Old 11-30-2007, 01:17 PM
Timothy Murphy
 
Mysteries of openldap

I'm running openldap on my desktop,
and can access it fine from my laptop.
But I'd like to use TLS encryption
(as the desktop ldap is open to the world).

Unfortunately I find the openldap documentation
very difficult to follow.
It is almost as though they speak a different language,
say Finnish or Hungarian.

I've followed the instructions in chapter 14, "Using TLS",
in the OpenLDAP Software 2.4 Administrator's Guide
at <http://www.openldap.org/doc/admin24/>.
I've uncommented the lines
-----------------------------
TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
-----------------------------
and restarted "service ldap".

But I see no evidence that this has had any effect.
I can access the ldap directory from my laptop
exactly as I did before,
even if I make the change
-----------------------------
# TLS_REQCERT allow
TLS_REQCERT try
-----------------------------
in ldap.conf on my laptop,
which as far as I can see (from "man ldap.conf")
should require my certificate(s) to be checked.

But it seems to work, as I said, with or without certificates,
and I see no evidence from tcpdump that
any encryption has been requested or implemented.

If someone who speaks openldap could enlighten me
I should be very grateful.

Incidentally, I have avoided installing SASL authentication,
basically because I assumed that as it comes from Cyrus
it was somehow related to Cyrus-Imap,
which caused me great grief before I moved to dovecot.

Is SASL in fact the standard way to authenticate openldap?
I read somewhere that there are "many ways"
of authenticating openldap,
without unfortunately any particular way being suggested.

Apologies for addressing what is probably an inappropriate forum.
I tried posting to the gmane newsgroup
mirroring the mailing list at openldap-software@openldap.org
but unfortunately my postings there never appear.

Any advice or suggestions gratefully received.



--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 
Old 11-30-2007, 03:56 PM
Craig White
 
Mysteries of openldap

On Fri, 2007-11-30 at 14:17 +0000, Timothy Murphy wrote:
> I'm running openldap on my desktop,
> and can access it fine from my laptop.
> But I'd like to use TLS encryption
> (as the desktop ldap is open to the world).
>
> Unfortunately I find the openldap documentation
> very difficult to follow.
> It is almost as though they speak a different language,
> say Finnish or Hungarian.
>
> I've followed the instructions in chapter 14, "Using TLS",
> in the OpenLDAP Software 2.4 Administrator's Guide
> at <http://www.openldap.org/doc/admin24/>.
> I've uncommented the lines
> -----------------------------
> TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
> TLSCertificateFile /etc/pki/tls/certs/slapd.pem
> TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
> -----------------------------
> and restarted "service ldap".
>
> But I see no evidence that this has had any effect.
> I can access the ldap directory from my laptop
> exactly as I did before,
> even if I make the change
> -----------------------------
> # TLS_REQCERT allow
> TLS_REQCERT try
> -----------------------------
> in ldap.conf on my laptop,
> which as far as I can see (from "man ldap.conf")
> should require my certificate(s) to be checked.
>
> But it seems to work, as I said, with or without certificates,
> and I see no evidence from tcpdump that
> any encryption has been requested or implemented.
>
> If someone who speaks openldap could enlighten me
> I should be very grateful.
>
> Incidentally, I have avoided installing SASL authentication,
> basically because I assumed that as it comes from Cyrus
> it was somehow related to Cyrus-Imap,
> which caused me great grief before I moved to dovecot.
>
> Is SASL in fact the standard way to authenticate openldap?
> I read somewhere that there are "many ways"
> of authenticating openldap,
> without unfortunately any particular way being suggested.
>
> Apologies for addressing what is probably an inappropriate forum.
> I tried posting to the gmane newsgroup
> mirroring the mailing list at openldap-software@openldap.org
> but unfortunately my postings there never appear.
>
> Any advice or suggestions gratefully received.
----
they don't appear because Kurt is very much the hands-on moderator of
the list and if you e-mail him, he will tell you probably that you are
off-topic.

short answer, use ldaps - even though it is deprecated.

longer answer, you'll have to fight through it.

self signed certs? add TLS_REQCERT to /etc/openldap/ldap.conf
and /etc/ldap.conf (openldap client apps use the one in /etc/openldap
folder, everything else uses the one in the /etc directory)

this is old, obsolete but very useful

http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html

Craig

 
Old 11-30-2007, 08:36 PM
Anthony Messina
 
Mysteries of openldap

On Friday 30 November 2007 10:56:13 am Craig White wrote:
> On Fri, 2007-11-30 at 14:17 +0000, Timothy Murphy wrote:
> > I'm running openldap on my desktop,
> > and can access it fine from my laptop.
> > But I'd like to use TLS encryption
> > (as the desktop ldap is open to the world).
> >
> > Unfortunately I find the openldap documentation
> > very difficult to follow.
> > It is almost as though they speak a different language,
> > say Finnish or Hungarian.
> >
> > I've followed the instructions in chapter 14, "Using TLS",
> > in the OpenLDAP Software 2.4 Administrator's Guide
> > at <http://www.openldap.org/doc/admin24/>.
> > I've uncommented the lines
> > -----------------------------
> > TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
> > TLSCertificateFile /etc/pki/tls/certs/slapd.pem
> > TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
> > -----------------------------
> > and restarted "service ldap".
> >
> > But I see no evidence that this has had any effect.
> > I can access the ldap directory from my laptop
> > exactly as I did before,
> > even if I make the change
> > -----------------------------
> > # TLS_REQCERT allow
> > TLS_REQCERT try
> > -----------------------------
> > in ldap.conf on my laptop,
> > which as far as I can see (from "man ldap.conf")
> > should require my certificate(s) to be checked.
> >
> > But it seems to work, as I said, with or without certificates,
> > and I see no evidence from tcpdump that
> > any encryption has been requested or implemented.
> >
> > If someone who speaks openldap could enlighten me
> > I should be very grateful.
> >
> > Incidentally, I have avoided installing SASL authentication,
> > basically because I assumed that as it comes from Cyrus
> > it was somehow related to Cyrus-Imap,
> > which caused me great grief before I moved to dovecot.
> >
> > Is SASL in fact the standard way to authenticate openldap?
> > I read somewhere that there are "many ways"
> > of authenticating openldap,
> > without unfortunately any particular way being suggested.
> >
> > Apologies for addressing what is probably an inappropriate forum.
> > I tried posting to the gmane newsgroup
> > mirroring the mailing list at openldap-software@openldap.org
> > but unfortunately my postings there never appear.
> >
> > Any advice or suggestions gratefully received.
>
> ----
> they don't appear because Kurt is very much the hands-on moderator of
> the list and if you e-mail him, he will tell you probably that you are
> off-topic.
>
> short answer, use ldaps - even though it is deprecated.
>
> longer answer, you'll have to fight through it.
>
> self signed certs? add TLS_REQCERT to /etc/openldap/ldap.conf
> and /etc/ldap.conf (openldap client apps use the one in /etc/openldap
> folder, everything else uses the one in the /etc directory)
>
> this is old, obsolete but very useful
>
> http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html
>
> Craig

if you're doing a command line test like ldapsearch, you'll have to add -ZZ to
enforce TLS encryption with the search.

--
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
 
Old 11-30-2007, 08:59 PM
Timothy Murphy
 
Mysteries of openldap

Craig White wrote:

>> I'm running openldap on my desktop,
>> and can access it fine from my laptop.
>> But I'd like to use TLS encryption
>> (as the desktop ldap is open to the world).
>>
>> Unfortunately I find the openldap documentation
>> very difficult to follow.
...
> short answer, use ldaps - even though it is deprecated.

Well, thanks very much for your response.
I'll try ldaps, as you suggest.
I couldn't tell, from the documentation,
what the difference is between ldap + TLS and ldaps,
except that they seem to use different ports.

> self signed certs? add TLS_REQCERT to /etc/openldap/ldap.conf
> and /etc/ldap.conf (openldap client apps use the one in /etc/openldap
> folder, everything else uses the one in the /etc directory)

I hadn't realized there was a second ldap.conf .
That's just about par for the course ...

> this is old, obsolete but very useful
>
> http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html

Thanks, I had seen that but ignored it after the rather prissy warning,
"This independently authored paper is considered to have obsolete status".
But with your recommendation I'll study it closely.

Reading openldap documentation is like driving through fog.
At least one has some sense of progress,
which is more than I can say for reading sendmail docs.





 
Old 11-30-2007, 09:07 PM
Anthony Messina
 
Mysteries of openldap

On Friday 30 November 2007 03:59:15 pm Timothy Murphy wrote:
> Craig White wrote:
> >> I'm running openldap on my desktop,
> >> and can access it fine from my laptop.
> >> But I'd like to use TLS encryption
> >> (as the desktop ldap is open to the world).
> >>
> >> Unfortunately I find the openldap documentation
> >> very difficult to follow.
>
> ...
>
> > short answer, use ldaps - even though it is deprecated.
>
> Well, thanks very much for your response.
> I'll try ldaps, as you suggest.
> I couldn't tell, from the documentation,
> what the difference is between ldap + TLS and ldaps,
> except that they seem to use different ports.

ldaps is ldap over ssl, port 636: this would be similar to using https://
instead of http://

ldap + tls is ldap using the start_tls mechanism, port 389

> > self signed certs? add TLS_REQCERT to /etc/openldap/ldap.conf
> > and /etc/ldap.conf (openldap client apps use the one in /etc/openldap
> > folder, everything else uses the one in the /etc directory)
>
> I hadn't realized there was a second ldap.conf .
> That's just about par for the course ...
>
> > this is old, obsolete but very useful
> >
> > http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html
>
> Thanks, I had seen that but ignored it after the rather prissy warning,
> "This independently authored paper is considered to have obsolete status".
> But with your recommendation I'll study it closely.
>
> Reading openldap documentation is like driving through fog.
> At least one has some sense of progress,
> which is more than I can say for reading sendmail docs.



 
Old 11-30-2007, 09:09 PM
Craig White
 
Mysteries of openldap

On Fri, 2007-11-30 at 21:59 +0000, Timothy Murphy wrote:
> Craig White wrote:
>
> >> I'm running openldap on my desktop,
> >> and can access it fine from my laptop.
> >> But I'd like to use TLS encryption
> >> (as the desktop ldap is open to the world).
> >>
> >> Unfortunately I find the openldap documentation
> >> very difficult to follow.
> ...
> > short answer, use ldaps - even though it is deprecated.
>
> Well, thanks very much for your response.
> I'll try ldaps, as you suggest.
> I couldn't tell, from the documentation,
> what the difference is between ldap + TLS and ldaps,
> except that they seem to use different ports.
>
> > self signed certs? add TLS_REQCERT to /etc/openldap/ldap.conf
> > and /etc/ldap.conf (openldap client apps use the one in /etc/openldap
> > folder, everything else uses the one in the /etc directory)
>
> I hadn't realized there was a second ldap.conf .
> That's just about par for the course ...
>
> > this is old, obsolete but very useful
> >
> > http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html
>
> Thanks, I had seen that but ignored it after the rather prissy warning,
> "This independently authored paper is considered to have obsolete status".
> But with your recommendation I'll study it closely.
>
> Reading openldap documentation is like driving through fog.
> At least one has some sense of progress,
> which is more than I can say for reading sendmail docs.
----
should have been
TLS_REQCERT allow
for self-signed certs

important to realize...

# rpm -q --whatprovides /etc/ldap.conf
nss_ldap-257-3.fc6

# rpm -q --whatprovides /etc/openldap/ldap.conf
openldap-2.3.30-3.fc6

made me crazy not knowing why the 2 files...

# rpm -ql openldap-clients|grep man
/usr/share/man/man1/ldapadd.1.gz
/usr/share/man/man1/ldapcompare.1.gz
/usr/share/man/man1/ldapdelete.1.gz
/usr/share/man/man1/ldapmodify.1.gz
/usr/share/man/man1/ldapmodrdn.1.gz
/usr/share/man/man1/ldappasswd.1.gz
/usr/share/man/man1/ldapsearch.1.gz
/usr/share/man/man1/ldapwhoami.1.gz

there used to be 2 different man pages on ldap.conf but nss_ldap (padl)
has renamed theirs...

# rpm -ql openldap|grep man
/usr/share/man/man5/ldap.conf.5.gz
/usr/share/man/man5/ldif.5.gz

# rpm -ql nss_ldap|grep man
/usr/share/man/man5/nss_ldap.5.gz
/usr/share/man/man5/pam_ldap.5.gz

/etc/openldap/ldap.conf is for openldap and openldap-clients software

Craig

 
Old 11-30-2007, 09:12 PM
Craig White
 
Mysteries of openldap

On Fri, 2007-11-30 at 16:07 -0600, Anthony Messina wrote:
> On Friday 30 November 2007 03:59:15 pm Timothy Murphy wrote:
> > Craig White wrote:
> > >> I'm running openldap on my desktop,
> > >> and can access it fine from my laptop.
> > >> But I'd like to use TLS encryption
> > >> (as the desktop ldap is open to the world).
> > >>
> > >> Unfortunately I find the openldap documentation
> > >> very difficult to follow.
> >
> > ...
> >
> > > short answer, use ldaps - even though it is deprecated.
> >
> > Well, thanks very much for your response.
> > I'll try ldaps, as you suggest.
> > I couldn't tell, from the documentation,
> > what the difference is between ldap + TLS and ldaps,
> > except that they seem to use different ports.
>
> ldaps is ldap over ssl, port 636: this would be similar to using https://
> instead of http://
>
> ldap + tls is ldap using the start_tls mechanism, port 389
----
yes, more common these days to use URI than HOST designations.

uri ldaps://some.fqdn:636

similar to

uri ldap://some.fqdn:389
ssl start_tls

be sure that your self-signed certs, dns, system all use the same host
names

Craig

 
Old 12-01-2007, 12:23 PM
Timothy Murphy
 
Mysteries of openldap

Anthony Messina wrote:

> if you're doing a command line test like ldapsearch, you'll have to add
> -ZZ to enforce TLS encryption with the search.

Yes, thanks, I had discovered that after some time.
I find I can access the ldap directory from the desktop
on which the openldap server is running:
-------------------------
[tim@alfred ~]$ ldapsearch -x -ZZ
# extended LDIF
...
# search result
search: 3
result: 0 Success

# numResponses: 7
# numEntries: 6
-------------------------
but not from my laptop:
-------------------------
[tim@elizabeth ~]$ ldapsearch -x -ZZ
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
-------------------------

I've never really understood this certificate business.
Is there a simple tutorial on that anywhere?

One minor source of confusion is that Fedora
seems to keep certificates in /etc/pki/tls/
whereas all the openldap documentation I have looked at
seems to expect them in other /etc/ directories.

But thanks very much for your help.
I am making progress, slowly but surely.





 
Old 12-01-2007, 06:33 PM
Craig White
 
Mysteries of openldap

On Sat, 2007-12-01 at 13:23 +0000, Timothy Murphy wrote:
> Anthony Messina wrote:
>
> > if you're doing a command line test like ldapsearch, you'll have to add
> > -ZZ to enforce TLS encryption with the search.
>
> Yes, thanks, I had discovered that after some time.
> I find I can access the ldap directory from the desktop
> on which the openldap server is running:
> -------------------------
> [tim@alfred ~]$ ldapsearch -x -ZZ
> # extended LDIF
> ...
> # search result
> search: 3
> result: 0 Success
>
> # numResponses: 7
> # numEntries: 6
> -------------------------
> but not from my laptop:
> -------------------------
> [tim@elizabeth ~]$ ldapsearch -x -ZZ
> ldap_start_tls: Connect error (-11)
> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> -------------------------
>
> I've never really understood this certificate business.
> Is there a simple tutorial on that anywhere?
>
> One minor source of confusion is that Fedora
> seems to keep certificates in /etc/pki/tls/
> whereas all the openldap documentation I have looked at
> seems to expect them in other /etc/ directories.
>
> But thanks very much for your help.
> I am making progress, slowly but surely.
----
your laptop...contents of /etc/openldap/ldap.conf are probably the
issue...does it recognize your ca cert?

TLS_CACERT or TLS_CACERTDIR contain the ca cert?

Craig

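As an added example (not code from the thread or from the OpenLDAP project), here is a small Python audit of the client-side ldap.conf directives the thread discusses: URI versus HOST, nss_ldap's `ssl start_tls`, the TLS_REQCERT levels, and the TLS_CACERT/TLS_CACERTDIR trust anchor Craig asks about in his last reply. The host names and paths in the sample configurations are constructed.

```python
import re
from urllib.parse import urlsplit

# TLS_REQCERT levels from ldap.conf(5): 'never' and 'allow' accept any (or no)
# server certificate, 'try' rejects a bad one but tolerates a missing one, and
# 'demand' (the default; alias 'hard') requires a valid one.
UNVERIFIED_LEVELS = {"never", "allow"}
# Trust-anchor directives (OpenLDAP TLS_CACERT/TLS_CACERTDIR, nss_ldap tls_cacertfile).
CA_KEYS = {"tls_cacert", "tls_cacertdir", "tls_cacertfile"}


def parse_ldap_conf(text):
    """Parse ldap.conf text into {keyword: [values]}; keywords are case-insensitive."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if line:
            parts = re.split(r"\s+", line, maxsplit=1)
            conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf


def audit_ldap_conf(text):
    """Return transport-security findings for one ldap.conf; an empty list means clean."""
    conf = parse_ldap_conf(text)
    findings = []
    if "host" in conf:
        findings.append("HOST is deprecated; use URI so the scheme (ldap/ldaps) is explicit")
    # nss_ldap's 'ssl start_tls' forces StartTLS on ldap:// URIs; OpenLDAP's own
    # tools have no such directive and need -ZZ on the command line instead.
    start_tls = any(v.lower() == "start_tls" for v in conf.get("ssl", []))
    for uri in " ".join(conf.get("uri", [])).split():
        if urlsplit(uri).scheme.lower() == "ldap" and not start_tls:
            findings.append(f"{uri}: cleartext unless the client asks for StartTLS (ldapsearch -ZZ)")
    level = conf.get("tls_reqcert", ["demand"])[-1].lower()  # the last directive wins
    if level in UNVERIFIED_LEVELS:
        findings.append(f"TLS_REQCERT {level}: server certificate not verified, so the session "
                        "is encrypted but the peer is not authenticated")
    elif level == "try":
        findings.append("TLS_REQCERT try: a server presenting no certificate is accepted; use demand")
    if level not in UNVERIFIED_LEVELS and CA_KEYS.isdisjoint(conf):
        findings.append("no TLS_CACERT/TLS_CACERTDIR: without a trust anchor every verified "
                        "handshake fails with 'certificate verify failed'")
    return findings


# Constructed samples: the laptop settings described in the thread, then a hardened version.
LAPTOP_CONF = """\
HOST alfred.example.org
URI ldap://alfred.example.org:389
# TLS_REQCERT allow
TLS_REQCERT try
"""
HARDENED_CONF = """\
URI ldaps://alfred.example.org:636
TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
TLS_REQCERT demand
"""
```

Configuring TLSCertificateFile in slapd.conf only makes StartTLS available on port 389; unless the client asks for it (-ZZ, or `ssl start_tls` in nss_ldap) or slapd is configured to require it, the session stays in cleartext, which is why tcpdump showed no change in the first post.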
 