Re: Communicate from php/apache to openLDAP over LDAPS

2010-06-11 Thread Dieter Kluenter
On Fri, 11 Jun 2010 10:53:59 +0200,
Jérémy ESCOLANO jeremyescol...@gmail.com wrote:

 Hi, thank you for replying,
 
 I went a bit deeper into my problem; I can now do LDAPS, but without
 verifying the certificate.
 Here is what I did:
 
 on the openLDAP server:
 
 ---slapd.conf
 TLSCertificateFile      ./ssl2/srvLDAP.cer
 TLSCertificateKeyFile   ./ssl2/srvLDAP.key
 TLSCACertificateFile    ./ssl2/cacert.cer
 TLSVerifyClient never
 
 ---ldap.conf
 TLS_CACERT  ./ssl2/cacert.cer
 TLS_REQCERT never
 
 Then ran my service using: slapd -h "ldap:/// ldaps:///" -d 1
 
 That's all for the OpenLDAP server, but it is not enough for Apache.
 
 On the Apache server I created a folder C:\openldap\sysconf;
 in this directory I created openldap.conf, which contains:
 
 TLS_CACERT ./ssl/cacert.cer
 TLS_REQCERT never
 
 (with cacert.cer in c:\openldap\sysconf\ssl)
 
 It works now, BUT it does NOT verify the certificate.
[...]
 TLS: can't accept.
 TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate s3_srvr.c:2471
 connection_read(1176): TLS accept error error=-1 id=0, closing
 connection_closing: readying conn=0 sd=1176 for close
 connection_close: conn=0 sd=1176
 
 The question now is: how can I configure my certificate on the Apache
 SERVER so that I will be able to do LDAPS with PHP and certificates
 will be verified? (I know I should ask on the Apache list too.)

Bear in mind that Apache is the LDAP client here, so configure the
LDAP client to verify the server certificate, not the server to
verify a client certificate.

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6



Re: Communicate from php/apache to openLDAP over LDAPS

2010-06-11 Thread Jérémy ESCOLANO
According to what you are saying, which certificate does Apache have to
verify? The CA certificate? The Apache server certificate, or the LDAP
server certificate?
Thank you for your information, which helps me to understand better.



2010/6/11 Dieter Kluenter die...@dkluenter.de

 [...]
 Bear in mind that Apache is the LDAP client here, so configure the
 LDAP client to verify the server certificate, not the server to
 verify a client certificate.

 -Dieter




Re: Restricting client access using pam_groupdn with dynamic groups : Was[Re: restrict host login based on group]

2010-06-11 Thread Shamika Joshi
Hi Adam,
Sorry, because of workload it took me a while to revisit my configuration and
verify the things you mentioned. As far as I can understand, things look quite in
place. I have pasted my configuration, mapping exactly to yours. Could you
kindly take a look at it for me, please?

PWD=/etc/openldap/slapd.d
# ls -lR
cn=config
cn=config.ldif

./cn=config:
../
cn=schema/
olcDatabase={0}config/
olcDatabase={1}hdb/
cn=module{0}.ldif
cn=schema.ldif
olcDatabase={-1}frontend.ldif
olcDatabase={0}config.ldif
olcDatabase={1}hdb.ldif


./cn=config/cn=schema:

adm...@x6:/etc/ldap$ sudo ls -ltr /etc/ldap/slapd.d/cn\=config/cn=schema
total 60
-rw-r- 1 openldap openldap 15474 2010-04-01 00:30 cn={0}core.ldif
-rw--- 1 openldap openldap 11316 2010-04-01 00:30 cn={1}cosine.ldif
-rw--- 1 openldap openldap  2810 2010-04-01 00:31 cn={2}inetorgperson.ldif
-rw--- 1 openldap openldap  6446 2010-04-01 00:31 cn={3}nis.ldif
-rw--- 1 openldap openldap 12510 2010-04-13 22:59 cn={4}samba.ldif
-rw--- 1 openldap openldap   468 2010-04-15 04:07 cn={5}hostobj.ldi


./cn=config/olcDatabase={0}config  <== I probably messed this up while
trying multimaster replication, but didn't know how to delete these, so I
left them there, thinking it will not harm my dynlist config anyway. Please
correct me if I'm wrong.

sudo ls /etc/ldap/slapd.d//cn=config/olcDatabase={0}config
 olcOverlay={0}syncprov.ldif   olcOverlay={5}syncprov.ldif
 olcOverlay={10}syncprov.ldif  olcOverlay={6}syncprov.ldif
 olcOverlay={1}syncprov.ldif   olcOverlay={7}syncprov.ldif
 olcOverlay={2}syncprov.ldif   olcOverlay={8}syncprov.ldif
 olcOverlay={3}syncprov.ldif   olcOverlay={9}syncprov.ldif
 olcOverlay={4}syncprov.ldif

 adm...@x6:/etc/ldap$ sudo ls
 /etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb
 olcOverlay={0}dynlist.ldif


 adm...@x6:/etc/ldap$ sudo cat /etc/ldap/slapd.d/cn\=config.ldif
 dn: cn=config
 objectClass: olcGlobal
 cn: config
 olcArgsFile: /var/run/slapd/slapd.args
 olcLogLevel: none
 olcPidFile: /var/run/slapd/slapd.pid
 olcToolThreads: 1
 structuralObjectClass: olcGlobal
 entryUUID: 342d7130-d1ac-102e-9cd4-e742ad24bbaf
 creatorsName: cn=config
 createTimestamp: 20100401073034Z
 olcServerID: 1 ldap://x6.testlab.com
 olcServerID: 2 ldap://x6slave.testlab.com
 entryCSN: 20100415071243.393226Z#00#000#00
 modifiersName: cn=admin,cn=config
 modifyTimestamp: 20100415071243Z
 contextCSN: 20100415110741.696825Z#00#000#00


 adm...@x6:/etc/ldap$ sudo cat /etc/ldap/slapd.d/cn\=config/cn\=module\{0\}.ldif
 dn: cn=module{0}
 objectClass: olcModuleList
 cn: module{0}
 olcModulePath: /usr/lib/ldap
 olcModuleLoad: {0}back_hdb
 olcModuleLoad: {1}dynlist.la
 olcModuleLoad: {2}syncprov
 structuralObjectClass: olcModuleList
 entryUUID: d01365fa-d1ac-102e-845b-c590dd936017
 creatorsName: cn=localroot,cn=config
 createTimestamp: 20100401073455Z
 entryCSN: 20100414110801.212307Z#00#000#00
 modifiersName: cn=admin,cn=config
 modifyTimestamp: 20100414110801Z

 adm...@x6:/etc/ldap$ sudo cat
 /etc/ldap/slapd.d/cn\=config/olcDatabase\=\{1\}hdb/olcOverlay\=\{0\}dynlist.ldif
 dn: olcOverlay={0}dynlist
 objectClass: olcOverlayConfig
 objectClass: olcDynamicList
 olcOverlay: {0}dynlist
 olcDlAttrSet: {0}groupOfNames labeledURI member
 structuralObjectClass: olcDynamicList
 entryUUID: 4a9d0a38-d5b3-102e-8fe9-d7eabe4068a1
 creatorsName: cn=admin,cn=config
 createTimestamp: 20100406103123Z
 entryCSN: 20100406103123.135808Z#00#000#00
 modifiersName: cn=admin,cn=config
 modifyTimestamp: 20100406103123Z


My ldap.conf is there in the first thread. Do you see any issues that I need
to take care of? Anything you think I could be missing here?

Thanks
Shamika

On Mon, Jun 7, 2010 at 3:38 PM, Shamika Joshi shamika.jo...@gmail.comwrote:

 Thanks for the reply and details, Adam.
 I shall try matching my config to this and get back to you.

 thanks a ton
 Shamika


 On Sat, Jun 5, 2010 at 10:22 AM, Adam Hough a...@gradientzero.com wrote:

 My guess is that your config on the server is not right.  So it looks like
 you are using slapd.d, which is what I am using as well.  (I need to
 upload some updated rpms to gradientzero as well, I think.)

 I used this site to help me get my configuration working
 http://www.zytrax.com/books/ldap/ch6/slapd-config.html

 So my directory structure looks like:

 NOTE: While you can edit these files through the filesystem, I highly
 recommend that you edit them through LDAP commands.  I use Apache
 Directory Studio as my GUI-type front end, use ldapvi when I just want to
 make changes to values already in the LDAP server, and use ldapmodify to
 make major changes.

 PWD=/etc/openldap/slapd.d
 # ls -lR
 .:
 total 8
 drwxr-x--- 5 ldap ldap 4096 May 26 16:48 cn=config
 -rw--- 1 ldap ldap 1312 May 26 17:10 cn=config.ldif

 ./cn=config:
 total 100
 -rw--- 1 ldap ldap   575 Sep  1  2009 cn=module{0}.ldif
 drwxr-x--- 2 ldap ldap  4096 Mar  4 12:42 cn=schema
 

Re: Delta-syncrepl and delay in replication

2010-06-11 Thread Quanah Gibson-Mount
--On Friday, June 11, 2010 9:58 PM +0900 MIKI Soichiro 
s-m...@hitachisoft.jp wrote:



Hi All,

I am testing delta-syncrepl using OpenLDAP 2.3.43.7 (actually
as Zimbra LDAP on ZCS 5.0.16).

Please let us know if you need more information.


You should be working with Zimbra Support to address your issues.  But I 
would note you fail to detail any BDB configuration, which is where the 
bottleneck is likely to be.


--Quanah


--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration


Re: Communicate from php/apache to openLDAP over LDAPS

2010-06-11 Thread Howard Chu

Dieter Kluenter wrote:

Jérémy ESCOLANO jeremyescol...@gmail.com writes:


I see, so I need to configure the Apache server to make it able to verify
the LDAP server certificate by using the certificate authority.  That
is what I don't know how to do.  If it can help, here is the error
I get:

SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
s3_srvr:2471


You have configured slapd to request a client certificate which the
client does not provide, just set TLSVerifyClient never in slapd.conf
and TLS_REQCERT try (or demand) in ldap.conf or any other client
configuration file.


Just don't specify TLS_REQCERT at all in ldap.conf. The default is demand and 
should not be changed.


In all of this thread no one has asked or stated what version of OpenLDAP is 
being used...


--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
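
The client-side setup Dieter and Howard describe, written out as a PHP client running under Apache. This is an added example, not code from the thread: it connects over ldaps://, pins the CA that issued the slapd certificate, and keeps verification at libldap's default (demand), which is exactly what the poster's `TLS_REQCERT never` had switched off. The host name, CA path, bind DN, base DN and the `LDAP_BIND_PW` environment variable are assumptions; the `LDAP_OPT_X_TLS_*` constants need PHP 7.1 or later with the ldap extension built against OpenLDAP's libldap.

```php
<?php
// Added example for this thread (not code from the original posts): a PHP
// LDAP client, as run under Apache, that connects over ldaps:// and verifies
// the slapd server certificate against the CA that issued it.
// Assumptions: the URI, CA bundle path, bind DN, base DN and LDAP_BIND_PW
// below are placeholders; LDAP_OPT_X_TLS_* constants need PHP >= 7.1.

declare(strict_types=1);

/**
 * Open a verified LDAPS connection and bind. Throws on any failure.
 *
 * The weak configuration from the thread (TLS_REQCERT never) is the libldap
 * equivalent of LDAP_OPT_X_TLS_NEVER: the handshake succeeds against any
 * certificate, so a man-in-the-middle can present its own certificate and
 * capture the bind password. The hardened form below pins the trust anchor
 * to one CA file and demands a chain that validates against it. DEMAND is
 * also libldap's default, so leaving TLS_REQCERT unset gives the same result.
 */
function ldapsConnectVerified(string $uri, string $caFile, string $bindDn, string $password)
{
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA bundle is not readable: $caFile");
    }
    // Refuse an "unauthenticated bind": a DN with an empty password is treated
    // by LDAP servers as anonymous, which an application would mistake for success.
    if ($password === '') {
        throw new InvalidArgumentException('empty bind password refused');
    }

    // TLS options are process-global in libldap and must be in place before the
    // first handshake, hence the null handle and the ordering here.
    if (!ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile)
        || !ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND)) {
        throw new RuntimeException('could not set global TLS options');
    }

    // Use the server's FQDN: with DEMAND, libldap also checks that the
    // certificate's subject/SAN matches the host part of the URI, so an IP
    // address here fails unless the certificate carries that IP as a SAN.
    $ds = ldap_connect($uri);
    if ($ds === false) {
        throw new RuntimeException("malformed LDAP URI: $uri");
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // ldap_connect() only parses the URI; the TCP connect and TLS handshake
    // happen on the first operation. A certificate that does not chain to
    // $caFile therefore surfaces here as errno -1 "Can't contact LDAP server".
    if (!@ldap_bind($ds, $bindDn, $password)) {
        $errno = ldap_errno($ds);
        $msg   = ldap_error($ds);
        $diag  = '';
        ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        throw new RuntimeException(sprintf('bind failed (%d): %s %s', $errno, $msg, (string) $diag));
    }
    return $ds;
}

// Usage: the password comes from Apache's environment, never from the
// document root. The search only proves that the verified link works.
try {
    $ds = ldapsConnectVerified(
        'ldaps://ldap.example.com',                 // assumed FQDN; must match the server certificate
        '/etc/openldap/certs/cacert.pem',           // assumed: the CA that signed the slapd certificate
        'cn=webapp,ou=services,dc=example,dc=com',  // assumed bind DN
        (string) getenv('LDAP_BIND_PW')             // assumed env var; unset -> '' -> refused above
    );
    // A request-supplied uid would have to go through
    // ldap_escape($uid, '', LDAP_ESCAPE_FILTER) before being placed in the filter.
    $res     = ldap_search($ds, 'ou=people,dc=example,dc=com', '(uid=jdoe)', ['cn', 'mail']);
    $entries = ldap_get_entries($ds, $res);
    printf("verified LDAPS search returned %d entries\n", $entries['count']);
    ldap_unbind($ds);
} catch (Throwable $e) {
    error_log('LDAP failure: ' . $e->getMessage());
}
```

For an ldap:// URI with STARTTLS instead of ldaps://, call `ldap_start_tls($ds)` before `ldap_bind()`; the same two global options govern the verification. On a PHP too old for these constants, as in the 2010 thread, the same settings go into the ldap.conf that libldap reads inside the Apache process (the openldap.conf the poster created, on that Windows build): `TLS_CACERT` pointing at the CA file and no `TLS_REQCERT` line at all. A quick check from the Apache host is `ldapsearch -H ldaps://ldap.example.com -x -b '' -s base` with `LDAPTLS_CACERT` set to the real CA file, which should succeed, while the same command with an unrelated CA file fails with "Can't contact LDAP server (-1)"; if both succeed, verification is still off.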


Re: Restricting client access using pam_groupdn with dynamic groups : Was[Re: restrict host login based on group]

2010-06-11 Thread Howard Chu

Shamika Joshi wrote:

Hi Adam,
Sorry, because of workload it took me a while to revisit my configuration and verify
the things you mentioned. As far as I can understand, things look quite in place.
I have pasted my configuration, mapping exactly to yours. Could you kindly take a
look at it for me, please?

PWD=/etc/openldap/slapd.d


This is not the way to list the contents of the config DB. cn=config is a 
slapd database, use slapcat or ldapsearch to dump its contents.


slapcat -n0

Use the documented tools. You cannot rely on the slapd internal file formats 
remaining in any particular shape or form.




Re: Migratate Zimbra to Openldap

2010-06-11 Thread Quanah Gibson-Mount
--On Friday, June 11, 2010 11:12 AM -0400 Claudio Guzman 
cguzm...@gmail.com wrote:



Exporting the data will place all of your LDAP Data into a single,
movable .LDIF file.
su - zimbra
openldap/sbin/slapcat -f /opt/zimbra/conf/slapd.conf -l /tmp/ldap.ldif
6.0+: /opt/zimbra/libexec/zmslapcat /backup


Zimbra already uses OpenLDAP.  Your question(s)?? are poorly formed, please 
try to expand on what you are asking.


--Quanah



Re: Migratate Zimbra to Openldap

2010-06-11 Thread Claudio Guzman
When I import the Zimbra export, it only throws me different LDAP
errors:

Could not add object: cn=central,ou=people,dc=domainname,dc=org
LDAP said: LDAP_UNDEFINED_TYPE
The attribute type specified is invalid.

Would I have to create the values to import the schema?


Best regards,
Claudio


Re: Migratate Zimbra to Openldap

2010-06-11 Thread Quanah Gibson-Mount
--On Friday, June 11, 2010 3:55 PM -0400 Claudio Guzman 
cguzm...@gmail.com wrote:



When I import the Zimbra export, it only throws me different LDAP
errors:

Could not add object: cn=central,ou=people,dc=domainname,dc=org
LDAP said: LDAP_UNDEFINED_TYPE
The attribute type specified is invalid.

Would I have to create the values to import the schema?


Sorry, I still don't understand what it is you are trying to do?  Are you 
trying to use an OpenLDAP version other than what ships with Zimbra?  You 
shouldn't do that, as Zimbra is tightly tied to what it ships with.  If you 
want to have OpenLDAP 2.4.x, use Zimbra 6.0.x releases.


If you have questions about upgrading Zimbra from 5.0.x to 6.0.x, I suggest 
you read the Zimbra documentation.


--Quanah




Re: Migratate Zimbra to Openldap

2010-06-11 Thread Quanah Gibson-Mount
--On Friday, June 11, 2010 4:09 PM -0400 Claudio Guzman 
cguzm...@gmail.com wrote:



I do not need to upgrade; I need to export the Zimbra LDAP data and import it
into a machine that only has LDAP.


Then you should simply install the zimbra-ldap package only on the system. 
There's no need to go and do all of this yourself.  I suggest you read the 
multi-server install guide.


--Quanah
