Displaying 16 results from an estimated 16 matches for "tls_cert".
2006 Jul 18
1
Weird startup problems TLS & SSL openldap and samba 3.0.23
...n try to debug this
problem? I've included the configuration files for samba and ldap.
I've hidden the actual hostname and DIT. Thanks!
/etc/openldap/ldap.conf
**********************
URI ldaps://yyyy.com <-
BASE dc=xxxx,dc=xxxx,dc=com
TLS_REQCERT demand
TLS_CACERT /etc/openldap/ca.crt
TLS_CERT /etc/openldap/server.crt
TLS_KEY /etc/openldap/server.key
/etc/openldap/slap.conf
******************
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/n...
2010 Jul 20
1
nss_pam against centos-ds fails for non-root users
...wing lines appear:
[20/Jul/2010:21:48:38 +0200] conn=14 fd=65 slot=65 SSL connection from
192.168.1.2 to 192.168.1.2.
[20/Jul/2010:21:48:38 +0200] conn=14 op=-1 fd=65 closed - Encountered
end of file.
The only entries in my /etc/ldap.conf are those:
tls_cacertfile /etc/nss/ca.example.org-cert.pem
tls_cert /etc/nss/nss-cert.pem
tls_key /etc/nss/nss-key.pem
The nss-{key,cert}.pem may be used to bind at the following DN:
dn: cn=nss,ou=Special Users,dc=example,dc=org
objectClass: top
objectClass: person
cn: nss
sn: nss
Again: It works for user root!
$ ls -l /etc/ldap.conf /etc/nss/
-rw-r--r-- 1 root...
2013 Aug 05
1
TLS between winbind and openldap
...Directories =======================
[homes]
comment = Home directories
browseable = yes
writable = yes
create mask = 0640
directory mask = 0750
valid users = %S
##/etc/ldap/ldap.conf
URI ldap://omv.domain.local
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT demand
##/root/ldaprc
TLS_CERT /etc/ssl/certs/omv-domain-local.crt
TLS_KEY /etc/ssl/private/omv-domain-local.key
Let me say also that ca-certificates.crt contains the certificate for my
self signed authority.
What am I missing to make it run smoothly?
2013 Feb 20
3
LDAP users/groups not showing up with nis, pam, & ldap
...# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
#tls_checkpeer yes
# CA certificates for server certificate verification
tls_cacertfile /etc/openldap/cacerts/cacert.pem
tls_cacertdir /etc/openldap/cacerts
# Client certificate and key
tls_cert /etc/openldap/cacerts/servercert.pem
tls_key /etc/openldap/cacerts/serverkey.pem
Relevant parts of /etc/pam.d/system-auth:
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requ...
2013 Feb 15
1
Problem with User and Group Ownership listing
...# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
#tls_checkpeer yes
# CA certificates for server certificate verification
tls_cacertfile /etc/openldap/cacerts/cacert.pem
tls_cacertdir /etc/openldap/cacerts
# Client certificate and key
tls_cert /etc/openldap/cacerts/servercert.pem
tls_key /etc/openldap/cacerts/serverkey.pem
Relevant parts of /etc/pam.d/system-auth:
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requ...
2005 Mar 07
2
TLSVerifyClient demand or try
...rootbinddn cn=nssldap,ou=DSA,dc=dbb,sc=su,dc=se
nss_base_passwd dc=dbb,dc=su,dc=se?sub
nss_base_shadow dc=dbb,dc=su,dc=se?sub
nss_base_group ou=Groups,dc=dbb,dc=su,dc=se?one
pam_password md5
tls_checkpeer yes
TLS_CACERT /etc/ldap/ca.pem
TLS_REQCERT demand
ssl start_tls
tls_cert /etc/nss/nssldap.pem
tls_key /etc/nss/nssldap.key
I can neither log in through ssh nor log in when TLSVerifyClient is set to demand
or try. Please enlighten me here.
