[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS problems



At 09:11 AM 9/10/2004, Pedro Silva wrote:
>> At 07:12 AM 9/10/2004, Pedro Silva wrote:
>> >I have this weird problem with TLS configuration. I have this LDAP
>> >server working for a long time but without any use off TLS/SSL. So I
>> >decided to set it up to use TLS. I created a server.pem that i placed in
>> >/etc/ssl/openldap an configured slapd.conf and ldap.conf as I show later
>> >on. 
>> >
>> >All seemed well if it wasn't for the following problem. 
>> >If I execute this command line: 
>> >ldapsearch -LLL -H ldaps://fqdn/ -x -D"cn=root,dc=dcc"
>> >-b"dc=alunos,dc=dcc" -W
>> >
>> >as root it works and with some other user it doesn't.
>> 
>> Sounds like a permissions problem to me.
>
>LDAP permissions or file permissions?

Well, depends on what you referring to as 'root' and 'other user'.
Where you refer to an different Linux account?  or a different
Directory entity?

I presumed you were referring to a different Linux account.
That is, that you executed the exact same ldapsearch(1)
command, once while logged in into Linux as 'root' and once
while logged into Linux as some non-root account.  That would
imply a Linux permissions issue (with file or other Linux
resource).

On the other hand, if you were entering in same basic ldapsearch(1)
command, except with different credentials, in the same Linux
login session, it not obvious as to how one could account for
the difference in behavior (as ldapsearch(1) establishes TLS
before attempting LDAP authentication).  Hence my above
presumption.

>If it's file permissions what files are you talking about?

For instance, file permissions on OpenLDAP ldap.conf(5)
file that ldapsearch(1) is attempting to read, or any
file (e.g., the CA certificate) which ldap.conf(5) refers
to.


>> >and my /etc/ldap.conf contains the following lines:
>> 
>> Doesn't look like an OpenLDAP ldap.conf(5) file to me.
>> 
>> Kurt 
>
>This is /etc/ldap.conf from Mandrake distro.

This isn't an OpenLDAP ldap.conf(5) as indicated by 
comment at the top of the file.
  # This is the configuration file for the LDAP nameservice
  # switch library and the LDAP PAM module.

>But isn't it correct that
>the only thing you have to do is set the line ssl start_tls?

The OpenLDAP ldap.conf(5) has no such directive.

In order to use TLS (either by ldaps:// or by Start TLS), one has
to configure the client with knowledge (e.g., the CA certificate)
used to verify the server's certificate.  See the OpenLDAP
Admin Guide and ldap.conf(5) for details.

Kurt