Re: Require SSL transport?
- To: Justin Hahn <jhahn@profitlogic.com>
- Subject: Re: Require SSL transport?
- From: Jens Vagelpohl <jens@digicool.com>
- Date: Fri, 02 Feb 2001 11:57:52 -0500
- Cc: "openldap software Openldap.org" <openldap-software@OpenLDAP.org>
- In-reply-to: <419A3E73A18BD211A17000105A1C37E97202B8@mail.grossprofit.com>
- User-agent: Microsoft-Entourage/9.0.2509
couple things:
- it's lowercase -h and not uppercase
- i'm not sure if the "ldaps://0.0.0.0" syntax will work. use "ldaps:///"
instead (see the man-page)
- if it still fails you can find out why by running it in debug mode, like
so:
slapd -h ldaps:/// -d -1
this will give you full debugging output and will tell you what failed.
jens
On 2/2/01 11:48, "Justin Hahn" <jhahn@profitlogic.com> wrote:
> Already tried that and it doesn't appear to work at all:
>
> (136 jhahn godel /usr/doc/openldap-guide)
>> /local/libexec/slapd -H "ldaps://0.0.0.0"
> (137 jhahn godel /usr/doc/openldap-guide)
>> ldapsearch -x -ZZ '(objectclass=*)'
> ldap_start_tls: Can't contact LDAP server
> (138 jhahn godel /usr/doc/openldap-guide)
>> ldapsearch -x -ZZ -H "ldaps://127.0.0.1/" '(objectclass=*)'
> Segmentation fault
> (139 jhahn godel /usr/doc/openldap-guide)
>> ldapsearch -x -ZZ -p 636 '(objectclass=*)'
> ldap_start_tls: Can't contact LDAP server
> (140 jhahn godel /usr/doc/openldap-guide)
>> sudo netstat -t -l -p | grep slapd
> tcp 0 0 *:ldaps *:* LISTEN
> <pid>/slapd
>
> And I can't see it with any other LDAP browser. (e.g. the Java based LDAP
> Browser/Editor software...)
>
> Any other bright ideas? The segfault is a little unexpected.
>
> If I start slapd without any arguments and use -ZZ then ldapsearch works,
> and the logs seem to indicate that an SSL exchange is going on. It does
> complain about the client certificate (which ldapsearch doesn't have...) but
> I don't think that matters right now. (Especially since if the SSL exchange
> failed, -ZZ should ensure that the search fails).
>
> I was thinking that adding:
>
> access to *
> by ssf=0 none
>
> would do it, but slapd doesn't like ssf=0 in a rule...
>
>> -----Original Message-----
>> From: Jens Vagelpohl [mailto:jens@digicool.com]
>> Sent: Friday, February 02, 2001 11:34 AM
>> To: Justin Hahn; 'openldap-software@Openldap.org'
>> Subject: Re: Require SSL transport?
>>
>>
>> justin,
>>
>> do a "man slapd" and look at the "-h" option.
>>
>> starting your server with "slapd -h ldaps:///" should prevent it from
>> listening on anything other than port 636.
>>
>> jens
>>
>>
>>
>> On 2/2/01 10:56, "Justin Hahn" <jhahn@profitlogic.com> wrote:
>>
>>> Over the past couple days I've been setting up OpenLDAP as a substitute
>>> for NIS. To do this I want all communications done with the LDAP server
>>> to be over SSL exclusively. But I can't seem to figure out how to get
>>> openldap to ignore requests that aren't over SSL.
>>> (i.e. ldapsearch -ZZ -x '(objectclass=*)' gives me exactly what I expect,
>>> but take away -ZZ and I get the same results back. Which isn't what I
>>> want.)
>>>
>>> Is there any ACL I can use to grant no access if SSL isn't being used? A
>>> config option? A commandline option to slapd?
>>>
>>> Thanks!
>>
>
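The thread's check of what slapd is actually exposing is the netstat line near the end of Justin's transcript. The script below is an added example (not from the thread and not part of OpenLDAP) that turns that manual check into a repeatable one: it reads "netstat -t -l -p" style listener lines (the "ss -tlnp" layout is accepted too) and fails if a cleartext ldap/389 listener is present or no ldaps/636 listener is. The sample listener lines and the PID "1234" are constructed. One detail worth keeping in mind when testing the result: "ldapsearch -ZZ" requests StartTLS, an operation for the cleartext port, while "ldaps://" is TLS from the first byte, so a TLS-only server is exercised with "ldapsearch -H ldaps://host/ ..." and no -ZZ.

```shell
#!/bin/sh
# Added example, not from the thread: verify that an LDAP server exposes only
# its TLS listener (ldaps/636) and no cleartext listener (ldap/389).
# Real use (netstat layout, as in the thread, or ss layout):
#   sudo netstat -t -l -p | grep slapd | check_ldap_listeners
#   ss -tlnp | grep slapd | check_ldap_listeners

# Constructed sample: slapd started with no -h, so both ports are open
# (the "take away -ZZ and I get the same results" situation).
SAMPLE_BOTH='tcp        0      0 *:ldap          *:*    LISTEN      1234/slapd
tcp        0      0 *:ldaps         *:*    LISTEN      1234/slapd'

# Constructed sample: slapd started with "slapd -h ldaps:///" (TLS only).
SAMPLE_LDAPS_ONLY='tcp        0      0 *:ldaps         *:*    LISTEN      1234/slapd'

# Reads listener lines on stdin and prints one line per finding.
# Returns 0 only when an ldaps listener exists and no cleartext one does,
# 1 when a cleartext listener is found, 2 when no ldaps listener is found.
check_ldap_listeners() {
    plain=0
    tls=0
    # netstat: Proto Recv-Q Send-Q Local Foreign State PID/Program
    # ss:      State Recv-Q Send-Q Local Peer Process
    # In both layouts the local address is the 4th field; headers and
    # non-LISTEN rows are skipped.
    while read -r f1 f2 f3 f4 f5 f6 rest; do
        if [ "$f1" = "LISTEN" ]; then
            laddr=$f4
        elif [ "$f6" = "LISTEN" ]; then
            laddr=$f4
        else
            continue
        fi
        port=${laddr##*:}   # "*:ldaps" -> "ldaps", "0.0.0.0:636" -> "636"
        case "$port" in
            ldap|389)  plain=1; echo "cleartext LDAP listener: $laddr" ;;
            ldaps|636) tls=1;   echo "TLS-only listener: $laddr" ;;
        esac
    done
    if [ "$plain" -eq 1 ]; then
        echo "FAIL: clients can bind without TLS"
        return 1
    fi
    if [ "$tls" -eq 0 ]; then
        echo "FAIL: no ldaps listener found"
        return 2
    fi
    echo "OK: only ldaps is exposed"
    return 0
}

# Wrappers that run the check over the constructed samples.
check_both()       { printf '%s\n' "$SAMPLE_BOTH"       | check_ldap_listeners; }
check_ldaps_only() { printf '%s\n' "$SAMPLE_LDAPS_ONLY" | check_ldap_listeners; }
```

Run "check_both" to see the failing case and "check_ldaps_only" for the passing one; piping live netstat or ss output into check_ldap_listeners gives the same verdict for a real server. Because the check only looks at listeners, it says nothing about whether clients that do reach port 636 present or verify certificates; that part is decided by the TLS configuration on each side.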