Thanks
Peter
Peter Nyberg
Institutionen för Biokemi och Biofysik (DBB)
Sv.Arrhenius vägen 12
106 91 Stockholm
Tel: 08-16 24 69
Mobil:...
2010 Dec 30
1
Samba OpenLDAP TLS
Dear Samba friends,
I have setup a samba server 3.5 on FreeBSD 8.1-RELEASE-p2 with
openldap-sasl-server-2.4. I have specified ``TLSVerifyClient demand'' in
slapd.conf and want to enforce the clients to connect and show a
valid certificate to the ldap server. As far as I have understood, Samba
will act as a client as well and in order to access the ldap server it will
need a client
2007 Jun 07
0
urgent: winbind doesn't see groups from samba pdc+ldap
...dap/ldap.conf
****************************
BASE dc=aag
URI ldap://erde.aag:389 ldap://mond.aag:389
nss_base_passwd ou=users,dc=aag?one
nss_base_passwd ou=computers,dc=aag?one
nss_base_shadow ou=users,dc=aag?one
nss_base_group ou=groups,dc=aag?one
TLS_CACERT /etc/ldap/certs/cacert.pem
TLS_CERT /etc/ldap/certs/memberserver_cert.pem
TLS_KEY /etc/ldap/certs/memberserver_key.pem
TLS_CHECKPEER yes
SSL start_tls
TLS_REQCERT allow
It makes no difference if I activate TLS or not.
******************************
/etc/nsswitch.conf
******************************...
2009 Feb 18
1
samba can not contact the ldap server
...g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
# equivalent to TLS_CACERT
TLSCertificateFile /etc/ssl/ldapcert.pem
# self-signed certificate
# equivalent to TLS_KEY
TLSCertificateKeyFile /etc/ssl/ldapkey.pem
# private key
# equivalent to TLS_CERT
TLSCACertificateFile /etc/ssl/demoCA/cacert.pem
# Certificate Authority
# this is equivalent to TLS_REQCERT
#TLSVerifyClient allow
#TLSVerifyClient try
#TLSVerifyClient demand
#Procedure
TLSCipherSuite HIGH:MEDIUM:+SSLv2
######################################...
2006 Nov 06
1
Samba with AD
...tion
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
Any Tips what I am missing out on ????? I am trying to get authentication working with SAMBA through to AD
Regards
Pashii
2010 Nov 21
0
LDAP clients fail to connect with SSL enabled
...cation
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
uri ldap://ldap.summitnjhome.com/
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
pam_password crypt
This is how my nsswitch on the client side is setup:
passwd:...
2012 Jan 15
3
Samba 4 ldb_wrap open of idmap.ldb
...#tls_cacertdir /etc/ssl/certs
#tls_cacertfile /etc/ssl/ca.cert
# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
# NDS mappings
#map group uniqueMember member
# Mappings for Services for UNIX 3.5
#filter passwd (objectClass=User)
#map passwd uid msSFU30Name
#map passwd userPassword msSFU30Password
#map passwd homeDirectory msSFU30HomeDirectory
#map passwd homeDirector...
2005 Apr 21
0
Problem with groups & joining domain.- LDAP
...cert.pem
tls_cacert /usr/local/certs/cacert.pem
# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
# SSL cipher suite
# See man ciphers for syntax
tls_ciphers HIGH:MEDIUM:SSLv2
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0
# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache
# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control...
2009 Mar 04
0
Can anyone comment on my setup?
...s_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs
# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0
# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache
# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control...
2005 May 05
2
Fwd: Follow Up - Problem with groups & joining domain.- LDAP
...acert.pem
tls_cacert /usr/local/certs/cacert.pem
# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
# SSL cipher suite
# See man ciphers for syntax
tls_ciphers HIGH:MEDIUM:SSLv2
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0
# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache
# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control...
2005 Jun 22
2
Problem Connecting from Windows to Samba-OpenLDAP PDC
...s_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs
# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0
# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache
# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control...