Hello,
I have a couple of questions relating to LDAP, PHP and TLS. I have spent considerable time investigating this and am still having problems.
I used the OpenLDAP FAQ-O-Matic instructions to re-generate my self-signed certificate (see "Certificate Generation" below). My production ACL forces ssf=40 for the userPassword attribute to force encryption of the password, so getting encryption working properly is especially vital.
From the command line I am only able to Start-TLS using the -x or "Simple Bind" switch.

Without the simple bind:

error = ldap_sasl_interactive_bind_s: Local error (82) additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (No credentials cache found)

With the simple bind (-x): success. I understand that version 2.0 requires this switch for SASL.
QUESTION # 1. Why do I see SSF=0 in the log? Does this mean that the session is not encrypted? I have noted ssf=0 in previous slapd.log files when I Start-TLS with -x, where I would expect something higher.
# ldapsearch -H ldaps://testserver.test.com -x -D uid=testuid,ou=users,dc=test,dc=com -b ou=users,dc=test,dc=com -w secret uid=testaccount

Aug 30 11:29:06 testServer slapd[10463]: => access_allowed: auth access granted by auth(=x)
Aug 30 11:29:06 testServer slapd[10463]: conn=2 op=0 BIND dn="uid=testacct,ou=users,dc=test,dc=com" mech=SIMPLE ssf=0

# ldapsearch -H ldap://testserver.test.com -x -ZZ -D uid=testuid,ou=users,dc=test,dc=com -b ou=users,dc=test,dc=com -w secret uid=testaccount

Aug 30 11:48:44 testServer slapd[10518]: do_extended: oid=1.3.6.1.4.1.1466.20037
Aug 30 11:48:44 testServer slapd[10518]: connection_get(14)
Aug 30 11:48:44 testServer last message repeated 2 times
Aug 30 11:48:44 testServer slapd[10518]: conn=0 op=1 BIND dn="uid=testacct,ou=users,dc=test,dc=com" method=128
Aug 30 11:48:44 testServer slapd[10518]: ==> bdb_bind: dn: uid=testacct,ou=users,dc=test,dc=com
Aug 30 11:48:44 testServer slapd[10518]: => access_allowed: auth access to "uid=testacct,cn=users,dc=test,dc=com" "userPassword" requested
Aug 30 11:48:44 testServer slapd[10518]: => dnpat: [1] (.*,)cn=users,dc=test,dc=com nsub: 1
Aug 30 11:48:44 testServer slapd[10518]: => acl_get: [1] matched
Aug 30 11:48:44 testServer slapd[10518]: => acl_get: [1] check attr userPassword
Aug 30 11:48:44 testServer slapd[10518]: <= acl_get: [1] acl uid=testacct,cn=users,dc=test,dc=com attr: userPassword
Aug 30 11:48:44 testServer slapd[10518]: => acl_mask: access to entry "uid=testacct,cn=users,dc=test,dc=com", attr "userPassword" requested
Aug 30 11:48:44 testServer slapd[10518]: => acl_mask: to all values by "", (=n)
Aug 30 11:48:44 testServer slapd[10518]: <= check a_dn_pat: *
Aug 30 11:48:44 testServer slapd[10518]: <= check a_authz.sai_ssf: ACL 40 > OP 256
Aug 30 11:48:44 testServer slapd[10518]: <= acl_mask: [1] applying auth(=x) (stop)
Aug 30 11:48:44 testServer slapd[10518]: <= acl_mask: [1] mask: auth(=x)
Aug 30 11:48:44 testServer slapd[10518]: => access_allowed: auth access granted by auth(=x)
Aug 30 11:48:44 testServer slapd[10518]: conn=0 op=1 BIND dn="uid=testacct,cn=users,dc=test,dc=com" mech=SIMPLE ssf=0

QUESTION # 2.
I am having problems that I consider related when I attempt to use TLS with PHP. phpLDAPadmin works fine without TLS. For this case I switched back to the default ACL to avoid any ACL-related problems. When I start TLS the browser states:

Could not start TLS. Please check your LDAP server configuration

The slapd.log:

Aug 30 09:46:40 testServer slapd[3964]: conn=27 fd=14 ACCEPT from IP=1.2.3.4:37580 (IP=4.3.2.1:389)
Aug 30 09:46:40 testServer slapd[3964]: connection_get(14)
Aug 30 09:46:40 testServer slapd[3964]: do_extended: oid=1.3.6.1.4.1.1466.20037
Aug 30 09:46:40 testServer slapd[3964]: connection_get(14)
Aug 30 09:46:40 testServer slapd[3964]: conn=27 fd=14 closed

I have attempted to solve this problem based on several PHP and phpLDAPadmin posts relating to configuring the ldap.conf and .ldaprc files, without success. I tried to use an ldaps connection with PHP (phpLDAPadmin) with no success.
I greatly appreciate your comments and assistance.
Thanks
Mark
BACKGROUND
########################################################

Question 1: Why do I see SSF=0 in the log? Does this mean that the session is not encrypted? I am able to start TLS and bind using the -x switch for simple bind.

server3231:~ # ldapsearch -h testServer.test.com -p 389 -ZZ -x -D "cn=ldap-admin,dc=test,dc=com" -w secret -b ou=users,dc=test,dc=com uid=testacct

# extended LDIF
#
# LDAPv3
# base <ou=users,dc=test,dc=com> with scope sub
# filter: uid=testacct
# requesting: ALL
#

# testacct, users, test.com
dn: uid=testacct,ou=users,dc=test,dc=com
uid: testacct
telephoneNumber: xxx
title: yyyyy
departmentNumber: 221
description: /Users/labusers
employeeType: faculty
employeeNumber: 104372
roomNumber: VMH207 & GH 213
userPassword:: 12312312313213213hghgf
sn: LastName
givenName: First
displayName: TLS is a pain
cn: wholename
mailRoutingAddress: testacct@test.com
mailHost: mail.test.com
eduPersonPrimaryAffiliation: Staff
eduPersonAffiliation: Staff
objectClass: inetOrgPerson
objectClass: hsuPerson
objectClass: person
objectClass: eduPerson
objectClass: top
objectClass: organizationalPerson
objectClass: inetLocalMailRecipient

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

slapd.log:
Aug 27 14:18:29 testServer slapd[3640]: conn=4 fd=13 ACCEPT from IP=1.2.3.4:34261 (IP=4.3.2.1:389)
Aug 27 14:18:29 testServer slapd[3640]: connection_get(13)
Aug 27 14:18:29 testServer slapd[3640]: do_extended: oid=1.3.6.1.4.1.1466.20037
Aug 27 14:18:29 testServer slapd[3640]: connection_get(13)
Aug 27 14:18:29 testServer last message repeated 2 times
Aug 27 14:18:29 testServer slapd[3640]: conn=4 op=1 BIND dn="cn=ldap-admin,dc=test,dc=com" method=128
Aug 27 14:18:29 testServer slapd[3640]: ==> bdb_bind: dn: cn=ldap-admin,dc=test,dc=com
Aug 27 14:18:29 testServer slapd[3640]: conn=4 op=1 BIND dn="cn=ldap-admin,dc=test,dc=com" mech=SIMPLE ssf=0
Aug 27 14:18:29 testServer slapd[3640]: send_ldap_result: err=0 matched="" text=""
Aug 27 14:18:29 testServer slapd[3640]: conn=4 op=1 RESULT tag=97 err=0 text=
Aug 27 14:18:29 testServer slapd[3640]: connection_get(13)
Aug 27 14:18:29 testServer slapd[3640]: SRCH "ou=users,dc=test,dc=com" 2 0
Aug 27 14:18:29 testServer slapd[3640]: 0 0 0
Aug 27 14:18:29 testServer slapd[3640]: begin get_filter
Aug 27 14:18:29 testServer slapd[3640]: EQUALITY
Aug 27 14:18:29 testServer slapd[3640]: end get_filter 0
Aug 27 14:18:29 testServer slapd[3640]: filter: (uid=testacct)
Aug 27 14:18:29 testServer slapd[3640]: attrs:
Aug 27 14:18:29 testServer slapd[3640]:
Aug 27 14:18:29 testServer slapd[3640]: conn=4 op=2 SRCH base="ou=users,dc=test,dc=com" scope=2 filter="(uid=testacct)"
Aug 27 14:18:29 testServer slapd[3640]: => bdb_filter_candidates
Aug 27 14:18:29 testServer slapd[3640]: ^IAND
Aug 27 14:18:29 testServer slapd[3640]: => bdb_list_candidates 0xa0
Aug 27 14:18:29 testServer slapd[3640]: => bdb_filter_candidates
Aug 27 14:18:29 testServer slapd[3640]: ^IDN SUBTREE
Aug 27 14:18:29 testServer slapd[3640]: bdb_idl_fetch_key: @ou=users,dc=test,dc=com
Aug 27 14:18:29 testServer slapd[3640]: <= bdb_filter_candidates: id=25381 first=3 last=25465
Aug 27 14:18:29 testServer slapd[3640]: => bdb_filter_candidates
Aug 27 14:18:29 testServer slapd[3640]: ^IOR
Aug 27 14:18:29 testServer slapd[3640]: => bdb_list_candidates 0xa1
Aug 27 14:18:29 testServer slapd[3640]: => bdb_filter_candidates
Aug 27 14:18:29 testServer slapd[3640]: ^IEQUALITY
Aug 27 14:18:29 testServer slapd[3640]: bdb_idl_fetch_key: [b49d1940]
Aug 27 14:18:29 testServer slapd[3640]: <= bdb_filter_candidates: id=0 first=0 last=0
Aug 27 14:18:29 testServer slapd[3640]: => bdb_filter_candidates
Aug 27 14:18:29 testServer slapd[3640]: ^IEQUALITY
Aug 27 14:18:29 testServer slapd[3640]: bdb_idl_fetch_key: [45f58aed]
Aug 27 14:18:29 testServer slapd[3640]: <= bdb_filter_candidates: id=1 first=785 last=785
Aug 27 14:18:29 testServer slapd[3640]: <= bdb_list_candidates: id=1 first=785 last=785
Aug 27 14:18:29 testServer slapd[3640]: <= bdb_filter_candidates: id=1 first=785 last=785
Aug 27 14:18:29 testServer slapd[3640]: <= bdb_list_candidates: id=1 first=785 last=785
Aug 27 14:18:29 testServer slapd[3640]: <= bdb_filter_candidates: id=1 first=785 last=785
Aug 27 14:18:29 testServer slapd[3640]: => test_filter
Aug 27 14:18:29 testServer slapd[3640]: EQUALITY
Aug 27 14:18:29 testServer slapd[3640]: => access_allowed: search access to "uid=testacct,ou=users,dc=test,dc=com" "uid" requested
Aug 27 14:18:29 testServer slapd[3640]: <= root access granted
Aug 27 14:18:29 testServer slapd[3640]: <= test_filter 6
Aug 27 14:18:29 testServer slapd[3640]: => access_allowed: read access to "uid=testacct,ou=users,dc=test,dc=com" "entry" requested
Aug 27 14:18:29 testServer slapd[3640]: <= root access granted
Aug 27 14:18:29 testServer slapd[3640]: => access_allowed: read access to "uid=testacct,ou=users,dc=test,dc=com" "uid" requested
Aug 27 14:18:29 testServer slapd[3640]: <= root access granted
Aug 27 14:18:29 testServer slapd[3640]: => access_allowed: read access to "uid=testacct,ou=users,dc=test,dc=com" "telephoneNumber" requested
Aug 27 14:18:29 testServer slapd[3640]: <= root access granted
Aug 27 14:18:29 testServer slapd[3640]: => access_allowed: read access to "uid=testacct,ou=users,dc=test,dc=com" "title" requested
Aug 27 14:18:29 testServer slapd[3640]: <= root access granted
Aug 27 14:18:29 testServer slapd[3640]: => access_allowed: read access to "uid=testacct,ou=users,dc=test,dc=com" "departmentNumber" requested
Aug 27 14:18:29 testServer slapd[3640]: <= root access granted
Aug 27 14:18:29 testServer slapd[3640]: => access_allowed: read access to "uid=testacct,ou=users,dc=test,dc=com" "description" requested
Aug 27 14:18:29 testServer slapd[3640]: <= root access granted
--------------------------------------------
Aug 27 14:18:29 testServer slapd[3640]: => access_allowed: read access to "uid=testacct,ou=users,dc=test,dc=com" "mailHost" requested
Aug 27 14:18:29 testServer slapd[3640]: <= root access granted
Aug 27 14:18:29 testServer slapd[3640]: => access_allowed: read access to "uid=testacct,ou=users,dc=test,dc=com" "eduPersonPrimaryAffiliation" requested
Aug 27 14:18:29 testServer slapd[3640]: <= root access granted
Aug 27 14:18:29 testServer slapd[3640]: => access_allowed: read access to "uid=testacct,ou=users,dc=test,dc=com" "calstateEduPersonFerpaFlag" requested
Aug 27 14:18:29 testServer slapd[3640]: <= root access granted
Aug 27 14:18:29 testServer slapd[3640]: => access_allowed: read access to "uid=testacct,ou=users,dc=test,dc=com" "eduPersonAffiliation" requested
Aug 27 14:18:29 testServer slapd[3640]: <= root access granted
Aug 27 14:18:29 testServer slapd[3640]: => access_allowed: read access to "uid=testacct,ou=users,dc=test,dc=com" "objectClass" requested
Aug 27 14:18:29 testServer slapd[3640]: <= root access granted
Aug 27 14:18:29 testServer slapd[3640]: => access_allowed: read access to "uid=testacct,ou=users,dc=test,dc=com" "mailAlternateAddress" requested
Aug 27 14:18:29 testServer slapd[3640]: <= root access granted
Aug 27 14:18:29 testServer slapd[3640]: => access_allowed: read access to "uid=testacct,ou=users,dc=test,dc=com" "mail" requested
Aug 27 14:18:29 testServer slapd[3640]: <= root access granted
Aug 27 14:18:29 testServer slapd[3640]: conn=4 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 27 14:18:29 testServer slapd[3640]: connection_get(13)
Aug 27 14:18:29 testServer slapd[3640]: conn=4 op=3 UNBIND
Aug 27 14:18:29 testServer slapd[3640]: conn=4 fd=13 closed
########################################################
PROBLEM # 2
PHP can't connect to directory using SSL or TLS.

PHP script - test using port 636, SSL:

<?php
{
    // ldaps:// URI (the quotes were missing in the first version, which is a parse error)
    $ldap_server = "ldaps://testServer.test.com";
    $ldap_user = "cn=ldap-admin,dc=test,dc=com";
    $ldap_pass = "secret";
    // ldap_connect() only prepares the handle; the TCP/TLS connection is made at bind time
    $ad = ldap_connect($ldap_server);
    ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
    $bound = ldap_bind($ad, $ldap_user, $ldap_pass);
    return $ad;
}
?>

HTML output:

Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in /usr/local/src/phpldapadmin-0.9.4b/ssl-test.php on line 10

slapd.log output:

Aug 30 08:52:42 testServer slapd[3964]: conn=24 fd=14 ACCEPT from IP=1.2.3.4:37533 (IP=4.3.2.1:636)
Aug 30 08:52:42 testServer slapd[3964]: connection_get(14)
Aug 30 08:52:42 testServer slapd[3964]: conn=24 fd=14 closed
########################################################
Question # 2 Continued
phpLDAPadmin can't connect to directory using TLS.

A successful bind test using port 389, no TLS.

phpLDAPadmin config.php for this server:

$i++;
$servers[$i]['name'] = 'testServer.test.com';
$servers[$i]['host'] = 'testServer.test.com';
$servers[$i]['base'] = 'dc=test,dc=com';
$servers[$i]['port'] = 4032;
$servers[$i]['auth_type'] = 'cookie';
$servers[$i]['login_dn'] = '';
$servers[$i]['login_pass'] = '';
$servers[$i]['tls'] = false;
$servers[$i]['low_bandwidth'] = false;
$servers[$i]['default_hash'] = 'crypt';
$servers[$i]['login_attr'] = 'dn';
$servers[$i]['login_class'] = '';
$servers[$i]['read_only'] = false;
$servers[$i]['show_create'] = true;
$servers[$i]['enable_auto_uid_numbers'] = false;
$servers[$i]['auto_uid_number_mechanism'] = 'search';
$servers[$i]['auto_uid_number_search_base'] = 'ou=People,dc=example,dc=com';
$servers[$i]['auto_uid_number_min'] = 1000;
$servers[$i]['auto_uid_number_uid_pool_dn'] = 'cn=uidPool,dc=example,dc=com';

(html)
Successfully logged into server testServer.test.com

slapd.log:

Aug 30 09:41:33 testServer slapd[3964]: conn=25 fd=14 ACCEPT from IP=1.2.3.4:37574 (IP=4.3.2.1:4032)
Aug 30 09:41:33 testServer slapd[3964]: connection_get(14)
Aug 30 09:41:33 testServer slapd[3964]: conn=25 op=0 BIND dn="cn=ldap-admin,dc=test,dc=com" method=128
Aug 30 09:41:33 testServer slapd[3964]: ==> bdb_bind: dn: cn=ldap-admin,dc=test,dc=com
Aug 30 09:41:33 testServer slapd[3964]: conn=25 op=0 BIND dn="cn=ldap-admin,dc=test,dc=com" mech=SIMPLE ssf=0
Aug 30 09:41:33 testServer slapd[3964]: send_ldap_result: err=0 matched="" text=""
Aug 30 09:41:33 testServer slapd[3964]: conn=25 op=0 RESULT tag=97 err=0 text=
Aug 30 09:41:33 testServer slapd[3964]: connection_get(14)
Aug 30 09:41:33 testServer slapd[3964]: conn=25 op=1 UNBIND
Aug 30 09:41:33 testServer slapd[3964]: conn=25 fd=14 closed
Aug 30 09:41:33 testServer slapd[3964]: conn=26 fd=14 ACCEPT from IP=1.2.3.4:37575 (IP=4.3.2.1:4032)
Aug 30 09:41:33 testServer slapd[3964]: connection_get(14)
Aug 30 09:41:33 testServer slapd[3964]: conn=26 op=0 BIND dn="cn=ldap-admin,dc=test,dc=com" method=128
Aug 30 09:41:33 testServer slapd[3964]: ==> bdb_bind: dn: cn=ldap-admin,dc=test,dc=com
Aug 30 09:41:33 testServer slapd[3964]: conn=26 op=0 BIND dn="cn=ldap-admin,dc=test,dc=com" mech=SIMPLE ssf=0
Aug 30 09:41:33 testServer slapd[3964]: send_ldap_result: err=0 matched="" text=""
Aug 30 09:41:33 testServer slapd[3964]: conn=26 op=0 RESULT tag=97 err=0 text=
Aug 30 09:41:33 testServer slapd[3964]: connection_get(14)
Aug 30 09:41:33 testServer slapd[3964]: SRCH "dc=test,dc=com" 1 0
Aug 30 09:41:33 testServer slapd[3964]: 51 0 -1
Aug 30 09:41:33 testServer slapd[3964]: begin get_filter
Aug 30 09:41:33 testServer slapd[3964]: PRESENT
Aug 30 09:41:33 testServer slapd[3964]: end get_filter 0
Aug 30 09:41:33 testServer slapd[3964]: filter: (objectClass=*)
Aug 30 09:41:33 testServer slapd[3964]: attrs:
Aug 30 09:41:33 testServer slapd[3964]: dn
Aug 30 09:41:33 testServer slapd[3964]:
Aug 30 09:41:33 testServer slapd[3964]: conn=26 op=1 SRCH base="dc=test,dc=com" scope=1 filter="(objectClass=*)"
Aug 30 09:41:33 testServer slapd[3964]: conn=26 op=1 SRCH attr=dn
Aug 30 09:41:33 testServer slapd[3964]: => bdb_filter_candidates
Aug 30 09:41:33 testServer slapd[3964]: ^IAND
Aug 30 09:41:33 testServer slapd[3964]: => bdb_list_candidates 0xa0
Aug 30 09:41:33 testServer slapd[3964]: => bdb_filter_candidates
Aug 30 09:41:33 testServer slapd[3964]: ^IDN ONE
Aug 30 09:41:33 testServer slapd[3964]: bdb_idl_fetch_key: %dc=test,dc=com
Aug 30 09:41:33 testServer slapd[3964]: <= bdb_filter_candidates: id=5 first=2 last=22516
Aug 30 09:41:33 testServer slapd[3964]: => bdb_filter_candidates
Aug 30 09:41:33 testServer slapd[3964]: ^IPRESENT
Aug 30 09:41:33 testServer slapd[3964]: <= bdb_filter_candidates: id=-1 first=1 last=25465
Aug 30 09:41:33 testServer slapd[3964]: <= bdb_list_candidates: id=5 first=2 last=22516
Aug 30 09:41:33 testServer slapd[3964]: <= bdb_filter_candidates: id=5 first=2 last=22516
Aug 30 09:41:33 testServer slapd[3964]: => test_filter
Aug 30 09:41:33 testServer slapd[3964]: PRESENT
Aug 30 09:41:33 testServer slapd[3964]: => access_allowed: search access to "cn=ldap-admin,dc=test,dc=com" "objectClass" requested
Aug 30 09:41:33 testServer slapd[3964]: <= root access granted
Aug 30 09:41:33 testServer slapd[3964]: <= test_filter 6
Aug 30 09:41:33 testServer slapd[3964]: => access_allowed: read access to "cn=ldap-admin,dc=test,dc=com" "entry" requested
Aug 30 09:41:33 testServer slapd[3964]: <= root access granted
Aug 30 09:41:33 testServer slapd[3964]: => test_filter
Aug 30 09:41:33 testServer slapd[3964]: PRESENT
Aug 30 09:41:33 testServer slapd[3964]: => access_allowed: search access to "ou=users,dc=test,dc=com" "objectClass" requested
Aug 30 09:41:33 testServer slapd[3964]: <= root access granted
Aug 30 09:41:33 testServer slapd[3964]: <= test_filter 6
Aug 30 09:41:33 testServer slapd[3964]: => access_allowed: read access to "ou=users,dc=test,dc=com" "entry" requested
Aug 30 09:41:33 testServer slapd[3964]: <= root access granted
Aug 30 09:41:33 testServer slapd[3964]: => test_filter
Aug 30 09:41:33 testServer slapd[3964]: PRESENT
Aug 30 09:41:33 testServer slapd[3964]: => access_allowed: search access to "ou=groups,dc=test,dc=com" "objectClass" requested
Aug 30 09:41:33 testServer slapd[3964]: <= root access granted
Aug 30 09:41:33 testServer slapd[3964]: <= test_filter 6
Aug 30 09:41:33 testServer slapd[3964]: => access_allowed: read access to "ou=groups,dc=test,dc=com" "entry" requested
Aug 30 09:41:33 testServer slapd[3964]: <= root access granted
Aug 30 09:41:33 testServer slapd[3964]: => test_filter
Aug 30 09:41:33 testServer slapd[3964]: PRESENT
Aug 30 09:41:33 testServer slapd[3964]: => access_allowed: search access to "ou=samba,dc=test,dc=com" "objectClass" requested
Aug 30 09:41:33 testServer slapd[3964]: <= root access granted
Aug 30 09:41:33 testServer slapd[3964]: <= test_filter 6
Aug 30 09:41:33 testServer slapd[3964]: => access_allowed: read access to "ou=samba,dc=test,dc=com" "entry" requested
Aug 30 09:41:33 testServer slapd[3964]: <= root access granted
Aug 30 09:41:33 testServer slapd[3964]: => test_filter
Aug 30 09:41:33 testServer slapd[3964]: PRESENT
Aug 30 09:41:33 testServer slapd[3964]: => access_allowed: search access to "ou=Computers,dc=test,dc=com" "objectClass" requested
Aug 30 09:41:33 testServer slapd[3964]: <= root access granted
Aug 30 09:41:33 testServer slapd[3964]: <= test_filter 6
Aug 30 09:41:33 testServer slapd[3964]: => access_allowed: read access to "ou=Computers,dc=test,dc=com" "entry" requested
Aug 30 09:41:33 testServer slapd[3964]: <= root access granted
Aug 30 09:41:33 testServer slapd[3964]: conn=26 op=1 SEARCH RESULT tag=101 err=0 nentries=5 text=
Aug 30 09:41:33 testServer slapd[3964]: connection_get(14)
Aug 30 09:41:33 testServer slapd[3964]: SRCH "dc=test,dc=com" 0 1
Aug 30 09:41:33 testServer slapd[3964]: 0 0 0
Aug 30 09:41:33 testServer slapd[3964]: begin get_filter
Aug 30 09:41:33 testServer slapd[3964]: PRESENT
Aug 30 09:41:33 testServer slapd[3964]: end get_filter 0
Aug 30 09:41:33 testServer slapd[3964]: filter: (objectClass=*)
Aug 30 09:41:33 testServer slapd[3964]: attrs:
Aug 30 09:41:33 testServer slapd[3964]: objectClass
Aug 30 09:41:33 testServer slapd[3964]:
Aug 30 09:41:33 testServer slapd[3964]: conn=26 op=2 SRCH base="dc=test,dc=com" scope=0 filter="(objectClass=*)"
Aug 30 09:41:33 testServer slapd[3964]: conn=26 op=2 SRCH attr=objectClass
Aug 30 09:41:33 testServer slapd[3964]: base_candidates: base: "dc=test,dc=com" (0x00000001)
Aug 30 09:41:33 testServer slapd[3964]: => test_filter
Aug 30 09:41:33 testServer slapd[3964]: PRESENT
Aug 30 09:41:33 testServer slapd[3964]: => access_allowed: search access to "dc=test,dc=com" "objectClass" requested
Aug 30 09:41:33 testServer slapd[3964]: <= root access granted
Aug 30 09:41:33 testServer slapd[3964]: <= test_filter 6
Aug 30 09:41:33 testServer slapd[3964]: => access_allowed: read access to "dc=test,dc=com" "entry" requested
Aug 30 09:41:33 testServer slapd[3964]: <= root access granted
Aug 30 09:41:33 testServer slapd[3964]: => access_allowed: read access to "dc=test,dc=com" "objectClass" requested
Aug 30 09:41:33 testServer slapd[3964]: <= root access granted
Aug 30 09:41:33 testServer slapd[3964]: conn=26 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 30 09:41:33 testServer slapd[3964]: connection_get(14)
Aug 30 09:41:33 testServer slapd[3964]: connection_get(14)
Aug 30 09:41:33 testServer slapd[3964]: conn=26 op=3 UNBIND
Aug 30 09:41:33 testServer slapd[3964]: conn=26 fd=14 closed
########################################################
Question 2 Continued
phpLDAPadmin can't connect to directory using TLS.

Unsuccessful bind test using port 389, TLS.

phpLDAPadmin config.php for this server, test using port 389, Start-TLS:

$servers[$i]['name'] = 'testServer.test.com';
$servers[$i]['host'] = 'testServer.test.com';
$servers[$i]['base'] = 'dc=test,dc=com';
$servers[$i]['port'] = 389;
$servers[$i]['auth_type'] = 'cookie';
$servers[$i]['login_dn'] = '';
$servers[$i]['login_pass'] = '';
$servers[$i]['tls'] = true;
$servers[$i]['low_bandwidth'] = false;
$servers[$i]['default_hash'] = 'crypt';
$servers[$i]['login_attr'] = 'dn';
$servers[$i]['login_class'] = '';
$servers[$i]['read_only'] = false;
$servers[$i]['show_create'] = true;
$servers[$i]['enable_auto_uid_numbers'] = false;
$servers[$i]['auto_uid_number_mechanism'] = 'search';
$servers[$i]['auto_uid_number_search_base'] = 'ou=People,dc=example,dc=com';
$servers[$i]['auto_uid_number_min'] = 1000;
$servers[$i]['auto_uid_number_uid_pool_dn'] = 'cn=uidPool,dc=example,dc=com';

(html)
Error Could not start TLS. Please check your LDAP server configuration.

slapd.log error:

Aug 30 09:46:40 testServer slapd[3964]: conn=27 fd=14 ACCEPT from IP=1.2.3.4:37580 (IP=4.3.2.1:389)
Aug 30 09:46:40 testServer slapd[3964]: connection_get(14)
Aug 30 09:46:40 testServer slapd[3964]: do_extended: oid=1.3.6.1.4.1.1466.20037
Aug 30 09:46:40 testServer slapd[3964]: connection_get(14)
Aug 30 09:46:40 testServer slapd[3964]: conn=27 fd=14 closed
########################################################

Changed slapd to run on ldap:/// and ldaps:/// rather than the IP address of the server.

phpLDAPadmin config.php for this server, test using port 389, Start-TLS:

$servers[$i]['name'] = 'testServer.test.com';
$servers[$i]['host'] = 'testServer.test.com';
$servers[$i]['base'] = 'dc=test,dc=com';
$servers[$i]['port'] = 389;
$servers[$i]['auth_type'] = 'cookie';
$servers[$i]['login_dn'] = '';
$servers[$i]['login_pass'] = '';
$servers[$i]['tls'] = true;
$servers[$i]['low_bandwidth'] = false;
$servers[$i]['default_hash'] = 'crypt';
$servers[$i]['login_attr'] = 'dn';
$servers[$i]['login_class'] = '';
$servers[$i]['read_only'] = false;
$servers[$i]['show_create'] = true;
$servers[$i]['enable_auto_uid_numbers'] = false;
$servers[$i]['auto_uid_number_mechanism'] = 'search';
$servers[$i]['auto_uid_number_search_base'] = 'ou=People,dc=example,dc=com';
$servers[$i]['auto_uid_number_min'] = 1000;
$servers[$i]['auto_uid_number_uid_pool_dn'] = 'cn=uidPool,dc=example,dc=com';

(html)
Error Could not start TLS. Please check your LDAP server configuration.

slapd.log error:

Aug 30 10:08:00 testServer slapd[10391]: str2filter "(objectclass=*)"
Aug 30 10:08:00 testServer slapd[10391]: begin get_filter
Aug 30 10:08:00 testServer slapd[10391]: PRESENT
Aug 30 10:08:00 testServer slapd[10391]: end get_filter 0
Aug 30 10:08:00 testServer slapd[10391]: conn=0 fd=14 ACCEPT from IP=1.2.3.4:37598 (IP=4.3.2.1:389)
Aug 30 10:08:00 testServer slapd[10391]: connection_get(14)
Aug 30 10:08:00 testServer slapd[10391]: do_extended: oid=1.3.6.1.4.1.1466.20037
Aug 30 10:08:00 testServer slapd[10391]: connection_get(14)
Aug 30 10:08:00 testServer slapd[10391]: conn=0 fd=14 closed

Certificate Generation:
OpenLDAP Faq-O-Matic : OpenLDAP Software FAQ : Configuration : How do I use TLS/SSL?

cd /var/myca
CA.sh -newca
openssl req -new -nodes -keyout newreq.pem -out newreq.pem
CA.sh -sign
cp cacert.pem /usr/local/etc/openldap/cacert.pem
mv newcert.pem /usr/local/etc/openldap/servercrt.pem
mv newreq.pem /usr/local/etc/openldap/serverkey.pem
chmod 600 /usr/local/etc/openldap/serverkey.pem

slapd.conf:

TLSCACertificateFile /usr/local/etc/openldap/cacert.pem
TLSCertificateFile /usr/local/etc/openldap/servercrt.pem
TLSCertificateKeyFile /usr/local/etc/openldap/serverkey.pem

Install a copy of the CA certificate on all of your client machines. Configuration is done in /usr/local/etc/openldap/ldap.conf:

TLS_CACERT /usr/local/etc/openldap/cacert.pem

What is simple bind
At 08:06 AM 10/31/00 -0800, Hans Zauner wrote:
>I had some troubles getting ldapadd to authenticate
>with slapd (I'm using SASL/TLS) and I posted to this
>list. I was told to use -x for simple bind (which
>worked) however I am curious.
>
>What is simple bind?

Simple bind refers to the DN/password authentication mechanism supported by both LDAPv2 and LDAPv3. This mechanism offers integrity or confidentiality protection.

>I've read the FAQ and I used the ldapadd command
>syntax as described there, (which didn't work) however
>it did not mention -x (simple bind) at all.

The FAQ details OpenLDAP 1.2 which doesn't require the -x. OpenLDAP 2.0 requires -x to avoid the defaulting to SASL based authentication and security services.
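As an added example, not part of Mark's post and not OpenLDAP code, a small Python triage of the kind of slapd log entries quoted above. It reads the `ssf=0` on a `mech=SIMPLE` BIND line as the SASL-layer strength of the simple mechanism and takes the transport strength from the `OP 256` side of the ACL `sai_ssf` check, so it can separate a simple bind made over StartTLS from one made on a cleartext port; the sample log is constructed from the post's entries (one per line, with ACCEPT lines filled in), and treating port 636 as an ldaps listener is an assumption.

```python
"""Triage slapd connection logs: did each simple bind travel over an encrypted session?"""
import re
from collections import OrderedDict

# Constructed sample, assembled from the entries quoted in the post (one entry per
# line, ACCEPT lines added where the post omitted them): conn=2 is the ldaps test,
# conn=0 the ldap+StartTLS test, conn=27 the failed phpLDAPadmin StartTLS attempt
# and conn=25 the plain phpLDAPadmin bind on port 4032.
SAMPLE_LOG = """\
Aug 30 11:29:06 testServer slapd[10463]: conn=2 fd=12 ACCEPT from IP=1.2.3.4:37520 (IP=4.3.2.1:636)
Aug 30 11:29:06 testServer slapd[10463]: conn=2 op=0 BIND dn="uid=testacct,ou=users,dc=test,dc=com" mech=SIMPLE ssf=0
Aug 30 11:29:06 testServer slapd[10463]: conn=2 fd=12 closed
Aug 30 11:48:44 testServer slapd[10518]: conn=0 fd=14 ACCEPT from IP=1.2.3.4:37610 (IP=4.3.2.1:389)
Aug 30 11:48:44 testServer slapd[10518]: do_extended: oid=1.3.6.1.4.1.1466.20037
Aug 30 11:48:44 testServer slapd[10518]: <= check a_authz.sai_ssf: ACL 40 > OP 256
Aug 30 11:48:44 testServer slapd[10518]: conn=0 op=1 BIND dn="uid=testacct,cn=users,dc=test,dc=com" mech=SIMPLE ssf=0
Aug 30 11:48:44 testServer slapd[10518]: conn=0 fd=14 closed
Aug 30 09:46:40 testServer slapd[3964]: conn=27 fd=14 ACCEPT from IP=1.2.3.4:37580 (IP=4.3.2.1:389)
Aug 30 09:46:40 testServer slapd[3964]: do_extended: oid=1.3.6.1.4.1.1466.20037
Aug 30 09:46:40 testServer slapd[3964]: conn=27 fd=14 closed
Aug 30 09:41:33 testServer slapd[3964]: conn=25 fd=14 ACCEPT from IP=1.2.3.4:37574 (IP=4.3.2.1:4032)
Aug 30 09:41:33 testServer slapd[3964]: conn=25 op=0 BIND dn="cn=ldap-admin,dc=test,dc=com" mech=SIMPLE ssf=0
Aug 30 09:41:33 testServer slapd[3964]: conn=25 fd=14 closed
"""

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # the StartTLS extended operation
LDAPS_PORT = 636                           # assumption: this listener is ldaps://

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=\S+ \(IP=[\d.]+:(\d+)\)")
EXT_RE = re.compile(r"do_extended: oid=(\S+)")
OPSSF_RE = re.compile(r"a_authz\.sai_ssf: ACL (\d+) > OP (\d+)")   # OP n = strength slapd credits the operation with
BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)" mech=(\S+) ssf=(\d+)')  # ssf here is the SASL mech's own ssf
CLOSED_RE = re.compile(r"conn=(\d+) fd=\d+ closed")


def _conn(conns, conn):
    return conns.setdefault(conn, {"port": 0, "starttls": False, "op_ssf": 0, "binds": [], "closed": False})


def parse_connections(log_text):
    """Group entries by connection.

    do_extended and ACL-check entries carry no conn= tag, so they are credited to the
    most recently ACCEPTed connection. That is only reliable when one client talks to
    slapd at a time, which is the case for the single-client tests quoted in the post.
    """
    conns, current = OrderedDict(), None
    for line in log_text.splitlines():
        if m := ACCEPT_RE.search(line):
            current = m.group(1)
            _conn(conns, current)["port"] = int(m.group(2))
        elif m := EXT_RE.search(line):
            if current is not None and m.group(1) == STARTTLS_OID:
                conns[current]["starttls"] = True
        elif m := OPSSF_RE.search(line):
            if current is not None:
                conns[current]["op_ssf"] = max(conns[current]["op_ssf"], int(m.group(2)))
        elif m := BIND_RE.search(line):
            _conn(conns, m.group(1))["binds"].append((m.group(2), m.group(3), int(m.group(4))))
        elif m := CLOSED_RE.search(line):
            _conn(conns, m.group(1))["closed"] = True
    return conns


def verdict(c):
    """Classify one connection from a password-exposure point of view."""
    if not c["binds"]:
        if c["starttls"] and c["closed"]:
            return "starttls-failed"          # StartTLS requested, connection closed before any BIND
        return "no-bind"
    encrypted = c["port"] == LDAPS_PORT or c["op_ssf"] > 0
    if any(mech == "SIMPLE" for _, mech, _ in c["binds"]) and not encrypted:
        return "cleartext-simple-bind"        # DN/password crossed the wire unprotected
    return "protected"


def triage(log_text):
    """Map conn id -> verdict for every connection in the log text."""
    return {conn: verdict(c) for conn, c in parse_connections(log_text).items()}
```

The ACL check is logged only when an ACL with an ssf requirement is evaluated, so on a server running the default ACLs the StartTLS verdict rests on the `do_extended` line alone.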