search for: tls_key

Displaying 19 results from an estimated 19 matches for "tls_key".

2006 Jul 18
1
Weird startup problems TLS & SSL openldap and samba 3.0.23
...I've included the configuration files for samba and ldap. I've hid the actual hostname and DIT. Thanks! /etc/openldap/ldap.conf ********************** URI ldaps://yyyy.com <- BASE dc=xxxx,dc=xxxx,dc=com TLS_REQCERT demand TLS_CACERT /etc/openldap/ca.crt TLS_CERT /etc/openldap/server.crt TLS_KEY /etc/openldap/server.key /etc/openldap/slap.conf ****************** include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/op...
2017 Jan 26
0
[nbdkit PATCH v2 4/6] plugins: Add new nbdkit_set_error() utility function
...n a reply. * * The main thread does not have any associated TLS, *unless* it is * serving a request (the '-s' option). @@ -56,6 +58,7 @@ struct tls { size_t instance_num; /* Can be 0. */ struct sockaddr *addr; socklen_t addrlen; + int err; }; static pthread_key_t tls_key; @@ -150,3 +153,24 @@ tls_get_instance_num (void) return tls->instance_num; } + +void +tls_set_error (int err) +{ + struct tls *tls = pthread_getspecific (tls_key); + + if (tls) + tls->err = err; + else + errno = err; +} + +int +tls_get_error (void) +{ + int err = errno; + str...
2010 Jul 20
1
nss_pam against centos-ds fails for non-root users
...:21:48:38 +0200] conn=14 fd=65 slot=65 SSL connection from 192.168.1.2 to 192.168.1.2. [20/Jul/2010:21:48:38 +0200] conn=14 op=-1 fd=65 closed - Encountered end of file. The only entries in my /etc/ldap.conf are those: tls_cacertfile /etc/nss/ca.example.org-cert.pem tls_cert /etc/nss/nss-cert.pem tls_key /etc/nss/nss-key.pem The nss-{key,cert}.pem may be used to bind at the following DN: dn: cn=nss,ou=Special Users,dc=example,dc=org objectClass: top objectClass: person cn: nss sn: nss Again: It works for user root! $ ls -l /etc/ldap.conf /etc/nss/ -rw-r--r-- 1 root root 9186 Jul 20 22:05 /etc/ld...
2013 Aug 05
1
TLS between winbind and openldap
...comment = Home directories browseable = yes writable = yes create mask = 0640 directory mask = 0750 valid users = %S ##/etc/ldap/ldap.conf URI ldap://omv.domain.local TLS_CACERT /etc/ssl/certs/ca-certificates.crt TLS_REQCERT demand ##/root/ldaprc TLS_CERT /etc/ssl/certs/omv-domain-local.crt TLS_KEY /etc/ssl/private/omv-domain-local.key Let me say also that ca-certificates.crt contains the certificate for my self signed authority. What am I missing to make it run smoothly?
2013 Feb 20
3
LDAP users/groups not showing up with nis, pam, & ldap
...ify server certificate (yes/no) #tls_checkpeer yes # CA certificates for server certificate verification tls_cacertfile /etc/openldap/cacerts/cacert.pem tls_cacertdir /etc/openldap/cacerts # Client certificate and key tls_cert /etc/openldap/cacerts/servercert.pem tls_key /etc/openldap/cacerts/serverkey.pem Relevant parts of /etc/pam.d/system-auth: auth required pam_env.so auth sufficient pam_fprintd.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet...
2013 Feb 15
1
Problem with User and Group Ownership listing
...ify server certificate (yes/no) #tls_checkpeer yes # CA certificates for server certificate verification tls_cacertfile /etc/openldap/cacerts/cacert.pem tls_cacertdir /etc/openldap/cacerts # Client certificate and key tls_cert /etc/openldap/cacerts/servercert.pem tls_key /etc/openldap/cacerts/serverkey.pem Relevant parts of /etc/pam.d/system-auth: auth required pam_env.so auth sufficient pam_fprintd.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet...
