then it will always require TLS, regardless of what the LocalSSF setting is configured to be. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

6 years, 9 months

Re: OpenLDAP self-signed certificates issue

by Ryan Tandy

On 07/09/14 10:28 PM, Vijay Ganesan wrote: > But I can't seem to connect using ldaps://localhost:636 using Apache > Directory Studio client. I get a "Error while opening connection - > Cannot connect on the server: Connection refused" error. > I can connect fine using ldap://localhost:389. Like Udai wrote, ldaps is deprecated, and if possible you should use STARTTLS on the LDAP port (389) instead. But if you really need ldaps, then edit /etc/default/slapd, add ldaps:/// to the SLAPD_SERVICES line, and restart slapd. > What diagnostics can be run to figure out if TLS is working correctly? LDAPTLS_CACERT=/path/to/ca.pem ldapwhoami -H ldap://server -x -ZZ Add '-d1' to see some debugging information, including more detailed info from the TLS library.

10 years, 9 months

Re: ssf settings for SASL and TLS

by Joshua Schaeffer

On 02/18/2016 03:19 AM, Dieter Klünter wrote: > Am Wed, 17 Feb 2016 20:25:56 -0700 > schrieb Joshua Schaeffer <jschaeffer0922(a)gmail.com>: > >> What is the proper way to setup SASL and TLS with different security >> strength factors? I've setup SASL on my OpenLDAP server so that it >> can connect to my Kerberos server using GSSAPI. I also have TLS setup >> for simple auth. My database config is below: > [...] >> olcSecurity: sasl=56 simple_bind=256 ssf=256 > > ssf=x specifies the overall security, a value '1' enables security. > This setting would meet your requirements: > olcSecurity: ssf=1 sasl=56 tls=256 > > > -Dieter > I updated olcSecurity and now I get the following when using simple auth: root@immortal:/var/log/kerberos# ldapsearch -LLL -x -D cn=admin,dc=harmonywave,dc=com -W -H ldap://baneling.harmonywave.com/????starttls -b dc=harmonywave,dc=com Enter LDAP Password: ldap_bind: Confidentiality required (13) additional info: SASL confidentiality required I see this in the logs: Feb 18 22:19:04 baneling slapd[22171]: conn=1005 fd=15 ACCEPT from IP=10.1.10.12:55750 (IP=0.0.0.0:389) Feb 18 22:19:04 baneling slapd[22171]: conn=1005 op=0 EXT oid=1.3.6.1.4.1.1466.20037 Feb 18 22:19:04 baneling slapd[22171]: conn=1005 op=0 STARTTLS Feb 18 22:19:04 baneling slapd[22171]: conn=1005 op=0 RESULT oid= err=0 text= Feb 18 22:19:04 baneling slapd[22171]: conn=1005 fd=15 TLS established tls_ssf=256 ssf=256 Feb 18 22:19:08 baneling slapd[22171]: conn=1005 op=1 BIND dn="cn=admin,dc=harmonywave,dc=com" method=128 Feb 18 22:19:08 baneling slapd[22171]: conn=1005 op=1 RESULT tag=97 err=13 text=SASL confidentiality required Feb 18 22:19:08 baneling slapd[22171]: conn=1005 op=2 UNBIND Feb 18 22:19:08 baneling slapd[22171]: conn=1005 fd=15 closed

