[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Require SSL transport?

To: Justin Hahn <jhahn@profitlogic.com>
Subject: Re: Require SSL transport?
From: Jens Vagelpohl <jens@digicool.com>
Date: Fri, 02 Feb 2001 11:57:52 -0500
Cc: "openldap software Openldap.org" <openldap-software@OpenLDAP.org>
In-reply-to: <419A3E73A18BD211A17000105A1C37E97202B8@mail.grossprofit.com>
User-agent: Microsoft-Entourage/9.0.2509

couple things:

- it's lowercase -h and not uppercase

- i'm not sure if the "ldaps://0.0.0.0" syntax will work. use "ldaps:///"
instead (see the man-page)

- if it still fails you can find out why by running it in debug mode, like
so:

slapd -h ldaps:/// -d -1

this will give you full debugging output and will tell you what failed.

jens



On 2/2/01 11:48, "Justin Hahn" <jhahn@profitlogic.com> wrote:

> Already tried that and it doesn't appear to work at all:
> 
> (136 jhahn godel /usr/doc/openldap-guide)
>> /local/libexec/slapd -H "ldaps://0.0.0.0"
> (137 jhahn godel /usr/doc/openldap-guide)
>> ldapsearch -x -ZZ '(objectclass=*)'
> ldap_start_tls: Can't contact LDAP server
> (138 jhahn godel /usr/doc/openldap-guide)
>> ldapsearch -x -ZZ -H "ldaps://127.0.0.1/" '(objectclass=*)'
> Segmentation fault
> (139 jhahn godel /usr/doc/openldap-guide)
>> ldapsearch -x -ZZ -p 636 '(objectclass=*)'
> ldap_start_tls: Can't contact LDAP server
> (140 jhahn godel /usr/doc/openldap-guide)
>> sudo netstat -t -l -p | grep slapd
> tcp        0      0 *:ldaps                 *:*                     LISTEN
> <pid>/slapd   
> 
> And I can't see it with any other LDAP browser. (e.g. the Java based LDAP
> Browser/Editor
> software...)
> 
> Any other bright ideas? The segfault is a little unexpected.
> 
> If I start slapd without any arguments and use -ZZ then ldapsearch works,
> and the logs seem
> to indicate that an SSL exchange is going on. It does complain about the
> client certificate
> (which ldapsearch doesn't have...) but I don't think that matters right now.
> (Especially
> since if the SSL exchange failed, -ZZ should ensure that the search fails).
> 
> I was thinking that adding:
> 
> access to *
> by ssf=0 none
> 
> would do it, but slapd doesn't like ssf=0 in a rule...
> 
>> -----Original Message-----
>> From: Jens Vagelpohl [mailto:jens@digicool.com]
>> Sent: Friday, February 02, 2001 11:34 AM
>> To: Justin Hahn; 'openldap-software@Openldap.org'
>> Subject: Re: Require SSL transport?
>> 
>> 
>> justin,
>> 
>> do a "man slapd" and look at the "-h" option.
>> 
>> starting your server with "slapd -h ldaps:///" should prevent it from
>> listening on anything other than port 636.
>> 
>> jens
>> 
>> 
>> 
>> On 2/2/01 10:56, "Justin Hahn" <jhahn@profitlogic.com> wrote:
>> 
>>> Over the past couple days I've beens setting up OpenLDAP as
>> a substitute for
>>> NIS. To do
>>> this I want all communications done with the LDAP server to
>> be over SSL
>>> exclusively. But
>>> I can't seem to figure out how to get openldap to ignore
>> requests that
>>> aren't over SSL.
>>> (i.e. ldapsearch -ZZ -x '(objectclass=*)' gives me exactly
>> what I expect,
>>> but take away -ZZ and I get the same results back. Which
>> isn't what I want.)
>>> 
>>> Is there any ACL I can use to grant no access if SSL isn't
>> being used? A
>>> config
>>> option? A commandline option to slapd?
>>> 
>>> Thanks!
>> 
>

Prev by Date: ldapadd - No such object
Next by Date: Re: Require SSL transport?
Index(es):
- Chronological
- Thread