Operating Systems > AIX > LDAP over SSL with secldapclntd
Post 302314388 by zaxxon on Friday 8th of May 2009 07:31:53 AM
LDAP over SSL with secldapclntd

Hi all,

I have set up the AIX LDAP client on AIX 5.3.9 and it's working fine, using the descriptions in the Redbook for implementing LDAP in a heterogeneous environment.
I added SSL encryption to the LDAP client daemon's config and created a key-db and imported a signed certificate from our CA.

When I use ldapsearch with SSL and watch the traffic with tcpdump, everything is encrypted as it is supposed to be.
When issuing lsldap, the traffic is encrypted too.

When I try to log in with an LDAP-only account, I can get on the system without problem, but the traffic is not encrypted at all. I can see everything unencrypted in the tcpdump output.

I tried a lot of different settings, but without success. Here is my current ldap.cfg:
Code:
serverschematype:rfc2307
ldapservers:10.10.10.10
binddn:cn=admin,o=services
bindpwd:{DESv2}somethingcryptedhere
authtype:ldap_auth
searchmode:OS
useSSL:yes
ldapsslport:636
ldapsslkeyf:/etc/security/ldap/key.kdb
ldapsslkeypwd:{DESv2}somethingcryptedhere
userclasses:posixaccount,account,shadowaccount
groupclasses:posixgroup
userattrmappath:/etc/security/ldap/2307user.map
groupattrmappath:/etc/security/ldap/2307group.map
userbasedn:ou=users,o=company,c=de
groupbasedn:ou=users,o=company,c=de
defaultentrylocation:LDAP

I can't see what I am missing or have set up wrong. I checked many sites about the topic, but none of them give more information than the Redbook already does. Thanks a lot for any hint.
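As an added example, not code from the post or from AIX itself: a small Python linter for the ldap.cfg format shown above (assumed to be one key:value per line with '#' comments, as the posted file suggests). It parses a constructed copy of the configuration and reports SSL-related settings that disagree with each other, which is the first thing to rule out before reaching for tcpdump.

```python
# Constructed sample modelled on the post's ldap.cfg (assumed format: one
# key:value per line, '#' comments); the passwords are placeholders.
SAMPLE_CFG = """\
# secldapclntd configuration (constructed sample)
ldapservers:10.10.10.10
binddn:cn=admin,o=services
bindpwd:{DESv2}placeholder
authtype:ldap_auth
useSSL:yes
ldapsslport:636
ldapsslkeyf:/etc/security/ldap/key.kdb
ldapsslkeypwd:{DESv2}placeholder
userbasedn:ou=users,o=company,c=de
"""

def parse_ldap_cfg(text):
    """Return the active key:value settings as a dict.
    Values may contain ':' (DNs, URLs), so split only at the first colon."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        cfg[key.strip()] = value.strip()
    return cfg

def check_ssl_settings(cfg):
    """Return findings about the SSL keys; an empty list means they agree.
    A clean result does not prove that every lookup is encrypted on the
    wire: only a capture, as the post does with tcpdump, can show that."""
    findings = []
    if cfg.get("useSSL", "no").lower() != "yes":
        findings.append("useSSL is not 'yes': LDAP traffic will be cleartext")
        return findings
    port = cfg.get("ldapsslport")
    if port is None:
        findings.append("useSSL is yes but ldapsslport is unset")
    elif not port.isdigit() or port == "389":
        findings.append("ldapsslport %r is not a plausible LDAPS port" % port)
    for key in ("ldapsslkeyf", "ldapsslkeypwd"):
        if not cfg.get(key):
            findings.append("%s missing: client cannot open its key database" % key)
    return findings

if __name__ == "__main__":
    report = check_ssl_settings(parse_ldap_cfg(SAMPLE_CFG))
    print("\n".join(report) if report else "SSL settings are consistent")
```

Run it against the real /etc/security/ldap/ldap.cfg by reading the file into parse_ldap_cfg instead of SAMPLE_CFG.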
 

Net::LDAPS(3)    User Contributed Perl Documentation    Net::LDAPS(3)

NAME
    Net::LDAPS - use LDAP over an SSL connection

SYNOPSIS
    use Net::LDAPS;
    $ldaps = Net::LDAPS->new('myhost.example.com',
                             port   => '10000',
                             verify => 'require',
                             capath => '/usr/local/cacerts/');

    # alternate way
    use Net::LDAP;
    $ldaps = Net::LDAP->new('ldaps://myhost.example.com:10000',
                            verify => 'require',
                            capath => '/usr/local/cacerts/');

DESCRIPTION
    Communicate using the LDAP protocol to a directory server using an encrypted (SSL) network connection. This mechanism is non-standard but widely supported; consider using LDAPv3 with the standard TLS extension if possible (many servers do not support it yet). See "start_tls" in Net::LDAP.

    All the normal "Net::LDAP" methods can be used with a "Net::LDAPS" object; see Net::LDAP for details.

CONSTRUCTOR
    new ( HOST [, OPTIONS ] )
        Create a new connection. HOST is the hostname to contact. OPTIONS is a number of key/value pairs. See "new" in Net::LDAP for details.

SEE ALSO
    Net::LDAP, IO::Socket::SSL

BUGS
    You cannot have more than one LDAPS connection at any one time, due to restrictions in the underlying Net::SSLeay code.

AUTHOR
    Chris Ridd <chris.ridd@isode.com>

COPYRIGHT
    Copyright (c) 2000-2004, Chris Ridd and Graham Barr. All rights reserved. This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.

perl v5.16.2    2012-09-20    Net::LDAPS(3)
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.