Secure ldap problem
Solution 1
First of all, your question needs editing. It is not clear.
It might be a good idea to start with a working setup without SSL and then add bits and pieces one by one until something breaks, so that you can find the problem. If the problem is with GnuTLS not supporting TLSCipherSuite, then take it away. Do you really need it? Why do you insist on OpenSSL? GnuTLS has worked fine for me, including LDAPS connections on port 636; you don't need OpenSSL to do that.
Solution 2
Regarding this link http://wiki.debian.org/LDAP/OpenLDAPSetup, it says: "Diagnosis: If you try to install the OpenLDAP server (slapd) with Debian Lenny, it comes compiled against the GnuTLS library. It means you cannot use an OpenSSL style directive like TLSCipherSuite HIGH:MEDIUM:-SSLv2 in slapd.conf."
I think it means that on Debian5 (Lenny) you cannot use OpenSSL for the secure connection. Maybe that is why I never accomplished it... Do you guys think so?
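The point both answers make is that the same TLSCipherSuite line is valid for an OpenSSL-built slapd and rejected by a GnuTLS-built one. The checker below is an added example, not code from the original post or from OpenLDAP; it classifies a TLSCipherSuite value by vocabulary (OpenSSL cipher-list keywords versus GnuTLS priority-string keywords) and flags a slapd.conf whose syntax does not match the library slapd was linked against. It assumes the GnuTLS backend accepts GnuTLS priority strings for TLSCipherSuite, and the sample slapd.conf is constructed for the example.

```python
import re

# OpenSSL cipher-list keywords: the syntax a GnuTLS-built slapd (Debian Lenny) rejects.
OPENSSL_TOKENS = {"HIGH", "MEDIUM", "LOW", "ALL", "DEFAULT", "COMPLEMENTOFDEFAULT", "SSLv2",
                  "SSLv3", "TLSv1", "aNULL", "eNULL", "EXP", "RC4", "3DES", "MD5", "SHA1", "kRSA"}
# GnuTLS priority-string keywords and algorithm modifiers (e.g. -VERS-SSL3.0, +VERS-TLS1.2).
GNUTLS_TOKENS = {"NORMAL", "PERFORMANCE", "PFS", "SECURE128", "SECURE192", "SECURE256", "NONE"}
GNUTLS_MODIFIER = re.compile(r"^(VERS|CIPHER|MAC|KX|COMP|SIGN|CURVE|CTYPE)-[A-Z0-9.]+$")

def cipher_suite_style(value):
    """Classify a TLSCipherSuite value as 'openssl', 'gnutls', 'mixed' or 'unknown'."""
    tokens = [t.lstrip("!+-") for t in value.split(":") if t]
    openssl = [t for t in tokens if t in OPENSSL_TOKENS]
    gnutls = [t for t in tokens if t in GNUTLS_TOKENS or GNUTLS_MODIFIER.match(t)]
    if openssl and gnutls:
        return "mixed"
    return "openssl" if openssl else "gnutls" if gnutls else "unknown"

def check_slapd_conf(text, tls_library="gnutls"):
    """Return (line number, message) findings for TLS settings this slapd build rejects."""
    findings, seen = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        directive, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        seen.add(directive)
        style = cipher_suite_style(value) if directive == "tlsciphersuite" else None
        if style not in (None, tls_library, "unknown"):
            findings.append((lineno, f"TLSCipherSuite '{value}' is {style}-style syntax, "
                                     f"but this slapd is linked against {tls_library}"))
    # Without a certificate and key TLS cannot initialise, so an ldaps:// listener cannot start.
    for needed in ("tlscertificatefile", "tlscertificatekeyfile"):
        if needed not in seen:
            findings.append((0, f"missing {needed}: required for ldaps://"))
    return findings

# Constructed sample reproducing the Lenny problem; not the original poster's slapd.conf.
BROKEN_CONF = """\
TLSCertificateFile    /etc/ldap/ssl/slapd.pem
TLSCertificateKeyFile /etc/ldap/ssl/slapd.key
TLSCipherSuite        HIGH:MEDIUM:-SSLv2
"""
# Same file with a GnuTLS priority string instead (GnuTLS has no SSLv2, so only SSLv3 is disabled).
FIXED_CONF = BROKEN_CONF.replace("HIGH:MEDIUM:-SSLv2", "SECURE256:-VERS-SSL3.0")

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, check_slapd_conf(conf) or "no findings")
```

Running it reports the OpenSSL-style line in the broken file and nothing for the fixed one; pass tls_library="openssl" to see the same broken file accepted, which is the Lenny situation in reverse.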
Comments
Return_Of_The_Archons over 1 year
I have tried to configure my OpenLDAP to have a secure connection by using OpenSSL on Debian5. However, I ran into trouble with the command below.
ldap:/etc/ldap# slapd -h 'ldap:// ldaps://' -d1
>>> slap_listener(ldaps://)
connection_get(15): got connid=7
connection_read(15): checking for input on id=7
connection_get(15): got connid=7
connection_read(15): checking for input on id=7
connection_get(15): got connid=7
connection_read(15): checking for input on id=7
connection_get(15): got connid=7
connection_read(15): checking for input on id=7
connection_read(15): unable to get TLS client DN, error=49 id=7
connection_get(15): got connid=7
connection_read(15): checking for input on id=7
ber_get_next
ber_get_next on fd 15 failed errno=0 (Success)
connection_closing: readying conn=7 sd=15 for close
connection_close: conn=7 sd=15
Then I searched for "unable to get TLS client DN, error=49 id=7" but it seems nowhere has a good solution to this yet. Please help. Thanks.
Well, I tried to fix something to get it to work, but now I get this:
ldap:~# slapd -d 256 -f /etc/openldap/slapd.conf
@(#) $OpenLDAP: slapd 2.4.11 (Nov 26 2009 09:17:06) $
root@SD6-Casa:/tmp/buildd/openldap-2.4.11/debian/build/servers/slapd
could not stat config file "/etc/openldap/slapd.conf": No such file or directory (2)
slapd stopped.
connections_destroy: nothing to destroy.
What should I do now?
log: ldap:~# /etc/init.d/slapd start
Starting OpenLDAP: slapd - failed.
The operation failed but no output was produced. For hints on what went wrong please refer to the system's logfiles (e.g. /var/log/syslog) or try running the daemon in Debug mode like via "slapd -d 16383" (warning: this will create copious output).
Below, you can find the command line options used by this script to run slapd. Do not forget to specify those options if you want to look to debugging output: slapd -h 'ldaps:///' -g openldap -u openldap -f /etc/ldap/slapd.conf
ldap:~# tail /var/log/messages
Feb 8 16:53:27 ldap kernel: [ 123.582757] intel8x0_measure_ac97_clock: measured 57614 usecs
Feb 8 16:53:27 ldap kernel: [ 123.582801] intel8x0: measured clock 172041 rejected
Feb 8 16:53:27 ldap kernel: [ 123.582825] intel8x0: clocking to 48000
Feb 8 16:53:27 ldap kernel: [ 131.469687] Adding 240932k swap on /dev/hda5. Priority:-1 extents:1 across:240932k
Feb 8 16:53:27 ldap kernel: [ 133.432131] EXT3 FS on hda1, internal journal
Feb 8 16:53:27 ldap kernel: [ 135.478218] loop: module loaded
Feb 8 16:53:27 ldap kernel: [ 141.348104] eth0: link up, 100Mbps, full-duplex
Feb 8 16:53:27 ldap rsyslogd: [origin software="rsyslogd" swVersion="3.18.6" x-pid="1705" x-info="http://www.rsyslog.com"] restart
Feb 8 16:53:34 ldap kernel: [ 159.217171] NET: Registered protocol family 10
Feb 8 16:53:34 ldap kernel: [ 159.220083] lo: Disabled Privacy Extensions
kmarsh about 14 years
It looks like something is connecting, but not communicating the Distinguished Name properly. It could be a misconfigured client or another process entirely trying to talk to that port.
Admin about 14 years
SSL is the only one I know how to do; I could not find documentation on how to do TLS yet.
ptman about 14 years
TLS and SSL are the same thing. Always-on SSL/TLS differs from StartTLS, however.
ptman almost 14 years
GnuTLS and OpenSSL are SSL/TLS libraries. OpenLDAP can be compiled against either of them. GnuTLS just doesn't support all OpenSSL options. But SSL connections work just fine using GnuTLS; I use it.