Attribute type is operational
Hi,

I'm running OpenLDAP 2.4 on RHEL5. I've got the basics working, user accounts etc., but have tried adding some new schemas which I'm getting problems with.

I followed a VERY helpful blog at http://oracle-cookies.blogspot.com/2007/01/get-tnsnamesora-from-openldap.html which allowed me to install some Oracle OID schemas so we can move away from Oracle OID. This blog is a little out of date and I have some attributetypes which I need to add in to the schema. I've added the following 2 lines:

attributetypes ( 2.16.840.1.113894.1.1.37 NAME 'orclGuid' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )
attributetypes ( 2.16.840.1.113894.1.1.1000 NAME 'orclnormdn' EQUALITY distinguishedNameMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )

I took these from the current 10.2.0 OID installation so wasn't 100% sure they were correct, but they are similar in construct to the others found on the blog.

When I restart ldap2.4 I get the error:

service ldap2.4 restart
Checking config file /etc/openldap2.4/slapd.conf: [FAILED]
/etc/openldap2.4/schema/oidbase.schema: line 27 attributetypes: 2.16.840.1.113894.1.1.37 is operational
slaptest2.4: bad configuration file!

Having Googled it, I found this to mean that the attributetype had already been declared, but I cannot find where. I checked in my current schemas and the defaults under /usr/share/openldap2.4/schema but found nothing.

Anyone help here?

Thanks,
Stuart Cherrington.
Re: Attribute type is operational
On Mon, 12 Jul 2010 08:10:56 +, Stuart Cherrington stuart_cherring...@hotmail.co.uk wrote:
> Hi,
>
> I'm running OpenLDAP 2.4 on RHEL5. I've got the basics working, user accounts etc., but have tried adding some new schemas which I'm getting problems with.
>
> I followed a VERY helpful blog at http://oracle-cookies.blogspot.com/2007/01/get-tnsnamesora-from-openldap.html which allowed me to install some Oracle OID schemas so we can move away from Oracle OID. This blog is a little out of date and I have some attributetypes which I need to add in to the schema. I've added the following 2 lines:
>
> attributetypes ( 2.16.840.1.113894.1.1.37 NAME 'orclGuid' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )
> attributetypes ( 2.16.840.1.113894.1.1.1000 NAME 'orclnormdn' EQUALITY distinguishedNameMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )
>
> I took these from the current 10.2.0 OID installation so wasn't 100% sure they were correct, but they are similar in construct to the others found on the blog.
>
> When I restart ldap2.4 I get the error:
>
> service ldap2.4 restart
> Checking config file /etc/openldap2.4/slapd.conf: [FAILED]
> /etc/openldap2.4/schema/oidbase.schema: line 27 attributetypes: 2.16.840.1.113894.1.1.37 is operational
> slaptest2.4: bad configuration file!

This error message is complaining that the attributetype declared is an operational attribute (USAGE directoryOperation). Reading through the code, I see the following comment: "operational attributes should be defined internally". I therefore presume that you cannot define operational attributes by way of schema files.

These attributes won't be operational anyway, in the sense that they will not be automatically managed by the OpenLDAP server, since it knows nothing about them.

If you just need them for compatibility with OID, I suggest you change the declaration to make them non-operational. You'll probably want to remove the NO-USER-MODIFICATION flag too, if you want to be able to modify them with user accounts.

Hope this helps.

Regards,
Jonathan
Re: Attribute type is operational
Jonathan Clarke wrote:
> On Mon, 12 Jul 2010 08:10:56 +, Stuart Cherrington stuart_cherring...@hotmail.co.uk wrote:
> > Hi,
> >
> > I'm running OpenLDAP 2.4 on RHEL5. I've got the basics working, user accounts etc., but have tried adding some new schemas which I'm getting problems with.
> >
> > I followed a VERY helpful blog at http://oracle-cookies.blogspot.com/2007/01/get-tnsnamesora-from-openldap.html which allowed me to install some Oracle OID schemas so we can move away from Oracle OID. This blog is a little out of date and I have some attributetypes which I need to add in to the schema. I've added the following 2 lines:
> >
> > attributetypes ( 2.16.840.1.113894.1.1.37 NAME 'orclGuid' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )
> > attributetypes ( 2.16.840.1.113894.1.1.1000 NAME 'orclnormdn' EQUALITY distinguishedNameMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )
> >
> > I took these from the current 10.2.0 OID installation so wasn't 100% sure they were correct, but they are similar in construct to the others found on the blog.
> >
> > When I restart ldap2.4 I get the error:
> >
> > service ldap2.4 restart
> > Checking config file /etc/openldap2.4/slapd.conf: [FAILED]
> > /etc/openldap2.4/schema/oidbase.schema: line 27 attributetypes: 2.16.840.1.113894.1.1.37 is operational
> > slaptest2.4: bad configuration file!
>
> This error message is complaining that the attributetype declared is an operational attribute (USAGE directoryOperation). Reading through the code, I see the following comment: "operational attributes should be defined internally". I therefore presume that you cannot define operational attributes by way of schema files.

Correct. Operational attributes are, by definition, used internally by a directory server. They have no meaning unless you provide code that implements them.

> These attributes won't be operational anyway, in the sense that they will not be automatically managed by the OpenLDAP server, since it knows nothing about them.
>
> If you just need them for compatibility with OID, I suggest you change the declaration to make them non-operational. You'll probably want to remove the NO-USER-MODIFICATION flag too, if you want to be able to modify them with user accounts.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
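A schema pre-check for the problem discussed in this thread, added here as an example (it is not code from the list, from Oracle or from OpenLDAP): it flags every attributetype whose USAGE makes it operational, which slaptest rejects when the definition comes from a schema file, and prints the non-operational rewrite Jonathan suggested (USAGE dropped, NO-USER-MODIFICATION dropped). The two posted definitions are embedded as constructed sample input; the regexes cover only the keywords those lines use.

```python
import re

# Constructed copies of the two definitions posted in the thread.
POSTED_SCHEMA = """\
attributetypes ( 2.16.840.1.113894.1.1.37 NAME 'orclGuid' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )
attributetypes ( 2.16.840.1.113894.1.1.1000 NAME 'orclnormdn' EQUALITY distinguishedNameMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )
"""

# RFC 4512 USAGE keywords; everything other than userApplications is operational,
# and slapd only defines operational attributes internally (see the thread).
OPERATIONAL_USAGES = {"directoryOperation", "distributedOperation", "dSAOperation"}


def parse_attributetype(line):
    """Extract the fields this check needs from one attributetype(s) directive."""
    m = re.match(r"\s*attributetypes?\s*\(\s*([\d.]+)\s+(.*)\)\s*$", line, re.I)
    if not m:
        raise ValueError(f"not an attributetype directive: {line!r}")
    oid, body = m.groups()
    name = re.search(r"\bNAME\s+'([^']+)'", body)
    usage = re.search(r"\bUSAGE\s+(\w+)", body)
    return {
        "oid": oid,
        "name": name.group(1) if name else None,
        # RFC 4512: a missing USAGE means userApplications.
        "usage": usage.group(1) if usage else "userApplications",
        "no_user_mod": bool(re.search(r"\bNO-USER-MODIFICATION\b", body)),
    }


def is_operational(defn):
    return defn["usage"] in OPERATIONAL_USAGES


def make_user_attribute(line):
    """Rewrite as suggested in the thread: drop USAGE (so it defaults to
    userApplications) and NO-USER-MODIFICATION (so entries stay editable)."""
    line = re.sub(r"\s+NO-USER-MODIFICATION\b", "", line)
    line = re.sub(r"\s+USAGE\s+\w+", "", line)
    return line


def check_schema(text):
    """Return (oid, name, rewritten_line) for each definition slaptest would
    reject with '... is operational'. Blank lines and comments are skipped."""
    problems = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        defn = parse_attributetype(line)
        if is_operational(defn):
            problems.append((defn["oid"], defn["name"], make_user_attribute(line)))
    return problems


if __name__ == "__main__":
    for oid, name, fixed in check_schema(POSTED_SCHEMA):
        print(f"{oid} ({name}) is operational; replacement:\n  {fixed}")
```

Run slaptest against the edited schema afterwards; this script only catches the one error the thread is about.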
Re: How to best handle DN+String and DN+Binary in OL?
On Mon, 2010-07-12 at 11:28 +0200, Hallvard B Furuseth wrote:
> Andrew Bartlett writes:
> > Looking over the definition of NameAndOptionalUID, shoehorn would certainly be the correct expression...
>
> Worse, check its usual matching rule uniqueMemberMatch: Noncommutative in X.520, pre-RFC 4517 LDAP, and optionally in RFC 4517 implementations. Then filter (uniqueMember=cn=foo) matches cn=foo#<any bitstring> as well as cn=foo, but not vice versa: (uniqueMember=cn=foo#'10'B) does not match cn=foo. Unless I got that backwards, I don't remember.

That's exactly the same semantics as DN+binary and DN+string, so it would work for me.

> So yeah, I'd say you need a new syntax or at least a new matching rule. Or revitalization of the Component Matching stuff, but I'm not volunteering... :-)

I don't think I'll need that, fortunately.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
Re: Recommended way to modify cn=schema entries?
On 07/ 6/10 02:12 PM, Ian Collins wrote:
> I would like to re-order two schema entries to resolve a dependency issue (our local schema, included before dyngroup.schema, now references memberURL). However, deleting a schema entry with ldapmodify does not appear to be supported:
>
> dn: cn={8}dyngroup,cn=schema,cn=config
> changetype: delete
>
> deleting entry cn={8}dyngroup,cn=schema,cn=config
> ldap_delete: Server is unwilling to perform (53)
>
> Any suggestions?

To answer my own question, stopping slapd, editing the ldif and restarting appears to be the only way to do this.

--
Ian.
Able to delete olcDbIndex config attribute, but not add it.
Hello,

While attempting to add an extra index to an existing config, I was able to (accidentally!) delete the attribute, but not add it back:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
delete: olcDbIndex

modifying entry olcDatabase={1}hdb,cn=config

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: objectClass eq
-

ldapmodify: wrong attributeType at line 8, entry olcDatabase={1}hdb,cn=config

Is this a bug, or have I done something stupid?

--
Ian.
Problem with ADS authentication - any alternatives?
Hi,

Sorry if this is slightly off topic, but I'm hoping this may be possible with OpenLDAP.

After a customer of ours migrated from using a local OpenLDAP server to using a central ADS, I've run into sort of a problem. One of the apps that had been using LDAP to get certain information for a user now has a problem, as the formerly used bind with the user ID (which was present in multiple fields, like uid, cn etc.) now fails. The customer ADS now has the user name (in the format "First Last") in the cn field, and as the complete dn in the dn field (with ou=...).

Now, while stuff like Cyrus works fine by looking up the correct DN for a specified uid first and then using that DN for binding to the database, this app still just hands over the input to ADS. Of course, bind fails, as the supplied user ID doesn't match either DN or CN.

Of course one could just change the user name input to the full CN contents, but as this is a customer with 600+ PCs, many of which have the old authentication information stored locally (with the user not necessarily being able to alter the information), this solution is only sub-optimal.

Altering the CN field to contain the same info as the uid field is another option, which was rejected as it is uncertain to what extent this might cause some problems later on (in case M$ decides to do anything nasty with the cn field).

I was thinking about creating some sort of proxy in between that allows authentication with the uid contents, but this won't work as I'd need the password from the ADS entries, which I can't get.

So I'm wondering - is there some kind of proxy that would allow me to do something like this:

- App connects to LDAP Proxy with uid and password, sending some query
- Proxy queries ADS for the DN of the uid received
- Proxy binds to ADS with the DN and the supplied user PW, sends the query and returns the information to the client

And while I'm at it - if the proxy were able to use two backend ADS, this would be a definite plus ... ;)

Thanks for any feedback!

-garry
Re: Cannot authenticate with user/password
On Mon, 12 Jul 2010 14:13:27 +0100, Nicholas Syrotiuk syrot...@manchester.ac.uk wrote:
> Dear OpenLDAP users,
>
> We have downloaded OpenLDAP 2.4.22 from Sunfreeware.com and installed it. We have successfully imported the LDAP data from another server. We are using the *simple* authentication method. I can authenticate as rootdn but not as a user. Is there something wrong with my access control list:
>
> ---
> access to *
>     by self write
>     by users read
>     by anonymous none
> ---
>
> I have tried running slapd with debugging switched on but could not diagnose the problem. Any ideas on how to troubleshoot this?

Troubleshooting ACLs is made much easier by using "loglevel acl" in slapd.conf or "-d acl" on the command line.

In this case, you need to allow anonymous users "auth" privileges so that they can authenticate. See http://www.openldap.org/doc/admin24/access-control.html#The%20access%20to%20grant for details.

Regards,
Jonathan
Re: Cannot authenticate with user/password
On 07/12/2010 03:13 PM, Nicholas Syrotiuk wrote:
> Dear OpenLDAP users,
>
> We have downloaded OpenLDAP 2.4.22 from Sunfreeware.com and installed it. We have successfully imported the LDAP data from another server. We are using the *simple* authentication method. I can authenticate as rootdn but not as a user. Is there something wrong with my access control list:
>
> ---
> access to *
>     by self write
>     by users read
>     by anonymous none
> ---
>
> I have tried running slapd with debugging switched on but could not diagnose the problem. Any ideas on how to troubleshoot this?
>
> Cheers,
> Nick

Shouldn't it be:

    by anonymous auth

?

Zdenek

--
Zdenek Styblik
Net/Linux admin
OS TurnovFree.net
email: sty...@turnovfree.net
jabber: sty...@jabber.turnovfree.net
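Why the posted ACL blocks a simple bind while the "by anonymous auth" version allows it, as an added example written for this thread (not code from the list or from OpenLDAP): a small model of slapd's first-match "by" evaluation over the access levels listed in slapd.access(5). It covers only the clause forms the thread's ACL uses (target *, who = *, anonymous, users or self); the user DN and the two ACL strings are constructed sample input.

```python
import re

# OpenLDAP access levels, weakest to strongest (slapd.access(5)); granting a
# level implicitly grants every level to its left.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Constructed copies of the ACL as posted and as corrected in the thread.
ACL_ORIGINAL = "access to * by self write by users read by anonymous none"
ACL_FIXED = "access to * by self write by users read by anonymous auth"


def parse_acl(text):
    """Parse one 'access to <what> by <who> <level> ...' directive into
    [(who, level), ...]. Only the subset used in the thread is modelled:
    the target must be '*' and <who> must be *, anonymous, users or self."""
    m = re.match(r"\s*access\s+to\s+(\S+)\s+(.*)$", text)
    if not m or m.group(1) != "*":
        raise ValueError("only 'access to *' is modelled here")
    clauses = re.findall(r"by\s+(\*|anonymous|users|self)\s+(\w+)", m.group(2))
    for _who, level in clauses:
        if level not in LEVELS:
            raise ValueError(f"unknown access level {level!r}")
    return clauses


def who_matches(who, requester_dn, target_dn):
    """requester_dn is None for an anonymous (unauthenticated) session."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and requester_dn.lower() == target_dn.lower()
    raise ValueError(who)


def granted(acl, requester_dn, target_dn, needed):
    """The first matching 'by' clause decides, as in slapd; no match means none."""
    for who, level in acl:
        if who_matches(who, requester_dn, target_dn):
            return LEVELS.index(level) >= LEVELS.index(needed)
    return False


def simple_bind_allowed(acl, bind_dn):
    """A simple bind is checked before the session is authenticated, so the
    requester is still anonymous and needs 'auth' access to the entry's
    userPassword. 'self' cannot match yet, whatever DN is being bound."""
    return granted(acl, None, bind_dn, "auth")


def password_readable(acl, requester_dn, target_dn):
    """'auth' only lets slapd compare a supplied password against the stored
    value; reading the stored value back needs 'read'."""
    return granted(acl, requester_dn, target_dn, "read")


if __name__ == "__main__":
    user = "uid=nick,dc=example,dc=com"  # constructed DN
    for label, text in (("original", ACL_ORIGINAL), ("fixed", ACL_FIXED)):
        acl = parse_acl(text)
        print(f"{label}: bind as {user} -> {simple_bind_allowed(acl, user)}; "
              f"anonymous may read userPassword -> {password_readable(acl, None, user)}")
```

On a live server the same question is answered authoritatively against the real configuration by slapacl(8), and the "loglevel acl" setting Jonathan mentions shows the clause that fired.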
Re: Cannot authenticate with user/password
Thanks guys!

Now when I start slapd, I do not understand the output:

---
@(#) $OpenLDAP: slapd 2.4.22 (Jun 9 2010 08:15:30) $
        st...@v480:/bigdisk/SOURCES/S10/openldap-2.4.22/servers/slapd
Backend ACL: access to *
        by self write
        by users read
        by anonymous auth

Backend ACL: access to *
        by * none

config_back_db_open: line 0: warning: cannot assess the validity of the ACL scope within backend naming context
bdb_db_open: warning - no DB_CONFIG file found in directory /shibidp/LDAP/var/data: (2).
Expect poor performance for suffix dc=ldap,dc=mimas,dc=ac,dc=uk.
bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
slapd starting
---

Jonathan Clarke wrote:
> On Mon, 12 Jul 2010 14:13:27 +0100, Nicholas Syrotiuk syrot...@manchester.ac.uk wrote:
> > Dear OpenLDAP users,
> >
> > We have downloaded OpenLDAP 2.4.22 from Sunfreeware.com and installed it. We have successfully imported the LDAP data from another server. We are using the *simple* authentication method. I can authenticate as rootdn but not as a user. Is there something wrong with my access control list:
> >
> > ---
> > access to *
> >     by self write
> >     by users read
> >     by anonymous none
> > ---
> >
> > I have tried running slapd with debugging switched on but could not diagnose the problem. Any ideas on how to troubleshoot this?
>
> Troubleshooting ACLs is made much easier by using "loglevel acl" in slapd.conf or "-d acl" on the command line.
>
> In this case, you need to allow anonymous users "auth" privileges so that they can authenticate. See http://www.openldap.org/doc/admin24/access-control.html#The%20access%20to%20grant for details.
>
> Regards,
> Jonathan

--
N Syrotiuk | Mimas | University of Manchester | Manchester M13 9PL
bdb/hdb cachesize calculation
Attached to this message you'll find a quick and dirty bash script that should determine the cachesize for an in-production bdb/hdb backend by taking dn2id and id2entry as well as all existing indexes into account. Internally the script calls the db_stat tool in combination with the formulas found in the 2.4 admin guide under:

http://www.openldap.org/doc/admin24/tuning.html#Caching

Based on our local production database files (run by slapd 2.4.21, bdb 4.5) which contain round about 460.000 (small) entries...

# du -h dn2id.bdb id2entry.bdb
48M     dn2id.bdb
755M    id2entry.bdb

# du -h *.bdb | grep -v dn2id | grep -v id2entry
12M     cn.bdb
20M     entryCSN.bdb
14M     entryUUID.bdb
1.1M    loginDisabled.bdb
8.6M    mail.bdb
5.4M    objectClass.bdb

...the attached script produces the following results:

DB Cachesize Results (dn2id.bdb and id2entry.bdb):
  Overall DB Cachesize: 1871872 bytes

Index Cachesize Results:
  Overall Index Cachesize: 245760 bytes (50% Index HitRatio)
  Overall Index Cachesize: 491520 bytes

Resulting Overall Cachesize (DB and Indexes):
  Overall Cache Size: 2117632 bytes (50% Index HitRatio)
  Overall Cache Size: 2363392 bytes

Including +15% bytes for growth:
  Overall Cache Size: 2435276.80 bytes (50% Index HitRatio)
  Overall Cache Size: 2717900.80 bytes

Do the above results (2.4 - 2.7 MBytes?!) sound reasonable in comparison to the above bdb file sizes? As I'm currently unsure whether the result is correct or not, I would appreciate your feedback, for example whether the script's result makes sense within your environment or not.

Thanks a lot!

Attachment: db_config_calculator.sh (Description: Bourne shell script)
Re: Recommended way to modify cn=schema entries?
--On Monday, July 12, 2010 11:43 PM +1200 Ian Collins i...@ianshome.com wrote:
> On 07/ 6/10 02:12 PM, Ian Collins wrote:
> > I would like to re-order two schema entries to resolve a dependency issue (our local schema, included before dyngroup.schema, now references memberURL). However, deleting a schema entry with ldapmodify does not appear to be supported:
> >
> > dn: cn={8}dyngroup,cn=schema,cn=config
> > changetype: delete
> >
> > deleting entry cn={8}dyngroup,cn=schema,cn=config
> > ldap_delete: Server is unwilling to perform (53)
> >
> > Any suggestions?
>
> To answer my own question, stopping slapd, editing the ldif and restarting appears to be the only way to do this.

Delete is not implemented for cn=config until OpenLDAP 2.5.

--Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration
Re: bdb/hdb cachesize calculation
--On Monday, July 12, 2010 5:01 PM +0200 openldap...@stresst.net wrote:
> Attached to this message you'll find a quick and dirty bash script that should determine the cachesize for an in-production bdb/hdb backend by taking dn2id and id2entry as well as all existing indexes into account. Internally the script calls the db_stat tool in combination with the formulas found in the 2.4 admin guide under:
>
> http://www.openldap.org/doc/admin24/tuning.html#Caching

Are you trying to determine the size of the cache in use, or what the size of the cache should be? If it is the latter, you just use the "du -c -h" output of *.bdb. If it is the former, it sounds like your script isn't calculating the right data.

--Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration
Re: slapd goes down
--On Monday, July 12, 2010 10:10 PM +0300 Khalid Maslak mas...@ihlas.net.tr wrote:
> I installed openldap2, postfix, on freebsd7.3

Openldap2 what? There is openldap 2.0.x, 2.1.x, 2.2.x, 2.3.x, and 2.4.x. Nothing here in your email gives any useful information that would allow us to provide you any type of help.

--Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration
Re: Adding replicant with ppolicy after the fact
I was able to get the correct password ages on a new test server by copying the contents of /var/lib/ldap/ (RHEL5) from a production machine, while the database was halted, to the test machine and then running

    slapd_db_recover -v -h /var/lib/ldap

BEFORE starting the database. I found that the database was unrecoverable if I started slapd between copying the files and running slapd_db_recover.

Are these the recommended actions to meet my needs?
Re: Cannot authenticate with user/password
Nicholas,

This has been covered before. Google: DB_CONFIG "Expect poor performance"

It's just Berkeley DB complaining that there's no DB_CONFIG file... Harmless.

- chris

Chris Jacobs, Systems Administrator
Apollo Group | Apollo Marketing | Aptimus
2001 6th Ave Ste 3200 | Seattle, WA 98121
phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661
email: chris.jac...@apollogrp.edu

----- Original Message -----
From: openldap-technical-boun...@openldap.org openldap-technical-boun...@openldap.org
To: Jonathan Clarke jonat...@phillipoux.net
Cc: sty...@turnovfree.net sty...@turnovfree.net; rahul.mancha...@bt.com rahul.mancha...@bt.com; openldap-technical@openldap.org openldap-technical@openldap.org
Sent: Mon Jul 12 07:30:36 2010
Subject: Re: Cannot authenticate with user/password

Thanks guys!

Now when I start slapd, I do not understand the output:

---
@(#) $OpenLDAP: slapd 2.4.22 (Jun 9 2010 08:15:30) $
        st...@v480:/bigdisk/SOURCES/S10/openldap-2.4.22/servers/slapd
Backend ACL: access to *
        by self write
        by users read
        by anonymous auth

Backend ACL: access to *
        by * none

config_back_db_open: line 0: warning: cannot assess the validity of the ACL scope within backend naming context
bdb_db_open: warning - no DB_CONFIG file found in directory /shibidp/LDAP/var/data: (2).
Expect poor performance for suffix dc=ldap,dc=mimas,dc=ac,dc=uk.
bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
slapd starting
---

Jonathan Clarke wrote:
> On Mon, 12 Jul 2010 14:13:27 +0100, Nicholas Syrotiuk syrot...@manchester.ac.uk wrote:
> > Dear OpenLDAP users,
> >
> > We have downloaded OpenLDAP 2.4.22 from Sunfreeware.com and installed it. We have successfully imported the LDAP data from another server. We are using the *simple* authentication method. I can authenticate as rootdn but not as a user. Is there something wrong with my access control list:
> >
> > ---
> > access to *
> >     by self write
> >     by users read
> >     by anonymous none
> > ---
> >
> > I have tried running slapd with debugging switched on but could not diagnose the problem. Any ideas on how to troubleshoot this?
>
> Troubleshooting ACLs is made much easier by using "loglevel acl" in slapd.conf or "-d acl" on the command line.
>
> In this case, you need to allow anonymous users "auth" privileges so that they can authenticate. See http://www.openldap.org/doc/admin24/access-control.html#The%20access%20to%20grant for details.
>
> Regards,
> Jonathan

--
N Syrotiuk | Mimas | University of Manchester | Manchester M13 9PL
Another question about LDAP over SSL
Hi everyone. I have another "duh" question.

I am writing software for a proprietary piece of hardware. I will be using the C libraries for OpenLDAP. I need to write some functions for LDAP so that the UI of the software has the option to authenticate a user via LDAP and LDAP over SSL. Basically it will just act like a client that will Simple Bind to the LDAP server for authentication.

I read the document here: http://www.openldap.org/faq/data/cache/185.html

I followed the instructions on the website to generate the SSL certs. My question is, on the website above it says:

"You must also install a copy of the CA certificate on all of your client machines. Configuration is done in /usr/local/etc/openldap/ldap.conf:"

Does this mean I need to provide a way for the customer to manually transfer his/her CA cert to the proprietary hardware, if they want to use LDAP over SSL??? Or when I use the Start TLS function, do the certs automatically get transferred behind the scenes?

thanks
Re: Another question about LDAP over SSL
Bryan,

Please reply-to-all. :)

Moving on: I'm NOT a dev (I'm a sysadmin), but my take is:

1) Use OpenSSL libraries to see if the cert is 'trusted' by the local OS (signed by a trusted CA - whether by an internal CA or an external CA). If a non-Linux based client, then you'll need to explore other options (Windows has its own mechanism, for example).

2) If not, and the user responds with 'trust this cert', then you'll need to add the cert to whatever your app uses (whether a cert file it manages, or the local OS - it's up to how you write it).

My take: if it's not already trusted by the local cert library (managed per OS install), then use a single file managed by your app. Or add it to the list of locally trusted CAs, but I don't think that's a great idea. Perhaps it's not trusted by design? Perhaps your app won't have permission? That can turn into a support nightmare...

As for OpenSUSE, perhaps its ldap.conf doesn't specify to require a trusted cert... I don't know - never used it.

I do not believe there is an OpenLDAP library/API/etc. to handle untrusted certs and make them trusted.

I recommend you play around with getting an OS to trust a CA you create to see how this works. Then see what it takes to get that OS to use the OpenLDAP server for auth. You'll learn quite a bit... Of course, the source code may be more enlightening - but I'm not a dev. Bash or PERL is more my style :p.

Warning: there are two ldap.conf files in most Linux distros:

/etc/ldap.conf : used by PAM
/etc/openldap/ldap.conf : used by OpenLDAP tools. Primarily on OpenLDAP servers (whether masters or slaves - now referred to as providers and consumers).

- chris

Chris Jacobs, Systems Administrator
Apollo Group | Apollo Marketing | Aptimus
2001 6th Ave Ste 3200 | Seattle, WA 98121
phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661
email: chris.jac...@apollogrp.edu

From: Bryan Boone v_1bb...@yahoo.com
To: Chris Jacobs
Sent: Mon Jul 12 20:23:18 2010
Subject: Re: Another question about LDAP over SSL

Hi Chris, thanks for the reply.

Here is my problem. I have two LDAP browsers that I am testing on a PC. One is called JXplorer and the other is called LDAPEditor. You probably heard of JXplorer, but LDAPEditor is old and probably out of support. Anyway, with JXplorer you have to manually transfer the SSL cert and load it into the program before you can connect to LDAP over SSL. When I use LDAPEditor to connect to my OpenLDAP server via SSL, the program prompts me to accept the server cert. I do not have to manually upload the cert into the program.

So my question is... How do I accomplish this in the client I am writing? How can I use the OpenLDAP library to prompt a customer and ask them if they want to accept the server cert or not? Does this make sense?

Also built into OpenSUSE is an LDAP browser. It gives the option to connect to LDAP over SSL as well. On this one you do not have to manually load the cert beforehand.

thanks

From: Chris Jacobs chris.jac...@apollogrp.edu
To: v_1bb...@yahoo.com v_1bb...@yahoo.com; openldap-technical@openldap.org openldap-technical@openldap.org
Sent: Mon, July 12, 2010 7:26:54 PM
Subject: Re: Another question about LDAP over SSL

This really is a basic 'cert' issue. There's a ton of non-OpenLDAP coverage of this topic (self-signed and CA-purchased certs).

In a nutshell, you'll need to provide a way for your customers to use a cert of their choosing, and let them sort out how to get their clients to trust the signer of that cert.

- chris

Chris Jacobs, Systems Administrator
Apollo Group | Apollo Marketing | Aptimus
2001 6th Ave Ste 3200 | Seattle, WA 98121
phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661
email: chris.jac...@apollogrp.edu

From: openldap-technical-boun...@openldap.org openldap-technical-boun...@openldap.org
To: openldap-technical@openldap.org openldap-technical@openldap.org
Sent: Mon Jul 12 19:20:58 2010
Subject: Another question about LDAP over SSL

Hi everyone. I have another "duh" question.

I am writing software for a proprietary piece of hardware. I will be using the C libraries for OpenLDAP. I need to write some functions for LDAP so that the UI of the software has the option to authenticate a user via LDAP and LDAP over SSL. Basically it will just act like a client that will Simple Bind to the LDAP server for authentication.

I read the document here: http://www.openldap.org/faq/data/cache/185.html

I followed the instructions on the website to generate the SSL certs. My question is, on the website above it says:

"You must also install a copy of the CA certificate on all of your client machines. Configuration is done in /usr/local/etc/openldap/ldap.conf:"

Does this mean I need to provide a way for the customer to manually transfer his/her CA cert to the proprietary hardware, if they want