
List:       ldap
Subject:    [ldap] Secure LDAP
From:       "Net Warrior" <netwarrior863 () gmail ! com>
Date:       2006-10-30 17:58:12
Message-ID: f66a6bc10610300958q1db26aebo52a11be84bb71d2d () mail ! gmail ! com

Hi guys.

I've configured my LDAP server to authenticate all my users to the system;
now I want to secure the connection with SSL.
Everything seems to work fine: getent returns the groups in the LDAP
database, Samba works fine, slapcat shows me
the structure of my database. The problem is that when I enable certificates
I cannot add users to LDAP using
the IDEALX scripts; I get the following:

./smbldap-useradd test
failed to perform search; Can't contact LDAP server at
/usr/local/sbin//smbldap_tools.pm line 362.
Error looking for next uid at /usr/local/sbin//smbldap_tools.pm line 993.

LDAP version 2.3.19, SUSE SLES10, 64-bit
OpenSSL 0.9.8a


This is what I've got in my ldap.conf

BASE dc=netwarrior,dc=com
HOST 127.0.0.1:636
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_REQCERT allow

In my slapd.conf, this is what, when enabled, does not let me add users:

security ssf=1 update_ssf=112 simple_bind=64
TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCACertificateFile /etc/ssl/cacert.pem
TLSCertificateFile /etc/ssl/servercrt.pem
TLSCertificateKeyFile /etc/ssl/serverkey.pem
TLSVerifyClient try

In /etc/ldap.conf I've got the following uncommented; the rest of the
options are commented out.

#Your LDAP server. Must be resolvable without using LDAP.
host 127.0.0.1:636

# The distinguished name of the search base.
base dc=domues,dc=com

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# Don't try forever if the LDAP server is not reachable
bind_policy soft

# The port.
# Optional: default is 389.
port 636

# The search scope.
scope sub
#scope one
#scope base


# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
ssl on


For example, with pdbedit
-Lv I can list the content of the database, and getent returns the groups
in LDAP as well.
What am I missing?


Thanks for your time.


---
You are currently subscribed to ldap@umich.edu as: [ldap@progressive-comp.com]
To unsubscribe send email to ldap-request@umich.edu with the word UNSUBSCRIBE as the \
SUBJECT of the message.
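As an added example (not part of the original message or of the OpenLDAP, Samba or smbldap-tools projects), here is a small Python lint over the two TLS-relevant fragments quoted above, each placed beside an assumed hardened counterpart. The TLS_REQCERT, HOST-versus-URI and security strength-factor checks follow ldap.conf(5) and slapd.conf(5); the "no CA file" check is a practitioner's recommendation rather than a man-page rule. The hardened values (URI ldaps://127.0.0.1:636, TLS_CACERT, ssf=128, HIGH:!aNULL:!eNULL) are my assumptions, not settings from the post, and the sample configs are constructed copies, not read from a live system.

```python
"""Lint OpenLDAP client (ldap.conf) and slapd.conf TLS directives for settings
that weaken or break an LDAPS deployment. Added example; the sample fragments
are constructed from the ones quoted in the message, not read from a system."""

# Constructed copy of the client ldap.conf quoted in the message.
POSTED_LDAP_CONF = """\
BASE dc=netwarrior,dc=com
HOST 127.0.0.1:636
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
TLS_REQCERT allow
"""

# Constructed copy of the slapd.conf TLS block quoted in the message.
POSTED_SLAPD_CONF = """\
security ssf=1 update_ssf=112 simple_bind=64
TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCACertificateFile /etc/ssl/cacert.pem
TLSCertificateFile /etc/ssl/servercrt.pem
TLSCertificateKeyFile /etc/ssl/serverkey.pem
TLSVerifyClient try
"""

# Assumed hardened counterparts (my values, not from the post): URI selects
# ldaps://, the server cert is verified against the CA, strength factors
# require 128-bit protection and the cipher list drops MEDIUM.
HARDENED_LDAP_CONF = """\
BASE dc=netwarrior,dc=com
URI ldaps://127.0.0.1:636
TLS_CACERT /etc/ssl/cacert.pem
TLS_REQCERT demand
"""

HARDENED_SLAPD_CONF = """\
security ssf=128 update_ssf=128 simple_bind=128
TLSCipherSuite HIGH:!aNULL:!eNULL
TLSCACertificateFile /etc/ssl/cacert.pem
TLSCertificateFile /etc/ssl/servercrt.pem
TLSCertificateKeyFile /etc/ssl/serverkey.pem
TLSVerifyClient try
"""

MIN_SSF = 128  # conventional floor; slapd.conf(5): ssf=1 is integrity protection only
# OpenSSL cipher-list groups that should never be left negotiable.
WEAK_CIPHER_TOKENS = {"MEDIUM", "LOW", "EXPORT", "EXP", "NULL", "eNULL", "aNULL", "RC4", "DES"}


def parse(text):
    """Return {KEY: value} for an ldap.conf/slapd.conf fragment. Directive names
    are case-insensitive in both files, so keys are upper-cased; blank lines and
    '#' comments are skipped; a repeated key keeps the last value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def weak_cipher_tokens(spec):
    """Tokens of an OpenSSL cipher string that leave weak suites reachable.
    '!' and '-' remove a group, so those are fine; '+' only reorders it."""
    return [tok for tok in spec.split(":")
            if not tok.startswith(("!", "-")) and tok.lstrip("+") in WEAK_CIPHER_TOKENS]


def lint(text, kind):
    """Findings for a 'client' (ldap.conf) or 'server' (slapd.conf) fragment."""
    conf = parse(text)
    findings = []
    if kind == "client":
        reqcert = conf.get("TLS_REQCERT", "demand").lower()  # demand is the default
        if reqcert in ("never", "allow"):
            findings.append(f"TLS_REQCERT {reqcert}: a missing or bad server certificate is "
                            "ignored, so an interposed server is accepted; use TLS_REQCERT demand")
        elif "TLS_CACERT" not in conf and "TLS_CACERTDIR" not in conf:
            findings.append(f"TLS_REQCERT {reqcert} with no TLS_CACERT/TLS_CACERTDIR: nothing to "
                            "verify the server certificate against; point TLS_CACERT at the signing CA")
        if "HOST" in conf and "URI" not in conf:
            findings.append(f"HOST {conf['HOST']}: HOST is deprecated and does not select LDAPS "
                            "even on port 636; use URI ldaps://host:636 (or ldap:// with StartTLS)")
    elif kind == "server":
        for item in conf.get("SECURITY", "").split():
            name, _, val = item.partition("=")
            if val.isdigit() and int(val) < MIN_SSF:
                note = " (1 = integrity protection only)" if val == "1" else ""
                findings.append(f"security {item}: strength factor below {MIN_SSF}{note}; "
                                f"require {name}={MIN_SSF} or higher")
        weak = weak_cipher_tokens(conf.get("TLSCIPHERSUITE", ""))
        if weak:
            findings.append(f"TLSCipherSuite admits {', '.join(weak)}: weak suites stay "
                            "negotiable; use HIGH:!aNULL:!eNULL")
    else:
        raise ValueError(f"unknown kind {kind!r}")
    return findings


if __name__ == "__main__":
    for label, text, kind in [("posted ldap.conf", POSTED_LDAP_CONF, "client"),
                              ("posted slapd.conf", POSTED_SLAPD_CONF, "server"),
                              ("hardened ldap.conf", HARDENED_LDAP_CONF, "client"),
                              ("hardened slapd.conf", HARDENED_SLAPD_CONF, "server")]:
        print(f"== {label}")
        for finding in lint(text, kind) or ["no findings"]:
            print("  -", finding)
```

Run as a script it reports TLS_REQCERT allow and the HOST directive for the posted client file, the three strength factors and MEDIUM for the posted slapd.conf, and nothing for the hardened pair. It speaks only to the two files shown: the smbldap-tools read their own smbldap.conf, which the message does not include, so the lint cannot say why smbldap-useradd fails.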