[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: connection problem with ldapmodify -Y EXTERNAL -H ldapi:///



On 03/10/11 19:41 +0200, Andreas Rudat wrote:
Am 03.10.2011 18:04, schrieb Dan White:
On 03/10/11 17:43 +0200, Andreas Rudat wrote:
so tls issn't allowed in my configuration? I added tls on ldap.conf and /etc/default/slapd

Debug says:
TLS: can't connect: A TLS packet with unexpected length was received..

What are the contents of your ldap.conf, and your /etc/default/slapd?

What is your TLS configuration on the server? In particular, your
TLSVerifyClient/olcTLSVerifyClient setting (which should be something
other than the default).


What do you mena with TLS config? of /etc/ssl?
I worked with this tutorial for tls
https://help.ubuntu.com/10.04/serverguide/C/openldap-server.html

ldap.conf
##########################################
#
host fs.foo.intern

# The distinguished name of the search base.
base dc=foo,dc=intern

# Another way to specify your LDAP server is to provide an
uri ldaps://127.0.0.1/
uri ldap://127.0.0.1/

If you really want the ldap utilities to try multiple servers this
way, you should do:

uri ldaps://127.0.0.1/ ldap://127.0.0.1/

but I'm guessing what you really want is:

uri ldap://<fqdn>/

in which case the server will attempt to authenticate your TLS client
certificate based on its TLSVerifyClient configuration. FQDN should be the
server name (cn) corresponding to the certificate you created.

rootbinddn cn=admin,dc=foo,dc=intern

ssl start_tls
ssl on

tls_checkpeer yes

Be aware these are not valid (openldap) ldap.conf config items, as
specified in ldap.conf(5). They may be used by some other software you have
installed.

tls_cacertfile /etc/ssl/certs/ldap_cert.pem
tls_cacertdir /etc/ssl/certs

tls_cert
tls_key

My mail client may have corrupted this part of your configuration. You'll
of course need valid entries here.

sasl_secprops maxssf=0
#
############################################

default/slapd
############################################
#
SLAPD_CONF=

SLAPD_USER="openldap"
SLAPD_GROUP="openldap"

SLAPD_SERVICES="ldap:/// ldaps:///"
#
############################################

ldaps:// is unnecessary (here, and in your uri statement) unless you have
some software which requires it.

And again, you'll need to properly configure
TLSVerifyClient/olcTLSVerifyClient in your OpenLDAP server config.

When properly configured, your list of supportedSASLMechanisms should
include 'EXTERNAL'.

For reference, see the manpages for ldap.conf and slapd-config (or
slapd.conf), and see the OpenLDAP Administrator's Guide.

--
Dan White