Re: Communicate from php/apache to openLDAP over LDAPS
On Fri, 11 Jun 2010 10:53:59 +0200, Jérémy ESCOLANO jeremyescol...@gmail.com wrote:

> Hi,
> Thank you for replying. I went a bit deeper with my problem; I can now do
> LDAPS but without verifying the certificate. Here is what I did:
>
> On the openLDAP server:
>
> --- slapd.conf
> TLSCertificateFile ./ssl2/srvLDAP.cer
> TLSCertificateKeyFile ./ssl2/srvLDAP.key
> TLSCACertificateFile ./ssl2/cacert.cer
> TLSVerifyClient never
>
> --- ldap.conf
> TLS_CACERT ./ssl2/cacert.cer
> TLS_REQCERT never
>
> Then ran my service using:
> slapd -h ldap:/// ldaps:/// -d 1
>
> That's all for the openLDAP server, but not enough with apache.
>
> On the apache server I created a folder C:\openldap\sysconf. In this
> directory I created openldap.conf, and this contains:
> TLS_CACERT ./ssl/cacert.cer
> TLS_REQCERT never
> (with cacert.cer in c:\openldap\sysconf\ssl)
>
> It works from now BUT does NOT verify the certificate.
>
> [...]
> TLS: can't accept.
> TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate s3_srvr.c:2471
> connection_read(1176): TLS accept error error=-1 id=0, closing
> connection_closing: readying conn=0 sd=1176 for close
> connection_close: conn=0 sd=1176
>
> The question is now: how can I configure my certificate on the apache
> SERVER so that I will be able to do LDAPS with PHP and certificates will
> be verified? (I know I should ask it on the Apache list too.)

Bear in mind that apache is an ldap client operation, thus configure ldap
clients to verify the server certificate and not the server to verify a
client certificate.

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
Re: Communicate from php/apache to openLDAP over LDAPS
According to what you are saying, Apache has to verify which certificate? The CA certificate? The apache server certificate or the ldap certificate?

Thank you for your information that helps me to understand better.

2010/6/11 Dieter Kluenter die...@dkluenter.de

> On Fri, 11 Jun 2010 10:53:59 +0200, Jérémy ESCOLANO jeremyescol...@gmail.com wrote:
>
>> [...]
>
> Bear in mind that apache is an ldap client operation, thus configure ldap
> clients to verify the server certificate and not the server to verify a
> client certificate.
>
> -Dieter
>
> -- 
> Dieter Klünter | Systemberatung
> sip: +49.40.20932173
> http://www.dpunkt.de/buecher/2104.html
> GPG Key ID:8EF7B6C6
Re: Restricting client access using pam_groupdn with dynamic groups : Was[Re: restrict host login based on group]
Hi Adam,

Sorry, because of workload it took me a while to revisit my configuration and verify the things you mentioned. As far as I could understand, things look quite in place. I have pasted my configurations mapping exactly to yours. Could you kindly take a look at it for me, please?

PWD=/etc/openldap/slapd.d
# ls -lR
cn=config  cn=config.ldif

./cn=config:
../  cn=schema/  olcDatabase={0}config/  olcDatabase={1}hdb/
cn=module{0}.ldif  cn=schema.ldif  olcDatabase={-1}frontend.ldif
olcDatabase={0}config.ldif  olcDatabase={1}hdb.ldif

/cn=config/cn=schema:
adm...@x6:/etc/ldap$ sudo ls -ltr /etc/ldap/slapd.d/cn\=config/cn=schema
total 60
-rw-r- 1 openldap openldap 15474 2010-04-01 00:30 cn={0}core.ldif
-rw--- 1 openldap openldap 11316 2010-04-01 00:30 cn={1}cosine.ldif
-rw--- 1 openldap openldap  2810 2010-04-01 00:31 cn={2}inetorgperson.ldif
-rw--- 1 openldap openldap  6446 2010-04-01 00:31 cn={3}nis.ldif
-rw--- 1 openldap openldap 12510 2010-04-13 22:59 cn={4}samba.ldif
-rw--- 1 openldap openldap   468 2010-04-15 04:07 cn={5}hostobj.ldi

./cn=config/olcDatabase={0}config
=== I probably messed this up while trying multimaster replication, but didn't know how to delete these, so I left them there thinking it will not harm my dynlist config anyway. Please correct me if I'm wrong.

adm...@x6:/etc/ldap$ sudo ls /etc/ldap/slapd.d//cn=config/olcDatabase={0}config
olcOverlay={0}syncprov.ldif   olcOverlay={5}syncprov.ldif
olcOverlay={10}syncprov.ldif  olcOverlay={6}syncprov.ldif
olcOverlay={1}syncprov.ldif   olcOverlay={7}syncprov.ldif
olcOverlay={2}syncprov.ldif   olcOverlay={8}syncprov.ldif
olcOverlay={3}syncprov.ldif   olcOverlay={9}syncprov.ldif
olcOverlay={4}syncprov.ldif

adm...@x6:/etc/ldap$ sudo ls /etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb
olcOverlay={0}dynlist.ldif

adm...@x6:/etc/ldap$ sudo cat /etc/ldap/slapd.d/cn\=config.ldif
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: none
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: 342d7130-d1ac-102e-9cd4-e742ad24bbaf
creatorsName: cn=config
createTimestamp: 20100401073034Z
olcServerID: 1 ldap://x6.testlab.com
olcServerID: 2 ldap://x6slave.testlab.com
entryCSN: 20100415071243.393226Z#00#000#00
modifiersName: cn=admin,cn=config
modifyTimestamp: 20100415071243Z
contextCSN: 20100415110741.696825Z#00#000#00

# cat cn\=config/cn\=module\{0\}.ldif
dn: cn=module{0}
adm...@x6:/etc/ldap$ sudo cat /etc/ldap/slapd.d/cn\=config/cn\=module\{0\}.ldif
dn: cn=module{0}
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb
olcModuleLoad: {1}dynlist.la
olcModuleLoad: {2}syncprov
structuralObjectClass: olcModuleList
entryUUID: d01365fa-d1ac-102e-845b-c590dd936017
creatorsName: cn=localroot,cn=config
createTimestamp: 20100401073455Z
entryCSN: 20100414110801.212307Z#00#000#00
modifiersName: cn=admin,cn=config
modifyTimestamp: 20100414110801Z

adm...@x6:/etc/ldap$ sudo cat /etc/ldap/slapd.d/cn\=config/olcDatabase\=\{1\}hdb/olcOverlay\=\{0\}dynlist.ldif
dn: olcOverlay={0}dynlist
objectClass: olcOverlayConfig
objectClass: olcDynamicList
olcOverlay: {0}dynlist
olcDlAttrSet: {0}groupOfNames labeledURI member
structuralObjectClass: olcDynamicList
entryUUID: 4a9d0a38-d5b3-102e-8fe9-d7eabe4068a1
creatorsName: cn=admin,cn=config
createTimestamp: 20100406103123Z
entryCSN: 20100406103123.135808Z#00#000#00
modifiersName: cn=admin,cn=config
modifyTimestamp: 20100406103123Z

My ldap.conf is there in the first thread. Do you see any issues that I need to take care of? Anything you think I could be missing here?

Thanks
Shamika

On Mon, Jun 7, 2010 at 3:38 PM, Shamika Joshi shamika.jo...@gmail.com wrote:

> Thanks for the reply details Adam. I shall try matching my config to this and get back to you.
> thanks a ton
> Shamika
>
> On Sat, Jun 5, 2010 at 10:22 AM, Adam Hough a...@gradientzero.com wrote:
>
>> My guess is that your config on the server is not right. So it looks like you are using the slap.d which is what I am using as well. (I need to upload some updated rpms I think to gradientzero as well.) I used this site to help me get my configuration working: http://www.zytrax.com/books/ldap/ch6/slapd-config.html
>>
>> So my directory structure looks like:
>>
>> NOTE: While you can edit these files through the filesystem, I highly recommend that you edit the files through ldap commands. I use Apache Directory Studio as my GUI type front end and use ldapvi when I just want to make changes to values already in the ldap server, and then to make major changes I use ldapmodify to make them.
>>
>> PWD=/etc/openldap/slapd.d
>> # ls -lR
>> .:
>> total 8
>> drwxr-x--- 5 ldap ldap 4096 May 26 16:48 cn=config
>> -rw--- 1 ldap ldap 1312 May 26 17:10 cn=config.ldif
>>
>> ./cn=config:
>> total 100
>> -rw--- 1 ldap ldap 575 Sep 1 2009 cn=module{0}.ldif
>> drwxr-x--- 2 ldap ldap 4096 Mar 4 12:42 cn=schema
Re: Delta-syncrepl and delay in replication
--On Friday, June 11, 2010 9:58 PM +0900 MIKI Soichiro s-m...@hitachisoft.jp wrote:

> Hi All,
>
> I am testing delta-syncrepl using OpenLDAP 2.3.43.7 (actually as ZimbraLDAP on ZCS 5.0.16).
>
> Please let us know if you need more information.

You should be working with Zimbra Support to address your issues. But I would note you fail to detail any BDB configuration, which is where the bottleneck is likely to be.

--Quanah

-- 
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration
Re: Communicate from php/apache to openLDAP over LDAPS
Dieter Kluenter wrote:
> Jérémy ESCOLANO jeremyescol...@gmail.com writes:
>
>> I see, so I need to configure the Apache server to make it able to verify
>> the ldap server certificate by using the certificate authority. That is
>> what I don't know how to do. If it can help, here is the error I get:
>> SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate s3_srvr:2471
>
> You have configured slapd to request a client certificate which the client
> does not provide, just set TLSVerifyClient never in slapd.conf and
> TLS_REQCERT try (or demand) in ldap.conf or any other client configuration
> file.

Just don't specify TLS_REQCERT at all in ldap.conf. The default is demand and should not be changed.

In all of this thread no one has asked or stated what version of OpenLDAP is being used...

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
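An added illustration of the two points made in this thread (this is not code from the thread, from OpenLDAP or from PHP): a small audit of the client-side ldap.conf that the Apache/PHP side reads, which flags the TLS_REQCERT never line from the original post and a relative TLS_CACERT path, and passes a file that simply leaves TLS_REQCERT at its default of demand. The sample configs, the absolute path in the fixed one, and the function names are constructed for the example.

```python
import re

# libldap's default for TLS_REQCERT when the keyword is absent (see thread).
DEFAULT_REQCERT = "demand"

# Constructed samples: the first mirrors the openldap.conf from the original
# post, the second is the corrected client file (TLS_REQCERT simply omitted).
THREAD_CONF = """TLS_CACERT ./ssl/cacert.cer
TLS_REQCERT never
"""
FIXED_CONF = """# Only the CA is needed; TLS_REQCERT defaults to demand.
TLS_CACERT /etc/openldap/ssl/cacert.cer
"""

def parse_ldap_conf(text):
    """Parse ldap.conf-style text (KEYWORD value, '#' comment lines) into a dict."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def audit_client_conf(text):
    """Return findings for a client ldap.conf; an empty list means the
    slapd certificate will actually be checked against the CA."""
    conf = parse_ldap_conf(text)
    findings = []
    reqcert = conf.get("TLS_REQCERT", DEFAULT_REQCERT).lower()
    if reqcert in ("never", "allow"):
        findings.append("TLS_REQCERT %s: server certificate is not verified; "
                        "drop the line so the default (demand) applies" % reqcert)
    elif reqcert == "try":
        findings.append("TLS_REQCERT try: a server that sends no certificate "
                        "is still accepted")
    cacert = conf.get("TLS_CACERT") or conf.get("TLS_CACERTDIR")
    if not cacert:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: nothing to verify against")
    elif not re.match(r"^(/|[A-Za-z]:[\\/])", cacert):
        # ./ssl/cacert.cer is resolved against the working directory of the
        # process (httpd/slapd), not the directory holding the config file.
        findings.append("TLS_CACERT %s is relative; use an absolute path" % cacert)
    return findings

if __name__ == "__main__":
    for name, conf in (("thread", THREAD_CONF), ("fixed", FIXED_CONF)):
        print(name, audit_client_conf(conf) or "OK")
```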
Re: Restricting client access using pam_groupdn with dynamic groups : Was[Re: restrict host login based on group]
Shamika Joshi wrote:
> Hi Adam,
>
> Sorry, because of workload it took me a while to revisit my configuration
> and verify the things you mentioned. As far as I could understand, things
> look quite in place. I have pasted my configurations mapping exactly to
> yours. Could you kindly take a look at it for me, please?
>
> PWD=/etc/openldap/slapd.d

This is not the way to list the contents of the config DB. cn=config is a slapd database, use slapcat or ldapsearch to dump its contents.

slapcat -n0

Use the documented tools. You cannot rely on the slapd internal file formats remaining in any particular shape or form.

> # ls -lR
> [...]
Re: Migratate Zimbra to Openldap
--On Friday, June 11, 2010 11:12 AM -0400 Claudio Guzman cguzm...@gmail.com wrote:

> Exporting the data will place all of your LDAP Data into a single, movable .LDIF file.
>
> su - zimbra
> openldap/sbin/slapcat -f /opt/zimbra/conf/slapd.conf -l /tmp/ldap.ldif
>
> 6.0+:
> /opt/zimbra/libexec/zmslapcat /backup

Zimbra already uses OpenLDAP. Your question(s)?? are poorly formed, please try to expand on what you are asking.

--Quanah

-- 
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration
Re: Migratate Zimbra to Openldap
When you place the export amount of zimbra and then only throw me different errors ldap:

Could not add object: cn=central,ou=people,dc=domainname,dc=org
LDAP said: LDAP_UNDEFINED_TYPE The attribute type specified is invalid.

Would I have to create the values to import the schema?

Best regards
Claudio
Re: Migratate Zimbra to Openldap
--On Friday, June 11, 2010 3:55 PM -0400 Claudio Guzman cguzm...@gmail.com wrote:

> When you place the export amount of zimbra and then only throw me different errors ldap:
>
> Could not add object: cn=central,ou=people,dc=domainname,dc=org
> LDAP said: LDAP_UNDEFINED_TYPE The attribute type specified is invalid.
>
> Would I have to create the values to import the schema?

Sorry, I still don't understand what it is you are trying to do? Are you trying to use an OpenLDAP version other than what ships with Zimbra? You shouldn't do that, as Zimbra is tightly tied to what it ships with. If you want to have OpenLDAP 2.4.x, use Zimbra 6.0.x releases. If you have questions about upgrading Zimbra from 5.0.x to 6.0.x, I suggest you read the Zimbra documentation.

--Quanah

-- 
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration
Re: Migratate Zimbra to Openldap
--On Friday, June 11, 2010 4:09 PM -0400 Claudio Guzman cguzm...@gmail.com wrote:

> I need not upgrade, I require the zimbra ldap export and import it into a machine that only has ldap

Then you should simply install the zimbra-ldap package only on the system. There's no need to go and do all of this yourself. I suggest you read the multi-server install guide.

--Quanah

-- 
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration