(There were some little errors in my previous mail, corrected here) Sorry, I tried the solutions you posted, but OpenLDAP still doesn't work, from a restored snapshot in VirtualBox and completely reinstalled by pkg_add openldap-server (openldap-server-2.4.58-aci-gssapi).
Here is my whole slapd.conf (on which I ran slaptest -f slapd.conf -F slapd.d after having removed /etc/openldap/slapd.d/cn=config/olcDatabase={1}mdb.ldif and set the owner of /etc/openldap/slapd.d to _openldap:_openldap and permissions to 0750 on the folder):

# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
#       Allow self write access
#       Allow authenticated users read access
#       Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# MDB database definitions
#######################################################################

database        mdb
maxsize         1073741824
suffix          "dc=my_domain,dc=something,dc=someplace"
rootdn          "cn=Manager,dc=my_domain,dc=something,dc=someplace"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/openldap-data
# Indices to maintain
index   objectClass     eq
index   cn,sn,mail      eq,sub
index   uidNumber       eq
index   gidNumber       eq

TLSCertificateFile      /etc/openldap/certs/cert.pem
TLSCertificateKeyFile   /etc/openldap/certs/privkey.pem
TLSCACertificateFile    /etc/openldap/certs/fullchain.pem
TLSCipherSuite          TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE
TLSCRLCheck             none
TLSVerifyClient         never

If I set this parameter, slaptest on the file will fail:

TLSProtocolMin 0.0

And if I set these settings in /etc/rc.conf.local, rcctl slapd will fail to start:

slapd=YES
slapd_flags="-4 -u _openldap -g _openldap ldap:/// ldaps:/// ldapi:///"

ldap:/// ldaps:/// ldapi:/// pose a problem and prevent slapd from starting, even if I put only ldap:///, or ldap:/// and ldapi:///.

My current /etc/rc.conf.local is:

# cat /etc/rc.conf.local
pf=NO
pkg_scripts=apache2 slapd
slapd=YES
slapd_flags="-4 -u _openldap -g _openldap"

I still get this error with the -ZZ option in ldap commands:

ldap_start_tls: Protocol error (2)
        additional info: unsupported extended operation

Without the -ZZ option, everything works just fine.

OpenBSD 6.9 -release

________________________________
From: Stuart Henderson <s...@spacehopper.org>
Sent: Friday 25 June 2021 10:51
To: C. G. <idxtra...@hotmail.com>
Cc: bugs@openbsd.org <bugs@openbsd.org>
Subject: Re: Unable to make OpenLDAP work with TLS

On 2021/06/25 02:03, C. G. wrote:
> When I try to use the ldapsearch or ldapwhoami commands with the -ZZ option,
> I get this error :
>
> ldap_start_tls: Protocol error (2)
>         additional info: unsupported extended operation
>
> The same commands work fine without the TLS -ZZ option.

I've confirmed -ZZ does work with openldap from packages.

This looks like the LDAP server you're contacting is not configured for TLS yet (or at least for STARTTLS; it may work with "explicit TLS" using an ldaps:// URI).
The server will need to be set to listen to TLS connections - if the server is on OpenBSD then you probably want slapd_flags="-u _openldap -h ldap:///\ ldaps:///\ ldapi:///" in rc.conf.local. It also needs to be configured with certificates in slapd config. If this isn't enough of a clue I suggest trying openldap mailing lists if you need help configuring things.
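To narrow down where the failure discussed in this thread comes from, here is an added diagnostic script (example code written for this page; it was not posted in the thread and is not part of OpenLDAP or OpenBSD). It does two things the thread turns on. First, it reads a root DSE in LDIF, as returned by `ldapsearch -x -LLL -H ldap://HOST -s base -b '' supportedExtension`, and reports whether the StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037, RFC 4511) is advertised: a server that does not list it answers -ZZ with exactly the "unsupported extended operation" error quoted above, and the root DSE reflects the configuration the running slapd actually loaded (with neither -f nor -F given, slapd reads /etc/openldap/slapd.d in preference to slapd.conf, so a conversion that did not carry the TLS* directives across shows up here). Second, it takes a slapd_flags value as written in rc.conf.local, splits it the way the shell does when the rc.d script starts the daemon, and reports whether the listener URIs reach slapd as the argument of -h, which is why the URI list has to be a single word with escaped spaces, as in the line Stuart suggests. The two root DSEs are constructed samples, not captured output, and HOST is a placeholder.

```shell
#!/bin/sh
# Diagnostics for the STARTTLS failure discussed in the thread. Added example;
# not code from the original messages or from OpenLDAP/OpenBSD.

# OID of the StartTLS extended operation (RFC 4511). ldapsearch -ZZ sends it;
# a server that does not advertise it in its root DSE answers with
# "unsupported extended operation".
STARTTLS_OID='1.3.6.1.4.1.1466.20037'

# starttls_supported LDIF
#   LDIF is the server's root DSE, e.g. the output of
#     ldapsearch -x -LLL -H ldap://HOST -s base -b '' supportedExtension
#   Prints "yes" if the StartTLS OID is advertised, "no" otherwise. LDIF folds
#   long values onto continuation lines that begin with one space, so the
#   lines are unfolded before comparing.
starttls_supported() {
    printf '%s\n' "$1" | awk -v oid="$STARTTLS_OID" '
        function check() { if (buf == "supportedExtension: " oid) found = 1 }
        /^ /  { buf = buf substr($0, 2); next }   # continuation: append, drop the space
              { check(); buf = $0 }                # new attribute line: test the finished one
        END   { check(); print (found ? "yes" : "no") }'
}

# check_slapd_flags FLAGS
#   FLAGS is the value of slapd_flags exactly as written in /etc/rc.conf.local.
#   The rc.d framework hands that string to a shell when it starts slapd, so the
#   same word splitting is reproduced here with eval; that is why the URI list
#   given to -h must stay one word, written with escaped spaces:
#     slapd_flags="-u _openldap -h ldap:///\ ldaps:///\ ldapi:///"
#   Prints one of:
#     bare-uri  a listener URI is not the argument of -h (slapd rejects it and
#               does not start, which is what the report above describes)
#     no-h      no -h at all: slapd only opens its default ldap:/// listener,
#               so there is no ldaps:// at all
#     ok        every listener URI is carried by a -h option
check_slapd_flags() {
    eval "set -- $1"
    want_h=0 bare=0 uris=0
    for arg in "$@"; do
        if [ "$want_h" -eq 1 ]; then
            for u in $arg; do           # one -h argument may hold several URIs
                case $u in
                    ldap://*|ldaps://*|ldapi://*) uris=$((uris + 1)) ;;
                esac
            done
            want_h=0
        else
            case $arg in
                -h) want_h=1 ;;
                ldap://*|ldaps://*|ldapi://*) bare=$((bare + 1)) ;;
            esac
        fi
    done
    if [ "$bare" -gt 0 ]; then echo bare-uri
    elif [ "$uris" -eq 0 ]; then echo no-h
    else echo ok
    fi
}

# Constructed sample root DSEs (not captured from a real server). In the first
# one the StartTLS OID is deliberately folded over two lines to exercise the
# unfolding; the other two OIDs are Password Modify and Who Am I.
ROOT_DSE_WITH_STARTTLS='dn:
objectClass: top
objectClass: OpenLDAProotDSE
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.1466.2
 0037
supportedExtension: 1.3.6.1.4.1.4203.1.11.3'

ROOT_DSE_WITHOUT_STARTTLS='dn:
objectClass: top
objectClass: OpenLDAProotDSE
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3'

echo "server advertising StartTLS:      $(starttls_supported "$ROOT_DSE_WITH_STARTTLS")"
echo "server not advertising StartTLS:  $(starttls_supported "$ROOT_DSE_WITHOUT_STARTTLS")"
echo "flags as in the report:           $(check_slapd_flags '-4 -u _openldap -g _openldap ldap:/// ldaps:/// ldapi:///')"
echo "flags with -h but unescaped:      $(check_slapd_flags '-4 -u _openldap -g _openldap -h ldap:/// ldaps:/// ldapi:///')"
echo "current rc.conf.local flags:      $(check_slapd_flags '-4 -u _openldap -g _openldap')"
echo "flags as Stuart suggests:         $(check_slapd_flags '-u _openldap -h ldap:///\ ldaps:///\ ldapi:///')"
```

Against a live server, pipe the ldapsearch output into starttls_supported instead of the sample; if it prints "no", the running slapd has not loaded a TLS configuration and fixing the listener flags alone will not make -ZZ work. The unescaped `-h ldap:/// ldaps:/// ldapi:///` case is worth noting: the first URI is consumed by -h and the remaining two arrive as stray arguments, so the result is the same startup failure as having no -h at all in front of them.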