openssl on Solaris8 with Openldap


openssl on Solaris8 with Openldap

CPT-3
Hello list,

I'm using Solaris8 with Openldap2.2.26 and Openssl-0.9.8. What I want is an
encrypted authentication via ldap. On Solaris you have to use the native
ldapclient as client and I'm using Openldap as the server. The encryption
between Apache2.0 and Openldap works fine. But Apache2.0 brings the
constraint that I have to use SSL, not TLS. So I created SSL certificates

openssl ... -nodes ....

and it works fine with Apache. So I want to use these SSL certificates. If I
start the ldap.client on port 636 I get the output

TLS: can't accept.
TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
s23_srvr.c:585

I think the certificates are also good for TLS. So I've got no problem to
use TLS. But there is just no reaction on the flag NS_LDAP_AUTH_TLS by the
ldapclient.

The error I got is an SSL error. Maybe somebody knows a workaround or a real
solution to get an encryption between openldap and the ldapclient.

Thx,
Sebastian Lorkowski

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
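The message slapd prints comes from OpenSSL's protocol sniffing on a new connection: "unknown protocol" from SSL23_GET_CLIENT_HELLO means the bytes that arrived on port 636 were not the start of an SSL/TLS handshake at all. The following is an added example, not code from this thread or from OpenSSL or OpenLDAP; it classifies a connection's opening bytes the way that check does and decodes the plaintext LDAP simple bind that a client configured for simple authentication sends first. The sample bind is constructed here, reusing the DN and password that appear in the configuration files posted in this thread; the encoder handles only message IDs below 256, which is enough for the demonstration.

```python
"""Why slapd logs 'SSL23_GET_CLIENT_HELLO:unknown protocol', and what the client
had already put on the wire by then. Added example; not code from the thread."""


def classify_first_bytes(data: bytes) -> str:
    """Name the protocol the peer appears to be speaking, from its opening bytes.

    OpenSSL's SSLv23 server code peeks at the first bytes of a new connection
    and proceeds only for an SSLv2-style ClientHello or an SSLv3/TLS handshake
    record; anything else is reported as 'unknown protocol'. A plaintext LDAP
    client connecting to the ldaps port starts with a BER SEQUENCE instead.
    """
    if len(data) < 5:
        return "too short"
    # SSLv2-compatible hello: 2-byte length with the high bit set, then msg type 1
    if data[0] & 0x80 and data[2] == 0x01:
        return "sslv2-style ClientHello"
    # SSLv3/TLS record: content type 22 (handshake), major version 3
    if data[0] == 0x16 and data[1] == 0x03:
        return "TLS record ClientHello (version 3.%d)" % data[2]
    # LDAP: every LDAPMessage is a BER SEQUENCE (0x30) holding an INTEGER messageID
    if data[0] == 0x30:
        return "plaintext LDAP message"
    return "unknown protocol"


def _enc(tag: int, value: bytes) -> bytes:
    """BER TLV with definite length (short or long form)."""
    n = len(value)
    if n < 128:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _tlv(buf: bytes, pos: int):
    """Parse one BER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def simple_bind_request(msg_id: int, name: str, password: str) -> bytes:
    """Build the LDAPMessage an LDAPv3 client sends for a simple bind.

    Constructed sample input: this is what a client configured for simple
    authentication emits as its very first bytes, TLS or not (msg_id < 256).
    """
    op = _enc(0x02, bytes([3])) + _enc(0x04, name.encode()) + _enc(0x80, password.encode())
    return _enc(0x30, _enc(0x02, bytes([msg_id])) + _enc(0x60, op))


def parse_simple_bind(pdu: bytes):
    """Decode a simple BindRequest as a passive observer would; None if it is not one."""
    tag, msg, _ = _tlv(pdu, 0)
    if tag != 0x30:
        return None
    tag, mid, pos = _tlv(msg, 0)          # messageID INTEGER
    if tag != 0x02:
        return None
    tag, op, _ = _tlv(msg, pos)
    if tag != 0x60:                       # [APPLICATION 0] BindRequest
        return None
    tag, ver, pos = _tlv(op, 0)           # version INTEGER
    tag, name, pos = _tlv(op, pos)        # name LDAPDN (OCTET STRING)
    tag, auth, _ = _tlv(op, pos)
    if tag != 0x80:                       # [0] simple: the password, in the clear
        return None
    return {"messageID": int.from_bytes(mid, "big"),
            "version": int.from_bytes(ver, "big"),
            "name": name.decode(), "password": auth.decode()}


if __name__ == "__main__":
    # Constructed sample: the DN and password from the config files in the thread.
    pdu = simple_bind_request(1, "cn=ldapprofile,ou=profile,dc=bind,dc=dn", "secret")
    print(classify_first_bytes(pdu), parse_simple_bind(pdu))
    print(classify_first_bytes(bytes.fromhex("160301006b01000067")))
```

Note what the decoder shows: the bind DN and password are the first bytes a simple-auth client sends, so when such a client talks plaintext to the ldaps port the credentials have already left the host before slapd rejects the connection. The "unknown protocol" line is therefore a sign that the client side never started TLS, not a certificate problem.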

RE: openssl on Solaris8 with Openldap

Chevalier, Victor T.
Did you ever find a solution to your question?  I know the newer patches to Solaris 8 add SSL capability.  If you posted your slapd.conf and ldap.conf files I could probably figure it out unless it's how you're making your certs?

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of [hidden email]
Sent: Thursday, October 20, 2005 2:56 AM
To: [hidden email]
Subject: openssl on Solaris8 with Openldap

RE: openssl on Solaris8 with Openldap

CPT-3
No, I didn't find a solution. The new patches are already installed (relevant
would be patch 108993-49, I think -->
http://sunsolve.sun.com/search/advsearch.do?collection=PATCH&type=collections&max=50&language=en&queryKey5=108993&toDocument=yes)
The server.pem file is a self-signed certificate, created with
openssl req -new -x509 -nodes -out server.pem -keyout server.pem -days 830

slapd.conf:

[include schema]

# Define global ACLs to disable default read access.
include         /usr/local/etc/openldap/slapd.access.conf

pidfile         /usr/local/var/run/slapd.pid
argsfile        /usr/local/var/run/slapd.args

TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCertificateFile      /usr/local/etc/openldap/cert/server.pem
TLSCertificateKeyFile   /usr/local/etc/openldap/cert/server.pem
TLSCACertificateFile    /usr/local/etc/openldap/cert/server.pem

#######################################################################
# BDB database definitions
#######################################################################

database        bdb
suffix          "dc=root,dc=dn"
rootdn          "dc=bind,dc=dn"

rootpw          secret

directory       /usr/local/var/openldap-data
# Indices to maintain
index   objectClass     eq
index   uid,cn,sn,givenname,memberuid,gecos,description eq,sub
index   gidnumber,userpassword,uidnumber,homedirectory,loginShell       eq

loglevel        -1
#########



The ldap.conf is not very necessary for me, because I had to use the native
Solaris ldapclient to get an authentication via pam_ldap.

Here the ldapconfigfile:

NS_LDAP_FILE_VERSION= 1.0
NS_LDAP_SERVERS= 127.0.0.1:636
NS_LDAP_SEARCH_BASEDN= dc=netlive,dc=arcor.net
NS_LDAP_AUTH= NS_LDAP_AUTH_SIMPLE
NS_LDAP_SEARCH_REF= NS_LDAP_FOLLOWREF
NS_LDAP_SEARCH_DN= passwd:(ou=people,dc=netlive,dc=arcor.net)
NS_LDAP_SEARCH_DN= shadow:(ou=people,dc=netlive,dc=arcor.net)
NS_LDAP_SEARCH_SCOPE= NS_LDAP_SCOPE_SUBTREE
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 3600
NS_LDAP_PROFILE= __default_config
NS_LDAP_BIND_TIME= 30
########


If really necessary for what ever, the ldap.conf:

BASE    dc=bind,dc=dn
URI     ldaps://127.0.0.1:636

TLS_CACERT /usr/local/etc/openldap/cert/demoCA/cacert.pem
TLS_CERT /usr/local/etc/openldap/cert/server.pem
TLS_KEY /usr/local/etc/openldap/cert/server.pem
TLS_REQCERT     never

rootbinddn cn=ldapprofile,ou=profile,dc=bind,dc=dn
pam_login_attribute uid
pam_filter objectclass=posixAccount
pam_member_attribute memberUid
pam_password exop
#######

Thx,
Sebastian Lorkowski



> --- Original Message ---
> From: "Chevalier, Victor T." <[hidden email]>
> To: <[hidden email]>
> Subject: RE: openssl on Solaris8 with Openldap
> Date: Fri, 21 Oct 2005 09:37:49 -0500
>
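The slapd.conf in the post above points TLSCertificateFile, TLSCertificateKeyFile and TLSCACertificateFile at one server.pem written by the openssl req -nodes command, which is exactly the "how you're making your certs" question raised earlier. The script below is an added example, not code from the thread or from OpenLDAP: it parses such a config fragment and checks that each referenced file carries the PEM block slapd needs for that directive, that the block decodes to DER, and that the private key is not passphrase-protected (slapd cannot prompt for one, which is why -nodes is used). The config text and the PEM contents are constructed stand-ins built inline (the PEM bodies are not real keys or certificates), so it runs offline; the files dict stands in for reading the paths from disk.

```python
"""Check that the files named by slapd.conf's TLS* directives hold the PEM
blocks slapd needs. Added example; not code from the thread or from OpenLDAP."""
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, encrypted, der)] for each PEM block in text.

    Lines containing ':' inside a block are RFC 1421 headers (Proc-Type and
    DEK-Info on a passphrase-protected legacy key) and are not base64.
    """
    out = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        lines = [l.strip() for l in body.splitlines() if l.strip()]
        headers = [l for l in lines if ":" in l]
        der = base64.b64decode("".join(l for l in lines if ":" not in l))
        encrypted = "ENCRYPTED" in label or any(
            h.startswith("Proc-Type: 4,ENCRYPTED") for h in headers)
        out.append((label, encrypted, der))
    return out


def parse_tls_directives(conf):
    """Map slapd.conf TLS* directives to their values; comments and blanks skipped."""
    tls = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].startswith("TLS"):
            tls[parts[0]] = parts[1].strip()
    return tls


# PEM label each directive's file must contain (suffix match, so both
# "RSA PRIVATE KEY" and "PRIVATE KEY" count as a key).
NEEDS = {
    "TLSCertificateFile": "CERTIFICATE",
    "TLSCertificateKeyFile": "PRIVATE KEY",
    "TLSCACertificateFile": "CERTIFICATE",
}


def check_tls_files(tls, files):
    """Return {directive: [problem, ...]}; an empty list means the file is usable.

    files maps path -> PEM text and stands in for reading the real files.
    """
    report = {}
    for directive, needed in NEEDS.items():
        problems = []
        path = tls.get(directive)
        if path is None:
            problems.append("directive not set")
        elif path not in files:
            problems.append("file not found: " + path)
        else:
            matching = [b for b in pem_blocks(files[path]) if b[0].endswith(needed)]
            if not matching:
                problems.append("no %s block in %s" % (needed, path))
            for label, encrypted, der in matching:
                if encrypted and needed == "PRIVATE KEY":
                    problems.append("key is passphrase-protected; slapd cannot prompt for it")
                elif not der or der[0] != 0x30:
                    problems.append("%s block is not DER (no leading SEQUENCE)" % label)
        report[directive] = problems
    return report


def _pem(label, der, headers=""):
    """Wrap bytes as a PEM block (constructed stand-in; not a real key or cert)."""
    return "-----BEGIN %s-----\n%s%s\n-----END %s-----\n" % (
        label, headers, base64.b64encode(der).decode(), label)


# Constructed sample config, mirroring the TLS lines of the slapd.conf in the thread.
SAMPLE_CONF = """\
TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCertificateFile      /usr/local/etc/openldap/cert/server.pem
TLSCertificateKeyFile   /usr/local/etc/openldap/cert/server.pem
TLSCACertificateFile    /usr/local/etc/openldap/cert/server.pem
"""

# Constructed stand-in for a server.pem made with 'openssl req -x509 -nodes -out
# server.pem -keyout server.pem': an unencrypted key and a certificate in one file.
SAMPLE_FILES = {
    "/usr/local/etc/openldap/cert/server.pem":
        _pem("RSA PRIVATE KEY", b"\x30\x03\x02\x01\x00")
        + _pem("CERTIFICATE", b"\x30\x03\x02\x01\x02"),
}

if __name__ == "__main__":
    print(check_tls_files(parse_tls_directives(SAMPLE_CONF), SAMPLE_FILES))
```

Because -nodes leaves the private key unencrypted, the same file that passes this check is also readable plaintext key material: it should be owned by the user slapd runs as and mode 0600, and not copied into the ldap.conf TLS_CERT/TLS_KEY of clients as the post's ldap.conf does, since a client has no use for the server's private key.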