
Re: connection problem with ldapmodify -Y EXTERNAL -H ldapi:///



On 03/10/11 21:43 +0200, Andreas Rudat wrote:
On 03.10.2011 20:51, Dan White wrote:
On 03/10/11 19:41 +0200, Andreas Rudat wrote:
tls_cert
tls_key

My mail client may have corrupted this part of your configuration. You'll
of course need valid entries here.

These options are defaults in my conf, with some comments, after installing the slapd package.

You'll need to create a (client) certificate and populate those two values,
or otherwise find a way to specify them while performing your ldapsearch
command.

I don't see how you will be able to obtain SASL EXTERNAL over STARTTLS
otherwise.

And again, you'll need to properly configure
TLSVerifyClient/olcTLSVerifyClient in your OpenLDAP server config.

So I added this to cn=config:

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem

I think that's what you meant?

... and olcTLSVerifyClient.

When properly configured, your list of supportedSASLMechanisms should
include 'EXTERNAL'.

For reference, see the manpages for ldap.conf and slapd-config (or
slapd.conf), and see the OpenLDAP Administrator's Guide.

I'd recommend depending a lot less on the howto you are reading, and a lot
more on the above documentation.

--
Dan White
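As an added example (not from the thread, and not a configuration either Dan White or Andreas Rudat posted), the script below puts the pieces Dan lists into one place: a cn=config LDIF with the three TLS files plus olcTLSVerifyClient, a per-user ldaprc carrying TLS_CERT/TLS_KEY (ldap.conf(5) marks those two as user-only options, so they do nothing in the system-wide ldap.conf), and the two checks Dan suggests: read supportedSASLMechanisms from the rootDSE over STARTTLS, then bind with ldapwhoami -Y EXTERNAL. The host name ldap01.example.com, the client certificate paths, the /tmp file names and the function names are assumptions. One caveat on the subject line: over ldapi:/// SASL EXTERNAL takes its identity from the Unix socket peer uid/gid, not from a TLS certificate, so the certificate work only matters for ldap:// with STARTTLS (or ldaps://); the ldapi:/// bind is what lets root apply the LDIF in the first place.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. Assumed names:
# ldap01.example.com, /home/andreas/client_{cert,key}.pem, /tmp/*.
set -eu

# Server side: one modify LDIF for cn=config. "replace" rather than "add"
# so re-running does not fail with "attribute exists" once values are set.
write_server_ldif() {
    cat > "$1" <<'EOF'
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem
-
replace: olcTLSVerifyClient
olcTLSVerifyClient: demand
EOF
}

# Client side: ~/.ldaprc. TLS_CERT and TLS_KEY are user-only options and are
# ignored in the system ldap.conf (ldap.conf(5)); they can also be passed as
# the LDAPTLS_CERT / LDAPTLS_KEY environment variables.
write_client_ldaprc() {
    cat > "$1" <<'EOF'
URI ldap://ldap01.example.com
TLS_CACERT /etc/ssl/certs/cacert.pem
TLS_CERT /home/andreas/client_cert.pem
TLS_KEY /home/andreas/client_key.pem
TLS_REQCERT demand
EOF
}

# Given a saved rootDSE dump (output of ldapsearch -b '' -s base
# supportedSASLMechanisms), return 0 if EXTERNAL is offered, 1 otherwise.
has_external() {
    grep -qx 'supportedSASLMechanisms: EXTERNAL' "$1"
}

# Live procedure; needs a running slapd and root on the server.
verify_live() {
    write_server_ldif /tmp/tls.ldif
    # Over ldapi:/// EXTERNAL needs no certificate: slapd reads the peer
    # uid/gid from the socket (root maps to
    # gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth).
    ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/tls.ldif

    write_client_ldaprc "$HOME/.ldaprc"
    # -ZZ: require STARTTLS. slapd advertises EXTERNAL only on a connection
    # that already carries a verified identity (a verified client cert here).
    ldapsearch -x -ZZ -H ldap://ldap01.example.com -b '' -s base \
        supportedSASLMechanisms > /tmp/rootdse.txt
    has_external /tmp/rootdse.txt || { echo "EXTERNAL not offered" >&2; exit 1; }

    # Bind with the certificate; prints the DN slapd derived from its subject.
    ldapwhoami -ZZ -Y EXTERNAL -H ldap://ldap01.example.com
}

if [ "${1:-}" = run ]; then
    verify_live
fi
```

With olcTLSVerifyClient set to demand, every STARTTLS session must present a certificate signed by the CA in olcTLSCACertificateFile; try and allow accept a valid certificate but also let sessions without one proceed, and never (the default) disables client-certificate authentication entirely, which is why EXTERNAL stays absent from supportedSASLMechanisms until it is changed. Run as `sh script.sh run`; sourcing the file without the argument only defines the functions.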