9 years, 3 months

updating from 2.4.20 to 2.4.22 breaks syncrepl/TLS

by Thierry Lacoste

Hello, I have 2 CentOS 5.4 servers running OpenLDAP 2.4.20 installed from Buchan Milne's repository (openldap2.4- servers-2.4.20-1.el5). The first server is a Sync Provider. The second is a consumer with 'starttls=critical'. I have no problem after 'yum update' of the master (openldap2.4-servers-2.4.22-1.el5 is installed and replication is OK). But after 'yum update' of the slave, syncrepl won't work anymore because of TLS failures. Here are the logs on the master : Oct 20 16:51:15 vcos-castor slapd2.4[20097]: @(#) $OpenLDAP: slapd 2.4.22 (Apr 27 2010 12:04:27) $ bgmilne@centos5-32.ranger.dnsalias.com:/home/bgmilne/rpm/BUILD/ openldap-2.4.22/servers/slapd Oct 20 16:51:15 vcos-castor slapd2.4[20098]: slapd starting Oct 20 16:51:46 vcos-castor slapd2.4[20098]: conn=1000 fd=16 ACCEPT from IP=IP.OF.THE.SLAVE:46212 (IP=0.0.0.0:389) Oct 20 16:51:46 vcos-castor slapd2.4[20098]: conn=1000 op=0 EXT oid=1.3.6.1.4.1.1466.20037 Oct 20 16:51:46 vcos-castor slapd2.4[20098]: conn=1000 op=0 STARTTLS Oct 20 16:51:46 vcos-castor slapd2.4[20098]: conn=1000 op=0 RESULT oid= err=0 text= Oct 20 16:51:46 vcos-castor slapd2.4[20098]: conn=1000 fd=16 closed (TLS negotiation failure) Here are the logs on the slave : Oct 20 16:51:45 vcos-pollux slapd2.4[1808]: @(#) $OpenLDAP: slapd 2.4.22 (Apr 27 2010 12:04:27) $ bgmilne@centos5-32.ranger.dnsalias.com:/home/bgmilne/rpm/BUILD/ openldap-2.4.22/servers/slapd Oct 20 16:51:45 vcos-pollux slapd2.4[1809]: slapd starting Oct 20 16:51:45 vcos-pollux slapd2.4[1809]: slap_client_connect: URI=ldap://NAME_OF_THE_MASTER Error, ldap_start_tls failed (-11) Oct 20 16:51:45 vcos-pollux slapd2.4[1809]: do_syncrepl: rid=000 rc -11 retrying (4 retries left) ldapsearch from the slave can do TLS : $ ldapsearch -ZZ -x -h NAME_OF_THE_MASTER This is ldapsearch from openldap-clients-2.3.43-12.el5_5.2 as packaged by CentOS Any ideas on how to troubleshoot the problem? Regards, Thierry PS : as a side note both servers are Xen VMs running on CentOS hosts.

14 years, 7 months

Re: Ubuntu Server 12.04: StartTLS

by Admus

On 11/05/2012 04:05 PM, Dan White wrote: > On 11/05/12 08:29 +0100, Admus wrote: >> On 11/04/2012 11:59 PM, Dan White wrote: >>> On 11/04/12 23:13 +0100, admus wrote: >>>> Hello, >>>> I'm following >>>> https://help.ubuntu.com/12.04/serverguide/openldap-server.html#openldap-tls… >>>> how to: >>>> LDAP serwer starts correctly but when I tries to test StartTLS: >>>> ldapsearch -x -H ldap:/// -ZZ -d -1 >>>> I gets the following error: >>>> TLS: peer cert untrusted or revoked (0x42) >>>> TLS: can't connect: (unknown error code). >>>> ldap_err2string >>>> ldap_start_tls: Connect error (-11) >>>> additional info: (unknown error code) >>>> Any idea? >>> >>> Your hostname will need to match the certificate you have installed. >>> '-H >>> ldap:///' will, instead, need to include the hostname matching your >>> certificate. >>> >>> For project documentation, see chapter 16 of the OpenLDAP >>> Administrator's >>> Guide, slapd-config(5), ldap.conf(5), and ldapsearch(1). >>> >> >> ldapsearch -x -H ldap://ldap1.example.com -ZZ -d -1 >> >> Does not help, same error. CN in my certificate is ldap1.example.com. > > Assuming that your OpenLDAP was compiled against GnuTLS, use the GnuTLS > tools to trouble shoot your certificate. > > A google search for "peer cert untrusted or revoked (0x42)" finds > users who > also received that error. > The output of `gnutls-cli --print-cert -p 636 ldap1.example.com` is: - The hostname in the certificate matches 'ldap1.example.com'. - Peer's certificate issuer is unknown - Peer's certificate is NOT trusted - Version: TLS1.2 - Key Exchange: RSA - Cipher: AES-128-CBC - MAC: SHA1 - Compression: NULL - Handshake was completed

12 years, 7 months

openldap-technical search results for query "starttls"