Re: connection problem with ldapmodify -Y EXTERNAL -H ldapi:///

[Andreas Rudat <rudat@endstelle.de>]

Am 03.10.2011 20:51, schrieb Dan White:
> On 03/10/11 19:41 +0200, Andreas Rudat wrote:
> > Am 03.10.2011 18:04, schrieb Dan White:
> > > On 03/10/11 17:43 +0200, Andreas Rudat wrote:
> > > > so tls issn't allowed in my configuration? I added tls on ldap.conf 
> > > > and /etc/default/slapd
> > > >
> > > > Debug says:
> > > > TLS: can't connect: A TLS packet with unexpected length was received..
> > >
> > > What are the contents of your ldap.conf, and your /etc/default/slapd?
> > >
> > > What is your TLS configuration on the server? In particular, your
> > > TLSVerifyClient/olcTLSVerifyClient setting (which should be something
> > > other than the default).
> >
> > What do you mena with TLS config? of /etc/ssl?
> > I worked with this tutorial for tls
> > https://help.ubuntu.com/10.04/serverguide/C/openldap-server.html
> >
> > ldap.conf
> > ##########################################
> > #
> > host fs.foo.intern
> >
> > # The distinguished name of the search base.
> > base dc=foo,dc=intern
> >
> > # Another way to specify your LDAP server is to provide an
> > uri ldaps://127.0.0.1/
> > uri ldap://127.0.0.1/
>
> If you really want the ldap utilities to try multiple servers this
> way, you should do:
>
> uri ldaps://127.0.0.1/ ldap://127.0.0.1/
>
> but I'm guessing what you really want is:
>
> uri ldap://<fqdn>/
>
> in which case the server will attempt to authenticate your TLS client
> certificate based on its TLSVerifyClient configuration. FQDN should be 
> the
> server name (cn) corresponding to the certificate you created.
>
> > rootbinddn cn=admin,dc=foo,dc=intern
> >
> > ssl start_tls
> > ssl on
> >
> > tls_checkpeer yes
>
> Be aware these are not valid (openldap) ldap.conf config items, as
> specified in ldap.conf(5). They may be used by some other software you 
> have
> installed.
>
> > tls_cacertfile /etc/ssl/certs/ldap_cert.pem
> > tls_cacertdir /etc/ssl/certs
> >
> > tls_cert
> > tls_key
>
> My mail client may have corrupted this part of your configuration. You'll
> of course need valid entries here.
These options are defaults in my conf. With some comments, after 
installing the slapd package
> > sasl_secprops maxssf=0
> > #
> > ############################################
> >
> > default/slapd
> > ############################################
> > #
> > SLAPD_CONF=
> >
> > SLAPD_USER="openldap"
> > SLAPD_GROUP="openldap"
> >
> > SLAPD_SERVICES="ldap:/// ldaps:///"
> > #
> > ############################################
>
> ldaps:// is unnecessary (here, and in your uri statement) unless you have
> some software which requires it.
>
> And again, you'll need to properly configure
> TLSVerifyClient/olcTLSVerifyClient in your OpenLDAP server config.
So I added this to cn=config:

|*|add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem|*

I think, thats what you meant?

|

When properly configured, your list of supportedSASLMechanisms should
> include 'EXTERNAL'.
>
> For reference, see the manpages for ldap.conf and slapd-config (or
> slapd.conf), and see the OpenLDAP Administrator's Guide.