
RE: Slurpd over SSL



Thanks in advance for all the replies I get.
I'm really grateful for such a great reception of
my very first post.
But the question mark remains!
I'm providing some more info below:

  --- Howard Chu <hyc@symas.com> wrote:
> Port 636 is the default LDAPS (LDAP over SSL) port. As already noted, you
> cannot use the LDAP StartTLS request over SSL. If you want slurpd to use SSL,
> you must not specify TLS in the replica configuration.
> 
> If you're using OpenLDAP 2.1.23 you can use a URI in the replica
> configuration, and specify ldaps there. e.g., instead of
> 	replica host=foo.bar.domain:636
> use
> 	replica uri=ldaps://foo.bar.domain
> 
> If you're using an older release, you'll need to set TLS=hard in an ldaprc

Yes, I'm using an older one: 2.1.22
Any other good reason for .23?

> file. The ldaprc file can either be in the slurpd user's home directory, or
> in the slurpd process's working directory.

Do you mean TLS_REQCERT hard? Or really TLS=hard?

Whatever I tried, I get:

Error: ldap_simple_bind_s for angra.heavymetal.com:636 failed: Can't contact LDAP server

So, the way it's trying to connect seems to have
changed. (Not ldap_start_tls anymore)
I'm running slurpd as root (only for now) and ldaprc
is at /root/ldaprc.

Answering a question on another reply:

Yes, the master and slave both have the same
certificates. I assumed it is fine given that I used
heavymetal.com, the domain name, as commonName.

It is really strange that I can use any sort of LDAP
tool except for slurpd...
What is missing?

>   -- Howard Chu
>   Chief Architect, Symas Corp.       Director, Highland Sun
>   http://www.symas.com               http://highlandsun.com/hyc
>   Symas: Premier OpenSource Development and Support
> 
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On
> Behalf Of Estevam Viragh
> 
> > Hello List,
> >
> > I'll appreciate your help on the following issue.
> > I'm trying to set up slurpd replication over SSL.
> > There is one master and only one slave in my lab env.
> > Both are serving only SSL-enabled clients pretty smoothly, so that
> > the ldapsearch from one connects, searches, and adds to the other,
> > using a CA-issued certificate, just like the OpenLDAP TLS/SSL How-to
> > and like many Howard Chu answer posts :-)
> > So, it does not seem to be related to using self-signed certificates,
> > but I'm getting these slurpd debug messages:
> > "Error: ldap_start_tls failed: Can't contact LDAP server (81)"
> > 
> > Also, the replication runs fine in the ldap:// manner (simple
> > and insecure)
> > 
> > I read a paragraph in item 7.0 of the mentioned how-to which says:
> > "Also, attempting to call ldap_start_tls_s() when an SSL connection
> > is already utilized will also be in error"
> > So, is there a way to start slurpd directly with SSL?
> > Is that the point, or did I miss something?
> > 
> > # My ldap.conf:
> > 
> > URI   ldaps://savatage.heavymetal.com
> > BASE   o=heavymetal.com
> > TLS_CACERT      /var/myca/demoCA/cacert.pem
> > TLS_REQCERT     never
> > 
> > # My slapd.conf (the relevant part):
> > 
> > # $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v
> > 1.23.2.8
> > #
> > # See slapd.conf(5) for details on configuration
> > options.
> > # This file should NOT be world readable.
> > #
> > include         /usr/etc/openldap/schema/core.schema
> > include         /usr/etc/openldap/schema/cosine.schema
> > include         /usr/etc/openldap/schema/nis.schema
> > include         /usr/etc/openldap/schema/inetorgperson.schema
> > include         /usr/etc/openldap/schema/misc.schema
> > include         /usr/etc/openldap/schema/openldap.schema
> > access to *
> >         by self write
> >         by users read
> >         by anonymous auth
> > TLSCipherSuite          HIGH:MEDIUM:+SSLv2
> > TLSCACertificateFile    /usr/var/openldap-data/cacert.pem
> > TLSCertificateFile      /usr/var/openldap-data/servercrt.pem
> > TLSCertificateKeyFile   /usr/var/openldap-data/serverkey.pem
> > TLSVerifyClient         never
> > database        ldbm
> > replica         host=angra.heavymetal.com:636 tls=critical
> >                 binddn="cn=metallord,o=heavymetal.com"
> >                 bindmethod=simple credentials=mypass
> > replogfile      /usr/var/openldap-data/replog/changes.log
> > suffix          "o=heavymetal.com"
> > rootdn          "cn=metallord,o=heavymetal.com"
> > rootpw          mypass
> > directory       /usr/var/openldap-data
> > index   objectClass     eq
> > 
> > # ldapsearch results:
> > 
> > ldapsearch -x -D "cn=metallord,o=heavymetal.com" -W \
> >   -b o=heavymetal.com -s sub -H ldaps://angra.heavymetal.com \
> >   -v '(objectclass=*)'
> > ldap_initialize( ldaps://angra.heavymetal.com )
> > Enter LDAP Password:
> > filter: (objectclass=*)
> > requesting: ALL
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <o=heavymetal.com> with scope sub
> > # filter: (objectclass=*)
> > # requesting: ALL
> > 
> > # heavymetal.com
> > dn: o=heavymetal.com
> > objectClass: top
> > objectClass: organization
> > o: heavymetal.com
> > description: Heavy Metal Land
> > # computers, heavymetal.com
> > dn: ou=computers,o=heavymetal.com
> > ou: computers
> > objectClass: top
> > objectClass: organizationalUnit
> > # search result
> > search: 2
> > result: 0 Success
> > # numResponses: 3
> > # numEntries: 2
> > 
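The StartTLS-versus-ldaps conflict this thread turns on, as a small configuration linter. This is an added example, not code from the thread or from OpenLDAP: it joins slapd.conf continuation lines, parses each replica directive, flags tls=critical combined with port 636 or an ldaps:// URI (a StartTLS request on a connection that is already SSL, which is exactly the ldap_start_tls failure reported), flags the host=...:636 form in favour of uri=ldaps://, and warns about TLS_REQCERT never in ldap.conf, which turns off server-certificate verification, so ldaps:// no longer authenticates the peer. The sample configs are constructed from the ones quoted above; the cert_cn argument and the check that the certificate CN matches the replica host (a CN of heavymetal.com against angra.heavymetal.com) are an assumption added for illustration.

```python
"""Added example: lint slurpd replica and client TLS settings for the
StartTLS-over-LDAPS mistake.  Sample inputs below are constructed."""
import shlex
from urllib.parse import urlsplit

LDAPS_PORT = 636
LDAP_PORT = 389

# Constructed sample, modelled on the thread's slapd.conf and ldap.conf.
SLAPD_CONF = """\
# replica 1: the configuration that fails in the thread
replica         host=angra.heavymetal.com:636 tls=critical
                binddn="cn=metallord,o=heavymetal.com"
                bindmethod=simple credentials=mypass
# replica 2: the form suggested for 2.1.23+
replica         uri=ldaps://angra.heavymetal.com
                binddn="cn=metallord,o=heavymetal.com"
                bindmethod=simple credentials=mypass
"""
LDAP_CONF = """\
URI         ldaps://savatage.heavymetal.com
TLS_CACERT  /var/myca/demoCA/cacert.pem
TLS_REQCERT never
"""


def read_directives(text):
    """Join slapd.conf continuation lines (leading whitespace) into one
    directive each; drop blank lines and comments."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out


def parse_replica(directive):
    """'replica host=h:p tls=critical binddn="..."' -> {'host': 'h:p', ...}"""
    words = shlex.split(directive)
    if not words or words[0].lower() != "replica":
        raise ValueError("not a replica directive: %r" % directive)
    kv = {}
    for word in words[1:]:
        key, _, value = word.partition("=")
        kv[key.lower()] = value
    return kv


def replica_target(kv):
    """Return (scheme, host, port) for either the host= or the uri= form."""
    if "uri" in kv:
        u = urlsplit(kv["uri"])
        default = LDAPS_PORT if u.scheme == "ldaps" else LDAP_PORT
        return u.scheme, u.hostname, u.port or default
    host, _, port = kv.get("host", "").partition(":")
    return "ldap", host, int(port) if port else LDAP_PORT


def lint_replica(kv, cert_cn=None):
    """Findings for one replica.  cert_cn (assumed known to the operator)
    is the CN of the certificate the slave presents."""
    findings = []
    scheme, host, port = replica_target(kv)
    over_ssl = scheme == "ldaps" or port == LDAPS_PORT
    tls = kv.get("tls", "").lower()
    if over_ssl and tls in ("yes", "critical"):
        findings.append("%s:%d: tls=%s asks for StartTLS on a connection that "
                        "is already SSL; drop tls= and use uri=ldaps://%s"
                        % (host, port, tls, host))
    if scheme != "ldaps" and port == LDAPS_PORT:
        findings.append("%s:%d: host=...:636 opens a plain ldap:// session to "
                        "the LDAPS port; use uri=ldaps://%s (OpenLDAP 2.1.23+)"
                        % (host, port, host))
    if not over_ssl and tls not in ("yes", "critical") \
            and kv.get("bindmethod", "simple") == "simple":
        findings.append("%s:%d: simple bind credentials travel in cleartext"
                        % (host, port))
    if over_ssl and cert_cn and cert_cn.lower() != (host or "").lower():
        findings.append("%s:%d: certificate CN %r does not match the replica "
                        "host; verification fails once TLS_REQCERT is demand"
                        % (host, port, cert_cn))
    return findings


def lint_ldap_conf(text):
    """Flag client settings that switch server-certificate checking off."""
    findings = []
    for raw in text.splitlines():
        words = raw.split()
        if len(words) >= 2 and words[0].upper() == "TLS_REQCERT" \
                and words[1].lower() in ("never", "allow"):
            findings.append("TLS_REQCERT %s: the server certificate is not "
                            "verified, so ldaps:// does not authenticate the "
                            "peer" % words[1])
    return findings


def lint(slapd_conf, ldap_conf, cert_cn=None):
    """Run every check and return the list of findings."""
    findings = []
    for directive in read_directives(slapd_conf):
        if directive.split()[0].lower() == "replica":
            findings += lint_replica(parse_replica(directive), cert_cn)
    return findings + lint_ldap_conf(ldap_conf)


if __name__ == "__main__":
    for finding in lint(SLAPD_CONF, LDAP_CONF, cert_cn="heavymetal.com"):
        print(finding)
```

Run stand-alone it reports the first replica twice (StartTLS over SSL, and host=...:636 instead of uri=ldaps://), the CN mismatch for both replicas once a cert_cn is supplied, and the TLS_REQCERT never line; the second replica, the uri=ldaps:// form without tls=, is clean on its own.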