On Tue, Dec 13, 2011 15:16:08 CET, Raffael Sahli wrote:
On 12/13/2011 02:59 PM, rey sebastien wrote:
On Tue, Dec 13, 2011 13:00:16 CET, Raffael Sahli wrote:
On 12/13/2011 12:14 PM, rey sebastien wrote:
On Tue, Dec 13, 2011 11:08:43 CET, Raffael Sahli wrote:
On 12/13/2011 10:12 AM, rey sebastien wrote:
After that, you are right, you and others, pointing to the old Debian package, so I try to recompile the last release with OpenSSL. This is the best solution, I agree.
I try to compile with these options:
./configure --with-tls=openssl --with-threads \
    --with-cyrus-sasl --enable-crypt --enable-debug \
    --enable-cleartext --enable-spasswd --enable-dynacl \
    --enable-aci --enable-modules --enable-wrappers \
    --enable-rewrite --enable-rlookups
After configure, I run make depend, make, make install; all executions are OK.
After that, how can I install LDAP as a service, Debian style => service slapd start | stop | restart ?
If you load the sources with apt-src, there's a Debian init script available in the OpenLDAP sources (debian folder; just copy the script into your init.d folder and create the symlinks with update-rc.d).
That's the simplest way, or find the script online or extract it from the deb package....
Thanks again,
Sr
On 12/12/2011 22:17, Raffael Sahli wrote:
On 12.12.2011 21:55, rey sebastien wrote:
On 12/12/2011 21:07, Howard Chu wrote:
rey sebastien wrote:
On 12/12/2011 19:24, Howard Chu wrote:
reyman wrote:
You have a self-signed certificate,
Correct.
so you don't need to verify your certificate.
When you activate TLS on LDAP, you only need these two lines, and you don't need the line with certificate verification *olcTLSCACertificateFile:*
Wrong.
It's true and false: with Debian and OpenLDAP compiled with GnuTLS (my case), I read this documentation: http://wiki.debian.org/LDAP/OpenLDAPSetup and they said:
Pure garbage.
Procedure:
You're going to need the GnuTLS certificate generator: certtool <http://www.gnu.org/software/gnutls/manual/html_node/Invoking-certtool.html>.
Run these two commands to generate a new self-signed key (into the current working directory):
certtool --generate-privkey --outfile ca-key.pem
certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem
Then, update your certificate locations in /etc/ldap/slapd.conf (TLSCertificateFile points to ca-cert.pem and TLSCertificateKeyFile points to ca-key.pem), *comment out TLSCACertificateFile*, and change *TLSVerifyClient to never.*
In /etc/ldap/ldap.conf, comment out TLS_CACERT and change TLS_REQCERT to never.
This is utterly bogus. Turning off these checks disables
any spoofing detection; you might as well run without TLS
at all.
IMHO I know this problem, but I think this is better than nothing, and actually I have nothing. I wait for a valid certificate...
And sorry, but your RTFM answer doesn't help me to resolve this problem with GnuTLS and Debian; I took many hours to find a valid solution in my use case, and the manual doesn't help me particularly on this point.
On Debian: you should compile OpenLDAP with OpenSSL support and not use the dpkg package from the Debian apt repos...
In /etc/ldap/ldap.conf, comment out TLS_CACERT and change TLS_REQCERT to never.
Like Howard Chu said, bad idea, just for testing or whatever else.....
OpenLDAP is great software, but its documentation is a little "cryptic" for a beginner like me, so I think it's easy to be rude to beginners on many points.
Best regards,
SR.
Since the certificate is self-signed, we can't have GnuTLS trying to verify it (hence the never), otherwise it will never run.
And RTFM is a little violent; I try to help with my little experience, I'm not an expert for sure.
RTFM is exactly the correct response.
Best regards,
SR.
RTFM.
http://www.openldap.org/doc/admin24/tls.html
On Mon, Dec 12, 2011 at 12:31 PM, Jayavant Patil <jayavant.patil82@gmail.com> wrote:
Hi,
On Mon, Dec 12, 2011 at 4:19 PM, reyman <reyman64@gmail.com> wrote:
With the option -ZZ I think, try this:
ldapsearch -x -LLL -ZZ -d 150
Yeah, it shows output containing ber_dump, ldap_write, ldap_read, tls_write, tls_read etc. But at the end it shows the following:
TLS certificate verification: Error, self signed certificate
TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate).
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate)
Why does it show an error, and how to resolve this?
and when I do ldapsearch with the -ZZ option it gives an error:
$ ldapsearch -x -v -D "cn=root,dc=abc,dc=com" -w cluster -b "ou=People,dc=abc,dc=com" "uid=ldap_6" -h n0 -ZZ
ldap_initialize( ldap://n0 )
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
On Mon, Dec 12, 2011 at 11:21 AM, Jayavant Patil <jayavant.patil82@gmail.com> wrote:
Hi,
I am using openldap-2.4.19-4.x86_64 on a Fedora 12 machine. I have enabled OpenLDAP SSL/TLS. How do I know (test) that I am using SSL/TLS connections instead of normal ldap:///?
OK thanks, I found the script and re-configured it; I'm searching for more information to make a good fresh install.
After removing the Debian package, I have an openldap user and group.
Do you think I can delete this user, or is it better to reuse it for better security? For example, can I install all files for LDAP into the /home/openldap user (with the --prefix option equal to /home/openldap)?
Do you have a list/tutorial which indicates the files which need an openldap:openldap user to execute?
Thanks,
Best regards,
SR.
/home is not really the directory to install an application. Better you use the default path located in /usr/local.
And of course you have to create a user named openldap or take your existing openldap user. Start your daemon with this user (see /etc/default/slapd on Debian for the init script; you have to copy this file from your OpenLDAP source installed via apt-src, or use the file from the installed deb package).
And you're OK with the default permissions set by "make install". Only your SSL certificates should be owned by "openldap" and mode 0400.
There are some modifications between the old version I use and the last release; I don't find the slapd file which contains information like SLAPD_SERVICES, etc.
Is the replacement for this file slapd.ldif? Is this file an example configuration, or the default configuration loaded when the slapd daemon starts?
There's a difference between the default config from Debian and the OpenLDAP configuration (in .conf or .ldif format).
The default config, located in /etc/default/slapd, contains just "daemon start" related options and has nothing to do with the OpenLDAP configuration.
If you download OpenLDAP from the Debian sources with apt-src, you will get a directory named debian. There is a slapd.conf (OpenLDAP example configuration) and a file named slapd.default (Debian start parameters, copy it to /etc/default/slapd), and last: slapd.init, copy it to /etc/init.d/slapd
I have no man page for slapd.d; is it a bug, or does it not exist?
Thanks,
SR.
Ok so I do:
mv slapd.default /etc/default/slapd
mv slapd.init /etc/init.d/slapd
and I change some information with nano:
# /etc/default/slapd can override this path
SLAPD=/usr/local/libexec/slapd
# Load the default location of the slapd config file
# (test the same /usr/local directory that is assigned below, not /etc/ldap)
if [ -z "$SLAPD_CONF" ]; then
    if [ -e /usr/local/etc/openldap/slapd.d ]; then
        SLAPD_CONF=/usr/local/etc/openldap/slapd.d
    else
        SLAPD_CONF=/usr/local/etc/openldap/slapd.conf
    fi
fi
I change the rights for the slapd init file:
chmod +x /etc/init.d/slapd
I change the service init levels:
ln -s /etc/init.d/slapd /etc/rc3.d/S90slapd
ln -s /etc/init.d/slapd /etc/rc4.d/S90slapd
ln -s /etc/init.d/slapd /etc/rc5.d/S90slapd
ln -s /etc/init.d/slapd /etc/rc0.d/K10slapd
ln -s /etc/init.d/slapd /etc/rc6.d/K10slapd
update-rc.d slapd defaults
After that, I change the rights, else service slapd doesn't start:
chown -R openldap:openldap /usr/local/var/openldap-data/
chown -R openldap:openldap /usr/local/etc/openldap/
chown -R openldap:openldap /usr/local/var/run/
So here are the rights for the different folders:
/usr/local/var
drwxr-sr-x 2 openldap openldap 4096 13 déc. 16:20 openldap-data
drwxr-sr-x 2 openldap openldap 4096 13 déc. 16:20 run
/usr/local/libexec
-rwxr-xr-x 1 root staff 1891388 13 déc. 13:53 slapd
/usr/local/etc/openldap
-rw------- 1 openldap openldap 845 13 déc. 13:53 DB_CONFIG.example
-rw-r--r-- 1 openldap openldap 245 13 déc. 09:48 ldap.conf
-rw-r--r-- 1 openldap openldap 245 13 déc. 13:53 ldap.conf.default
drwxr-sr-x 2 openldap openldap 4096 13 déc. 13:53 schema
drwxr-sr-x 2 openldap openldap 4096 13 déc. 11:15 schema.17116
drwxr-sr-x 2 openldap openldap 4096 13 déc. 09:48 schema.8962
-rw------- 1 openldap openldap 2129 13 déc. 09:48 slapd.conf
-rw------- 1 openldap openldap 2129 13 déc. 13:53 slapd.conf.default
-rw------- 1 openldap openldap 2614 13 déc. 09:48 slapd.ldif
-rw------- 1 openldap openldap 2614 13 déc. 13:53 slapd.ldif.default
/usr/local/var/openldap-data/
-rw-r--r-- 1 openldap openldap 2048 13 déc. 16:20 alock
-rw------- 1 openldap openldap 24576 13 déc. 16:20 __db.001
-rw------- 1 openldap openldap 180224 13 déc. 16:20 __db.002
-rw------- 1 openldap openldap 270336 13 déc. 16:20 __db.003
-rw------- 1 openldap openldap 163840 13 déc. 16:20 __db.004
-rw------- 1 openldap openldap 540672 13 déc. 16:20 __db.005
-rw------- 1 openldap openldap 32768 13 déc. 16:20 __db.006
-rw------- 1 openldap openldap 845 13 déc. 13:53 DB_CONFIG.example
-rw------- 1 openldap openldap 8192 13 déc. 16:20 dn2id.bdb
-rw------- 1 openldap openldap 32768 13 déc. 16:20 id2entry.bdb
-rw------- 1 openldap openldap 10485760 13 déc. 16:20 log.0000000001
I have one warning but OpenLDAP starts correctly :)
Dec 13 16:20:44 claroline slapd[17039]: bdb_db_open: warning - no DB_CONFIG file found in directory /usr/local/var/openldap-data: (2).#012Expect poor performance for suffix "dc=my-domain,dc=com".
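The TLS part of this thread (the Debian wiki recipe of commenting out TLS_CACERT and setting TLS_REQCERT never, and Howard Chu's objection that this disables spoofing detection) boils down to one check on the client's ldap.conf. The shell script below is an added example, not code from the thread or from OpenLDAP: it audits an ldap.conf for a weakened TLS_REQCERT or a missing TLS_CACERT, and writes two constructed sample files, the weak recipe next to the fix that keeps verification on by trusting the self-signed ca-cert.pem directly (the /usr/local/etc/openldap path is an assumption matching the install in this thread).

```shell
#!/bin/sh
# Added example (not from the thread): audit an OpenLDAP client ldap.conf
# for the TLS settings debated above. The sample files are constructed.

# audit_ldap_tls FILE
# Returns 0 when the server certificate will actually be verified, 1 when
# verification is weakened or there is no trust anchor to verify against.
# TLS_REQCERT defaults to "demand" when absent, so an empty value passes.
audit_ldap_tls() {
    file=$1
    rc=0
    # Last uncommented value wins; ldap.conf keys are case-insensitive.
    reqcert=$(awk 'toupper($1)=="TLS_REQCERT" {v=tolower($2)} END {print v}' "$file")
    cacert=$(awk 'toupper($1)=="TLS_CACERT" {v=$2} END {print v}' "$file")
    case "$reqcert" in
        never|allow|try)
            echo "$file: TLS_REQCERT $reqcert -> server certificate verification weakened (spoofable)"
            rc=1 ;;
    esac
    if [ -z "$cacert" ]; then
        echo "$file: no TLS_CACERT -> a self-signed server certificate cannot be trusted"
        rc=1
    fi
    return $rc
}

# write_samples DIR: the weak recipe quoted from the Debian wiki next to the
# fix (point TLS_CACERT at the self-signed certificate, keep verification on).
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
BASE   dc=example,dc=com
URI    ldap://ldap.example.com
#TLS_CACERT /etc/ldap/ca-cert.pem
TLS_REQCERT never
EOF
    cat > "$1/fixed.conf" <<'EOF'
BASE   dc=example,dc=com
URI    ldap://ldap.example.com
TLS_CACERT /usr/local/etc/openldap/ca-cert.pem
TLS_REQCERT demand
EOF
}

# Stand-alone run: weak.conf is reported, fixed.conf passes.
dir=$(mktemp -d)
write_samples "$dir"
for f in weak.conf fixed.conf; do
    audit_ldap_tls "$dir/$f" && echo "$f: OK"
done
rm -rf "$dir"
```

After the fix, ldapsearch -ZZ against the server presenting ca-cert.pem succeeds without the "certificate verify failed (self signed certificate)" error seen earlier in the thread, while a different certificate is still rejected.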