Re: problem enabling ssl on openldap 2.2.13
Hi,
The "is not readable by "ldap"" error happens when I start ldap using
/etc/rc.d/init.d/ldap restart
These three lines are the source of the problem; if I remove them, there is
no warning message on restart.
TLSCACertificateFile server.pem
TLSCertificateFile server.pem
TLSCertificateKeyFile server.pem
I have moved this file to /etc/openldap/cacerts and changed the above
three paths accordingly.
I have also modified ldap.conf to have TLS_CACERT, which allows me to
do ldapsearch (before it was giving an SSL verify problem), now with
ldaps://localhost on the same system.
I still get this when I restart the ldap server using
/etc/rc.d/init.d/ldap restart. Notice the er.pem after ldap - is it
not picking up the path correctly, or is it a harmless warning now that
ldaps is working? I think it is harmless.
is not readable by "ldap"er.pem [WARNING]
is not readable by "ldap"er.pem [WARNING]
is not readable by "ldap"er.pem [WARNING]
Checking configuration files for slapd: [ OK ]
Starting slapd: [ OK ]
------------------------------------------------
Problem on windows:
#include <windows.h>
#include <winldap.h>   // wldap32 API used below
#include <stdio.h>

LDAP *pLdapConnection;
PCHAR pHost;                           // host name of the slapd server
ULONG iRtn, version = LDAP_VERSION3;   // declarations implied by the snippet
pLdapConnection = ldap_sslinit(pHost, LDAP_SSL_PORT, 1); // fine - connecting to 636
iRtn = ldap_set_option(pLdapConnection,
LDAP_OPT_PROTOCOL_VERSION,
(void*)&version); //fine
long option;
printf("Checking if SSL is enabled\n");
iRtn = ldap_get_option(pLdapConnection, LDAP_OPT_SSL, (void*)&option);
Here I get 0 returned in option, meaning SSL is disabled.
Also, if I connect afterwards, I get 0x51 (Cannot contact the LDAP server).
connectSuccess = ldap_connect(pLdapConnection, NULL);
How can I use SSL-based OpenLDAP authentication on a Windows client? Do
I have to move the self-signed server.pem to Windows? I tried to add
it to the certificate store by renaming server.pem to server.cer.
Regards,
rui
> On Wed, Jan 5, 2011 at 8:12 AM, Dieter Kluenter <dieter@dkluenter.de> wrote:
>> Am Tue, 4 Jan 2011 16:52:06 +0000
>> schrieb rui <guideveloper@gmail.com>:
>>
>>> Hi
>>>
>>> I am trying to enable tls based session with openldap from a client. I
>>> created a self signed certificate based on command from
>>> http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.1
>>> My server.pem file is in /etc/openldap directory where slapd.conf is
>>> located.
>>
>> This document is not recommended
>>>
>>> Here are further settings in my slapd.conf
>>> TLSCACertificateFile server.pem
>>> TLSCertificateFile server.pem
>>> TLSCertificateKeyFile server.pem
>>>
>>> TLSVerifyClient never
>>>
>>>
>>> When I restart the ldap, it gives me the following warnings.
>>> is not readable by "ldap" [WARNING]
>>> is not readable by "ldap" [WARNING]
>>> is not readable by "ldap" [WARNING]
>>> Checking configuration files for slapd: [ OK ]
>>> Starting slapd: [ OK ]
>>
>> These are not slapd warnings; what is the source of this result report?
>>
>>>
>>> I have checked the ps output and it is started as:
>>> ldap 6883 1 0 16:18 ? 00:00:00 /usr/sbin/slapd -u
>>> ldap -h ldap:/// ldaps:///
>>>
>>> AND
>>> netstat -anp | grep slapd
>>> tcp 0 0 0.0.0.0:389 0.0.0.0:*
>>> LISTEN 7850/slapd
>>> tcp 0 0 0.0.0.0:636 0.0.0.0:*
>>> LISTEN 7850/slapd
>>> tcp 0 0 ip:389 ip:43165
>>> ESTABLISHED 7850/slapd
>>> tcp 0 0 :::389 :::*
>>> LISTEN 7850/slapd
>>> tcp 0 0 :::636 :::*
>>> LISTEN 7850/slapd
>>> unix 2 [ ] DGRAM 302231743 7850/slapd
>>>
>> And what is your problem? slapd is listening on ports 389 and 636
>>
>> -Dieter
>>
>> --
>> Dieter Klünter | Systemberatung
>> http://dkluenter.de
>> GPG Key ID:DA147B05
>> 53°37'09,95"N
>> 10°08'02,42"E
>>
>
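The "is not readable by "ldap"" lines come from the init script's readability check on the TLS*File directives, not from slapd. As an added example (not code from this thread or from OpenLDAP), the POSIX shell script below makes the same check but reports why each directive fails: it lists the TLS*File directives in a slapd.conf, flags relative paths (slapd opens them from its own working directory, not from /etc/openldap), tests whether the service user can read each file by its mode bits, and warns if the private key file is world-readable. It assumes the thread's RHEL layout (service user "ldap", config at /etc/openldap/slapd.conf); run it as check_tls_files /etc/openldap/slapd.conf ldap.

```shell
# Added example, not from this thread or from OpenLDAP: check the TLS file
# directives in a slapd.conf the way the init script's "is not readable by"
# test does, but say why. Uses only POSIX sh, ls, id and awk.

# Print "directive path" for each TLS*File directive in the config.
tls_files() {
    awk '$1 ~ /^TLS(CA)?Certificate(Key)?File$/ { print $1, $2 }' "$1"
}

# Exit 0 if user $2 can read file $1 under plain mode bits, evaluated the
# way the kernel does: owner bits, else group bits, else other bits.
readable_by() {
    file=$1 user=$2
    [ -f "$file" ] || return 1
    [ "$(id -u "$user" 2>/dev/null)" = 0 ] && return 0   # root reads anything
    set -- $(ls -ld "$file")
    perms=$1 owner=$3 group=$4
    [ "$owner" = "$user" ] && { case $perms in ?r*) return 0;; *) return 1;; esac; }
    for g in $(id -Gn "$user" 2>/dev/null); do
        [ "$g" = "$group" ] && { case $perms in ????r*) return 0;; *) return 1;; esac; }
    done
    case $perms in ???????r*) return 0;; *) return 1;; esac
}

# Exit 0 if everyone can read file $1 (never acceptable for the private key).
world_readable() { set -- $(ls -ld "$1"); case $1 in ???????r*) return 0;; *) return 1;; esac; }

# Check every TLS file named in slapd.conf $1 for service user $2.
# Prints one line per directive; exits 1 if any file is relative or unreadable.
check_tls_files() {
    conf=$1 user=$2 rc=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    while read -r key path; do
        [ -n "$key" ] || continue
        case $path in /*) ;; *)
            echo "$key: '$path' is relative; slapd opens it from its own working directory, use an absolute path" >&2
            rc=1; continue ;;
        esac
        if readable_by "$path" "$user"; then
            echo "$key: $path is readable by \"$user\""
        else
            echo "$key: $path is not readable by \"$user\"" >&2; rc=1
        fi
        [ "$key" = TLSCertificateKeyFile ] && world_readable "$path" &&
            echo "$key: $path is world-readable; the private key should be mode 0600" >&2
    done <<EOF
$(tls_files "$conf")
EOF
    return $rc
}
```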