Search results for "starttls" - openldap-technical

Re: STARTTLS vs LDAPS

by Quanah Gibson-Mount

--On Thursday, March 31, 2022 3:13 PM -0400 Braiam <braiamp(a)gmail.com> wrote: > > > > > > > On Thu, Mar 31, 2022 at 11:46 AM Quanah Gibson-Mount > <quanah(a)fast-mail.org> wrote: > > > > --On Thursday, March 31, 2022 12:16 PM -0400 Braiam <braiamp(a)gmail.com> > wrote: > >> What would be the process to modify content on the openldap.org page? > > Depends on the content. The main web pages are in the OpenLDAP Web git > repository. > > > This repository seems to be the FAQ: > > > https://git.openldap.org/project/faq/-/tree/master/data/item > > > There's a website project too. I couldn't figure out what markup language > items > on the faq project uses. It uses whatever format the FAQ-O-Matic software uses (<https://sourceforge.net/projects/faqomatic/>) --Quanah

3 years, 2 months

Re: Reg OpenLdap on Ubuntu

by Asimananda Mohanty

Hi Michael, Indeed, it's fine now :) But is there any way that I make the password stuff working as well. Thanks again.... -Asimananda 2009/7/20 Michael Ströder <michael(a)stroeder.com> > Asimananda Mohanty wrote: > > > > The first command works fine (ldapsearch -x -H ldap://ldap-company.com > > <http://ldap-company.com/> -ZZ) but the second one (ldapsearch -x -H > > ldaps://ldap-company.com:636 <http://ldap-company.com:636/> -ZZ) is > > showing error : > > > > *ldap_start_tls: Operations error (1)* > > Sorry, stupid copy&paste by me. Should have another coffee. Omit the -ZZ > in the second command since LDAPS and StartTLS ext.op. cannot be used > together. > > See also: > http://www.openldap.org/faq/data/cache/605.html > > Ciao, Michael. > > -- > Michael Ströder > E-Mail: michael(a)stroeder.com > http://www.stroeder.com >

15 years, 10 months

Re: How do tool verify certs with ldapi:// ?

by Peter Marschall

Hi, On Monday, 28. May 2012, Philip Guenther wrote: > On Mon, 28 May 2012, Michael Ströder wrote: > > Peter Marschall wrote: > > > how do the openldap tools technically verfify certificates with > > > ldapi:// ? > > > > Which certs do you want to verify? > > I assume the answer is "the one the server returns when you do StartTLS on > the ldapi:// connection". Correct. > If that's not a sufficient option, and verifying certs is required, then > it appears the code will treat the socket path as the hostname to verify > for. For OpenSSL, for example, that means it'll compare it against any > DNS: subjectAltNames as well as against the last CN component of the cert > subject. That's not what the openldap tools do. My cerver certificates do not contain the ldapi socket path as hostnames, yet ldapsearch -LLL -x -H ldapi:/// -ZZ -s base -b "" works and I want to find out how it does this. Best PEter -- Peter Marschall peter(a)adpm.de

13 years

Re: secure passwords

by Michael Ströder

sim123 wrote: > So I did more research and found that java or spring source has APIs for > encrypting passwords and I could store the hashed value in openldap. If thats > the case would LDPA server be able to retrive the password during bind? > > And another interesting read is > > http://blogs.oracle.com/DirectoryManager/entry/the_ssha_password_storage_sc… > > Is that true for OpenLDAP? Can I use similar algorithm for generating > password? Or should password policy will suffice ? Should be the same. Compare to: http://www.openldap.org/faq/data/cache/347.html Generating the salted hash of the password can be done by the client or within slapd when the client sends a LDAP Password Modify extended operation request (RFC 3062) with the clear-text password (as stated in http://www.openldap.org/faq/data/cache/906.html). Note that there are various forms of bind requests. Hashed passwords in attribute 'userPassword' can only be used with bind methods which sends the plaintext password over the wire (simple bind, SASL/PLAIN) and therefore the communication has to be protected (by LDAPS or LDAP with StartTLS). Ciao, Michael.

