
Re: How to Force TLS/SSL connection Only ?



Sun, 2002-11-24 at 13:43, Zhang Fei wrote:
 
>      (system: RH7.3 with openldap 2.0.25)

Good, because otherwise we don't know anything.

> My ldap server doesn't want to allow anonymous access and
> only allows client access with valid certificates.
> I have added TLS configuration lines in slapd.conf

Anonymous access is not the same as SSL or TLS.

> ################ Begin ###################################
> TLSCertificateFile    /usr/local/etc/openldap/server.crt
> TLSCertificateKeyFile /usr/local/etc/openldap/server.key
> TLSCACertificateFile  /usr/share/ssl/misc/demoCA/cacert.pem
> TLSVerifyClient       demand
> ################ End  ####################################
> 
> And in ldap.conf ,add:
> ################# Begin ###############################
> TLS_CACERT      /usr/share/ssl/misc/demoCA/cacert.pem
> TLS             hard
> ################## end ################################
> 
> In valid client's ".ldaprc" file :
> ################### Begin ##############################
> TLS_CERT        /home/globus/ldapcert/user.crt
> TLS_KEY         /home/globus/ldapcert/user.key
> #################### End ###############################

> Then, I started ldap server/TLS/SSL as:
>   $slapd -h "ldap:/// ldaps:///" -d 512

> But I can get all the contents of the ldap server with the "Softerra LDAP Browser" anonymously :( Why?
> Should I add some other "access control"?

Yes. As I said, SSL/TLS has nothing to do with what people get to see.
The latter has to do with ACLs.

> While I run the commands:
> (1) $ldapsearch  -x -H "ldap://my_ldap_server_FQDN:389" -b "o=MyTest,c=CN" -s sub "(objectclass=*)" -v
>    ldap_initialize( ldap://moon.rd.sdb.ac.cn )
>    ldap_bind: Can't contact LDAP server

No idea. This should work. However, it depends on as whom you are
running the ldapsearch request. What you have in your .ldaprc is wrong,
unless you are going to do something completely different with it, f.
ex. you've insisted on 'verify client'.

> (2) $ldapsearch  -x -H "ldaps://my_ldap_server_FQDN:636" -b "o=MyTest,c=CN" -s sub "(objectclass=*)" attributeType -v
>    ldap_initialize( ldaps://my_ldap_server_FQDN:636 )
>    filter: (objectclass=*)
>    requesting: attributeType 
>    dn: o=MyTest,c=CN
>    dn: cn=Manager,o=MyTest,c=CN    

> From the above results, I think the TLS connection on port 636 is working well, but on port 389 the connection is refused.

> BTW: What's the meaning of the option "-x" in the command "ldapsearch"? "Simple Authentication"? It's different from "Anonymous", but why does it not need a userid & password?

'-x' means "do a simple, not an SASL bind". It's correct, if you haven't
configured SASL. Try it without '-x' and you'll get an SASL error.

I do think that you have to read much more documentation. Starting with
the admin guide on www.openldap.org, man this and that,
http://www.mandrakesecure.net/en/docs/ldap-auth.php
http://www.yolinux.com/TUTORIALS/LinuxTutorialLDAP.html
 ... are o.k. to start with. There are 100s more :-)

Best,

Tony


-- 

Tony Earnshaw

When all's said and done ...
there's nothing left to say or do.

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
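The point of the reply above is that the quoted slapd.conf configures the transport (TLS, client certificates) but says nothing about authorization, so anonymous reads remain allowed. The following is an added example, not code from the thread or from the OpenLDAP project: a small, simplified slapd.conf ACL evaluator that reports what an unbound (anonymous) client may do, run over two constructed configurations, the poster's TLS-only setup and the same setup with `access to` ACLs. It assumes slapd 2.0 semantics as documented in slapd.access(5): the first matching `access to` clause wins, within it the first matching `by` clause wins, an unmatched clause implies `by * none`, and with no ACLs present the default policy is read for everyone. The suffix `o=MyTest,c=CN` is taken from the thread; the parser handles only `*`, `attrs=` and `dn[.style]=` selectors without spaces inside the DN.

```python
import re

# Privilege levels in ascending order, as in slapd.access(5).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Constructed slapd.conf fragment mirroring the quoted configuration:
# TLS on, client certs demanded, no ACLs at all.
WEAK_CONF = """
TLSCertificateFile    /usr/local/etc/openldap/server.crt
TLSCertificateKeyFile /usr/local/etc/openldap/server.key
TLSCACertificateFile  /usr/share/ssl/misc/demoCA/cacert.pem
TLSVerifyClient       demand
database ldbm
suffix   "o=MyTest,c=CN"
rootdn   "cn=Manager,o=MyTest,c=CN"
"""

# Same fragment plus ACLs: anonymous may only use the directory to bind
# (auth on userPassword, auth on entries); everything else needs a bound identity.
HARDENED_CONF = WEAK_CONF + """
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by anonymous auth
        by users read
"""


def logical_lines(conf):
    """Join slapd.conf continuation lines (a line beginning with whitespace
    continues the previous directive); drop blank lines and comments."""
    out = []
    for raw in conf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out


def parse_access(line):
    """'access to <what> by <who> <level> [by ...]' -> (what, [(who, level), ...])."""
    body = line.split(None, 2)[2]                  # strip the 'access to' keywords
    parts = re.split(r"\s+by\s+", body)
    by_clauses = []
    for clause in parts[1:]:
        tokens = clause.split()
        # Control keywords such as 'stop'/'break' are ignored; only the level matters here.
        level = next((t for t in tokens[1:] if t in LEVELS), "none")
        by_clauses.append((tokens[0], level))
    return parts[0].strip(), by_clauses


def what_matches(what, dn, attr):
    """Does the <what> selector cover this entry (and attribute, if given)?
    Simplification: every whitespace-separated selector must match."""
    target = dn.lower()
    for sel in what.split():
        if sel == "*":
            continue
        if sel.startswith("attrs="):
            names = [a.strip().lower() for a in sel[len("attrs="):].split(",")]
            if attr is None or attr.lower() not in names:
                return False
            continue
        m = re.match(r'dn(?:\.(\w+))?="?([^"]*)"?$', sel)
        if not m:
            return False                           # unsupported selector: treat as no match
        style, pattern = m.group(1), m.group(2).lower()
        if style == "base":
            ok = target == pattern
        elif style == "subtree":
            ok = target == pattern or target.endswith("," + pattern)
        elif style == "children":
            ok = target.endswith("," + pattern)
        else:                                      # plain dn= is a regex in slapd 2.0
            ok = re.fullmatch(pattern, target) is not None
        if not ok:
            return False
    return True


def anonymous_access(conf, dn="o=MyTest,c=CN", attr=None):
    """Effective privilege an unbound client gets on dn (or dn/attr)."""
    clauses = [parse_access(l) for l in logical_lines(conf) if l.startswith("access ")]
    if not clauses:
        return "read"                              # 2.0 default policy with no ACLs
    for what, by_clauses in clauses:
        if not what_matches(what, dn, attr):
            continue
        for who, level in by_clauses:
            if who in ("*", "anonymous"):
                return level
        return "none"                              # implicit 'by * none'
    return "none"                                  # implicit 'access to * by * none'


def audit(conf):
    """Defender's checks for the mix-up in the thread: transport secured,
    directory contents still readable without binding."""
    findings = []
    has_tls = any(l.startswith("TLSCertificateFile") for l in logical_lines(conf))
    entry = anonymous_access(conf)
    if LEVELS.index(entry) >= LEVELS.index("search"):
        msg = "anonymous clients get '%s' on the suffix" % entry
        if has_tls:
            msg += " (TLS does not change this; add 'access to' ACLs)"
        findings.append(msg)
    pw = anonymous_access(conf, dn="cn=Manager,o=MyTest,c=CN", attr="userPassword")
    if LEVELS.index(pw) > LEVELS.index("auth"):
        findings.append("anonymous clients get '%s' on userPassword; 'auth' is enough to bind" % pw)
    return findings


if __name__ == "__main__":
    for name, conf in (("TLS only", WEAK_CONF), ("TLS + ACLs", HARDENED_CONF)):
        print(name, "->", audit(conf) or ["ok"])
```

Note that `anonymous auth` is what still lets a client bind with a userid and password through a simple (`-x`) bind: slapd needs `auth` on `userPassword` to verify the credentials, and `users read` then applies once the bind has succeeded.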