Bug#370337: Fwd: Re: Make /etc/default/slapd automatically configurable

2016-12-29 Thread Petter Reinholdtsen
[Ryan Tandy]
> It looks like it's possible using gnutls-cli >= 3.5.0.
>
> gnutls-cli -p 389 --x509cafile /etc/ldap/certs/ca.crt
> --starttls-proto=ldap --save-cert=ldap.example.org.crt
> ldap.example.org < /dev/null

Seems to work like a charm here:

% gnutls-cli -p 389 --x509cafile /etc/ldap/certs/ca.crt \
  --starttls-proto=ldap   --save-cert=ldap.example.org.crt \
  192.168.1.16 < /dev/null
Error setting the x509 trust file
Resolving '192.168.1.16:389'...
Connecting to '192.168.1.16:389'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject 
`EMAIL=postmaster@postoffice.intern,CN=tjener.intern,OU=Automatically-generated 
LDAP SSL key,O=LDAP server,L=Skolen,ST=NA,C=NO', issuer 
`EMAIL=postmaster@postoffice.intern,CN=tjener.intern,OU=Automatically-generated 
LDAP SSL key,O=LDAP server,L=Skolen,ST=NA,C=NO', serial 0x00cbe2455339cab094, 
RSA key 1024 bits, signed using RSA-SHA1, activated `2012-02-02 17:24:28 UTC', 
expires `2022-01-30 17:24:28 UTC', key-ID 
`sha256:9885ac708688fa6fe941371a32ecdec6891a428647932e72ae9b01bc0075420a'
Public Key ID:
sha1:995429e2f6e72af62e353d864e8c276249ad0c25

sha256:9885ac708688fa6fe941371a32ecdec6891a428647932e72ae9b01bc0075420a
Public key's random art:
+--[ RSA 1024]+
|  .. |
|  E . . ...  |
|   o o ...   |
|  . . +. o   |
|   + + +So   |
|* o O =  |
|   . . * = . |
|  + . .  |
| . =+.   |
+-+

- Status: The certificate is NOT trusted. The certificate issuer is unknown. 
The name in the certificate does not match the expected. 
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** handshake has failed: Error in the certificate.
% diff -ur ~/ldap.example.org.crt /etc/ldap/ssl/ldap-server-pubkey.pem 
%

I guess this means we can change /etc/init.d/fetch-ldap-cert and stop
editing /etc/default/slapd.

-- 
Happy hacking
Petter Reinholdtsen



Bug#370337: Fwd: Re: Make /etc/default/slapd automatically configurable

2016-12-28 Thread Ryan Tandy

On Tue, Aug 10, 2010 at 12:05:33AM +0200, Petter Reinholdtsen wrote:
> [Andreas B. Mundt]
> > We currently add the deprecated ldaps:/// protocol here:
> >
> > SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"
> >
> > It would be nice if we would not need ldaps and could only use
> > TLS. This has to be checked.
>
> I've checked, and we still need ldaps to be able to download the SSL
> certificate from the LDAP server to the clients during the first boot.
> If someone can come up with a way to extract it using TLS, I am all
> for dropping ldaps.

It looks like it's possible using gnutls-cli >= 3.5.0.

gnutls-cli -p 389 --x509cafile /etc/ldap/certs/ca.crt --starttls-proto=ldap \
  --save-cert=ldap.example.org.crt ldap.example.org < /dev/null
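What gnutls-cli --starttls-proto=ldap does on the wire, as an added example that is not part of this thread, of gnutls, or of Debian Edu's fetch-ldap-cert script: the client sends an LDAP ExtendedRequest carrying the StartTLS OID 1.3.6.1.4.1.1466.20037 on port 389, checks the ExtendedResponse for resultCode success, and only then starts the TLS handshake on the same socket (RFC 4511 section 4.14). The script below does this with the Python standard library only and, like --save-cert, hands back the server certificate without verifying it; the 2016-12-29 transcript above shows the save succeeding while PKI verification fails, so this is a trust-on-first-use step and the result is something to pin, not something already trusted. The host, port and output path are my assumptions (command-line arguments here). The sha256 over the DER SubjectPublicKeyInfo is the RFC 7469 public-key pin form; I assume gnutls-cli's printed key-ID is the same digest but have not cross-checked that here.

```python
"""LDAP StartTLS certificate fetch (standard library only), modelled on
gnutls-cli --starttls-proto=ldap --save-cert.  Example code, not from the
bug thread or from any Debian package."""
import hashlib
import socket
import ssl
import sys

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 section 4.14


# --- minimal BER helpers, just enough for LDAPMessage and X.509 walking ------

def ber_len(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body


def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported BER length form")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


# --- the StartTLS extended operation ----------------------------------------

def starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, [APPLICATION 23] ExtendedRequest { [0] OID } }"""
    assert 0 < msg_id < 0x80, "single-byte INTEGER is enough for this example"
    ext = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))         # 0x60|23, [0] primitive
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msg_id])) + ext)


def parse_starttls_response(data: bytes, expected_id: int = 1):
    """Return (resultCode, diagnosticMessage) from an [APPLICATION 24] ExtendedResponse."""
    tag, msg, _ = parse_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = parse_tlv(msg)
    if tag != 0x02 or int.from_bytes(mid, "big") != expected_id:
        raise ValueError("unexpected messageID")
    tag, resp, _ = parse_tlv(msg, pos)
    if tag != 0x78:                                           # 0x60|24
        raise ValueError("not an ExtendedResponse (tag 0x%02x)" % tag)
    tag, code, pos = parse_tlv(resp)                          # resultCode ENUMERATED
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    _, _matched_dn, pos = parse_tlv(resp, pos)                # matchedDN
    _, diag, _ = parse_tlv(resp, pos)                         # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


# --- Certificate -> tbsCertificate -> subjectPublicKeyInfo ------------------

def spki_der(cert_der: bytes) -> bytes:
    """Extract the DER SubjectPublicKeyInfo from an X.509 certificate."""
    _, cert, _ = parse_tlv(cert_der)           # Certificate SEQUENCE
    _, tbs, _ = parse_tlv(cert)                # tbsCertificate SEQUENCE
    pos = 0
    tag, _, nxt = parse_tlv(tbs, pos)
    if tag == 0xA0:                             # optional [0] EXPLICIT version
        pos = nxt
    for _ in range(5):                          # serial, signature, issuer, validity, subject
        _, _, pos = parse_tlv(tbs, pos)
    _, _, end = parse_tlv(tbs, pos)
    return tbs[pos:end]


def key_id_sha256(cert_der: bytes) -> str:
    """RFC 7469-style public-key pin: sha256 over the DER SubjectPublicKeyInfo."""
    return "sha256:" + hashlib.sha256(spki_der(cert_der)).hexdigest()


def fetch_cert_via_starttls(host: str, port: int = 389, timeout: float = 10.0) -> bytes:
    """StartTLS on port 389, then return the server's DER certificate unverified
    (trust-on-first-use, which is what a first-boot fetch is)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(starttls_request(1))
        code, diag = parse_starttls_response(sock.recv(4096), 1)   # response is a few bytes
        if code != 0:
            raise RuntimeError("StartTLS refused: resultCode=%d %s" % (code, diag))
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE        # fetching the cert, not verifying it
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":                     # usage: script.py HOST [OUT.pem]
    der = fetch_cert_via_starttls(sys.argv[1])
    print(key_id_sha256(der))
    with open(sys.argv[2] if len(sys.argv) > 2 else "ldap-server.crt", "w") as f:
        f.write(ssl.DER_cert_to_PEM_cert(der))
```

The single recv() is fine for the StartTLS response, which is a dozen bytes, but a general LDAP client would read until the outer SEQUENCE length is satisfied. Compare the printed key ID against a value recorded out of band (or against the file the server side already pins, as the diff in the 2016-12-29 message does) before the saved certificate is installed as a trust anchor.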



Bug#370337: Fwd: Re: Make /etc/default/slapd automatically configurable

2010-08-09 Thread Petter Reinholdtsen
[Andreas B. Mundt]
> We currently add the deprecated ldaps:/// protocol here:
> 
> SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"
> 
> It would be nice if we would not need ldaps and could only use
> TLS. This has to be checked.

I've checked, and we still need ldaps to be able to download the SSL
certificate from the LDAP server to the clients during the first boot.
If someone can come up with a way to extract it using TLS, I am all
for dropping ldaps.

> We use: 
> SLAPD_OPTIONS="-4"
> here, which might be there for traditional reasons.

Not quite sure why we add that one.  It was added 2006-01-13 with this
changelog entry:

  [ Andreas Schuldei ]
  * making slapd use ipv4 only in cf.ldapserver (for uml testframework, where
    long timeouts occur when probing for ipv6 stuff)

No idea if it can be dropped or not.

Happy hacking,
-- 
Petter Reinholdtsen



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Bug#370337: Fwd: Re: Make /etc/default/slapd automatically configurable

2010-08-09 Thread Andreas B. Mundt
On Sun, Aug 08, 2010 at 05:59:15PM +0200, Luk Claes wrote:
> Hi
> 
> Can someone more involved with Debian Edu have a look at this, TIA?

[...]

> This bug is open for a long time now, what reasonable defaults are
> needed for debian-edu ?
> 
> I've attached the default file currently shipped with OpenLDAP.

[...]

Here are the modifications needed/done by debian-edu: 

> # Default location of the slapd.conf file. If empty, use the compiled-in
> # default (/etc/ldap/slapd.conf). If using the cn=config backend to store
> # configuration in LDIF, set this variable to the directory containing the
> # cn=config data.
> SLAPD_CONF=
> 
> # System account to run the slapd server under. If empty the server
> # will run as root.
> SLAPD_USER="openldap"
> 
> # System group to run the slapd server under. If empty the server will
> # run in the primary group of its user.
> SLAPD_GROUP="openldap"
> 
> # Path to the pid file of the slapd server. If not set the init.d script
> # will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf by
> # default)
> SLAPD_PIDFILE=
> 
> # slapd normally serves ldap only on all TCP-ports 389. slapd can also
> # service requests on TCP-port 636 (ldaps) and requests via unix
> # sockets.
> # Example usage:
> # SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
> SLAPD_SERVICES="ldap:/// ldapi:///"

We currently add the deprecated ldaps:/// protocol here:

SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"

It would be nice if we would not need ldaps and could only use
TLS. This has to be checked.

> # If SLAPD_NO_START is set, the init script will not start or restart
> # slapd (but stop will still work).  Uncomment this if you are
> # starting slapd via some other means or if you don't want slapd normally
> # started at boot.
> #SLAPD_NO_START=1
> 
> # If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
> # the init script will not start or restart slapd (but stop will still
> # work).  Use this for temporarily disabling startup of slapd (when doing
> # maintenance, for example, or through a configuration management system)
> # when you don't want to edit a configuration file.
> SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
> 
> # For Kerberos authentication (via SASL), slapd by default uses the system
> # keytab file (/etc/krb5.keytab).  To use a different keytab file,
> # uncomment this line and change the path.
> #export KRB5_KTNAME=/etc/krb5.keytab

We add: 
KRB5_KTNAME=/etc/krb5.keytab.ldap; export KRB5_KTNAME
here. We do not use the default keytab file because the user openldap
needs to have read permissions on that file.

> # Additional options to pass to slapd
> SLAPD_OPTIONS=""
> 
We use: 
SLAPD_OPTIONS="-4"
here, which might be there for traditional reasons.

I am currently not able to test the entries as I have no debian-edu
installation around for the time being.

Best regards,

 Andi


