
Thread: Open LDAP with TLS

  1. #1

    Open LDAP with TLS

    Hi,
    I have configured an OpenLDAP server and client with TLS enabled.
    LDAP has a user "ldapuser" which is displayed by ldapsearch both with and without the TLS option.
    But when we log in as "ldapuser" on ldapclient with TLS enabled, it fails with an error that there is no user "ldapuser". Note that the openssl output below ends with "Verify return code: 19 (self signed certificate in certificate chain)", i.e. the client does not trust the CA that issued the server certificate.


    [root@ldapclient ~]# ldapsearch -x -D "cn=Manager, dc=ceylonlinux,dc=com" -H ldaps://ldapserver:636 -W|grep ldapuser
    Enter LDAP Password:
    # ldapuser, People, ceylonlinux.com
    dn: uid=ldapuser,ou=People,dc=ceylonlinux,dc=com
    uid: ldapuser
    cn: ldapuser
    homeDirectory: /home/ldapuser

    [root@ldapclient ~]# openssl s_client -connect ldapserver:636 -showcerts
    CONNECTED(00000003)
    depth=1 /C=In/ST=Maharastra/O=Persistent/OU=Platform/CN=ldapserver/emailAddress=ashwani_28@yahoo.co.in
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    ---
    Certificate chain
    0 s:/C=In/ST=Maharastra/L=Nagpur/O=Persistent/OU=Platform/CN=ldapserver/emailAddress=ashwani_28@yahoo.co.in
    i:/C=In/ST=Maharastra/O=Persistent/OU=Platform/CN=ldapserver/emailAddress=ashwani_28@yahoo.co.in
    -----BEGIN CERTIFICATE-----
    MIIDJjCCAo+gAwIBAgIJAOKq2vlJXRUxMA0GCSqGSIb3DQEBBQ UAMIGNMQswCQYD
    VQQGEwJJbjETMBEGA1UECBMKTWFoYXJhc3RyYTETMBEGA1UECh MKUGVyc2lzdGVu
    dDERMA8GA1UECxMIUGxhdGZvcm0xEjAQBgNVBAMTCXNjMTQzNS 0wNzEtMCsGCSqG
    SIb3DQEJARYeYXNod2FuaV9zaW5naEBwZXJzaXN0ZW50LmNvLm luMB4XDTA4MDMy
    JZnt341HpIvByUg8V+r3PrVpaF2deOkUwM12nLpdN+gFkwu23W 8/y4NGcgpaaxOZ
    PUlOBpRGrKlAi6CtEejsYIYHEW60HUkzKM1N3XYCDJ1thO717W rG4Hpn
    -----END CERTIFICATE-----
    1 s:/C=In/ST=Maharastra/O=Persistent/OU=Platform/CN=ldapserver/emailAddress=ashwani_28@yahoo.co.in
    i:/C=In/ST=Maharastra/O=Persistent/OU=Platform/CN=ldapserver/emailAddress=ashwani_28@yahoo.co.in
    -----BEGIN CERTIFICATE-----
    MIIDkDCCAvmgAwIBAgIJAOKq2vlJXRUwMA0GCSqGSIb3DQEBBQ UAMIGNMQswCQYD
    VQQGEwJJbjETMBEGA1UECBMKTWFoYXJhc3RyYTETMBEGA1UECh MKUGVyc2lzdGVu
    dDERMA8GA1UECxMIUGxhdGZvcm0xEjAQBgNVBAMTCXNjMTQzNS 0wNzEtMCsGCSqG
    SIb3DQEJARYeYXNod2FuaV9zaW5naEBwZXJzaXN0ZW50LmNvLm luMB4XDTA4MDMy
    NzEzMTExM1oXDTExMDMyNzEzMTExM1owgY0xCzAJBgNVBAYTAk luMRMwEQYDVQQI
    MrUkExW8rDjoE2u3uTwgPEQGpudsW+GE4a3hYiouUQ5t2d6BRF Ks47LvF6toMNlq
    EfMQ74dkYUBl/Nrt2gaOaWy0hRbXB6Bx6UMoXE2DcUr3C+q/G5vxBY1vMZ75VsTP
    /iqltQ==
    -----END CERTIFICATE-----
    ---
    Server certificate
    subject=/C=In/ST=Maharastra/L=Nagpur/O=Persistent/OU=Platform/CN=ldapserver/emailAddress=ashwani_28@yahoo.co.in
    issuer=/C=In/ST=Maharastra/O=Persistent/OU=Platform/CN=ldapserver/emailAddress=ashwani_28@yahoo.co.in
    ---
    Acceptable client certificate CA names
    /C=In/ST=Maharastra/O=Persistent/OU=Platform/CN=ldapserver/emailAddress=ashwani_28@yahoo.co.in
    /C=In/ST=Maharastra/L=Nagpur/O=Persistent/OU=Platform/CN=ldapserver/emailAddress=ashwani_28@yahoo.co.in
    ---
    SSL handshake has read 2209 bytes and written 352 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES256-SHA
    Server public key is 1024 bit
    SSL-Session:
    Protocol : TLSv1
    Cipher : AES256-SHA
    Session-ID: 8DA9C3C1040FBB1DB7125068EFBA0B47363C777442D3BDB0A3 AE417CA393CED5
    Session-ID-ctx:
    Master-Key: 1C54F6ADB913D69CD81AE57A0D43C792382C360641901E64A8 E03B7D5EB2ED8BD710AEFDBEC2F4874E469AB39749D41D
    Key-Arg : None
    Krb5 Principal: None
    Start Time: 1206654805
    Timeout : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    ---

  2. #2

    Open LDAP with TLS

    At LDAP Server
    # /etc/openldap/slapd.conf
    include /etc/openldap/schema/core.schema
    include /etc/openldap/schema/cosine.schema
    include /etc/openldap/schema/inetorgperson.schema
    include /etc/openldap/schema/nis.schema
    allow bind_v2
    pidfile /var/run/openldap/slapd.pid
    argsfile /var/run/openldap/slapd.args
    TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
    TLSCertificateFile /etc/openldap/cacerts/slapd-cert.pem
    TLSCertificateKeyFile /etc/openldap/cacerts/slapd-key.pem
    TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
    TLSVerifyClient allow
    #access to *
    #by * read
    #by anonymous auth
    #######################################################################
    # ldbm and/or bdb database definitions
    #######################################################################
    database bdb
    suffix "dc=ceylonlinux,dc=com"
    rootdn "cn=Manager,dc=ceylonlinux,dc=com"
    rootpw {SSHA}zuGMUo2xBjoC0T3EfOH8zfBOAfUH6a37
    directory /var/lib/ldap/ceylonlinux.com
    index objectClass eq,pres
    index ou,cn,mail,surname,givenname eq,pres,sub
    index uidNumber,gidNumber,loginShell eq,pres
    index uid,memberUid eq,pres,sub
    index nisMapName,nisMapEntry eq,pres,sub

    At LDAP Client
    # /etc/ldap.conf
    host 192.11.0.117
    base dc=ceylonlinux,dc=com
    timelimit 120
    bind_timelimit 120
    idle_timelimit 3600
    ssl start_tls
    tls_cacertdir /etc/openldap/cacerts
    pam_password md5
