Re: openldap client cert validation

2016-08-06 Thread Matwey V. Kornilov
2016-08-06 20:03 GMT+03:00 Ryan Tandy : > On Sat, Aug 06, 2016 at 07:14:37PM +0300, Matwey V. Kornilov wrote: >> >> After inspecting source code I've just found that TLS_KEY and TLS_CERT >> are ignored if located in /etc/openldap/ldap.conf. >> Why is it not written in man

Re: openldap client cert validation

2016-08-06 Thread Ryan Tandy
On Sat, Aug 06, 2016 at 07:14:37PM +0300, Matwey V. Kornilov wrote: After inspecting source code I've just found that TLS_KEY and TLS_CERT are ignored if located in /etc/openldap/ldap.conf. Why is it not written in man ldap.conf(5) explicitly? It is. TLS_CERT Specifies

Re: openldap client cert validation

2016-08-06 Thread btb
> On Aug 06, 2016, at 12.14, Matwey V. Kornilov > wrote: > > After inspecting source code I've just found that TLS_KEY and TLS_CERT > are ignored if located in /etc/openldap/ldap.conf. > Why is it not written in man ldap.conf(5) explicitly? from ldap.conf(5):

Re: openldap client cert validation

2016-08-06 Thread Howard Chu
Matwey V. Kornilov wrote: After inspecting source code I've just found that TLS_KEY and TLS_CERT are ignored if located in /etc/openldap/ldap.conf. Why is it not written in man ldap.conf(5) explicitly? The ldap.conf(5) manpage says clearly "This is a user-only option." I've spent two days

Re: openldap client cert validation

2016-08-06 Thread Matwey V. Kornilov
After inspecting source code I've just found that TLS_KEY and TLS_CERT are ignored if located in /etc/openldap/ldap.conf. Why is it not written in man ldap.conf(5) explicitly? I've spent two days of my precious life to dig it out. Now it works. 2016-08-06 16:07 GMT+03:00 Matwey V. Kornilov
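The point the thread turns on is that ldap.conf(5) marks TLS_CERT and TLS_KEY as user-only options: libldap ignores them in the system-wide /etc/openldap/ldap.conf and honours them only in a per-user file (~/.ldaprc, ./ldaprc, or the file named by $LDAPRC) or through the LDAPTLS_CERT / LDAPTLS_KEY environment variables. The script below is an added example, not code from the thread or from the OpenLDAP project: it scans a constructed sample ldap.conf for those two options, reports them as silently ignored, and prints the equivalent ~/.ldaprc fragment. The certificate paths and the BASE/URI values in the sample are assumptions for illustration.

```shell
#!/bin/sh
# Added example: flag user-only TLS options that were placed in the
# system-wide ldap.conf, where libldap silently ignores them.
# Per ldap.conf(5), TLS_CERT and TLS_KEY are "user-only" options: they are
# read from ~/.ldaprc, ./ldaprc or $LDAPRC, or from the environment as
# LDAPTLS_CERT / LDAPTLS_KEY, but not from the system-wide file.

# Constructed sample of a system-wide ldap.conf; paths are hypothetical.
SAMPLE_LDAP_CONF='
# /etc/openldap/ldap.conf (constructed sample)
BASE        dc=example,dc=org
URI         ldaps://ldap.example.org
TLS_CACERT  /etc/openldap/certs/ca.pem
TLS_REQCERT demand
TLS_CERT    /etc/openldap/certs/client.pem
TLS_KEY     /etc/openldap/certs/client.key
'

# Read an ldap.conf body on stdin and print each user-only option found,
# one per line as "OPTION VALUE". Comment lines are skipped and option
# names are compared case-insensitively, as libldap does.
find_user_only_opts() {
    awk '
        /^[ \t]*#/ { next }
        toupper($1) == "TLS_CERT" || toupper($1) == "TLS_KEY" {
            print toupper($1), $2
        }
    '
}

# Number of misplaced (ignored) options in the sample config.
count_misplaced() {
    printf '%s\n' "$SAMPLE_LDAP_CONF" | find_user_only_opts | wc -l | tr -d ' '
}

# Emit a per-user ~/.ldaprc body carrying the client identity.
# Usage: build_ldaprc CERT_PATH KEY_PATH
build_ldaprc() {
    printf '# per-user client identity (user-only options, see ldap.conf(5))\n'
    printf 'TLS_CERT %s\n' "$1"
    printf 'TLS_KEY  %s\n' "$2"
}

if [ "$(count_misplaced)" -gt 0 ]; then
    echo "Ignored in the system-wide ldap.conf (user-only options):"
    printf '%s\n' "$SAMPLE_LDAP_CONF" | find_user_only_opts
    echo
    echo "Move them to ~/.ldaprc, for example:"
    build_ldaprc /etc/openldap/certs/client.pem /etc/openldap/certs/client.key
    echo
    echo "or, for a one-off run: LDAPTLS_CERT=... LDAPTLS_KEY=... ldapsearch ..."
fi
```

A quick way to confirm the effect on a real host is to run ldapsearch with `-d 1` against a server set to `olcTLSVerifyClient: demand`: with the options only in /etc/openldap/ldap.conf the handshake fails because no client certificate is sent, and after moving them to ~/.ldaprc (or exporting LDAPTLS_CERT and LDAPTLS_KEY) the same command succeeds.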

Re: How do I allow root to edit mdb database? [SOLVED]

2016-08-06 Thread Michael Ströder
John Lewis wrote: > How is this? > > olcAccess: {0}to * by > dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage > by * break > olcAccess: {1}to dn.base="" by * read > olcAccess: {2}to attrs=userPassword,shadowLastChange by self write by > anonymous auth by * none >

openldap client cert validation

2016-08-06 Thread Matwey V. Kornilov
Hello, I am running openldap 2.4.41 and I've failed to set up client certificate validation. TLS works well until olcTLSVerifyClient is set to demand. Then I see ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) at client side. And connection_read(11): TLS accept failure error=-1 id=1021,

Re: How do I allow root to edit mdb database? [SOLVED]

2016-08-06 Thread John Lewis
On 08/05/2016 09:08 AM, Frank Swasey wrote: > Today at 8:10am, John Lewis wrote: > >> olcAccess: {0}to * by >> dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage >> by * break >> olcAccess: {1}to dn.base="" by * read >> olcAccess: {2}to * by * read >> olcAccess: {3}to