[Date Prev][Date Next] [Chronological] [Thread] [Top]
Re: TLS problems

To: Openldap-software <openldap-software@OpenLDAP.org>
Subject: Re: TLS problems
From: Pedro Silva <psilva@dcc.online.pt>
Date: Fri, 10 Sep 2004 17:11:33 +0100
In-reply-to: <6.1.2.0.0.20040910083209.040c9008@127.0.0.1>
References: <1094825547.29947.0.camel@kheijo.labcc.dcc.fc.up.pt> <6.1.2.0.0.20040910083209.040c9008@127.0.0.1>
> At 07:12 AM 9/10/2004, Pedro Silva wrote:
> >I have this weird problem with TLS configuration. I have this LDAP
> >server working for a long time but without any use off TLS/SSL. So I
> >decided to set it up to use TLS. I created a server.pem that i placed in
> >/etc/ssl/openldap an configured slapd.conf and ldap.conf as I show later
> >on. 
> >
> >All seemed well if it wasn't for the following problem. 
> >If I execute this command line: 
> >ldapsearch -LLL -H ldaps://fqdn/ -x -D"cn=root,dc=dcc"
> >-b"dc=alunos,dc=dcc" -W
> >
> >as root it works and with some other user it doesn't.
> 
> Sounds like a permissions problem to me.

LDAP permissions or file permissions?
LDAP permissisons are equal for ldap:// and ldaps:// right?

If it's file permissions what files are you talking about?

> >and my /etc/ldap.conf contains the following lines:
> 
> Doesn't look like an OpenLDAP ldap.conf(5) file to me.
> 
> Kurt 

This is /etc/ldap.conf from Mandrake distro. But isn't it correct that
the only thing you have to do is set the line ssl start_tls? If you see
the Mandrake HOWTO for LDAP Authentication that's all it says
(http://www.mandrakesecure.net/en/docs/ldap-auth2.php#tls)

my compelte /etc/ldap.conf file:

# @(#)$Id: ldap.conf,v 2.28 2001/08/28 12:17:29 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#

# Your LDAP server. Must be resolvable without using LDAP.
#host 127.0.0.1

# The distinguished name of the search base.
base dc=alunos,dc=dcc

# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
uri ldaps://FQDN/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=example,dc=com

# The credentials to bind with. 
# Optional: default is no credential.
#bindpw secret

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=manager,dc=example,dc=com

# The port.
# Optional: default is 389.
#port 389

# The search scope.
#scope sub
scope one
#scope base

# Search timelimit
#timelimit 30

# Bind timelimit
#bind_timelimit 30

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600

# Filter to AND with uid=%s
pam_filter objectclass=posixaccount

# The user ID attribute (defaults to uid)
pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com

# Group member attribute
pam_member_attribute gid

# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody

# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.

# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service. 
#pam_password crypt

# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password nds

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad

# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop

pam_password md5

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX		base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd	ou=People,
# to append the default base DN but this
# may incur a small performance impact.
nss_base_passwd		ou=Pessoas,dc=alunos,dc=dcc?one
nss_base_shadow		ou=Pessoas,dc=alunos,dc=dcc?one
nss_base_group		ou=Grupos,dc=alunos,dc=dcc?one
#nss_base_hosts		ou=Hosts,dc=example,dc=com?one
#nss_base_services	ou=Services,dc=example,dc=com?one
#nss_base_networks	ou=Networks,dc=example,dc=com?one
#nss_base_protocols	ou=Protocols,dc=example,dc=com?one
#nss_base_rpc		ou=Rpc,dc=example,dc=com?one
#nss_base_ethers	ou=Ethers,dc=example,dc=com?one
#nss_base_netmasks	ou=Networks,dc=example,dc=com?ne
#nss_base_bootparams	ou=Ethers,dc=example,dc=com?one
#nss_base_aliases	ou=Aliases,dc=example,dc=com?one
#nss_base_netgroup	ou=Netgroup,dc=example,dc=com?one

# attribute/objectclass mapping
# Syntax:
#nss_map_attribute	rfc2307attribute	mapped_attribute
#nss_map_objectclass	rfc2307objectclass	mapped_objectclass

# configure --enable-nds is no longer supported.
# For NDS now do:
#nss_map_attribute uniqueMember member

# configure --enable-mssfu-schema is no longer supported.
# For MSSFU now do:
#nss_map_objectclass posixAccount User
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad

# configure --enable-authpassword is no longer supported
# For authPassword support, now do:
#nss_map_attribute userPassword authPassword
#pam_password nds

# For IBM AIX SecureWay support, do:
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear

# Netscape SDK LDAPS
#ssl on

# Netscape SDK SSL options
#sslpath /etc/ssl/certs/cert7.db

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls
#ssl off

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
#tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/openldap/ca.cert
#tls_cacertdir /etc/ssl/certs

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client sertificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
Follow-Ups:
- Re: TLS problems
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
References:
- TLS problems
  - From: Pedro Silva <psilva@dcc.online.pt>
- Re: TLS problems
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Prev by Date: Re: TLS problems
Next by Date: newbie's problem with replication of ldap
Index(es):
- Chronological
- Thread