13 years, 9 months

Re: Can't get TLS working.

by Dieter Kluenter

c0re <nr1c0re(a)gmail.com> writes: > # making clientkey > openssl genrsa -out client.key 2048 > # making certificate request > openssl req -new -key client.key -out client.csr > # signing > openssl x509 -req -days 1024 -CA ../ssl/rootcrt.pem -CAkey > ../ssl/rootkey.pem -in client.csr -out client.crt -CAserial > ../ssl/root.seq > > # configuring on client > TLS_CACERT /usr/local/etc/openldap/ssl-client/rootcrt.pem > TLS_CERT /usr/local/etc/openldap/ssl-client/client.crt > and > TLS_KEY /usr/local/etc/openldap/ssl-client/client.key > > Trying again with slapd debug and client calling "id test" [...] As there are no obvious errors in the log you should get TLS properly working, prior to testing with pam. Just do a ldapsearch or a ldapwhoami either on uri ldaps:// or startTLS on ldap:// -Dieter -- Dieter Klünter | Systemberatung sip: 7770535(a)sipgate.de http://www.dpunkt.de/buecher/2104.html GPG Key ID:8EF7B6C6

14 years, 9 months

RHEL 5 will not do TLS/SSL authentication

by Dat Duong

Hi, I can't find anywhere on how to fix my RHEL 5 to use TLS/SSL authentication. I will work when I comment out the ssl startTLS and SSL. On my Solaris 10, I can do ldapsearch with the -ZZ option Here is what I did with the debug on for ldapsearch. Please help me solve this problem...THANKS!! TLS trace: SSL_connect:SSLv3 read server certificate A TLS trace: SSL_connect:SSLv3 read server certificate request A TLS trace: SSL_connect:SSLv3 read server done A TLS trace: SSL_connect:SSLv3 write client certificate A TLS trace: SSL_connect:SSLv3 write client key exchange A TLS trace: SSL_connect:SSLv3 write change cipher spec A TLS trace: SSL_connect:SSLv3 write finished A TLS trace: SSL_connect:SSLv3 flush data TLS trace: SSL3 alert read:fatal:handshake failure TLS trace: SSL_connect:failed in SSLv3 read finished A TLS: can't connect. ldap_perror ldap_start_tls: Connect error (-11) additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

16 years, 9 months

Fw: RHEL 5 will not do TLS/SSL authentication

by Dat Duong

Hi, I can't find anywhere on how to fix my RHEL 5 to use TLS/SSL authentication. I will work when I comment out the ssl startTLS and SSL. On my Solaris 10, I can do ldapsearch with the -ZZ option Here is what I did with the debug on for ldapsearch. Please help me solve this problem...THANKS!! TLS trace: SSL_connect:SSLv3 read server certificate A TLS trace: SSL_connect:SSLv3 read server certificate request A TLS trace: SSL_connect:SSLv3 read server done A TLS trace: SSL_connect:SSLv3 write client certificate A TLS trace: SSL_connect:SSLv3 write client key exchange A TLS trace: SSL_connect:SSLv3 write change cipher spec A TLS trace: SSL_connect:SSLv3 write finished A TLS trace: SSL_connect:SSLv3 flush data TLS trace: SSL3 alert read:fatal:handshake failure TLS trace: SSL_connect:failed in SSLv3 read finished A TLS: can't connect. ldap_perror ldap_start_tls: Connect error (-11) additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

