Re: LDAP over SSL ( ldaps )

To: Aneela Saleem <aneela@platalytics.com>

Subject: Re: LDAP over SSL ( ldaps )

From: Abdelkader Chelouah <a.chelouah@gmail.com>

Date: Tue, 18 Aug 2015 20:24:01 +0200

Cc: Michael Ströder <michael@stroeder.com>, openldap-technical@openldap.org

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to:content-type; bh=7ZRk2WzSfvfTP0YrwAzigK7FnO6h/4ViqqdKzkNkBgQ=; b=gh55yeUBnq9KRDD4utTAcLVSwTbF94esuDNriP1dld7Sh2N96fJ8Bsan1pZ/akFq3y NpbLOfsz75oTeZU8hf98fH2Pim/2MKHWFJyGvQhLeX3HXXTWPbJSPgTAFQ1eSjX0bmR6 /Dtkva6nXpHxe0kh8CYBLmzMgYfCrl9nl+pGAoDuYjC0yz0GgNKI+O4UvuNTx4HnKi0I Xdizf6x5wxwuFv//C6wvGCZDG0gHO6ohuwMK7Gj35Ylf459FUnN2/UxSZEnsSZdGeDkQ UCg6ZEX2glBj9LPTYVfRL+oMgjeYP1PPO+HBi0WkPPOj4/CmbKQnoIUWe/qpjttijJni AneQ==

In-reply-to: <CAC1K3K9f6tVtJrOBDa-OPqHKKGOQzXKUKw-X61mUkAe8HpSMPQ@mail.gmail.com>

References: <CAC1K3K_KGuwy-PzeMbxmuFQcxb++n699Oz8Lwhu0B2BizJTgmg@mail.gmail.com> <55D33623.1020206@stroeder.com> <55D336E7.6060907@gmail.com> <CAC1K3K_vb82VqGvG8bj8+R9rj4J88bJwxjcMMudU+poH8rJevQ@mail.gmail.com> <55D3392B.3030503@gmail.com> <CAC1K3K_tYxihED8=yykFKFCx0gye_D2FOn8uehaXZ62rb+1LeA@mail.gmail.com> <55D33C88.7030904@gmail.com> <CAC1K3K8d1v76W8Xyh-dsjM2b2JzCYr3bYMGD_psjL_xJoqR7vQ@mail.gmail.com> <CAC1K3K__YxSz7npiHjjMJ=8NKY1wHkov_gARPekAyRshoEBMpA@mail.gmail.com> <CAC1K3K_qjJ4dWtk2hqdJPGZwjX8GSLpRm3bT1AKyRJ7snkiwng@mail.gmail.com> <CAC1K3K9f6tVtJrOBDa-OPqHKKGOQzXKUKw-X61mUkAe8HpSMPQ@mail.gmail.com>

User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.1.0

On 18/08/2015 20:11, Aneela Saleem wrote:

When i add below file i.e., ssl_mod.ldif

dn: cn=config

changetype: modify

add: olcTLSCACertificateFile

olcTLSCACertificateFile: /etc/ldap/cacert.pem

-

add: olcTLSCertificateFile

olcTLSCertificateFile: /etc/ldap/servercrt.pem

-

add: olcTLSCertificateKeyFile

olcTLSCertificateKeyFile: /etc/ldap/serverkey.pem

-

add: olcTLSCipherSuite

olcTLSCipherSuite: HIGH:MEDIUM:!SSLv3:!SSLv2

using following command:

ldapmodify -h localhost -p 389 -D "cn=admin,cn=config" -w 123 -f mod_ssl.ldif

i get ldap_result: Can't contact LDAP server (-1) error.

Although LDAP is running. I can run following command i.e.,

ldapsearch -h localhost -p 389 -D "cn=admin,dc=platalytics,dc=com" -w 123 -b "dc=platalytics,dc=com" "objectclass=*"

How can i make ldaps work?

On Tue, Aug 18, 2015 at 7:37 PM, Aneela Saleem <aneela@platalytics.com> wrote:

Where i can find the logs?

On Tue, Aug 18, 2015 at 7:36 PM, Aneela Saleem <aneela@platalytics.com> wrote:

I wrote the above lines in olcDatabase={0}config.ldif file. When i restart slapd it gets failed.

On Tue, Aug 18, 2015 at 7:14 PM, Aneela Saleem <aneela@platalytics.com> wrote:

Which file i need to write this in?

On Tue, Aug 18, 2015 at 7:09 PM, Abdelkader Chelouah <a.chelouah@gmail.com> wrote:

On 18/08/2015 16:05, Aneela Saleem wrote:

I have no slapd.conf. I have cn=conf

On Tue, Aug 18, 2015 at 6:54 PM, Abdelkader Chelouah <a.chelouah@gmail.com> wrote:

On 18/08/2015 15:51, Aneela Saleem wrote:

Thanks Michael and Abdelkader.

Abdelkaded the link you provided is for slapd.conf distribution. Can you please guide me how to do "cn=config" distribution?

On Tue, Aug 18, 2015 at 6:45 PM, Abdelkader Chelouah <a.chelouah@gmail.com> wrote:

On 18/08/2015 15:41, Michael Ströder wrote:

Aneela Saleem wrote:

Can anyone please provide me some link for enabling "ldaps"

http://www.openldap.org/doc/admin24/tls.html

Ciao, Michael.

or http://www.openldap.org/faq/data/cache/185.html

regards

You can convert a slapd.conf to cn=config using slaptest

slaptest -f path/to/slapd.conf -F path/to/slapd.d

# cn=config
dn: cn=config
objectClass: olcGlobal
cn: config
...
olcTLSCACertificateFile: /path/to/cacert
olcTLSCertificateFile: /path/to/cert
olcTLSCertificateKeyFile: /path/to/key
olcTLSCipherSuite: HIGH:MEDIUM:!SSLv3:!SSLv2
...

Can you run

ldapwhoami -vxD cn=admin,cn=config -w 123 -H ldap://localhost:389

Follow-Ups:

Re: LDAP over SSL ( ldaps )
- From: Aneela Saleem <aneela@platalytics.com>

References:

LDAP over SSL ( ldaps )
- From: Aneela Saleem <aneela@platalytics.com>
Re: LDAP over SSL ( ldaps )
- From: Michael Ströder <michael@stroeder.com>
Re: LDAP over SSL ( ldaps )
- From: Abdelkader Chelouah <a.chelouah@gmail.com>
Re: LDAP over SSL ( ldaps )
- From: Aneela Saleem <aneela@platalytics.com>
Re: LDAP over SSL ( ldaps )
- From: Abdelkader Chelouah <a.chelouah@gmail.com>
Re: LDAP over SSL ( ldaps )
- From: Aneela Saleem <aneela@platalytics.com>
Re: LDAP over SSL ( ldaps )
- From: Abdelkader Chelouah <a.chelouah@gmail.com>
Re: LDAP over SSL ( ldaps )
- From: Aneela Saleem <aneela@platalytics.com>
Re: LDAP over SSL ( ldaps )
- From: Aneela Saleem <aneela@platalytics.com>
Re: LDAP over SSL ( ldaps )
- From: Aneela Saleem <aneela@platalytics.com>
Re: LDAP over SSL ( ldaps )
- From: Aneela Saleem <aneela@platalytics.com>