
Re: TLSVerifyClient => no login possible



Dieter Kluenter schrieb:
> Sebastian Reinhardt <snr@lmv-hartmannsdorf.de> writes:
>
>   
>> Sorry, please forget everything I wrote in my last mail....stop! Not
>> everything! Delete the "partial"!
>>
>> IT WORKS! I can login at both, "real" client pc and as client on server
>> machine! Everything is set to demand and the test (ldapsearch and login)
>> works. So only the one point is left: the LDAP- Workshop (Stefan Kania's
>> one) uses the "TLSCipherSuite HIGH:MEDIUM:+SSLv2" option. If I activate
>> this in slapd.conf, ldap can not be started. Why? I do not know, because
>> I get no output.
>>     
>
> In order to find out run
> openssl ciphers SSLv2
> openssl ciphers HIGH
> openssl ciphers MEDIUM
>
> -Dieter
>
>   

Hi Dieter,
I get the following output:

lmvserver:~ #openssl ciphers SSLv2
DES-CBC3-MD5:DES-CBC-MD5:EXP-RC2-CBC-MD5:RC2-CBC-MD5:EXP-RC4-MD5:RC4-MD5

lmvserver:~ # openssl ciphers MEDIUM
ADH-RC4-MD5:RC4-SHA:RC4-MD5:RC2-CBC-MD5:RC4-MD5

lmvserver:~ # openssl ciphers HIGH
ADH-CAMELLIA256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:CAMELLIA256-SHA:ADH-CAMELLIA128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:CAMELLIA128-SHA:ADH-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:ADH-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:ADH-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5

So I think this should work?! SSLv3 is also available. Is it better to
use "TLSCipherSuite HIGH:MEDIUM:+SSLv3"?

Oh, I had not posted the solution of my major problem: I mixed IPs and
host names (in /etc/ldap.conf I used IPs and in certificates host
names). Due to the comment in /etc/ldap.conf "the LDAP- Server must be
resolvable without ldap" I thought that it is better to use the IP of
our server. Also, I used the client name as common name instead of the
server's host name (in every client cert the according client host name). So
this could not work... I was a little bit confused by configuring
multiple ldap.conf files, but thanks to Dieter the server is up and running.

-- 
Kind regards

Sebastian Reinhardt
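As a pre-restart check for the situation described in this thread (slapd refusing to start on a TLSCipherSuite value, with no output), here is an added example, not code from the thread or from OpenLDAP: it validates the cipher string with the local `openssl ciphers`, the same command Dieter suggested, before slapd is restarted. The slapd.conf fragment and the `check_ciphersuite`/`check_slapd_conf` function names are constructed for this example.

```shell
#!/bin/sh
# Added example: validate a slapd.conf TLSCipherSuite value against the
# local OpenSSL before restarting slapd, so a rejected cipher string does
# not leave the server failing to start silently.

# check_ciphersuite SPEC
# Returns 0 if this OpenSSL accepts SPEC and it expands to at least one
# cipher, 1 otherwise. The expanded list is printed for review.
check_ciphersuite() {
    spec="$1"
    # "openssl ciphers" exits non-zero on a syntax error or an empty match.
    if ! list=$(openssl ciphers "$spec" 2>/dev/null); then
        echo "REJECTED by this OpenSSL: $spec" >&2
        return 1
    fi
    n=$(printf '%s\n' "$list" | tr ':' '\n' | grep -c .)
    echo "OK: '$spec' expands to $n cipher(s):"
    printf '%s\n' "$list" | tr ':' '\n' | sed 's/^/    /'
    return 0
}

# check_slapd_conf FILE
# Pulls the TLSCipherSuite directive out of a slapd.conf and checks it.
check_slapd_conf() {
    conf="$1"
    spec=$(awk 'tolower($1)=="tlsciphersuite" {print $2; exit}' "$conf")
    if [ -z "$spec" ]; then
        echo "no TLSCipherSuite in $conf (library default applies)"
        return 0
    fi
    check_ciphersuite "$spec"
}

# Constructed sample slapd.conf fragment (not from the original thread).
sample=$(mktemp)
cat >"$sample" <<'EOF'
TLSCertificateFile /etc/openldap/server.crt
TLSVerifyClient demand
# Note: a leading '+' in an OpenSSL cipher string does not add ciphers;
# it moves the matching ones to the end of the list.
TLSCipherSuite HIGH:MEDIUM:+SSLv3
EOF
if check_slapd_conf "$sample"; then
    echo "cipher string accepted, safe to restart slapd"
else
    echo "fix TLSCipherSuite before restarting slapd"
fi
rm -f "$sample"
```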