[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP self-signed certificates issue

ldaps has been deprecated in favour of keeping all communication open only at one port. try to use 

ldap://host:389
port 0
enable tls
Use above settings based on your client

I am using sssd client with following setting and it works on TLS.

[sssd]

config_file_version = 2

services = nss, pam, sudo

domains = default

[nss]

filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd,ubuntu

[pam]

pam_verbosity = 3

[domain/default]

ldap_tls_reqcert = allow

auth_provider = ldap

ldap_schema = rfc2307bis

krb5_realm = EXAMPLE.COM

ldap_search_base = 

ldap_group_member = uniquemember

id_provider = ldap

sudo_provider = ldap

ldap_sudo_search_base = ou=sudoers,dc=xxxx,dc=xxxx,dc=xxxx

netgroup_provider = ldap

ldap_netgroup_search_base = ou=Netgroup,dc=xxxx,dc=xxxx,dc=xxxx

ldap_id_use_start_tls = True

chpass_provider = ldap

ldap_uri = ldap://host1:389/,ldap://ldap2:389/,ldap://ldap3:389/

ldap_chpass_uri = ldap://host1:389/

cache_credentials = True

entry_cache_timeout = 600

ldap_network_timeout = 3

ldap_access_filter = (&(object)(object)) 


On Mon, Sep 8, 2014 at 10:58 AM, Vijay Ganesan <vijay@thoughtspot.com> wrote:

Thanks Ryan for pointing me to the right link. I've configured TLS following those instructions.
But I can't seem to connect using ldaps://localhost:636 using Apache Directory Studio client. I get a "Error while opening connection - Cannot connect on the server: Connection refused" error.
I can connect fine using ldap://localhost:389. 
What diagnostics can be run to figure out if TLS is working correctly?

Thanks
Vijay


On Sun, Sep 7, 2014 at 3:00 PM, Ryan Tandy <ryan@nardis.ca> wrote:
The Ubuntu server guide has a chapter on setting up OpenLDAP, including a section on configuring TLS. Have you followed it?

https://help.ubuntu.com/12.04/serverguide/openldap-server.html

On 07/09/14 02:20 PM, Vijay Ganesan wrote:
2. Added following entries to /usr/share/slapd/slapd.conf:

 Are you sure that's the right file? By default Ubuntu 12.04 uses LDAP-based configuration (cn=config) instead of a slapd.conf file; and even if it did, it would usually be found in /etc/ldap/slapd.conf and not in /usr/share.



--
- Vijay





--
Udai Singh Mehra
Infrastructure Engineering and Operations