RE: Slurpd over SSL
Thanks in advance for all the replies I get.
I'm really grateful for such a great reception on
my very first post.
But the question mark remains!
I'm providing some more info below:
--- Howard Chu <hyc@symas.com> wrote:
> Port 636 is the default LDAPS (LDAP over SSL) port.
> As already noted, you cannot use the LDAP StartTLS request over SSL. If
> you want slurpd to use SSL, you must not specify TLS in the replica
> configuration.
>
> If you're using OpenLDAP 2.1.23 you can use a URI in the replica
> configuration, and specify ldaps there. e.g., instead of
> replica host=foo.bar.domain:636
> use
> replica uri=ldaps://foo.bar.domain
>
> If you're using an older release, you'll need to set TLS=hard in an ldaprc
Yes, I'm using an older one: 2.1.22.
Any other good reason for .23?
> file. The ldaprc file can either be in the slurpd user's home directory, or
> in the slurpd process's working directory.
Do you mean TLS_REQCERT hard? Or really TLS=hard?
Whatever I tried, I get:
Error: ldap_simple_bind_s for angra.heavymetal.com:636 failed: Can't contact LDAP server
So, the way it's trying to connect seems to have
changed. (Not ldap_start_tls anymore.)
I'm running slurpd as root (only for now) and ldaprc
is at /root/ldaprc.
Answering a question from another reply:
Yes, the master and slave both have the same
certificates. I assumed that is fine, given that I used
heavymetal.com as commonName, the domain name.
It is really strange that I can use any sort of ldap
tool except for slurpd...
What is missing?
> -- Howard Chu
> Chief Architect, Symas Corp. Director, Highland Sun
> http://www.symas.com
> http://highlandsun.com/hyc
> Symas: Premier OpenSource Development and Support
>
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Estevam Viragh
>
> > Hello List,
> >
> > I'll appreciate your help on the following issue.
> > I'm trying to set up slurpd replication over ssl.
> > There is one master and only one slave in my lab env.
> > Both are serving only ssl enabled clients pretty smoothly, so that
> > the ldapsearch from one connects, searches, and adds to the other,
> > using a CA Issued Certificate, just like the OpenLDAP TLS/SSL How-to
> > and like many Howard Chu answer posts :-)
> > So, it does not seem to be related to using self signed,
> > but I'm getting this slurpd debug message:
> > "Error: ldap_start_tls failed: Can't contact LDAP server (81)"
> >
> > Also, the replication runs fine in ldap:// manner (simple and insecure)
> >
> > I read a paragraph in item 7.0 of the mentioned how-to which says:
> > "Also, attempting to call ldap_start_tls_s() when an SSL connection
> > is already utilized will also be in error"
> > So, is there a way to start slurpd directly with ssl?
> > Is that the point, or did I miss something?
> >
> > # My ldap.conf:
> >
> > URI ldaps://savatage.heavymetal.com
> > BASE o=heavymetal.com
> > TLS_CACERT /var/myca/demoCA/cacert.pem
> > TLS_REQCERT never
> >
> > # My slapd.conf (the relevant part):
> >
> > # $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8
> > #
> > # See slapd.conf(5) for details on configuration options.
> > # This file should NOT be world readable.
> > #
> > include /usr/etc/openldap/schema/core.schema
> > include /usr/etc/openldap/schema/cosine.schema
> > include /usr/etc/openldap/schema/nis.schema
> > include /usr/etc/openldap/schema/inetorgperson.schema
> > include /usr/etc/openldap/schema/misc.schema
> > include /usr/etc/openldap/schema/openldap.schema
> > access to *
> >     by self write
> >     by users read
> >     by anonymous auth
> > TLSCipherSuite HIGH:MEDIUM:+SSLv2
> > TLSCACertificateFile /usr/var/openldap-data/cacert.pem
> > TLSCertificateFile /usr/var/openldap-data/servercrt.pem
> > TLSCertificateKeyFile /usr/var/openldap-data/serverkey.pem
> > TLSVerifyClient never
> > database ldbm
> > replica host=angra.heavymetal.com:636
> >     tls=critical
> >     binddn="cn=metallord,o=heavymetal.com"
> >     bindmethod=simple credentials=mypass
> > replogfile /usr/var/openldap-data/replog/changes.log
> > suffix "o=heavymetal.com"
> > rootdn "cn=metallord,o=heavymetal.com"
> > rootpw mypass
> > directory /usr/var/openldap-data
> > index objectClass eq
> >
> > # ldapsearch results:
> >
> > ldapsearch -x -D "cn=metallord,o=heavymetal.com" -W \
> >     -b o=heavymetal.com -s sub -H ldaps://angra.heavymetal.com \
> >     -v '(objectclass=*)'
> > ldap_initialize( ldaps://angra.heavymetal.com )
> > Enter LDAP Password:
> > filter: (objectclass=*)
> > requesting: ALL
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <o=heavymetal.com> with scope sub
> > # filter: (objectclass=*)
> > # requesting: ALL
> >
> > # heavymetal.com
> > dn: o=heavymetal.com
> > objectClass: top
> > objectClass: organization
> > o: heavymetal.com
> > description: Heavy Metal Land
> >
> > # computers, heavymetal.com
> > dn: ou=computers,o=heavymetal.com
> > ou: computers
> > objectClass: top
> > objectClass: organizationalUnit
> >
> > # search result
> > search: 2
> > result: 0 Success
> >
> > # numResponses: 3
> > # numEntries: 2
> >
>
>
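The thread turns on one mismatch in the quoted slapd.conf: `replica host=...:636` (the LDAPS port) combined with `tls=critical` (a StartTLS request), which is why slurpd logs `ldap_start_tls failed`. As an added example, not code from the thread or from OpenLDAP, here is a small Python lint that parses slurpd `replica` directives from a slapd.conf fragment and flags that combination, the equivalent `uri=ldaps://... tls=yes` form, and plain-ldap replicas that send simple-bind credentials in the clear. The sample directives, hostnames, DNs and passwords are constructed; the advice strings restate Howard Chu's reply above (use `replica uri=ldaps://HOST` on 2.1.23+, or the slurpd user's ldaprc on older releases).

```python
import re
from urllib.parse import urlsplit

# Constructed sample slapd.conf fragment (hostnames, DNs and passwords are made up).
SAMPLE_CONF = """\
# LDAPS port plus a StartTLS request: the combination discussed in the thread
replica host=angra.example.test:636 tls=critical binddn="cn=replicator,o=example" bindmethod=simple credentials=secret
# StartTLS on the plain LDAP port is consistent
replica host=slave2.example.test:389 tls=critical binddn="cn=replicator,o=example" bindmethod=simple credentials=secret
# ldaps:// URI form available from OpenLDAP 2.1.23 on
replica uri=ldaps://slave3.example.test binddn="cn=replicator,o=example" bindmethod=simple credentials=secret
# an ldaps URI combined with StartTLS is equally inconsistent
replica uri=ldaps://slave4.example.test tls=yes binddn="cn=replicator,o=example" bindmethod=simple credentials=secret
# plain ldap with a simple bind: replication works but credentials travel in the clear
replica host=slave5.example.test binddn="cn=replicator,o=example" bindmethod=simple credentials=secret
"""

LDAPS_PORT = 636
# option=value pairs; values may be double-quoted (DNs contain spaces and commas)
TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_replica(line):
    """Split one `replica` directive into a dict of option=value pairs, quotes stripped."""
    body = line.strip()[len("replica"):]
    return {k.lower(): v.strip('"') for k, v in TOKEN_RE.findall(body)}


def uses_ssl_transport(params):
    """True when the directive already selects LDAP over SSL (ldaps:// scheme or port 636)."""
    if "uri" in params:
        u = urlsplit(params["uri"])
        return u.scheme.lower() == "ldaps" or u.port == LDAPS_PORT
    _, sep, port = params.get("host", "").rpartition(":")
    return bool(sep) and port.isdigit() and int(port) == LDAPS_PORT


def check_replica(line):
    """Return findings for one replica directive; an empty list means nothing was flagged."""
    params = parse_replica(line)
    target = params.get("uri") or params.get("host", "?")
    ssl = uses_ssl_transport(params)
    starttls = params.get("tls", "").lower() in ("yes", "critical")
    findings = []
    if ssl and starttls:
        # StartTLS is an LDAP extended operation sent on an already-open connection;
        # on an SSL socket that request cannot succeed, which matches the reported error.
        findings.append(
            f"{target}: tls={params['tls']} makes slurpd send a StartTLS request on a "
            "connection that is already SSL, which fails; drop the tls option and "
            "select ldaps with 'replica uri=ldaps://HOST' (OpenLDAP 2.1.23+) or via "
            "the slurpd user's ldaprc on older releases"
        )
    if not ssl and not starttls and params.get("bindmethod") == "simple":
        findings.append(f"{target}: simple bind credentials sent without TLS")
    return findings


def lint_conf(text):
    """Run check_replica over every replica directive in a slapd.conf fragment."""
    report = {}
    for line in text.splitlines():
        if line.strip().lower().startswith("replica "):
            params = parse_replica(line)
            report[params.get("uri") or params.get("host", "?")] = check_replica(line)
    return report


if __name__ == "__main__":
    for target, findings in lint_conf(SAMPLE_CONF).items():
        print(target, "->", findings or ["ok"])
```

Run against the constructed fragment it flags `angra.example.test:636` and `ldaps://slave4.example.test` for the SSL-plus-StartTLS conflict, passes the `:389 tls=critical` and plain `uri=ldaps://` replicas, and notes the unencrypted simple bind on `slave5`. The parser only understands single-line directives; slapd.conf continuation lines (leading whitespace) would have to be joined first.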