Displaying 20 results from an estimated 48 matches for "tlscertificatefile".
2007 Mar 05
1
LDAP + SSL
Hi everybody
I have set up my ldap server. But I created a certificate with the
following command:
cd /usr/share/ssl/certs; make ldap.pem
Then I edited the slapd.conf file and inserted the following lines:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /usr/share/ssl/certs/ldap.pem
TLSCertificateFile /usr/share/ssl/certs/ldap.pem
TLSCertificateKeyFile /usr/share/ssl/certs/ldap.pem
I restart the service. Then, I run the command authconfig and I select ldap
with tls. I review the logs; the ldap server has thrown the following:
Mar 5 11:54:38 eucalipto slapd[711]: conn=13 fd=14 ACCEPT from IP=
172.16.12...
2006 Oct 09
1
SAMBA + LDAP + TLS
...t work, here is what I've done.
This is what netstat shows.
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:389 127.0.0.1:1873 ESTABLISHED
tcp 0 0 :::389 :::* LISTEN
tcp 0 0 :::636 :::* LISTEN
in slapd.conf i have
TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCertificateFile /usr/local/etc/openldap/ssl/server.crt
TLSCertificateKeyFile /usr/local/etc/openldap/ssl/server.key
VerifyClient demand
I created the certificate like this:
openssl genrsa 2048 -out > server.key
openssl req -new -key server.key -out server.csr
openssl req -in server.csr -key server.key -x509 -...
2008 Apr 15
0
login ldap pdc
...ssible values
loglevel 3
# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_bdb
#######################################################################
# SSL:
# Uncomment the following lines to enable SSL and use the default
# snakeoil certificates.
#TLSCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
#TLSCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
# Path to the LDAP server certificate
#TLSCertificateFile /etc/ldap/cert/servercert.pem
# Path to the LDAP server private key
#TLSCertificateKeyFile /etc/ldap/cert/serverke...
2004 Jan 09
1
smbldap-tools problem with Samba 3.0.1/LDAP 2.1.22/Fedora Core 1
...tions using a dummy test
# certificate, but you should generate a proper certificate by changing to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.
#TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
#TLSCertificateFile /usr/share/ssl/certs/slapd.pem
#TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
TLSCACertificateFile /usr/share/ssl/certs/cacert.pem
TLSCertificateFile /usr/share/ssl/certs/slapdcrt.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapdkey.pem
# Sample security restrictions
# Require integrity...
2004 Jun 10
4
And the LDIF thing
Sorry.. One more email.. I tried to create the IDMAP container on the LDAP with an example I found:
dn: ou=Idmap,dc=softeng,dc=com
objectClass: organizationalUnit
ou: idmap
structuralObjectClass: organizationalUnit
and it gives:
adding new entry "ou=Idmap,dc=softeng,dc=com"
ldap_add: Constraint violation
additional info: structuralObjectClass: no user modification allowed
2002 May 17
3
samba + openldap + tls
...on: Connect error".
Any idea???
Have I to use the "--with-ssl" option? It's said no.
##############################################
LDAP CONF:
--------------------------
########################
# certificates and keys
TLSCertificateKeyFile /opt/openldap/pem/ldapuckey.pem
TLSCertificateFile /opt/openldap/pem/ldapcert.pem
TLSCACertificateFile /opt/openldap/pem/demoCA/cacert.pem
##############################################
SMB CONF:
--------------------------
# LDAP:
ldap server = obiwan
ldap port = 389
ldap suffix = "ou=samba, dc=obiwan,dc=fr"...
2006 Jul 18
1
Weird statup probems TLS & SSL openldap and samba 3.0.23
...] Specific Entry)
access to dn.base=""
by self write
by * auth
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
by self write
by anonymous auth
by * none
access to *
by * read
by anonymous auth
security tls=1
TLSCACertificateFile /etc/openldap/ca.crt
TLSCertificateFile /etc/openldap/server.crt
TLSCertificateKeyFile /etc/openldap/server.key
TLSVerifyClient demand
/etc/ldap.conf
***********
uri ldap://yyyy.com
host yyyy.com
port 389
ssl start_tls
tls_reqcert demand
tls_checkpeer yes
tls_cert /etc/openldap/server.crt
tls_key /etc/openldap/server.key
tls_cacertfile...
2003 Oct 14
1
smbldap_search_suffix: certificate verify failed
...LDAP search:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed (Connect error)
ldapsam_setsampwent: LDAP search failed: Connect error
nss_ldap and pam_ldap both work well using TLS.
For your information, here is my configuration concerning TLS in:
slapd.conf -->
TLSCertificateFile /usr/local/etc/openldap/ldap.cert
TLSCertificateKeyFile /usr/local/etc/openldap/ldap.key
TLSCACertificateFile /usr/local/etc/openldap/ca.cert
ldap.conf -->
BASE dc=domain, dc=com
URI ldap://server.domain.com
TLS_CACERT /usr/local/etc/openldap/ca.cert
smb.conf -->
ldap passwd sync = y...
2015 Feb 17
0
/etc/ssl/certs/dovecot.pem erased by OpenSuse's update mechanism
...file containing both the certificate and private key catenated.