2005 Mar 07
2
TLSVerifyClient demand or try
...,dc=dbb,sc=su,dc=se nss_base_passwd dc=dbb,dc=su,dc=se?sub nss_base_shadow dc=dbb,dc=su,dc=se?sub nss_base_group ou=Groups,dc=dbb,dc=su,dc=se?one pam_password md5 tls_checkpeer yes TLS_CACERT /etc/ldap/ca.pem TLS_REQCERT demand ssl start_tls tls_cert /etc/nss/nssldap.pem tls_key /etc/nss/nssldap.key I can neither login through ssh or login when TLSVerifyClient is set to demand or try. Please enlighten me here. Thanks Peter Peter Nyberg Institutionen för Biokemi och Biofysik (DBB) Sv.Arrhenius vägen 12 106 91 Stockholm Tel: 08-16 24 69 Mobil: 070 339 24 69 Fax 08 153679
2010 Dec 30
1
Samba OpenLDAP TLS
Dear Samba friends, I have setup a samba server 3.5 on FreeBSD 8.1-RELEASE-p2 with openldap-sasl-server-2.4. I have specified ``TLSVerifyClient demand'' in slapd.conf and want to enforce the clients to connect and show a valid certificate to the ldap server. As far as I have understood, Samba will act as a client as well and in order to access the ldap server it will need a client
2007 Jun 07
0
urgent: winbind doesn't see groups from samba pdc+ldap
...aag URI ldap://erde.aag:389 ldap://mond.aag:389 nss_base_passwd ou=users,dc=aag?one nss_base_passwd ou=computers,dc=aag?one nss_base_shadow ou=users,dc=aag?one nss_base_group ou=groups,dc=aag?one TLS_CACERT /etc/ldap/certs/cacert.pem TLS_CERT /etc/ldap/certs/memberserver_cert.pem TLS_KEY /etc/ldap/certs/memberserver_key.pem TLS_CHECKPEER yes SSL start_tls TLS_REQCERT allow It make no difference if I activate TLS or not. ****************************** /etc/nsswitch.conf ****************************** passwd: files ldap winbind group: fi...
2009 Feb 18
1
samba can not contact the ldap server
...olicy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING! # equivalent to TLS_CACERT TLSCertificateFile /etc/ssl/ldapcert.pem # self-signed certificate # equivalent to TLS_KEY TLSCertificateKeyFile /etc/ssl/ldapkey.pem # private key # equivalent to TLS_CERT TLSCACertificateFile /etc/ssl/demoCA/cacert.pem # Certificate Authority # this is equivalent to TLS_REQCERT #TLSVerifyClient allow #TLSVerifyClient try #TLSVerifyClient demand #Verfa...
2017 Jan 26
10
[nbdkit PATCH v2 0/6] bind .zero to Python
Fix some things I noticed while reviewing v1, and follow Rich's idea to add a new nbdkit_set_error() utility function with a binding for Python users to request a particular error (rather than being forced to live with whatever stale value is in errno after all the intermediate binding glue code). I could not easily find out how to register a C function callable from perl bindings, and have
2006 Nov 06
1
Samba with AD
...least one of these are required if tls_checkpeer is "yes" #tls_cacertfile /etc/ssl/ca.cert #tls_cacertdir /etc/ssl/certs # SSL cipher suite # See man ciphers for syntax #tls_ciphers TLSv1 # Client certificate and key # Use these, if your server requires client authentication. #tls_cert #tls_key Any Tips what I am missing out on ????? I am trying to get authentication working with SAMBA through to AD Regards Pashii
2017 Jan 27
6
[nbdkit PATCH v3 0/4] bind .zero to Python
This cleans up the existing code base with regards to implicit use of errno from language bindings, then rebases the previous work in python on top of that. I'm still playing with the perl bindings, but got further after reading 'perldoc perlembed'. Eric Blake (4): plugins: Don't use bogus errno from non-C plugins plugins: Add new nbdkit_set_error() utility function python:
2010 Nov 21
0
LDAP clients fail to connect with SSL enabled
...t least one of these are required if tls_checkpeer is "yes" #tls_cacertfile /etc/ssl/ca.cert #tls_cacertdir /etc/ssl/certs # SSL cipher suite # See man ciphers for syntax #tls_ciphers TLSv1 # Client certificate and key # Use these, if your server requires client authentication. #tls_cert #tls_key # SASL mechanism for PAM authentication - use is experimental # at present and does not support password policy control uri ldap://ldap.summitnjhome.com/ ssl start_tls tls_cacertdir /etc/openldap/cacerts pam_password crypt This is how my nsswitch on the client side is setup: passwd: files lda...
