
RE: SSL connection to LDAP server



>Richard,
>
>I don't have the answer to your question, but I'm wondering
>if I could impose on you for some help. 

I did get my answer and have attached the note.

> I'm very interested in
>how you have setup your Linux/Novell setup, and what you're now
>capable of achieving - i.e. can you now authenticate users
>to the linux box from the novell nds?

No, not yet. This is something that I want to play around with. LDAP is not really meant for authentication, as the name suggests (Lightweight Directory Access Protocol).

> Can you authenticate them
>when they pop/imap to the linux box, off the novell server?

No. What you could do is use the NDS directory as a store for your information and then copy it onto your Unix machine at regular intervals by querying the NDS. The only problem is passwords. You are probably better off using Radius for this task. There is a Radius gateway into NDS that we use to authenticate dial-up users directly into the NDS.

>Can you now use your novell server's nds as your central Directory?

Yes. This is my ultimate goal. At the end of the day I want to be able to bring all my "directories" (OS/390, Radius, Oracle, Unix NIS etc) into the NDS.

>I'm also interested in how exactly you set this up, if you wouldn't
>mind spending a little time to describe it?

I have a large network with around 600 sites scattered around South Africa (yes, we also have networks here :-). We have around 25000 users registered in the NDS and I am not sure about the number of attributes. Novell NDS sits on top of this network and all users authenticate directly to the NDS. In my network core I have a NDS to LDAP gateway which I use to query information from the NDS into a database on UNIX. I also gather information about all our users from our HR systems running on OS/390. Using my databases, I correlate the information in the NDS with the info from our HR systems. This allows me to check if users have resigned, moved etc. Using this information, I can create LDIF information that I can write back into the NDS using LDAP. As security is a major concern, I did not want to do this in cleartext, thus the SSL implementation that I needed - the Novell LDAP server supports ssl connections.

Currently I am using the following tools to do the job:

MySql as my database: http://www.mysql.org 
University of Michigan LDAP clients. I do not need the full OpenLDAP implementation as Novell acts as the server. The tools needed are ldapsearch and ldapmodify: http://www.umich.edu/~dirsvcs/ldap/ 
SSL tools to allow secure connections to the LDAP gateway for updates. Use v0.9.3a as v0.9.4 does not compile with stunnel: http://www.openssl.org/ 
Stunnel to establish a ssl tunnel to the Novell LDAP gateway: http://mike.daewoo.com.pl/computer/stunnel/stunnel.html 

All this is running on Linux Redhat 6.0 with kernel 2.2.11 plus a memory leak patch. Very stable!


--
Richard Ellerbrock
richarde@eskom.co.za
--- Begin Message ---
On the client side run stunnel as

/usr/local/sbin/stunnel -c -d 389 -r your.ldap.server:636

This will make your side listen on port 389 (ldap) and create a
secure connection to your.ldap.server on ldaps (636).

On the server side you should run a 636->389 SSL proxy, maybe
bjorb, stunnel, sslwrap, etc.

When using an LDAP client on your side, always use localhost as
the server for SSL connections.

Pedro

|o|... Mon, Sep 06, 1999 at 07:06:01PM +0200, Richard Ellerbrock ...|o| wrote:
> I have been very successful connecting from my UNIX box (RedHat 6.0) using LDAP to a Novell NDS. This works well for anonymous reads from the NDS via LDAP. I now want to be able to make updates to the NDS, but want to do this via SSL using the ldapmodify utility. I have compiled OpenSSL and also stunnel and sslwrap to allow me to tunnel LDAP through SSL. Many people on the list (looking at the archives) have said that this should be possible, but I cannot get it to work. Has anybody ever done this and if so, could I have an example using either sslwrap or stunnel?
> 
> Both utils appear to connect to the server (looking at the Novell console), but something goes wrong later.
> 
> 
> 
> 
> --
> Richard Ellerbrock
> richarde@eskom.co.za
> 
> 

-- 
.sig: license expired, contact your vendor

--- End Message ---
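Richard's reconciliation step (pull the NDS user entries out via ldapsearch, correlate them with the HR data, and write LDIF back through ldapmodify over the stunnel) and Pedro's localhost-only client setup, put together as an added Python example. This is not code from either author or from the tools named in the thread. The attribute names (uid, departmentNumber, title), the o=Example tree and the HR records are constructed for illustration; the NDS export below is a small hand-written LDIF in the shape ldapsearch produces, including a folded continuation line and a base64 (::) value, both of which a home-grown parser has to handle. Users missing from HR are reported for review rather than deleted, since an automatic delete would also take out service accounts.

```python
"""Reconcile an LDIF export of NDS users with HR data and emit LDIF changes.

Added example, not from the original thread. Attribute names, the o=Example
tree and all sample records are constructed. The output is meant for
ldapmodify pointed at localhost, where a client-side stunnel forwards it
over SSL to the Novell LDAP server (see Pedro's note).
"""
import base64

# Constructed NDS export in ldapsearch's LDIF shape: a comment line, a folded
# continuation line (leading space) and a base64 value (double colon).
NDS_EXPORT = """\
# constructed sample export
dn: cn=jsmith,ou=Users,o=Example
uid: jsmith
departmentNumber: 1200
title: Engineer

dn: cn=pdube,ou=Users,o=Example
uid: pdube
departmentNumber:: MTMwMA==
title: Cl
 erk

dn: cn=service-backup,ou=Users,o=Example
uid: svc-backup
title: Backup account
"""

# Constructed HR extract (in Richard's setup this comes from the OS/390 side).
HR_RECORDS = [
    {"uid": "jsmith", "status": "active", "department": "1200",
     "title": "Senior Engineer"},
    {"uid": "pdube", "status": "resigned", "department": "1300",
     "title": "Clerk"},
]

# NDS attribute -> key in the HR record; these are the fields we keep in sync.
SYNCED_ATTRS = (("departmentNumber", "department"), ("title", "title"))


def parse_ldif(text):
    """Parse LDIF into {dn: {attr: [values]}}; unfolds lines, decodes ::."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines + [""]:             # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if line == "":
            if current is not None:
                entries[current["dn"]] = current["attrs"]
            current = None
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):          # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if name == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is not None:         # ignore e.g. "version: 1" before a dn
            current["attrs"].setdefault(name, []).append(value)
    return entries


def ldif_line(attr, value):
    """Render one attribute line, base64-encoding values that are not LDIF-safe
    (leading space/colon/'<', non-ASCII, control characters, trailing space)."""
    unsafe_first = value[:1] in (" ", ":", "<")
    unsafe_char = any(ord(c) > 127 or c in "\0\r\n" for c in value)
    if unsafe_first or unsafe_char or value != value.rstrip(" "):
        enc = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{attr}:: {enc}"
    return f"{attr}: {value}"


def reconcile(nds_entries, hr_records):
    """Return (changes, unmatched): LDIF change records for users whose HR data
    says resigned or differs, plus uids with no HR record (left for review)."""
    hr_by_uid = {r["uid"]: r for r in hr_records}
    changes, unmatched = [], []
    for dn, attrs in sorted(nds_entries.items()):
        uid = attrs.get("uid", [None])[0]
        if uid is None:
            continue                      # not a user entry we manage
        hr = hr_by_uid.get(uid)
        if hr is None:
            unmatched.append(uid)         # never auto-delete: could be a service account
            continue
        if hr["status"] == "resigned":
            changes.append({"dn": dn, "changetype": "delete"})
            continue
        mods = [("replace", attr, hr[key]) for attr, key in SYNCED_ATTRS
                if attrs.get(attr, [None])[0] != hr[key]]
        if mods:
            changes.append({"dn": dn, "changetype": "modify", "mods": mods})
    return changes, unmatched


def to_ldif(changes):
    """Serialise change records in the changetype form ldapmodify consumes."""
    out = []
    for ch in changes:
        out.append(ldif_line("dn", ch["dn"]))
        out.append(f"changetype: {ch['changetype']}")
        for op, attr, value in ch.get("mods", []):
            out.extend([f"{op}: {attr}", ldif_line(attr, value), "-"])
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    changes, unmatched = reconcile(parse_ldif(NDS_EXPORT), HR_RECORDS)
    print(to_ldif(changes))
    print("# needs review (no HR record):", ", ".join(unmatched))
```

The resulting file is what you would hand to ldapmodify with the bind DN and file options, pointed at localhost port 389 so that the client-side stunnel from Pedro's note carries it to port 636 on the Novell server. Two points worth checking in that arrangement: the loopback leg between ldapmodify and stunnel is plaintext, so the bind password is visible to anything else on that machine that can sniff or connect to localhost:389, and an stunnel client started as in the note is not told to verify the server's certificate, so confirm the verification setting before trusting the tunnel for writes.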