[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
TLS works not proper; so does searching
- To: openldap-software@OpenLDAP.org
- Subject: TLS works not proper; so does searching
- From: Oliver Hoffmann <oliver.hoffmann@uw-service.de>
- Date: Thu, 1 Jul 2004 11:10:02 +0200
- Content-disposition: inline
- In-reply-to: <5CE7D4D6-CAA6-11D8-840E-000A95B01AAC@columbia.edu>
- References: <200406291539.47528.oliver.hoffmann@uw-service.de> <5CE7D4D6-CAA6-11D8-840E-000A95B01AAC@columbia.edu>
- User-agent: KMail/1.6.2
Hi Patrick and the rest of you!
> Do you have any user data in ldap? You decide where your user-subtree
> is when you add it to ldap
Yes, of course. As mentioned I am able to see everything I put in the ldif
file with this command:
ldapsearch -h ldap -x -b 'dc=testldap,dc=org'
That works from localhost as well as from a remote machine. The whole output,
which I expect with TLS too looks like:
# extended LDIF
#
# LDAPv3
# base <dc=testldap,dc=org> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#
# testldap.org
dn: dc=testldap,dc=org
objectClass: dcObject
objectClass: organizationalUnit
dc: testldap
ou: testldap
# users, testldap.org
dn: ou=users,dc=testldap,dc=org
objectClass: organizationalUnit
objectClass: top
ou: users
# John One, users, testldap.org
dn: cn=John One,ou=users,dc=testldap,dc=org
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: John One
displayName: John
homePostalAddress: at home
mail: john.one@mailme.com
postalCode: 54356
telephoneNumber: 6323-6798
sn: One
# Jim Two, users, testldap.org
dn: cn=Jim Two,ou=users,dc=testldap,dc=org
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Jim Two
displayName: Jim
homePostalAddress: at work
mail: jim.two@mailme.com
postalCode: 54356
telephoneNumber: 5245-65354
sn: Two
# search result
search: 2
result: 0 Success
# numResponses: 5
# numEntries: 4
> and from your other email.
Means what?
> > The server invoked with ldap# /usr/local/libexec/slapd -d9 -h "ldap:///
> > ldaps:///" shows me:
>
> You are starting the server on one machine, and it will only accept
> connection from the localhost (I believe).
Yes, there is a difference. A local user which issues this:
ldapsearch -v -n -Z -b 'dc=testldap,dc=org'
with one or two Zs gets this:
bash-2.05b$ ldapsearch -v -n -Z -b 'dc=testldap,dc=org'
ldap_initialize( <DEFAULT> )
filter: (objectclass=*)
requesting: ALL
# extended LDIF
#
# LDAPv3
# base <dc=testldap,dc=org> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#
A remote user:
user@box:~$ ldapsearch -h 192.168.1.22 -v -n -ZZ -b 'dc=testldap,dc=org'
ldap_init( 192.168.1.22, 0 )
ldap_start_tls: Connect error (91)
additional info: Error in the certificate.
> To allow connections from a remote host, start the servers with -h
> "ldap://fullcomputername"
I did that. Now changes.
> for example -h "ldap://pickle.cc.columbia.edu", where pickle is the
> name of the machine.
>
> Then when you try to connect from a remote host, use something like
> ldapsearch -x -H "ldap://pickle.cc.columbia.edu:port" uid=phr2101
I did:
bash-2.05b$ ldapsearch -x -H "ldap://ldap.uwskoeln.de:389" uid=Jim
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: uid=Jim
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
That puzzles me. What if not "Jim", in my case, is a uid? I experienced such
things with other clients (gq, ldap-browser) too. It is always possible to
see everything but not parts of it. Pretty annoying if you have more than 2
example users...
> I would suggest first getting everything to work without tls.
> Then get everything to work with tls on the server only.
> Finally add the client certificates in at the end.
Yeah, that was my plan too ;) I realize now that there is a problem even
without TLS.
> Hopefully the above helps.
Helping in a way of discovering new problems. But thanks anyway. I see it's a
long way to the top if you want ldap!
Do you have an idea why I only can see all or nothing?
Greetings,
Oliver.