2012 Jan 15
3
Samba 4 ldb_wrap open of idmap.ldb
...tdir /etc/ssl/certs #tls_cacertfile /etc/ssl/ca.cert # Seed the PRNG if /dev/urandom is not provided #tls_randfile /var/run/egd-pool # SSL cipher suite # See man ciphers for syntax #tls_ciphers TLSv1 # Client certificate and key # Use these, if your server requires client authentication. #tls_cert #tls_key # NDS mappings #map group uniqueMember member # Mappings for Services for UNIX 3.5 #filter passwd (objectClass=User) #map passwd uid msSFU30Name #map passwd userPassword msSFU30Password #map passwd homeDirectory msSFU30HomeDirectory #map passwd homeDirectory msSF...
2005 Apr 21
0
Problem with groups & joining domain.- LDAP
...ls_cacert /usr/local/certs/cacert.pem # Seed the PRNG if /dev/urandom is not provided #tls_randfile /var/run/egd-pool # SSL cipher suite # See man ciphers for syntax tls_ciphers HIGH:MEDIUM:SSLv2 # Client certificate and key # Use these, if your server requires client authentication. #tls_cert #tls_key # Disable SASL security layers. This is needed for AD. #sasl_secprops maxssf=0 # Override the default Kerberos ticket cache location. #krb5_ccname FILE:/etc/.ldapcache # SASL mechanism for PAM authentication - use is experimental # at present and does not support password policy control #pam_sas...
2009 Mar 04
0
Can anyone comment on my setup?
...le /etc/ssl/ca.cert #tls_cacertdir /etc/ssl/certs # Seed the PRNG if /dev/urandom is not provided #tls_randfile /var/run/egd-pool # SSL cipher suite # See man ciphers for syntax #tls_ciphers TLSv1 # Client certificate and key # Use these, if your server requires client authentication. #tls_cert #tls_key # Disable SASL security layers. This is needed for AD. #sasl_secprops maxssf=0 # Override the default Kerberos ticket cache location. #krb5_ccname FILE:/etc/.ldapcache # SASL mechanism for PAM authentication - use is experimental # at present and does not support password policy control #pam_sas...
2005 May 05
2
Fwd: Follow Up - Problem with groups & joining domain.- LDAP
...tls_cacert /usr/local/certs/cacert.pem # Seed the PRNG if /dev/urandom is not provided #tls_randfile /var/run/egd-pool # SSL cipher suite # See man ciphers for syntax tls_ciphers HIGH:MEDIUM:SSLv2 # Client certificate and key # Use these, if your server requires client authentication. #tls_cert #tls_key # Disable SASL security layers. This is needed for AD. #sasl_secprops maxssf=0 # Override the default Kerberos ticket cache location. #krb5_ccname FILE:/etc/.ldapcache # SASL mechanism for PAM authentication - use is experimental # at present and does not support password policy control #pam_sas...
2005 Jun 22
2
Problem Connecting from Windows to Samba-OpenLDAP PDC
...le /etc/ssl/ca.cert #tls_cacertdir /etc/ssl/certs # Seed the PRNG if /dev/urandom is not provided #tls_randfile /var/run/egd-pool # SSL cipher suite # See man ciphers for syntax #tls_ciphers TLSv1 # Client certificate and key # Use these, if your server requires client authentication. #tls_cert #tls_key # Disable SASL security layers. This is needed for AD. #sasl_secprops maxssf=0 # Override the default Kerberos ticket cache location. #krb5_ccname FILE:/etc/.ldapcache # SASL mechanism for PAM authentication - use is experimental # at present and does not support password policy control #pam_sas...