Hi,

Thanks for your help. I created my own OID in a .schema file that I include in slapd.conf and it works great!

attributetype ( 1.3.6.1.4.1.4203.2.3.159562 NAME 'sbzoneid' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )

with "159562" a number of my choice that is not already used by OpenLDAP.

Now I'm trying to get an ldaps connection with the backend LDAP server. I want my OpenLDAP proxy to check the backend certificate against the CA certificate that I put after TLSCACertificateFile. The issue is that the ldaps connection works every time without checking the backend server certificate. The configuration line with TLSCACertificateFile has no effect on the SSL connection! I saw that TLSVerifyClient enables forcing the certificate check of the client connecting to my OpenLDAP proxy, but I don't see how to force the OpenLDAP proxy to check the backend server certificate.

Then, I had 2 .cer CA certificates (a root and an intermediate) that I concatenated into 1 certificate. Does OpenLDAP support .cer? Or should I rename it to .pem?

my slapd.conf:

TLSCACertificateFile /usr/local/etc/openldap/CAcert.cer
#TLSVerifyClient never

database ldap
suffix ou=personnes,o=sg
uri ldaps://192.168.239.210:1636

thank you for your help

jerrrry

> Message of 30/11/06 at 17:52
> From: "Kurt D. Zeilenga"
> To: [EMAIL PROTECTED]
> Cc: [email protected]
> Subject: Re: openldap proxy: schema issue
>
> At 02:09 AM 11/30/2006, [EMAIL PROTECTED] wrote:
>
> >Hi everybody,
> >
> >I'm configuring slapd(8) 2.3.27 for use as a proxy to another LDAP server.
> >
> >Unfortunately this (non-OpenLDAP) LDAP directory uses non-standard
> >attributes stored in a .ldif file.
> >
> >I have to use one of these non-standard attributes in the slapd.conf file for
> >binddn:
> >
> >database ldap
> >
> >uri ldap://192.168.239.210:1389
> >
> >suffix ou=personnes,o=sg
> >
> >binddn "sbzoneid=appli_test,ou=exploit,ou=personnes,o=sb"
> >
> >bindpw secret
> >
> >
> >maybe I have to convert this file into the OpenLDAP .schema format and include
> >it in slapd.conf.
>
> If the LDIF contains RFC 4512 conformant schema descriptions,
> that conversion is straightforward. However, it seems that
> descriptions provided in the LDIF do not conform to RFC 4512.
>
> >A big issue seems to be that this ldif file doesn't use numericOIDs but
> >string OIDs like:
> >
> >attributetype ( sbzoneid-oid NAME 'sbzoneid' SYNTAX 1.3.6.1.4.1.1466.115.12
>
> slapd(8) requires either an OID, or a valid OID macro (which
> will expand to the OID before the description is published in
> the schema)... because LDAP does (see RFC 4512).
>
> >so when running "slapd -d 1" I get the error: OID could not be expanded:
> >"sbzoneid-oid"
>
> As "sbzoneid-oid" isn't a numericoid, it assumed it was an
> OID macro. But there is no such OID macro, hence the error.
>
> >or maybe a more liberal parsing could be helpful?
>
> The input is parsed just fine. The problem is semantics.
> The field requires an OID. "sbzoneid-oid" is neither an OID,
> nor something that represents an OID. Without an OID, slapd(8)
> wouldn't be able to publish valid schema descriptions for
> the schema element.
>
> >Do you have any idea to solve this problem?
>
> Locate the proper OIDs for these schema elements and use them.
> Or, assign your own OIDs (from your own name space).
>
> Kurt
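The OID rule Kurt describes (the field must be a numericoid or a defined OID macro, otherwise slapd reports "OID could not be expanded"), as an added example that is not code from this thread or from OpenLDAP: a small Python validator that applies that rule to a .schema file before slapd is restarted. The macro names sgRoot and sgAttr and the sample schema are constructed; it implements only the slapd.conf continuation rule and the objectIdentifier macro forms (name or name:suffix), not the full RFC 4512 grammar.

```python
import re
NUMERICOID = re.compile(r"^\d+(?:\.\d+)*$")  # RFC 4512 numericoid
MACRO_REF = re.compile(r"^([A-Za-z][\w-]*)(?::(\d+(?:\.\d+)*))?$")  # macro or macro:suffix
ELEMENT = re.compile(r"^(?:attributetype|objectclass)\s*\(\s*(\S+)\s+NAME\s+'([^']+)'", re.I)

def expand_oid(token, macros):
    """Numeric OID for an OID field, or None where slapd reports 'OID could not be expanded'."""
    if NUMERICOID.match(token):
        return token
    m = MACRO_REF.match(token)
    if not m or m.group(1) not in macros:   # neither a numericoid nor a defined macro
        return None
    return macros[m.group(1)] + ("" if m.group(2) is None else "." + m.group(2))

def logical_lines(text):
    """slapd.conf continuation rule: a line starting with whitespace joins the previous one."""
    buf = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and buf:
            buf[-1] += " " + raw.strip()
        elif raw.strip() and not raw.startswith("#"):
            buf.append(raw.rstrip())
    return buf

def check_schema(text):
    """Return ({element name: numeric OID}, [(name, token slapd cannot expand)])."""
    macros, expanded, failures = {}, {}, []
    for line in logical_lines(text):
        is_macro = line.lower().startswith("objectidentifier")
        if is_macro:
            _, name, token = line.split(None, 2)  # objectIdentifier <name> <oid|macro[:suffix]>
        elif ELEMENT.match(line):
            token, name = ELEMENT.match(line).groups()
        else:
            continue
        oid = expand_oid(token, macros)
        if oid is None:
            failures.append((name, token))
        else:
            (macros if is_macro else expanded)[name] = oid  # macros become usable on later lines
    return expanded, failures

SAMPLE = """\
# constructed sample schema: two macros, one valid reference, and the thread's bad token
objectIdentifier sgRoot 1.3.6.1.4.1.4203.2.3
objectIdentifier sgAttr sgRoot:159562
attributetype ( sgAttr:1 NAME 'sbzoneid'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributetype ( sbzoneid-oid NAME 'sbzonealias' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
"""
```

Running check_schema(SAMPLE) expands 'sbzoneid' to 1.3.6.1.4.1.4203.2.3.159562.1 through the two macros and lists 'sbzonealias' with its token "sbzoneid-oid" as the one slapd would reject.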