16 years, 9 months

Re: TLS not working (even though SSL does) -- logging trouble

by Quanah Gibson-Mount

--On Tuesday, October 21, 2008 4:05 PM -0400 Kyle Barger <kbarger(a)ltsp.edu> wrote: > I have an OpenLDAP 2.3 server that is up and running. I have been trying > to add SSL and TLS. SSL connections on port 636 work fine. However the > TLS connection on 389 is not working. The only errors are "TLS accept > failure" and "TLS negotiation failure." I've not been able to dig up any > more information, even using the -d option, and I notice that people have > posted log files with detailed TLS trace messages. How can I enable the > TLS logging to find out what's going on? Thanks. You can't do SSL over port 389, you need to do startTLS instead. You don't say how you are testing these connections, but if you are using ldapsearch, look at the "-Z[ZZ]" option(s). --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration

16 years, 7 months

Re: MDB_BAD_RSLOT while executing slapacl

by Igor Zinovik

Howard Chu <hyc(a)symas.com> wrote on Thu, 12 Dec 2013 15:24:00 +0400: > Igor Zinovik wrote: >> 2013/12/12 Howard Chu <hyc(a)symas.com <mailto:hyc@symas.com>> >> >> You should upgrade to get the fix for #7662. >> >> >> I upgraded my slapd to 2.4.38, but I still see error message when I >> execute >> slapacl. >> I also removed data.mdb and lock.mdb, imported data back to ldap using >> backup >> copy and I still see error message. > Post your config, sample data, and the exact slapacl command you used. I started with empty config and empty database with slapd-2.4.38: # sudo slapadd -F /etc/openldap/slapd.d -n0 -l config.ldif _#################### 100.00% eta none elapsed none fast! Closing DB... I import single object into my catalog: # cat initial-import.ldif dn: dc=example,dc=org dc: example objectClass: organization objectClass: dcObject o: Example # sudo slapadd -F /etc/openldap/slapd.d -b dc=example,dc=org -l config.ldif _#################### 100.00% eta none elapsed none fast! Closing DB... Trying to check access: # sudo slapacl -F /etc/openldap/slapd.d -D uid=zinovik,ou=people,dc=example,dc=org \ -b dc=example,dc=org o/read authcDN: "uid=zinovik,ou=people,dc=example,dc=org" 52abd7bc mdb_opinfo_get: err MDB_BAD_RSLOT: Invalid reuse of reader locktable slot(-30783) read access to o: ALLOWED Here is my config (with omitted cn=schema,cn=config): dn: cn=config objectClass: olcGlobal cn: config olcConfigFile: slapd.conf.bak olcConfigDir: slapd.d olcArgsFile: /var/run/slapd/slapd.args olcAttributeOptions: lang- olcAuthzPolicy: none olcConcurrency: 0 olcConnMaxPending: 100 olcConnMaxPendingAuth: 1000 olcGentleHUP: FALSE olcIdleTimeout: 0 olcIndexSubstrIfMaxLen: 4 olcIndexSubstrIfMinLen: 2 olcIndexSubstrAnyLen: 4 olcIndexSubstrAnyStep: 2 olcIndexIntLen: 4 olcLocalSSF: 71 olcPidFile: /var/run/slapd/slapd.pid olcReadOnly: FALSE olcSaslSecProps: noplain,noanonymous olcServerID: 1 ldap://ldap1.example.org olcServerID: 2 ldap://ldap2.example.org olcServerID: 3 ldap://ldap3.example.org olcSockbufMaxIncoming: 262143 olcSockbufMaxIncomingAuth: 16777215 olcThreads: 8 olcTLSCACertificatePath: /etc/ssl/certs olcTLSCertificateKeyFile: /etc/openldap/ldap.key olcTLSCRLCheck: none olcTLSVerifyClient: allow olcToolThreads: 1 olcWriteTimeout: 0 olcTLSCACertificateFile: /etc/ssl/example-ca-bundle.crt olcTLSCertificateFile: /etc/openldap/ldap.crt olcLogLevel: config sync dn: cn=schema,cn=config ... [omitted] ... dn: cn=module{0},cn=config objectClass: olcModuleList cn: module{0} olcModulePath: /usr/lib/openldap/modules olcModuleLoad: {0}accesslog olcModuleLoad: {1}memberof olcModuleLoad: {2}pcache olcModuleLoad: {3}refint olcModuleLoad: {4}syncprov olcModuleLoad: {5}unique dn: olcDatabase={-1}frontend,cn=config objectClass: olcDatabaseConfig objectClass: olcFrontendConfig olcDatabase: {-1}frontend olcAccess: {0}to dn.base="" by * read olcAccess: {1}to dn.base="cn=subschema" by * read olcAddContentAcl: FALSE olcLastMod: TRUE olcMaxDerefDepth: 0 olcReadOnly: FALSE olcSchemaDN: cn=Subschema olcSyncUseSubentry: FALSE olcMonitoring: FALSE dn: olcDatabase={0}config,cn=config objectClass: olcDatabaseConfig olcDatabase: {0}config olcAccess: {0}to * by group/groupOfNames/member.exact="cn=ldap admins,ou=grou ps,dc=example,dc=org" write olcAddContentAcl: TRUE olcLastMod: TRUE olcMaxDerefDepth: 15 olcReadOnly: FALSE olcRootDN: cn=admin,cn=config olcRootPW:: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX olcSyncUseSubentry: FALSE olcMirrorMode: TRUE olcMonitoring: FALSE olcSyncrepl: {0}rid=001 provider=ldap://ldap1.example.org binddn="cn=admin,cn=co nfig" bindmethod=simple credentials="XXXXXXXXXXXXXXXXX" searchbase="cn=con fig" type=refreshAndPersist retry="5 5 30 +" timeout=1 starttls=yes tls_cert= "/etc/openldap/ldap.crt" tls_key="/etc/openldap/ldap.key" tls_cacert="/etc/ss l/example-ca-bundle.crt" tls_reqcert=demand tls_crlcheck=none olcSyncrepl: {1}rid=002 provider=ldap://ldap2.example.org binddn="cn=admin,cn=co nfig" bindmethod=simple credentials="XXXXXXXXXXXXXXXXX" searchbase="cn=con fig" type=refreshAndPersist retry="5 5 30 +" timeout=1 starttls=yes tls_cert= "/etc/openldap/ldap.crt" tls_key="/etc/openldap/ldap.key" tls_cacert="/etc/ss l/example-ca-bundle.crt" tls_reqcert=demand tls_crlcheck=none olcSyncrepl: {2}rid=003 provider=ldap://ldap3.example.org binddn="cn=admin,cn=co nfig" bindmethod=simple credentials="XXXXXXXXXXXXXXXXX" searchbase="cn=con fig" type=refreshAndPersist retry="5 5 30 +" timeout=1 starttls=yes tls_cert= "/etc/openldap/ldap.crt" tls_key="/etc/openldap/ldap.key" tls_cacert="/etc/ss l/example-ca-bundle.crt" tls_reqcert=demand tls_crlcheck=none dn: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: {0}syncprov dn: olcDatabase={1}mdb,cn=config objectClass: olcDatabaseConfig objectClass: olcMdbConfig olcDatabase: {1}mdb olcDbDirectory: /var/lib/ldap olcSuffix: dc=example,dc=org olcAddContentAcl: FALSE olcLastMod: TRUE olcLimits: {0}group/groupOfNames/member="cn=ldap admins,ou=groups,dc=example,dc =ru" size=unlimited olcLimits: {1}group/groupOfNames/member="cn=ldap admins,ou=groups,dc=example,dc =ru" time=unlimited olcLimits: {2}group/groupOfNames/member="cn=admins,ou=mail,ou=groups,dc=example ,dc=ru" size=unlimited olcLimits: {3}group/groupOfNames/member="cn=replicators,ou=groups,dc=example,dc =ru" size=unlimited time=unlimited olcMaxDerefDepth: 15 olcReadOnly: FALSE olcRootDN: cn=admin,dc=example,dc=org olcRootPW:: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX olcSyncUseSubentry: FALSE olcSyncrepl: {0}rid=004 provider=ldap://ldap1.example.org bindmethod=simple bind