Re: openldap proxy: schema issue

Hi,

Thanks for your help.
I created my own OID in a .schema file that I include in slapd.conf and it works great!

attributetype ( 1.3.6.1.4.1.4203.2.3.159562 NAME 'sbzoneid' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )

with "159562" being a number of my choice that is not already used by OpenLDAP.



Now I'm trying to get an ldaps connection to the backend LDAP server.
I want my OpenLDAP proxy to check the backend certificate against the CA certificate that I put after TLSCACertificateFile.

The issue is that the ldaps connection works every time without checking the backend server certificate.

The configuration line with TLSCACertificateFile has no effect on the SSL connection!

I saw that TLSVerifyClient makes it possible to force the certificate check of the client connecting to my OpenLDAP proxy, but I don't see how to force the OpenLDAP proxy to check the backend server certificate.

Then, I had 2 .cer CA certificates (a root and an intermediate) that I concatenated into 1 file. Does OpenLDAP support .cer? Or should I rename it to .pem?

my slapd.conf:

TLSCACertificateFile /usr/local/etc/openldap/CAcert.cer
#TLSVerifyClient never

database ldap
suffix ou=personnes,o=sg
uri ldaps://192.168.239.210:1636

Thank you for your help.

jerrrry 

> Message of 30/11/06 at 17:52
> From: "Kurt D. Zeilenga"
> To: jerrrry@voila.fr
> Cc: openldap-software@openldap.org
> Subject: Re: openldap proxy: schema issue
>
> At 02:09 AM 11/30/2006, jerrrry@voila.fr wrote:
>
> >Hi everybody,
> >
> >I'm configuring slapd(8) 2.3.27 for use as a proxy to another LDAP server.
> >
> >Unfortunately this (non-OpenLDAP) LDAP directory uses non-standard attributes stored in a .ldif file.
> >
> >I have to use one of these non-standard attributes in the slapd.conf file for binddn:
> >
> >database ldap
> >
> >uri ldap://192.168.239.210:1389
> >
> >suffix ou=personnes,o=sg
> >
> >binddn "sbzoneid=appli_test,ou=exploit,ou=personnes,o=sb"
> >
> >bindpw secret
> >
> >
> >maybe I have to convert this file to the OpenLDAP .schema format and include it in slapd.conf.
>
> If the LDIF contains RFC 4512 conformant schema descriptions,
> that conversion is straightforward. However, it seems that
> descriptions provided in the LDIF do not conform to RFC 4512.
>
> >A big issue seems to be that this ldif file doesn't use numeric OIDs but string OIDs like:
> >
> >attributetype ( sbzoneid-oid NAME 'sbzoneid' SYNTAX 1.3.6.1.4.1.1466.115.12
>
> slapd(8) requires either an OID, or a valid OID macro (which
> will expand to the OID before the description is published in
> the schema)... because LDAP does (see RFC 4512).
>
> >so when running "slapd -d 1" I get the error: OID could not be expanded: "sbzoneid-oid"
>
> As "sbzoneid-oid" isn't a numericoid, it assumed it was an
> OID macro. But there is no such OID macro, hence the error.
>
> >or maybe a more liberal parsing could be helpful?
>
> The input is parsed just fine. The problem is semantics.
> The field requires an OID. "sbzoneid-oid" is neither an OID,
> nor something that represents an OID. Without an OID, slapd(8)
> wouldn't be able to publish valid schema descriptions for
> the schema element.
>
> >Do you have any idea how to solve this problem?
>
> Locate the proper OIDs for these schema elements and use them.
> Or, assign your own OIDs (from your own name space).
>
> Kurt
>
>
>
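On the .cer versus .pem question raised above: slapd does not care about the file extension, but with an OpenSSL build TLSCACertificateFile is loaded as PEM, and a .cer file exported from a Windows CA is often DER-encoded, which the loader will reject or ignore. The helper below is an added example, not code from the thread or from OpenLDAP: it detects each input's encoding, converts DER to PEM and concatenates the root and intermediate CA into one bundle suitable for TLSCACertificateFile. The DER bytes used to exercise it are a constructed ASN.1 SEQUENCE, not a real certificate.

```python
import base64
import re
from typing import List

# Matches one PEM certificate block; body may contain newlines (CRLF or LF).
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def detect_format(data: bytes) -> str:
    """Classify raw certificate bytes as 'pem', 'der' or 'unknown'."""
    if b"-----BEGIN CERTIFICATE-----" in data:
        return "pem"
    # A DER-encoded X.509 certificate starts with an ASN.1 SEQUENCE tag (0x30).
    if data[:1] == b"\x30":
        return "der"
    return "unknown"


def der_to_pem(der: bytes) -> bytes:
    """Wrap DER bytes into a PEM certificate block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN CERTIFICATE-----\n" + "\n".join(lines).encode("ascii")
            + b"\n-----END CERTIFICATE-----\n")


def normalize_to_pem(data: bytes) -> List[bytes]:
    """Return every certificate found in `data` as a list of clean PEM blocks."""
    fmt = detect_format(data)
    if fmt == "pem":
        # Re-encode each block so CRLFs or stray bytes from a raw concatenation do not survive.
        return [der_to_pem(base64.b64decode(body)) for body in PEM_BLOCK.findall(data)]
    if fmt == "der":
        return [der_to_pem(data)]
    raise ValueError("input is neither a PEM nor a DER certificate")


def build_ca_bundle(inputs: List[bytes]) -> bytes:
    """Concatenate certificates from several files (PEM or DER, in any mix) into one PEM bundle."""
    blocks: List[bytes] = []
    for data in inputs:
        blocks.extend(normalize_to_pem(data))
    return b"".join(blocks)


def count_pem_certs(bundle: bytes) -> int:
    """Number of certificate blocks slapd would find in the bundle."""
    return len(PEM_BLOCK.findall(bundle))
```

Write the returned bundle to the path named by TLSCACertificateFile and verify with count_pem_certs that both the root and the intermediate made it in.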