ldap tunneling question

hello,
i have two machines, blammo and odin.  odin is a solaris 8 box running
openldap 1.2.10.  i also have openssl 0.9.5a and stunnel 3.8 installed
on odin.  blammo is a redhat 6.1 box with openldap 1.2.10, openssl 0.9.5a
and stunnel 3.8 installed.

slapd listens on port 389 on odin.  in addition, ldaps requests sent
to port 636 on odin get forwarded via stunnel to localhost:389.  this
works fine, as i'm able to use ldapsearch (and the other openldap
tools) hitting against localhost:389 and things like web2ldap to hit
against odin:636.

now, what i would like to do is have blammo authenticate via ldap,
using odin as its ldap server.  as i don't want the ldap information
sent across the wire in the clear, i thought i would forward ldap
requests sent to blammo:389 via stunnel to odin.

so, on odin, stunnel is already up and running, listening on port 636
so that it can then be forwarded to localhost(odin):389.  then, on
blammo, i tried:

blammo#  stunnel -p .... -d localhost:ldap -c -r odin:ldaps -D 7 -f
LOG7[18894:1024]: Service name to be used: odin.ldaps
LOG7[18894:1024]: Certificate: /usr/local/ssl/certs/blammo.pem
LOG5[18894:1024]: stunnel 3.8 on i686-pc-linux-gnu PTHREAD+LIBWRAP
LOG7[18894:1024]: odin.ldaps bound to 127.0.0.1:389
blammo# ldapsearch -b "dc=bsd,dc=uchicago,dc=edu" -D
"cn=Manager,dc=bsd,dc=uchicago,dc=edu" -W '(uid=blair)'
Enter LDAP Password:
ldapsearch gives me "ldap_bind: Can't contact LDAP server"
stunnel then reports:

LOG7[18914:1026]: odin.ldaps started
LOG5[18914:1026]: odin.ldaps connected from 127.0.0.1:1811
LOG7[18914:1026]: odin.ldaps connecting 128.135.75.60:636
LOG7[18914:1026]: Remote host connected
LOG7[18914:1026]: before/connect initialization
LOG7[18914:1026]: before/connect initialization
LOG7[18914:1026]: SSLv3 write client hello A
LOG7[18914:1026]: SSLv3 read server hello A
LOG7[18914:1026]: SSLv3 read server certificate A
LOG7[18914:1026]: SSLv3 read server done A
LOG7[18914:1026]: SSLv3 write client key exchange A
LOG7[18914:1026]: SSLv3 write change cipher spec A
LOG7[18914:1026]: SSLv3 write finished A
LOG7[18914:1026]: SSLv3 flush data
LOG7[18914:1026]: SSLv3 read finished A
LOG7[18914:1026]: SSL negotiation finished successfully
LOG7[18914:1026]:    1 items in the session cache
LOG7[18914:1026]:    1 client connects (SSL_connect())
LOG7[18914:1026]:    1 client connects that finished
LOG7[18914:1026]:    0 client renegotiatations requested
LOG7[18914:1026]:    0 server connects (SSL_accept())
LOG7[18914:1026]:    0 server connects that finished
LOG7[18914:1026]:    0 server renegotiatiations requested
LOG7[18914:1026]:    0 session cache hits
LOG7[18914:1026]:    0 session cache misses
LOG7[18914:1026]:    0 session cache timeouts
LOG7[18914:1026]: SSL negotiation finished successfully

and the slapd log on odin reports:

Jun  2 15:13:36 odin slapd[582]: [ID 845145 local4.debug] conn=0 fd=5
connection from localhost (127.0.0.1) accepted.
Jun  2 15:13:36 odin slapd[582]: [ID 916583 local4.debug] conn=0 op=-1
fd=5 closed errno=0
i posed this question on the stunnel list already, and it appears as
though i am using stunnel correctly.  assuming stunnel is configured
correctly, should this work?  or am i going about something wrong with
regard to ldap?

thanks,
blair christensen
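The symptom above (TLS handshake completes, slapd accepts the forwarded connection and then logs `op=-1 ... closed` without ever reading an operation, and the client sees "Can't contact LDAP server") is hard to localise with ldapsearch alone, because the client library only reports that no usable answer came back. The probe below is an added example, not code from the original post or from OpenLDAP or stunnel: it builds a raw LDAP simple-bind request in BER, sends it to the local stunnel endpoint, and classifies the outcome as TCP refused, no answer within the timeout, socket closed by the peer before any bind result, or an actual bind result with its result code. The hostnames, ports, function names and the sample response bytes are all constructed for this example. The default protocol version is 2 because OpenLDAP 1.2.x, the release in the post, speaks LDAPv2; pass `version=3` against a v3 server.

```python
"""Raw LDAP simple-bind probe for checking a stunnel-forwarded LDAP port.

Added example (not from the original post). It speaks LDAP BER directly
over TCP so that 'refused', 'closed-before-response' (what slapd's
'op=-1 ... closed' line corresponds to on the server side) and an actual
bind result can be told apart without an LDAP client library.
Hostnames, ports and sample bytes below are constructed for this example.
"""
import socket


def _ber_len(n):
    """Encode a definite BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    """One BER tag-length-value element."""
    return bytes([tag]) + _ber_len(len(value)) + value


def build_bind_request(msgid=1, dn="", password="", version=2):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version, name, simple [0] } }.
    Empty dn and password give an anonymous bind. version=2 matches OpenLDAP 1.2.x."""
    bind = (_tlv(0x02, bytes([version]))       # version INTEGER
            + _tlv(0x04, dn.encode())          # name LDAPDN (OCTET STRING)
            + _tlv(0x80, password.encode()))   # authentication: simple [0]
    return _tlv(0x30, _tlv(0x02, bytes([msgid])) + _tlv(0x60, bind))


def _read_tlv(data, pos):
    """Decode one TLV starting at pos; return (tag, value, position after it)."""
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first & 0x80:                            # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, data[pos:pos + length], pos + length


def frame_complete(buf):
    """True once buf holds a whole outer LDAPMessage TLV (so parsing is safe)."""
    if len(buf) < 2:
        return False
    first = buf[1]
    if first & 0x80:
        nbytes = first & 0x7F
        if len(buf) < 2 + nbytes:
            return False
        return len(buf) >= 2 + nbytes + int.from_bytes(buf[2:2 + nbytes], "big")
    return len(buf) >= 2 + first


def parse_bind_response(data):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse message."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage (tag 0x%02x)" % tag)
    _, msgid_b, pos = _read_tlv(msg, 0)
    op_tag, op, _ = _read_tlv(msg, pos)
    if op_tag != 0x61:                          # BindResponse is [APPLICATION 1]
        raise ValueError("protocolOp is not a BindResponse (tag 0x%02x)" % op_tag)
    _, code_b, pos = _read_tlv(op, 0)           # resultCode ENUMERATED
    _, _matched, pos = _read_tlv(op, pos)       # matchedDN (ignored here)
    _, diag, _ = _read_tlv(op, pos)             # diagnosticMessage
    return (int.from_bytes(msgid_b, "big"), int.from_bytes(code_b, "big"),
            diag.decode(errors="replace"))


def probe_bind(host="127.0.0.1", port=389, dn="", password="", version=2, timeout=5.0):
    """Send one bind through the tunnel endpoint and classify the outcome.
    Returns 'refused', 'timeout', 'closed-before-response', or
    ('bind-result', resultCode, diagnosticMessage)."""
    buf = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_bind_request(1, dn, password, version))
            while not frame_complete(buf):
                part = s.recv(4096)
                if not part:                    # peer closed without answering
                    return "closed-before-response"
                buf += part
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    _, code, diag = parse_bind_response(buf)
    return ("bind-result", code, diag)


if __name__ == "__main__":
    # On blammo this would be run against the local stunnel listener.
    print(probe_bind("127.0.0.1", 389))
```

Run it on the client side against the stunnel listener and then directly on the server against slapd's plain port: if the direct run returns a bind result while the tunnelled run returns `closed-before-response`, the forwarding path is where the connection is being dropped; `refused` or `timeout` instead points at the listener or the network rather than at LDAP.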