Re: LDAPUX with SSL/TLS? HOW?

SOLVED
Mike Lancaster
Occasional Advisor

LDAPUX with SSL/TLS? HOW?

How do I configure ldapux to use SSL (ldaps://)?

I have it talking to an OpenLDAP server now over the freetext port 387 but I do not want to use that with pam_ldap. I need to do SSL so the passwords are encrypted.

I saw a reference to something about installing some cert files, but on my other clients I don't have to install anything since I am only doing SERVER based SSL and not doing any client ssl verification.

If I need to install these files, where do I put them and how do I get the ldapux client to start talking SSL via port 686?

Thanks.
Doug Lamoureux_2
Valued Contributor
Solution

Re: LDAPUX with SSL/TLS? HOW?

You'll need to do a few things. First modify the LDAP-UX configuration profile:

1 - Change the port for the preferred servers:
preferredserverlist: 192.1.1.1:686
2 - Tell the ldap-ux client to use TLS by modifying the authenticationMethod attribute:
authenticationMethod=tls:simple

You'll also need the CA's cert in Netscape certificate database files, cert7.db and key3.db. These 2 files must be located in the /etc/opt/ldapux directory (or symlinks to them).

If you have a PEM/DER encoded cert you can use the /opt/ldapux/contrib/bin/certutil command line tool to create the certificate database files, cert7.db and key3.db:

/opt/ldapux/contrib/bin/certutil -A -n "MY CA" -t TC,TC,TC -i ./ca.pem -d /etc/opt/ldapux

For detailed command options and their arguments, see Using the Certificate Database Tool available at http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html.

Verify the cert DB using ldapsearch:

/opt/ldapux/bin/ldapsearch -h ldapserver -Z -P /etc/opt/ldapux/ -s base -b "" "(objectclass=*)" supportedLDAPVersion
version: 1
dn:
supportedLDAPVersion: 2
supportedLDAPVersion: 3

---

Once the profile has been changed in the Directory, you'll need to download it to all LDAP-UX clients:

/opt/ldapux/config/get_profile_entry -s NSS

## Use -D binddn -w password options if the Directory requires you to authenticate to read the profile entry

Use:

/opt/ldapux/config/display_profile_cache | grep tls

to verify the change has been made on the local configuration cache, then restart ldapclientd:

/sbin/init.d/ldapclientd.rc stop
/sbin/init.d/ldapclientd.rc start


You can also checkout the LDAP-UX documentation at:
http://docs.hp.com/hpux/internet/index.html#LDAP-UX%20Integration

Cheers,
Doug
Mike Lancaster
Occasional Advisor

Re: LDAPUX with SSL/TLS? HOW?

Ok, that's for TLS over the regular port.

But can ldapux do straight SSL and not TLS, e.g. IMAPS://?

Doug Lamoureux_2
Valued Contributor

Re: LDAPUX with SSL/TLS? HOW?

Yes, use the same steps.
Mike Lancaster
Occasional Advisor

Re: LDAPUX with SSL/TLS? HOW?

Ok... it works... now we are rocking.

However I think I have discovered one thing.

Apparently the process to automatically download the profile can only go over normal LDAP.

Frankly, I was hoping to turn off the insecure/normal LDAP connections and banish them from our environment.

Is there a way to get the profile download (get_profile..) to also happen over SSL?

If we can do that we will have achieved ldapux nirvana.
Doug Lamoureux_2
Valued Contributor

Re: LDAPUX with SSL/TLS? HOW?

Currently this functionality does not exist, possibly in a future release. One possible option would be to use stunnel to create an SSL tunnel between the ldap-ux client and the Directory Server. You need to modify the ldapux_client.conf file to point to a port on the local system that stunnel is listening to. Something like this:

Service: NSS
LDAP_HOSTPORT="127.0.0.1:99999"
PROFILE_ENTRY_DN="cn=ldapuxprofile, ou=profiles, ou=ldap-ux, dc=acme, dc=com"


Then configure stunnel to listen on 127.0.0.1 port 99999 and forward to the real IP address and SSL port of your Directory server.

Something like:

# cat stunnel.conf.client
pid = /tmp/stunnel.pid.client
client = yes
RNDfile = /tmp/rand.file
[ldap-ux]
accept = 127.0.0.1:99999
connect = ldap.acme.com:686

# /usr/sbin/stunnel stunnel.conf.client

I have not tested this, but I have used this method to secure LDAP-UX over SSL before LDAP-UX supported SSL (with an older version of stunnel):

http://h21007.www2.hp.com/dspp/tech/tech_TechDocumentDetailPage_IDX/1,1701,4002,00.html
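The thread leaves the reader with two configurations to get right: the profile attributes from the accepted answer (preferredserverlist with an explicit SSL port, authenticationMethod set to tls:simple, cert7.db and key3.db in /etc/opt/ldapux) and, for the profile-download workaround, a stunnel client config that must only listen on loopback. The script below is an added example, not HP's or the posters' code; it parses both formats offline and reports the settings that would silently leave traffic in cleartext (no TLS method, a server without a port, a tunnel listening on all interfaces, a missing cert database). The sample inputs are constructed from the thread, and the loopback port 1636 is an assumed value; in practice you would feed it the output of /opt/ldapux/config/display_profile_cache and your stunnel config file.

```python
"""Offline checks for an LDAP-UX over SSL/TLS client setup (added example, not HP code)."""
import ipaddress
import os
import re

# Constructed profile attributes, modelled on the accepted answer's two changes.
SAMPLE_PROFILE = """\
preferredserverlist: 192.1.1.1:686
authenticationMethod=tls:simple
"""

# Constructed stunnel client config modelled on the last answer.
# Port 1636 for the loopback listener is an assumed value for this example.
SAMPLE_STUNNEL = """\
pid = /tmp/stunnel.pid.client
client = yes
RNDfile = /tmp/rand.file
[ldap-ux]
accept = 127.0.0.1:1636
connect = ldap.acme.com:686
"""

# 'key: value' (LDAP profile) or 'key = value' (stunnel) on one line.
KV = re.compile(r"^\s*([^:=\s]+)\s*[:=]\s*(.*?)\s*$")


def split_hostport(value):
    """Return (host, port); port is None if absent or outside 1..65535."""
    host, sep, port = value.rpartition(":")
    if not sep:  # a bare port means "all interfaces"; a bare host has no port
        host, port = ("", value) if value.isdigit() else (value, "")
    ok = port.isdigit() and 0 < int(port) < 65536
    return host, (int(port) if ok else None)


def is_loopback(host):
    """True only for localhost or a loopback IP; hostnames and '' are not trusted."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def parse_profile(text):
    """Parse 'attr: value' / 'attr=value' lines into a dict with lowercased keys."""
    attrs = {}
    for line in text.splitlines():
        m = KV.match(line)
        if m:
            attrs[m.group(1).lower()] = m.group(2)
    return attrs


def check_profile(attrs):
    """List problems; empty means every preferred server is reached with TLS."""
    problems = []
    method = attrs.get("authenticationmethod", "")
    if not method.lower().startswith("tls:"):
        problems.append(f"authenticationMethod is {method!r}, expected tls:<method>")
    servers = attrs.get("preferredserverlist", "").split()  # space-separated list
    if not servers:
        problems.append("preferredserverlist is empty")
    for entry in servers:
        if split_hostport(entry)[1] is None:
            problems.append(f"server {entry!r} has no explicit SSL port")
    return problems


def parse_stunnel(text):
    """Parse stunnel's INI-like syntax: global options first, then [service] sections."""
    sections, current = {"": {}}, ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
            continue
        m = KV.match(line)
        if m:
            sections[current][m.group(1).lower()] = m.group(2)
    return sections


def check_stunnel(sections):
    """Flag a tunnel whose cleartext side would be reachable from other hosts."""
    problems = []
    if sections[""].get("client", "").lower() != "yes":
        problems.append("global 'client = yes' missing: stunnel would act as a server")
    services = {k: v for k, v in sections.items() if k}
    if not services:
        problems.append("no [service] section")
    for name, opts in services.items():
        host, port = split_hostport(opts.get("accept", ""))
        if port is None:
            problems.append(f"[{name}] accept has no valid port")
        elif not is_loopback(host):
            problems.append(f"[{name}] accept {host!r} is not loopback: cleartext reachable off-host")
        if split_hostport(opts.get("connect", ""))[1] is None:
            problems.append(f"[{name}] connect has no valid port")
    return problems


def missing_cert_db(directory="/etc/opt/ldapux"):
    """Return which of cert7.db / key3.db are absent from the LDAP-UX config dir."""
    return [f for f in ("cert7.db", "key3.db")
            if not os.path.isfile(os.path.join(directory, f))]


if __name__ == "__main__":
    print("profile:", check_profile(parse_profile(SAMPLE_PROFILE)) or "OK")
    print("stunnel:", check_stunnel(parse_stunnel(SAMPLE_STUNNEL)) or "OK")
    print("cert db missing:", missing_cert_db() or "none")
```

Both sample inputs pass; feeding a profile with authenticationMethod: simple or a stunnel accept on 0.0.0.0 produces one finding each, which is exactly the kind of drift worth running this after every get_profile_entry download.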