Top Forums UNIX for Dummies Questions & Answers TLS/SSL Openldap Centos 5.5 Post 302490840 by karlochacon on Tuesday 25th of January 2011 09:02:48 PM
TLS/SSL Openldap Centos 5.5

hi guys

I configured my openldap but now I want to implement SSL-TLS

This is my basic slapd.conf configuration

Code:
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
allow bind_v2
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
database        bdb
suffix          "dc=training,dc=com"
rootdn          "cn=manager,dc=training,dc=com"
rootpw          --Removed--
directory       /var/lib/ldap
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
access to attrs=userPassword,shadowLastChange
 by self write
 by anonymous auth
 by dn="cn=manager,dc=training,dc=com" write
 by * none
access to *
 by self write
 by dn="cn=manager,dc=training,dc=com" write
 by * read

And I created this script (simple, I know) to create this TLS/SSL config, but it won't work; users cannot log in.

Path where I am moving the certs: /etc/openldap/cacerts
Code:
service ldap stop
cd /etc/openldap/
# generate the server private key and a self-signed certificate valid for 10 years
openssl genrsa -out server_key.pem 2048
chmod 440 server_key.pem
chown root.ldap server_key.pem
openssl req -new -key server_key.pem -x509 -days 3650 -out clients_cert.pem
chmod 444 clients_cert.pem
mv server_key.pem cacerts/
mv clients_cert.pem cacerts/

# append the TLS directives to slapd.conf (paths elided in the post)
echo "TLSCertificateFile /.../clients_cert.pem" >> /.../slapd.conf
echo "TLSCertificateKeyFile /.../server_key.pem" >> /.../slapd.conf
echo "TLSCipherSuite HIGH" >> /...p/slapd.conf
echo "security ssf=128" >>  /.../slapd.conf
service ldap start

# ship the certificate to the client so it can verify the server
echo "Copying Files to LDAP Client Centos2"
rsync -av ./cacerts/clients_cert.pem centos2:/.../cacerts

As you see, I create the key and certificate, assign permissions, add stuff to slapd.conf, and finally copy the cert to a client PC.

On client side
I use authconfig-tui
[x] Use LDAP
[x] Use LDAP Authentication
[x] Use TLS
Server: ldap://192.168.x.x
Base DN: dc=training,dc=com/

My environment is Centos 5.5

What is wrong in my config?
Any idea? Something I am missing?
Thanks a lot.
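The server directives and the client URI from the post can be checked for the usual reasons a setup like this refuses logins. This is an added example, not code from the post: it parses the slapd.conf format (continuation lines begin with whitespace, as in the access rules above), runs on a constructed sample built from the post's directives with placeholder paths, and assumes a hypothetical certificate CN for the name check.

```python
import re

# Constructed sample: the post's ACL block plus the lines its script appends.
SAMPLE_SLAPD_CONF = """\
access to attrs=userPassword,shadowLastChange
 by self write
 by anonymous auth
 by * none
TLSCertificateFile /etc/openldap/cacerts/clients_cert.pem
TLSCertificateKeyFile /etc/openldap/cacerts/server_key.pem
security ssf=128
"""

def parse_slapd_conf(text):
    """Return [(directive, args)]; a line that starts with whitespace
    continues the previous directive, as slapd.conf(5) specifies."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank or comment line
        if raw[0] in " \t" and entries:   # continuation line
            name, args = entries[-1]
            entries[-1] = (name, args + " " + raw.strip())
            continue
        parts = raw.strip().split(None, 1)
        entries.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return entries

def check_tls(entries):
    """Return findings about the server-side TLS directives."""
    conf = {}
    for name, args in entries:
        conf.setdefault(name, []).append(args)
    findings = []
    if not ("tlscertificatefile" in conf and "tlscertificatekeyfile" in conf):
        findings.append("TLS needs both TLSCertificateFile and TLSCertificateKeyFile")
    for args in conf.get("security", []):
        m = re.search(r"\bssf=(\d+)", args)
        if m and int(m.group(1)) > 0:     # a minimum SSF refuses cleartext sessions
            findings.append("security ssf=%s: binds without StartTLS/LDAPS are "
                            "refused with 'confidentiality required'" % m.group(1))
    return findings

def client_name_check(uri, cert_cn):
    """libldap (TLS_REQCERT demand, the default) matches the URI host against
    the certificate; an IP literal needs an iPAddress SAN or a CN equal to it."""
    host = re.sub(r"^ldaps?://", "", uri).split("/")[0].split(":")[0]
    if host == cert_cn:
        return None
    kind = "IP literal" if re.fullmatch(r"[\d.]+", host) else "hostname"
    return "URI %s %r does not match certificate CN %r" % (kind, host, cert_cn)
```

With `security ssf=128` every client must negotiate TLS before binding, and a client that points at `ldap://192.168.x.x` only verifies a certificate issued for that IP.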

SLAPD-MONITOR(5)                 File Formats Manual                 SLAPD-MONITOR(5)

NAME
       slapd-monitor - Monitor backend to slapd

SYNOPSIS
       /etc/openldap/slapd.conf

DESCRIPTION
       The monitor backend to slapd(8) is not an actual database; if enabled, it is automatically generated and dynamically maintained by slapd with information about the running status of the daemon.

       To inspect all monitor information, issue a subtree search with base cn=Monitor, requesting that attributes "+" and "*" are returned. The monitor backend produces mostly operational attributes, and LDAP only returns operational attributes that are explicitly requested. Requesting attribute "+" is an extension which requests all operational attributes.

CONFIGURATION
       These slapd.conf options apply to the monitor backend database. That is, they must follow a "database monitor" line and come before any subsequent "backend" or "database" lines.

       As opposed to most databases, the monitor database can be instantiated only once, i.e. only one occurrence of "database monitor" can occur in the slapd.conf(5) file. Moreover, the suffix of the database cannot be explicitly set by means of the suffix directive. The suffix is automatically set to "cn=Monitor".

       The monitor database honors the rootdn and the rootpw directives, and the usual ACL directives, e.g. the access directive.

       Other database options are described in the slapd.conf(5) manual page.

USAGE
       The usage is:

       1) enable the monitor backend at configure:
              configure --enable-monitor

       2) activate the monitor database in the slapd.conf(5) file:
              database monitor

       3) add ACLs as detailed in slapd.access(5) to control access to the database, e.g.:
              access to dn.subtree="cn=Monitor"
                     by dn.exact="uid=Admin,dc=my,dc=org" write
                     by users read
                     by * none

       4) ensure that the core.schema file is loaded. The monitor backend relies on some standard track attributeTypes that must be already defined when the backend is started.

ACCESS CONTROL
       The monitor backend honors access control semantics as indicated in slapd.access(5), including the disclose access privilege, on all currently implemented operations.

KNOWN LIMITATIONS
       The monitor backend does not honor size/time limits in search operations.

FILES
       /etc/openldap/slapd.conf
              default slapd configuration file

SEE ALSO
       slapd.conf(5), slapd-config(5), slapd.access(5), slapd(8), ldap(3).

ACKNOWLEDGEMENTS
       OpenLDAP Software is developed and maintained by The OpenLDAP Project <http://www.openldap.org/>. OpenLDAP Software is derived from University of Michigan LDAP 3.3 Release.

OpenLDAP 2.4.39                        2014/01/26                        SLAPD-MONITOR(5)