
Re: LDAP Crafted Search Request Access Allowed



On Thu, Oct 30, 2014 at 08:11:31AM -0300, Net Warrior wrote:

> 1 ) Added tls_reqcert demand to the client side
> 2 ) Configured a user to bind instead of anonymous
>      binddn cn=ldapuser,Ou=Users,dc=server,dc=com
>      bindpwd  :$6$oZ8qYohy$lU0sYJXInOO1ISO4WKgzeuDyyFh9a

Good.

> 3 ) Added olcTLSVerifyClient:demand to server side:

I suspect that you do not want that. It would force every client to
have a client-side X.509 certificate. Good for secure authentication,
but more effort to manage than most people are prepared to handle.

> Object added to server:
> 
> dn: olcDatabase={2}bdb,cn=config
> changetype:modify
> add: olcTLSVerifyClient:demand
> 
> Still I did not correct my ACL, but I do not see olcTLSVerifyClient:demand
> reflected in my configuration

That is because you tried to add it to a database but it is a global option.


Are you really using the BDB database? It has been deprecated for some time now.
I would suggest using MDB.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
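As an added illustration of the point above (not part of the original thread): olcTLSVerifyClient is a global attribute, so the modify operation must target the cn=config entry itself rather than the olcDatabase={2}bdb,cn=config entry. The attribute name and value go on separate lines in LDIF. The ldapmodify/ldapsearch invocations in the comments assume the usual ldapi:/// socket with SASL EXTERNAL access to cn=config, which is an assumption about the local setup.

```ldif
# Added example, not the poster's LDIF: set the global TLS client
# verification policy. Other documented values are never, allow and try;
# demand requires a valid X.509 certificate from every client.
#
# Apply with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f verifyclient.ldif
# Confirm the attribute is now present on the global entry:
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -s base olcTLSVerifyClient
dn: cn=config
changetype: modify
add: olcTLSVerifyClient
olcTLSVerifyClient: demand
```

If the attribute already exists on cn=config, use `replace: olcTLSVerifyClient` instead of `add:`, otherwise slapd rejects the change with "attribute or value exists".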