Re: Reg OpenLdap on Ubuntu

[Asimananda Mohanty <asimananda.mohanty@gmail.com>]

Hi All,

Finally, I am able to solve the issue.

I just replaced the IP address used in AuthLDAPUrl in httpd.conf of apache with the hostname that has been used during creating the certificate (CN) and that worked for me.

Thank you very much for all the support.

Regards

Asimananda

On Tue, Sep 22, 2009 at 10:49 AM, Asimananda Mohanty <asimananda.mohanty@gmail.com> wrote:

Hi,

I did run some openssl commands and here is what I saw.

# openssl s_client -connect <ldap server ip>:636

verify error:num=20:unable to get local issuer certificate

verify return:1

verify error:num=21:unable to verify the first certificate

verify return:1

No client certificate CA names sent

---

SSL handshake has read 1162 bytes and written 450 bytes

---

Verify return code: 21 (unable to verify the first certificate)

The same thing I got when I ran the command on local ldap server too.

Are the certificates not OK? If this is so, how am I able to run ldapsearch with "-ZZ" option.

Regards

Asimananda

On Tue, Sep 22, 2009 at 10:15 AM, Asimananda Mohanty <asimananda.mohanty@gmail.com> wrote:

Hi,

Regarding the apache issue, as I expected, fingers raised towards the certificate file even if I have clarified that the same certificate works fine with the local client (installed along with the server).

Is there any way so as to prove that certificate file is Ok?

Regards

Asimananda

On Mon, Sep 21, 2009 at 3:53 PM, Asimananda Mohanty <asimananda.mohanty@gmail.com> wrote:

I think I am supposed to provide the bind DN with "-D" option i.e. cn=admin,dc=ldap-company,dc=com.

With this value, it works fine.

Sorry for the mistake.

Reg Apache issue, I will post it here once it is solved.

Regards

Asimananda

On Mon, Sep 21, 2009 at 3:42 PM, Asimananda Mohanty <asimananda.mohanty@gmail.com> wrote:

Hi Dieter,

I will try to look it from a different angle. Once I am able to solve it, I will post it here.

I have one more query.

On my server, I am able to get the result by :

# ldapsearch -d8 -H ldaps://ldap-company.com -b dc=ldap-company,dc=com uid=asimananda

SASL/DIGEST-MD5 authentication started

Please enter your password:

<Result>

But the following query doesn't show any result and throws error.

# ldapsearch -d8 -H ldaps://ldap-company.com -D dc=ldap-company,dc=com uid=asimananda -W

Enter LDAP Password:

ldap_bind: Invalid credentials (49)

#

Does this mean that I have still some configuration to do?

Please comment.

Regards

Asimananda

On Mon, Sep 21, 2009 at 10:54 AM, Dieter Kluenter <dieter@dkluenter.de> wrote:

Asimananda Mohanty <asimananda.mohanty@gmail.com> writes:

> Hi Dieter,
>

> Thanks for the reply.
>
> My Apache is built with openldap lib only.
>
> I am able to connect to ubuntu host my my solaris client on ports 389 and 636.
>
> Then I guess, apache is not able to verify the certificates presented. In that case, please let me know how do I debug
> slapd to watch apache connection.

As I mentioned many times, this topip is neither OpenLDAP nor Ubuntu
related, it is just a question of how to properly set up Apache on Sun
Solaris 10.
Did you configure mod_auth_ldap and mod_ldap to use TLS?
There are two sources of information, Sun Bigadmin and Apache
documentation. Lot of documentation is referring to *.der or cert7.db
files, note that OpenLDAP only handles *.pem files. For mor
information on this topic read openssl documentation.

http://httpd.apache.org/docs/2.0/mod/mod_ldap.html
http://www.sun.com/bigadmin/home/index.jsp

-Dieter

--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°37'09,95"N
10°08'02,42"E