
RE: How enforce TLS connection to openldap server only?



Peter:

Thanks for the confirmation!
I only used olcSecurity, not olcAccess to enforce the TLS connection.
Man, I wish there were more detailed, updated and user-friendly information
about OpenLDAP on the web.
I guess that's why people are turning to Active Directory: it is
much easier to use.

Yan



-----Original Message-----
From: Peter Gietz [mailto:peter.gietz@daasi.de]
Sent: Thursday, September 20, 2012 11:47 AM
To: Yan Gong
Cc: 'Josh Miller'; openldap-technical@openldap.org
Subject: Re: How enforce TLS connection to openldap server only?

On 20.09.2012 17:01, Yan Gong wrote:
> Josh:
>
> Thanks for the info!
>
> Did some more tests. Does this mean the olcSecurity setting for TLS
> works now?
>
> If I try to connect to the ldap server without TLS, over an unencrypted
> connection, I get the following error:
>
> root@ldap02:/etc/ldap# ldapsearch -x -D "cn=admin,dc=example,dc=com" -W
> Enter LDAP Password:
> ldap_bind: Confidentiality required (13)
>          additional info: TLS confidentiality required

Following this thread, it seems to me that this is exactly what you
wanted.

Cheers,

Peter


>
> If I use the CA certificate and TLS connection, I can successfully
> connect with LDAP server:
>
> root@ldap02:/etc/ldap# ldapsearch -Z -D "cn=admin,dc=example,dc=com" -W
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=example,dc=com> (default) with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # example.com
> dn: dc=example,dc=com
> objectClass: top
> objectClass: dcObject
> objectClass: organization
> o: Example Organization
> dc: Example
> description:: TERBUCBFeGFtcGxlIA==
>
> # admin, example.com
> dn: cn=admin,dc=example,dc=com
> objectClass: simpleSecurityObject
> objectClass: organizationalRole
> cn: admin
> description: LDAP administrator
> userPassword:: c2VjcmV0
>
> # people, example.com
> dn: ou=people,dc=example,dc=com
> objectClass: organizationalUnit
> ou: people
>
> # groups, example.com
> dn: ou=groups,dc=example,dc=com
> objectClass: organizationalUnit
> ou: groups
>
> # john, people, example.com
> dn: uid=john,ou=people,dc=example,dc=com
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> uid: john
> sn: Doe
> givenName: John
> cn: John Doe
> displayName: John Doe
> uidNumber: 1000
> gidNumber: 10000
> userPassword:: cGFzc3dvcmQ=
> gecos: John Doe
> loginShell: /bin/bash
> homeDirectory: /home/john
> shadowExpire: -1
> shadowFlag: 0
> shadowWarning: 7
> shadowMin: 8
> shadowMax: 999999
> shadowLastChange: 10877
> mail: john.doe@example.com
> postalCode: 31000
> l: Toulouse
> o: Example
> mobile: +33 (0)6 xx xx xx xx
> homePhone: +33 (0)5 xx xx xx xx
> title: System Administrator
> postalAddress:
> initials: JD
>
> # example, groups, example.com
> dn: cn=example,ou=groups,dc=example,dc=com
> objectClass: posixGroup
> cn: example
> gidNumber: 10000
>
> # search result
> search: 3
> result: 0 Success
>
> # numResponses: 7
> # numEntries: 6
> root@ldap02:/etc/ldap#
>
> Thanks a lot!
>
> Yan
>
>
>
> -----Original Message-----
> From: openldap-technical-bounces@OpenLDAP.org
> [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Yan Gong
> Sent: Thursday, September 20, 2012 8:06 AM
> To: 'Howard Chu'; 'Quanah Gibson-Mount'
> Cc: openldap-technical@openldap.org
> Subject: RE: How enforce TLS connection to openldap server only?
>
> Nope, olcSecurity didn't help. Still have the problem. I restarted slapd.
> Please see below:
>
> dn: olcDatabase={1}hdb
> objectClass: olcDatabaseConfig
> objectClass: olcHdbConfig
> olcDatabase: {1}hdb
> olcDbDirectory: /var/lib/ldap
> olcSuffix: dc=example,dc=com
> olcSecurity: simple_bind=128
> olcSecurity: ssf=128
> olcSecurity: tls=1
> olcAccess: {0}to attrs=userPassword by tls_ssf=128 ssf=128
>   dn="cn=admin,dc=example,dc=com" write by tls_ssf=128 ssf=128
>   anonymous auth by tls_ssf=128 ssf=128 self write by * none
> olcAccess: {1}to attrs=shadowLastChange by tls_ssf=128 ssf=128 self
>   write by tls_ssf=128 ssf=128 * read
> olcAccess: {2}to dn.base="" by tls_ssf=128 ssf=128 * read
> olcAccess: {3}to * by tls_ssf=128 ssf=128 dn="cn=admin,dc=example,dc=com"
>   write by tls_ssf=128 ssf=128 * read
> olcLastMod: TRUE
> olcRootDN: cn=admin,dc=example,dc=com
> olcRootPW:: c2VjcmV0
> olcDbCheckpoint: 512 30
> olcDbConfig: {0}set_cachesize 0 2097152 0
> olcDbConfig: {1}set_lk_max_objects 1500
> olcDbConfig: {2}set_lk_max_locks 1500
> olcDbConfig: {3}set_lk_max_lockers 1500
> olcDbIndex: objectClass eq
> olcDbIndex: uidNumber eq
> olcDbIndex: uid eq,pres,sub
> structuralObjectClass: olcHdbConfig
> entryUUID: a1f57758-96d0-1031-93fd-1108a4f5996c
> creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> createTimestamp: 20120919180734Z
> entryCSN: 20120919181117.233986Z#000000#000#000000
> modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> modifyTimestamp: 20120919181117Z
>
> Thanks a lot!
>
> Yan
>
>
> -----Original Message-----
> From: Howard Chu [mailto:hyc@symas.com]
> Sent: Thursday, September 20, 2012 7:50 AM
> To: Quanah Gibson-Mount
> Cc: Yan Gong; openldap-technical@openldap.org
> Subject: Re: How enforce TLS connection to openldap server only?
>
> Quanah Gibson-Mount wrote:
>>> Should I use olcAccess or olcSecurity? or both? I couldn't find any
>>> detailed steps/documentation
>> olcSecurity would enforce encryption for any and all connections.
>> Note that you have to restart slapd for it to take effect.
> Eh, no. olcSecurity changes take effect immediately. No restart needed.
>
> --
>    -- Howard Chu
>    CTO, Symas Corp.           http://www.symas.com
>    Director, Highland Sun     http://highlandsun.com/hyc/
>    Chief Architect, OpenLDAP  http://www.openldap.org/project/
>
>
> Thanks a lot!
>
> Yan Gong
> System Administrator
> 770-792-8590 ext. 1248
>
>
>
> -----Original Message-----
> From: Josh Miller [mailto:joshua@itsecureadmin.com]
> Sent: Thursday, September 20, 2012 10:58 AM
> To: Yan Gong
> Cc: openldap-technical@openldap.org
> Subject: Re: How enforce TLS connection to openldap server only?
>
> On Sep 20, 2012, at 5:05 AM, Yan Gong wrote:
>
>> Nope, olcSecurity didn't help. Still have the problem. I restarted
>> slapd.
>> Please see below:
>>
>> dn: olcDatabase={1}hdb
>> objectClass: olcDatabaseConfig
>> objectClass: olcHdbConfig
>> olcDatabase: {1}hdb
>> olcDbDirectory: /var/lib/ldap
>> olcSuffix: dc=example,dc=com
>> olcSecurity: simple_bind=128
>> olcSecurity: ssf=128
>> olcSecurity: tls=1
>
> I believe you're looking for:
>
> olcSecurity: minssf=128
>
> HTH,
> Josh
>
>
>


--
_______________________________________________________________________

Peter Gietz (CEO)
DAASI International GmbH                   phone: +49 7071 407109-0
Europaplatz 3                              Fax:   +49 7071 407109-9
D-72072 Tübingen                           mail:  peter.gietz@daasi.de
Germany                                    Web:   www.daasi.de

DAASI International GmbH, Tübingen
Managing Director Peter Gietz, registered at Amtsgericht Stuttgart, HRB 382175
_______________________________________________________________________
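A small model of how the olcSecurity factors discussed in this thread gate a connection, added here as an illustration and not part of the thread or of OpenLDAP itself. The LDIF fragment is constructed after the database entry Yan posted, and the factor semantics follow the slapd.conf(5) description of ssf=, tls= and simple_bind= (a simplification of what slapd actually does); the two scenarios at the bottom replay the ldapsearch calls with and without -Z.

```python
# Constructed cn=config fragment modelled on the database entry posted in the
# thread; only the lines relevant to the security check are kept.
CONFIG_LDIF = """\
dn: olcDatabase={1}hdb
olcSuffix: dc=example,dc=com
olcSecurity: simple_bind=128
olcSecurity: ssf=128
olcSecurity: tls=1
"""

CONFIDENTIALITY_REQUIRED = 13  # LDAP resultCode confidentialityRequired


def parse_security(ldif: str) -> dict:
    """Collect factor=value pairs from every olcSecurity attribute.
    LDIF folds long values onto lines starting with one space; unfold first."""
    factors = {}
    for line in ldif.replace("\n ", "").splitlines():
        if line.startswith("olcSecurity:"):
            for token in line.split(":", 1)[1].split():
                name, value = token.split("=", 1)
                factors[name] = int(value)
    return factors


def check_operation(factors: dict, ssf: int, tls_ssf: int,
                    simple_bind: bool = False) -> tuple:
    """Simplified model of the slapd.conf(5) 'security' factors: ssf= is the
    minimum overall SSF, tls= the minimum TLS SSF and simple_bind= the minimum
    SSF at which a simple (password) bind is accepted. A cleartext ldap://
    connection has SSF 0; TLS with an AES-128 cipher suite gives SSF 128."""
    reasons = []
    if ssf < factors.get("ssf", 0):
        reasons.append(f"confidentiality required (ssf {ssf} < {factors['ssf']})")
    if tls_ssf < factors.get("tls", 0):
        reasons.append("TLS confidentiality required")
    if simple_bind and ssf < factors.get("simple_bind", 0):
        reasons.append("confidentiality required for simple bind")
    if reasons:
        return CONFIDENTIALITY_REQUIRED, "; ".join(reasons)
    return 0, "Success"


if __name__ == "__main__":
    f = parse_security(CONFIG_LDIF)
    # ldapsearch -x, no -Z: cleartext simple bind -> (13, ...) as in the thread
    print(check_operation(f, ssf=0, tls_ssf=0, simple_bind=True))
    # ldapsearch -Z with AES-128 -> (0, 'Success')
    print(check_operation(f, ssf=128, tls_ssf=128, simple_bind=True))
```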