Hi,

I hope this may fill in what you are missing, or at least provide some other 
places to look. Or help someone else trying to figure this out. I have 
oi_151.1.7 connecting to OpenDJ 2.4.6 through SSL.

Since you had this working before, I presume you have your certificates in the 
right place. Getting these in the right place was the hardest part for me.
nate@mossflower:~$ ls -l /var/ldap
-rw-r--r-- 1 root root  65536 2012-09-01 23:24 cert8.db
-rw-r--r-- 1 root root 131072 2012-09-01 23:24 key3.db
-r-------- 1 root root    209 2013-01-27 18:14 ldap_client_cred
-r-------- 1 root root    354 2013-01-27 18:14 ldap_client_file
-rw-r--r-- 1 root root 131072 2012-09-01 23:19 secmod.db
nate@mossflower:/rpool/asgard$ certutil -L -d /var/ldap/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca-cert                                                      CT,, 
ldap-cert                                                    CT,, 

With those in place, I use the following to query the LDAP server:
nate@mossflower:~$ cat ldapask
#!/bin/bash

# Query the OpenDJ server over SSL (-Z) with the NSS cert db certutil listed
# above; any extra arguments (filter, attribute list) are passed through.
ldapsearch -h XXXXXX.dyndns-home.com -p 1636 -Z -P /var/ldap/cert8.db \
  -b dc=gateway,dc=2wire,dc=net \
  -D cn=XXXXXX,ou=people,dc=gateway,dc=2wire,dc=net \
  -w YYYYYY "$@"

I've found the -v option to be helpful with troubleshooting. Although I've 
found the ldapclient verbose logging to be more helpful. No Kerberos, so I 
can't relate to how that authentication works. I've had no luck with anonymous 
authentication; I have to have a bind account and password for the services.

And for adding a new node to use my LDAP:
nate@mossflower:~$ cat ldapinit 
ldapclient -v -a authenticationMethod=tls:simple -a credentialLevel=proxy \
-a proxyDN=cn=XXXXXX,ou=people,dc=gateway,dc=2wire,dc=net \
-a proxyPassword=YYYYYY -D cn=XXXXXX,ou=people,dc=gateway,dc=2wire,dc=net \
-w YYYYYY init XXXXXX.dyndns-home.com:1636

That command uses an LDAP entry for its profile:
dn: cn=default,ou=profile,dc=gateway,dc=2wire,dc=net
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: XXXXXX.dyndns-home.com:1636
defaultSearchBase: dc=gateway,dc=2wire,dc=net
cn: default
defaultSearchScope: sub
authenticationMethod: tls:simple
profileTTL: 600
credentialLevel: proxy 

Hope that helps, or helps point the way,
Nathan
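The pieces Nathan lists above (the NSS cert db and its trust flags, the 0400 credential files, the DUAConfigProfile entry) are the usual places a TLS client setup goes wrong, so here is an added pre-flight check script. It is not code from this thread or from illumos; the function names are mine, the /var/ldap paths and the ca-cert/ldap-cert nicknames are taken from Nathan's listing, and the SAMPLE_* inputs are constructed from the shapes of his listings with example.com names substituted. Each check reads captured text on stdin, so the logic can be tried without a directory server.

```shell
#!/bin/bash
# Added example (not from the thread or illumos): checks for the client-side
# prerequisites of an ldapclient tls:simple setup. Function names, sample
# inputs and the preflight wrapper are assumptions of this example.

# Print the trust-attribute column that `certutil -L` shows for one nickname.
# Usage: certutil -L -d /var/ldap | cert_trust_flags ca-cert
cert_trust_flags() {
  awk -v nick="$1" '$1 == nick && NF == 2 { print $2 }'
}

# Succeed only if the nickname carries the "C" flag in the SSL column (the
# first comma-separated field, e.g. "CT,,"). Without it the CA sits in the
# database but `ldapsearch -Z` cannot validate the server's chain.
has_ca_trust() {
  local flags ssl
  flags="$(cert_trust_flags "$1")"
  ssl="${flags%%,*}"
  case "$ssl" in
    *C*) return 0 ;;
    *)   return 1 ;;
  esac
}

# From `ls -l /var/ldap` output, print the ldapclient files that group or
# other can read. ldap_client_cred holds the proxy bind password given to
# `ldapclient init`, so anything other than -r-------- is a finding.
readable_client_files() {
  awk '$NF ~ /^ldap_client_(cred|file)$/ && substr($1, 5, 6) != "------" { print $NF }'
}

# Extract one attribute value from an LDIF entry read on stdin.
ldif_attr() {
  awk -v attr="$1" -F': ' '$1 == attr { print $2; exit }'
}

# Succeed if the DUAConfigProfile binds with tls:simple and every host in
# defaultServerList is on the LDAPS port used in this thread (1636). A
# profile saying "simple" over 1389 would send the proxy password in the
# clear on every cachemgr refresh.
profile_uses_tls() {
  local ldif method servers s
  ldif="$(cat)"
  method="$(printf '%s\n' "$ldif" | ldif_attr authenticationMethod)"
  servers="$(printf '%s\n' "$ldif" | ldif_attr defaultServerList)"
  [ "$method" = "tls:simple" ] || return 1
  [ -n "$servers" ] || return 1
  for s in $servers; do
    case "$s" in
      *:1636) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Run the checks on the live host; non-zero on the first problem so it can
# gate `ldapclient init` in a provisioning script.
preflight() {
  local bad
  certutil -L -d /var/ldap | has_ca_trust ca-cert \
    || { echo "ca-cert is not trusted for SSL (needs the C flag)" >&2; return 1; }
  bad="$(ls -l /var/ldap | readable_client_files)"
  [ -z "$bad" ] || { echo "credential files readable by others: $bad" >&2; return 1; }
  echo "client TLS prerequisites look fine"
}

# Constructed sample inputs, shaped like the listings in the message.
SAMPLE_CERTUTIL='Certificate Nickname                  Trust Attributes
                                      SSL,S/MIME,JAR/XPI

ca-cert                               CT,,
ldap-cert                             CT,,'

SAMPLE_LS='-rw-r--r-- 1 root root  65536 2012-09-01 23:24 cert8.db
-r-------- 1 root root    209 2013-01-27 18:14 ldap_client_cred
-rw-r--r-- 1 root root    354 2013-01-27 18:14 ldap_client_file'

SAMPLE_PROFILE='dn: cn=default,ou=profile,dc=example,dc=com
objectClass: DUAConfigProfile
defaultServerList: ldap.example.com:1636
defaultSearchBase: dc=example,dc=com
authenticationMethod: tls:simple
credentialLevel: proxy'

# Dry run on the constructed samples (the sample ldap_client_file is
# deliberately 0644 so the check has something to report).
printf '%s\n' "$SAMPLE_CERTUTIL" | has_ca_trust ca-cert && echo "sample: ca-cert trusted"
printf '%s\n' "$SAMPLE_LS" | readable_client_files | sed 's/^/sample: readable by others -> /'
printf '%s\n' "$SAMPLE_PROFILE" | profile_uses_tls && echo "sample: profile binds over TLS"
```

On a real host, call `preflight` before `ldapclient init`; the profile check is run against `ldapsearch ... -b cn=default,ou=profile,<base>` output piped into `profile_uses_tls`.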

Subject: Re: [discuss] LDAP_DEBUG
From: [email protected]
Date: Mon, 8 Sep 2014 22:23:31 +0200
CC: [email protected]
To: [email protected]

When ldap_cachemgr is connected to the LDAP server without TLS/SSL, I get 
something very similar. It does not explain why I can't connect with TLS/SSL, 
hence my wish to run in DEBUG mode... 
Any Illumos LDAP tools specialist out there ?

On 8 Sep 2014, at 15:10, Jonathan Adams <[email protected]> wrote:
have you run ldap_cachemgr -g ?

jadams@jadlaptop:~$ /usr/lib/ldap/ldap_cachemgr -g

cachemgr configuration:
server debug level          0
server log file    "/var/ldap/cachemgr.log"
number of calls to ldapcachemgr       1179

cachemgr cache data statistics:
Configuration refresh information: 
  Configured to NO REFRESH.
Server information: 
  Previous refresh time: 2014/09/08 13:19:03
  Next refresh time:     2014/09/08 14:44:23
  server: 127.0.0.1, status: UP
Cache data information: 
  Maximum cache entries:          256
  Number of cache entries:          0
On 8 September 2014 13:32, Vern Bingham <[email protected]> wrote:
Indeed, the Illumos ldapsearch command is definitely not the OpenLDAP homonym 
which, by the way, works in TLS/SSL with my OpenDJ server... 
I can also link in TLS/SSL to the OpenDJ server with Apache Directory Studio 
(which, I believe, is quite lenient with SSL).  (I have not tried with 
JXplorer...) 
My REAL problem is to make the ldap_cachemgr work with the OpenDJ server in 
TLS/SSL. I am only interested in ldapsearch to debug my problem...
V.

On 8 Sep 2014, at 14:10, Jonathan Adams <[email protected]> wrote:
okay, the "ldapsearch" command is not the OpenLDAP "ldapsearch command" 
(compare the help output and you'll see that they're different)

I use OpenLDAP for our server, so that works well (I couldn't stand the 
absolutely humongous LDAP servers that were available ... L is supposed to 
stand for Light-weight ...)

you could try compiling the OpenLDAP ldapsearch command and testing with that, 
however that wouldn't test the entire system integration ...

Can you link to the OpenDJ with JXplorer? does that allow you to view/work with 
the system?

Jon

On 8 September 2014 12:54, Vern Bingham <[email protected]> wrote:
I used to run an OpenDS server which I replaced with an OpenDJ server. Since 
then, connections from LDAP client utilities in SSL/TLS stopped working. 
Connections in the clear on port 1389 work just fine. Server-side logs are not 
informative. I wish to see what is (not?) happening from the client side. 

On 8 Sep 2014, at 13:41, Jonathan Adams <[email protected]> wrote:
I have the same issue, but I hadn't realised because I always run the debug 
from the server side.

What issues are you having? What do you need to find out?

Jon

On 8 September 2014 12:15, Vern Bingham via illumos-discuss 
<[email protected]> wrote:
In my distribution of Illumos, the LDAP utilities were not compiled with the 
LDAP_DEBUG option:

        $ ldapsearch -d 7 [...]
        compile with -DLDAP_DEBUG for debugging

In order to solve this problem, I downloaded the Illumos source and built it 
with -DLDAP_DEBUG in the LOCFLAGS in usr/src/lib/libsldap/Makefile.com.

As a consequence, it is now possible to use the -d argument for ldapsearch 
but... it makes no difference!

What have I missed?

Thanks.

-------------------------------------------

illumos-discuss

Archives: https://www.listbox.com/member/archive/182180/=now

RSS Feed: https://www.listbox.com/member/archive/rss/182180/23508059-3f15f76a

Modify Your Subscription: https://www.listbox.com/member/?&;

Powered by Listbox: http://www.listbox.com