dn="uid=mirrormode,ou=services,dc=example,dc=org" credentials="XXXXXXXXXXXXXXXX XX" keepalive=0:0:0 starttls=yes tls_cert="/etc/openldap/ldap.crt" tls_key="/ etc/openldap/ldap.key" tls_cacert="/etc/ssl/example-ca-bunle.crt" tls_reqcert= demand tls_crlcheck=none filter="(objectclass=*)" searchbase="dc=example,dc=org " schemachecking=on type=refreshAndPersist retry="60 +" olcSyncrepl: {1}rid=005 provider=ldap://ldap2.example.org bindmethod=simple bind dn="uid=mirrormode,ou=services,dc=example,dc=org" credentials="XXXXXXXXXXXXXXXX XX" keepalive=0:0:0 starttls=yes tls_cert="/etc/openldap/ldap.crt" tls_key="/ etc/openldap/ldap.key" tls_cacert="/etc/ssl/example-ca-bundle.crt" tls_reqcert =demand tls_crlcheck=none filter="(objectclass=*)" searchbase="dc=example,dc=r u" schemachecking=on type=refreshAndPersist retry="60 +" olcSyncrepl: {2}rid=006 provider=ldap://ldap3.example.org bindmethod=simple bind dn="uid=mirrormode,ou=services,dc=example,dc=org" credentials="XXXXXXXXXXXXXXXX XX" keepalive=0:0:0 starttls=yes tls_cert="/etc/openldap/ldap.crt" tls_key="/ etc/openldap/ldap.key" tls_cacert="/etc/ssl/example-ca-bundle.crt" tls_reqcert =demand tls_crlcheck=none filter="(objectclass=*)" searchbase="dc=example,dc=r u" schemachecking=on type=refreshAndPersist retry="60 +" olcMirrorMode: TRUE olcMonitoring: TRUE olcDbNoSync: FALSE olcDbIndex: objectClass eq olcDbIndex: cn pres,eq,approx,sub olcDbIndex: uid pres,eq,sub olcDbIndex: memberUid eq olcDbIndex: member eq olcDbIndex: sudoUser eq,sub olcDbIndex: uniqueMember eq olcDbIndex: uidNumber eq olcDbIndex: rfc822MailMember eq olcDbIndex: gidNumber eq olcDbIndex: mail eq,sub olcDbIndex: zoneName eq olcDbIndex: relativeDomainName eq olcDbIndex: dlzHostName,dlzZoneName,dlzRecordID,dlzType eq,pres olcDbIndex: dhcpHWAddress,dhcpClassData eq olcDbIndex: sudoHost eq,sub olcDbIndex: accountStatus eq olcDbIndex: dc eq olcDbMaxReaders: 0 olcDbMaxSize: 1073741824 olcDbMode: 0600 olcDbSearchStack: 16 olcAccess: {0}to attrs=userPassword by self write by anonymous auth olcAccess: {1}to * by * read dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcMemberOf olcOverlay: {0}memberof olcMemberOfDangling: ignore olcMemberOfRefInt: TRUE olcMemberOfGroupOC: groupOfNames olcMemberOfMemberAD: member dn: olcOverlay={1}refint,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcRefintConfig olcOverlay: {1}refint olcRefintAttribute: seeAlso olcRefintAttribute: uniqueMember olcRefintAttribute: member olcRefintNothing: cn=EMPTY dn: olcOverlay={2}unique,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcUniqueConfig olcOverlay: {2}unique olcUniqueURI: ldap:///ou=Hosts,dc=example,dc=org?ipHostNumber?sub olcUniqueURI: ldap:///ou=People,dc=example,dc=org?uid,uidNumber?sub olcUniqueURI: ldap:///ou=Groups,dc=example,dc=org?cn,gidNumber?sub olcUniqueURI: ldap:///ou=Mail,dc=example,dc=org?mail,mailLocalAddress?sub dn: olcOverlay={3}syncprov,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: {3}syncprov olcSpCheckpoint: 100 10 olcSpSessionlog: 100 dn: olcDatabase={2}monitor,cn=config objectClass: olcDatabaseConfig olcDatabase: {2}monitor olcAccess: {0}to * by group/groupOfNames/member.exact="cn=ldap admins,ou=grou ps,dc=example,dc=org" read olcAddContentAcl: FALSE olcLastMod: TRUE olcMaxDerefDepth: 15 olcReadOnly: FALSE olcSyncUseSubentry: FALSE olcMonitoring: FALSE

