02-02-2011 05:23 AM
OpenLDAP - TLS-SSL
I configured OpenLDAP and now I want to configure it to use TLS/SSL,
but I cannot get it working with the Linux clients. Environment: CentOS 5.5
OpenLDAP server configuration:
1.
[code]cd /etc/openldap/cacerts
# self-signed certificate with an unencrypted key (-nodes); the same file is used below as CA and server cert
openssl req -x509 -nodes -newkey rsa:1024 -days 730 -out slapd.crt -keyout slapd.key
# slapd runs as the ldap user, so only that user may read the key
chown ldap.ldap slapd.*
chmod 400 slapd.*[/code]
2.
Add the lines below to /etc/openldap/slapd.conf:
[code]TLSCACertificateFile /etc/openldap/cacerts/slapd.crt
TLSCertificateFile /etc/openldap/cacerts/slapd.crt
TLSCertificateKeyFile /etc/openldap/cacerts/slapd.key[/code]
and that's it.
I see it works (or I think it does, since JXplorer connects using SSL on port 636); see attachment.
But CentOS 5.5 clients don't want to connect.
When there is no SSL, users can connect normally,
but when SSL is configured, the username is typed but the password prompt never comes up... users just get a session timeout.
By the way, there is nothing in messages on either the OpenLDAP server or the client.
Client configuration is done via authconfig-tui (included in the attachment).
Any idea why it is not working, guys?
Am I missing something?
Thanks a lot
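The steps above configure only the server side. Whether a CentOS client completes the handshake depends on what its own ldap.conf says about trusting the self-signed slapd.crt, and a slapd with only those three TLS lines still answers binds and searches on plaintext connections, because StartTLS is something the client asks for. The following is an added example, not code from this thread or from the OpenLDAP project: a small Python checker that reads the three server lines posted above plus a hardened variant, and two constructed client files in the nss_ldap/pam_ldap /etc/ldap.conf format used on CentOS 5, and reports the settings a practitioner would look for. The FQDN masterdns.training.com, the `security simple_bind=128` line and both client files are assumptions; the directive names are the ones documented in slapd.conf(5) and the nss_ldap ldap.conf(5) man pages.

```python
import re

# Constructed from the thread: the three TLS lines the original post added to slapd.conf.
SERVER_CONF_AS_POSTED = """\
TLSCACertificateFile /etc/openldap/cacerts/slapd.crt
TLSCertificateFile /etc/openldap/cacerts/slapd.crt
TLSCertificateKeyFile /etc/openldap/cacerts/slapd.key
"""

# Assumed hardening (slapd.conf(5) 'security' factors): simple_bind=128 makes slapd refuse a
# simple bind, the operation that carries the password, unless the connection already has SSF >= 128.
SERVER_CONF_HARDENED = SERVER_CONF_AS_POSTED + "security simple_bind=128\n"

# Assumed client files in the nss_ldap/pam_ldap /etc/ldap.conf format (the server FQDN is made up).
# The weak one requests StartTLS but never verifies who it is talking to.
CLIENT_CONF_WEAK = """\
uri ldap://masterdns.training.com/
base dc=training,dc=com
ssl start_tls
tls_checkpeer no
"""

CLIENT_CONF_GOOD = """\
uri ldap://masterdns.training.com/
base dc=training,dc=com
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/slapd.crt
"""


def parse_directives(text):
    """One 'keyword value' per line, keyword lowercased; comments and blank lines skipped."""
    out = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        out[key.lower()] = value.strip()
    return out


def audit_server(text):
    """Findings for a slapd.conf fragment: missing TLS files, self-signed cert, no encryption requirement."""
    d = parse_directives(text)
    findings = []
    for req in ("tlscertificatefile", "tlscertificatekeyfile"):
        if req not in d:
            findings.append(f"missing {req}")
    if d.get("tlscacertificatefile") and d["tlscacertificatefile"] == d.get("tlscertificatefile"):
        findings.append("self-signed server certificate: every client needs this exact file "
                        "as its trust anchor (tls_cacertfile or TLS_CACERT)")
    # Without a 'security' factor slapd keeps serving binds and searches on plaintext
    # connections; only the client decides whether StartTLS is sent at all.
    if not re.search(r"\b(ssf|tls|simple_bind)=[1-9]\d*", d.get("security", "")):
        findings.append("no 'security' directive: cleartext binds and searches are still accepted")
    return findings


def audit_client(text):
    """Findings for an nss_ldap-style ldap.conf: no TLS request, verification off, no trust anchor."""
    d = parse_directives(text)
    findings = []
    requests_tls = (d.get("ssl", "").lower() in ("start_tls", "on")
                    or d.get("uri", "").lower().startswith("ldaps://"))
    if not requests_tls:
        findings.append("client never asks for TLS (no 'ssl start_tls'/'ssl on' and no ldaps:// URI)")
    if d.get("tls_checkpeer", "").lower() == "no":
        findings.append("tls_checkpeer no: the server certificate is not verified, "
                        "so any host on the path can impersonate the server")
    if not (d.get("tls_cacertfile") or d.get("tls_cacertdir")):
        findings.append("no tls_cacertfile/tls_cacertdir: a self-signed slapd.crt has no trust anchor on this client")
    return findings


if __name__ == "__main__":
    for name, fn, conf in (("server as posted", audit_server, SERVER_CONF_AS_POSTED),
                           ("server hardened", audit_server, SERVER_CONF_HARDENED),
                           ("client weak", audit_client, CLIENT_CONF_WEAK),
                           ("client good", audit_client, CLIENT_CONF_GOOD)):
        print(name, fn(conf) or ["ok"])
```

For the server lines as posted the checker reports two things: the certificate is self-signed, so the client must be handed slapd.crt (or a directory containing it) as its CA, and nothing forces encryption, so a client that never sends StartTLS is served in the clear. One further point outside the checker: the posted openssl command uses `rsa:1024`, and 2048 bits is the usual minimum for a new key today.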
02-03-2011 01:16 AM
Re: OpenLDAP - TLS-SSL
What is your OpenLDAP loglevel?
Can you set full debugging and drop any logs into this thread?
Regards,
M.
02-13-2011 08:07 AM
Re: OpenLDAP - TLS-SSL
Now that I have configured the CentOS clients with authconfig-tui to use TLS, they connect with an OpenLDAP user, but the logs say 389... not 636.
Can TLS be enabled and still use port 389?
I'm going to include both logs.
Scenario:
OpenLDAP TLS configured and enabled. OK. In both scenarios the client connects with an LDAP user.
1. Client without TLS, logs:
[code]Feb 13 08:42:50 masterdns slapd[3911]: conn=2 fd=16 ACCEPT from IP=192.168.2.73:45037 (IP=0.0.0.0:389)
Feb 13 08:42:50 masterdns slapd[3911]: conn=2 op=0 BIND dn="" method=128
Feb 13 08:42:50 masterdns slapd[3911]: conn=2 op=0 RESULT tag=97 err=0 text=
Feb 13 08:42:50 masterdns slapd[3911]: conn=2 op=1 SRCH base="dc=training,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=adri))"
Feb 13 08:42:50 masterdns slapd[3911]: conn=2 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Feb 13 08:42:50 masterdns slapd[3911]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 13 08:42:52 masterdns slapd[3911]: conn=2 op=2 SRCH base="dc=training,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=adri))"
Feb 13 08:42:52 masterdns slapd[3911]: conn=2 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Feb 13 08:42:52 masterdns slapd[3911]: conn=2 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 13 08:42:52 masterdns slapd[3911]: conn=2 op=3 SRCH base="dc=training,dc=com" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=adri))"
Feb 13 08:42:52 masterdns slapd[3911]: conn=2 op=3 SRCH attr=uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire shadowFlag
Feb 13 08:42:52 masterdns slapd[3911]: conn=2 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 13 08:42:52 masterdns slapd[3911]: conn=2 op=4 SRCH base="dc=training,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=adri))"
Feb 13 08:42:52 masterdns slapd[3911]: conn=2 op=4 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Feb 13 08:42:52 masterdns slapd[3911]: conn=2 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=[/code]
2. Client with TLS enabled, logs:
[code]Feb 13 09:41:35 masterdns slapd[4096]: conn=5 fd=15 ACCEPT from IP=192.168.2.74:35441 (IP=0.0.0.0:389)
Feb 13 09:41:35 masterdns slapd[4096]: conn=5 op=0 STARTTLS
Feb 13 09:41:35 masterdns slapd[4096]: conn=5 op=0 RESULT oid= err=0 text=
Feb 13 09:41:35 masterdns slapd[4096]: conn=5 fd=15 TLS established tls_ssf=256 ssf=256
Feb 13 09:41:35 masterdns slapd[4096]: conn=5 op=1 BIND dn="" method=128
Feb 13 09:41:35 masterdns slapd[4096]: conn=5 op=1 RESULT tag=97 err=0 text=
Feb 13 09:41:35 masterdns slapd[4096]: conn=5 op=2 SRCH base="dc=training,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=adri))"
Feb 13 09:41:35 masterdns slapd[4096]: conn=5 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Feb 13 09:41:35 masterdns slapd[4096]: conn=5 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 13 09:41:38 masterdns slapd[4096]: conn=5 op=3 SRCH base="dc=training,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=adri))"
Feb 13 09:41:38 masterdns slapd[4096]: conn=5 op=3 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Feb 13 09:41:38 masterdns slapd[4096]: conn=5 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 13 09:41:38 masterdns slapd[4096]: conn=5 op=4 SRCH base="dc=training,dc=com" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=adri))"
Feb 13 09:41:38 masterdns slapd[4096]: conn=5 op=4 SRCH attr=uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire shadowFlag
Feb 13 09:41:38 masterdns slapd[4096]: conn=5 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 13 09:41:38 masterdns slapd[4096]: conn=5 op=5 SRCH base="dc=training,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=adri))"
Feb 13 09:41:38 masterdns slapd[4096]: conn=5 op=5 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Feb 13 09:41:38 masterdns slapd[4096]: conn=5 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text=[/code]
Can TLS be enabled and TLS-configured clients still use port 389? Or am I still configuring TLS incorrectly?
Thanks a lot
02-14-2011 04:20 AM
Re: OpenLDAP - TLS-SSL
When you're using TLS with LDAP, the LDAP client can open a connection using the regular LDAP port and then perform a StartTLS operation, essentially saying "start encryption now, please."
If the client does not request a StartTLS operation, the connection remains unencrypted. The server can be configured to reject unencrypted connections, or to accept them.
With SSL, the server port is configured to expect an SSL handshake immediately after the connection is opened. This requires a separate port, for SSL traffic only, for each service.
TLS is a successor of SSL, and removes the requirement of using a separate port for SSL-secured connections. Of course, most TLS-capable applications can also use a different port and connect SSL-style. This is typically indicated by adding an "s" to the URL scheme name, i.e. "ldaps:" instead of "ldap:".
MK
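To make the port question from the two log scenarios above and MK's explanation concrete, here is an added example, not code from this thread or from OpenLDAP: a Python function that reads slapd's own connection log (the two excerpts posted above, abbreviated and embedded as a constructed sample) and, per connection, records whether "TLS established" appeared before any BIND or search. Port 389 with StartTLS is the normal case; what matters is that no operation runs before the handshake. The function also flags a search that asked for userPassword on a connection that never negotiated TLS, which is exactly what the first scenario shows. The set of operation keywords it recognises is an assumption drawn from the slapd stats log format.

```python
import re

# Constructed sample: the two slapd log excerpts posted earlier in this thread, abbreviated.
# conn=2 is the client without TLS; conn=5 is the client that sent StartTLS on port 389.
SAMPLE_LOG = '''\
Feb 13 08:42:50 masterdns slapd[3911]: conn=2 fd=16 ACCEPT from IP=192.168.2.73:45037 (IP=0.0.0.0:389)
Feb 13 08:42:50 masterdns slapd[3911]: conn=2 op=0 BIND dn="" method=128
Feb 13 08:42:50 masterdns slapd[3911]: conn=2 op=0 RESULT tag=97 err=0 text=
Feb 13 08:42:50 masterdns slapd[3911]: conn=2 op=1 SRCH base="dc=training,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=adri))"
Feb 13 08:42:50 masterdns slapd[3911]: conn=2 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Feb 13 08:42:50 masterdns slapd[3911]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 13 09:41:35 masterdns slapd[4096]: conn=5 fd=15 ACCEPT from IP=192.168.2.74:35441 (IP=0.0.0.0:389)
Feb 13 09:41:35 masterdns slapd[4096]: conn=5 op=0 STARTTLS
Feb 13 09:41:35 masterdns slapd[4096]: conn=5 op=0 RESULT oid= err=0 text=
Feb 13 09:41:35 masterdns slapd[4096]: conn=5 fd=15 TLS established tls_ssf=256 ssf=256
Feb 13 09:41:35 masterdns slapd[4096]: conn=5 op=1 BIND dn="" method=128
Feb 13 09:41:35 masterdns slapd[4096]: conn=5 op=1 RESULT tag=97 err=0 text=
Feb 13 09:41:35 masterdns slapd[4096]: conn=5 op=2 SRCH base="dc=training,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=adri))"
Feb 13 09:41:35 masterdns slapd[4096]: conn=5 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Feb 13 09:41:35 masterdns slapd[4096]: conn=5 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
'''

CONN_RE = re.compile(r"slapd\[\d+\]: conn=(\d+) (.*)$")
ACCEPT_RE = re.compile(r"ACCEPT from IP=(\S+) \(IP=\S+:(\d+)\)")
TLS_RE = re.compile(r"TLS established tls_ssf=(\d+)")
# Operation keywords as slapd's stats log prints them (assumed list; RESULT lines are skipped on purpose).
OP_RE = re.compile(r"op=(\d+) (STARTTLS|BIND|SRCH|ADD|MOD|DEL|CMP|EXT)\b")


def audit_slapd_log(text):
    """Return {conn_id: record}; record['cleartext_ops'] lists every LDAP operation, other than
    the StartTLS request itself, that slapd processed before 'TLS established' on that connection."""
    conns = {}
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        cid, rest = int(m.group(1)), m.group(2)
        c = conns.setdefault(cid, {"peer": None, "port": None, "tls_ssf": 0,
                                   "cleartext_ops": {}, "password_attr_in_clear": False})
        a = ACCEPT_RE.search(rest)
        if a:
            c["peer"], c["port"] = a.group(1), int(a.group(2))
            continue
        t = TLS_RE.search(rest)
        if t:
            c["tls_ssf"] = int(t.group(1))
            continue
        if c["tls_ssf"] > 0:
            continue  # everything after the handshake travels inside TLS
        o = OP_RE.search(rest)
        if o and o.group(2) != "STARTTLS":
            c["cleartext_ops"][int(o.group(1))] = o.group(2)
        # A search that names userPassword on a plaintext connection is worth a separate flag;
        # whether slapd actually returns the attribute depends on its ACLs, but it was asked for in the clear.
        if "SRCH attr=" in rest and "userPassword" in rest.split("attr=", 1)[1].split():
            c["password_attr_in_clear"] = True
    for c in conns.values():
        c["cleartext_ops"] = sorted(c["cleartext_ops"].items())
    return conns


def findings(conns):
    """Human-readable lines for connections that carried LDAP traffic in the clear."""
    out = []
    for cid, c in sorted(conns.items()):
        if not c["cleartext_ops"]:
            continue
        ops = ", ".join(f"op={n} {kind}" for n, kind in c["cleartext_ops"])
        note = " (userPassword requested in the clear)" if c["password_attr_in_clear"] else ""
        out.append(f"conn={cid} from {c['peer']} on port {c['port']}: {ops} before any TLS handshake{note}")
    return out


if __name__ == "__main__":
    for line in findings(audit_slapd_log(SAMPLE_LOG)):
        print(line)
```

On the sample, conn=5 comes out clean: its ACCEPT is on port 389, but the only thing before "TLS established" is the StartTLS request itself, and the bind and searches follow at tls_ssf=256. conn=2 is the one to worry about: an anonymous simple bind (dn="" method=128) and searches naming userPassword, all on a connection that never negotiated TLS. Run the same function over a day of slapd stats logs and every connection that shows up in the output is a client that still needs its ldap.conf fixed, or a reason to add a `security` directive to slapd.conf.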
02-14-2011 07:49 AM
Re: OpenLDAP - TLS-SSL
Well, that means I'm OK, or protected with TLS, and my clients' connections are encrypted...