11 years, 6 months

Re: no contextCSN attribute on consumers

by cYuSeDfZfb cYuSeDfZfb

Hi! I am using the cn=admin,o=infra,c=com with correct password to connect. I will further check ACLs! Thank you for that suggestion. Just to make things more concrete, below are two samples. One on the MASTER with contextCSN, and one from the SLAVE without contextCSN. EXAMPLE SLAVE: ldapsearch -x -H ldaps://$SERVER -D $LDAPBINDDN -w $ADMINPW -b "o=infra,c=com" -s base contextCSN # extended LDIF # # LDAPv3 # base <o=infra,c=com> with scope baseObject # filter: (objectclass=*) # requesting: contextCSN # # search result search: 2 result: 0 Success # numResponses: 1 EXAMPLE MASTER: ldapsearch -x -H ldaps://$SERVER -D $LDAPBINDDN -w $ADMINPW -b "o=infra,c=com" -s base contextCSN # extended LDIF # # LDAPv3 # base <o=infra,c=com> with scope baseObject # filter: (objectclass=*) # requesting: contextCSN # # infra, com dn: o=infra,c=com contextCSN: 20180917142109.765066Z#000000#000#000000 contextCSN: 20230612144901.796553Z#000000#001#000000 contextCSN: 20230612144904.899482Z#000000#002#000000 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 On Mon, 12 Jun 2023 at 16:42, Quanah Gibson-Mount <quanah(a)fast-mail.org> wrote: > > > --On Monday, June 12, 2023 5:36 PM +0200 cYuSeDfZfb cYuSeDfZfb > <cyusedfzfb(a)gmail.com> wrote: > > > Hi Quanah, > > > > Thanks for the swift reponse! I think I do, yes, see, from consumer one: > > > > olcSyncrepl: {0}rid=202 > > provider=ldap://master-acc-02.ldap.infra.com:389 bindmethod=simple > > filter="(objectClass=*)" scope=sub binddn="cn=mirrormode,ou=Directory > > Access,o=infra,c=com" credentials=XYZ searchbase="o=infra,c=com" > > schemachecking=on type=refreshAndPersist retry="60 +" attrs="*,+" > > starttls=critical tls_reqcert=demand > > olcSyncrepl: {1}rid=201 > > provider=ldap://master-acc-01.ldap.infra.com:389 bindmethod=simple > > filter="(objectClass=*)" scope=sub binddn="cn=mirrormode,ou=Directory > > Access,o=infra,c=com" credentials=XYZ searchbase="o=infra,c=com" > > schemachecking=on type=refreshAndPersist retry="60 +" attrs="*,+" > > starttls=critical tls_reqcert=demand > > olcUpdateRef: ldap://provider-acc-02.ldap.infra.com:389 > > olcUpdateRef: ldap://provider-acc-01.ldap.infra.com:389 > > That's syncrepl, not syncprov. > > However, the issue could be ACLs. If you use the rootdn for your database > to run the query, can you see the contextCSN value stored in your database > root? > > --Quanah > > > >

2 years

openldap-technical search results for query "starttls"