OpenVPN wants
ca certificate chain used for signing.pem
cert certificate.pem
key privatekey.pem
crl-verify crl.pem
OpenLDAP appears similar to OpenVPN with (appears not to support CRLs):
TLSCACertificatePath
TLSCertificateFile
TLSCertificateKeyFile
Racoon wants (appears not to support CRLs):
certificate_type x509 certfile keyfile
ca_type x509 ca.pem
But the man page doesn't talk about where the chain goes.
So it appears one should generate the following file formats to satisfy all the software out the...
2024 Dec 13
0
RODC in DMZ
...ude /etc/ldap/schema/misc.schema
>>
>> pidfile /var/run/slapd/slapd.pid
>> argsfile /var/run/slapd/slapd.args
>>
>> TLSDHParamFile /etc/ssl/certs/dhparam.pem
>> TLSCACertificateFile /etc/ssl/certs/ca.pem
>> # Enable tls by providing the server cert
>> TLSCertificateFile /etc/ssl/certs/<HOSTNAME>.crt
>> TLSCertificateKeyFile /etc/ssl/private/<HOSTNAME>.key
>>
>> # loglevel 896 = acl-processing,stat,stat2, this logs queries and responses
>> #           -1 = enable all
>> loglevel 896
>>
>> modulepath /us...
2006 Oct 24
1
samba pdc with ldap backend setup problems
...clude /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCACertificateFile /etc/pki/tls/certs/hypothalamus.cer
TLSCertificateFile /etc/pki/tls/certs/brain-new.cer
TLSCertificateKeyFile /etc/pki/tls/private/privkey.pem
TLSCRLCheck none
database bdb
suffix "dc=som,dc=com"
rootdn "cn=Manager,dc=som,dc=com"
rootpw <password removed>
checkpoint 1024 5
directory /var...
2003 Feb 18
1
problems with ldap tls
...smb.conf:
ldap server = localhost
#ldap port = 389
ldap port = 636
ldap suffix = o=zolnott,dc=de
ldap admin dn = uid=ldaproot,o=zolnott,dc=de
ldap filter = (&(uid=%u)(objectclass=sambaAccount))
ldap ssl = start_tls
Here my slapd.conf:
TLSCipherSuite HIGH:MEDIUM:+SSLv2:RSA
TLSCertificateFile /etc/openldap/www.zolnott.de-ldap-crt.pem
TLSCertificateKeyFile /etc/openldap/www.zolnott.de-ldap-key-nopw.pem
Here my log.smbd:
[2003/02/18 01:40:12, 0] passdb/pdb_ldap.c:ldap_open_connection(182)
Failed to issue the StartTLS instruction: Can't contact LDAP server
[2003/02/18 01:40:12, 1]...
2008 Apr 01
2
openldap on Centos 5.1 with TLS
Hi, sorry for the stupid question,
but however i am following all howtos and tutorials it is not working
1) i have created CA certificate - /etc/pki/tls/misc/CA -newca
2) i have generated a new request - /etc/pki/tls/misc/CA -newreq
3) i have signed certificate /etc/pki/tls/misc/CA -signreq
SO i have CA in /etc/pki/CA
i have newkey.pem
i have newcert.pem
i have also cealrkey.pem (without
2010 Nov 25
1
can't use godaddy SSL cert
...tation
with SASL2 support
openldap-sasl-server-2.4.23 Open source LDAP server implementation
I have setup the certificate chain in my slapd.conf like so:
[root@LBSD2:/usr/home/bluethundr]#grep -i tls /usr/local/etc/openldap/slapd.conf
## TLS options for slapd
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /usr/local/etc/openldap/cacerts/LBSD2.summitnjhome.com.crt
TLSCertificateKeyFile /usr/local/etc/openldap/cacerts/slapd.pem
TLSCACertificateFile /usr/local/etc/openldap/cacerts/sf_issuing.crt
I have tried each of the following certs with no luck in getting my
cert to talk to its CA:
-rw-r--...
2009 Mar 09
3
ldap group authentication refresh
.../etc/openldap/schema/nis.schema
include /etc/openldap/schema/qmail.schema
include /etc/openldap/schema/samba.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
database bdb
...
directory /var/lib/ldap
index objectClass eq
index uid eq
index cn eq,pres
index sn eq,pres,sub
index mai...
2004 Jun 11
2
Samba 3.0.3 on FC2: windows machine cannot join domain
...hema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
allow bind_v2
passwd-hash {SSHA]
pidfile /var/run/slapd.pid
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /var/ssl/cacert.pem
TLSCertificateFile /var/ssl/ldapcrt.pem
TLSCertificateKeyFile /var/ssl/ldapkey.pem
TLSVerifyClient 0
security ssf=1 update_ssf=112 simple_bind=64
access to dn=".*,dc=soil,dc=ncsu,dc=edu" attr=userPassword
by dn="cn=Manager,dc=soil,dc=ncsu,dc=edu" write
by self write
by *...
2009 Jul 15
0
idmap problem
...erson.schema
include /etc/ldap/schema/samba3.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel conns stats filter
idletimeout 30
modulepath /usr/lib/ldap
moduleload back_hdb
moduleload syncprov
sizelimit unlimited
tool-threads 1
TLSCertificateFile /etc/ssl/certs/srv3cert.pem
TLSCertificateKeyFile /etc/ssl/private/srv3key.pem
TLSCACertificateFile /etc/ssl/certs/cacert.pem
TLSVerifyClient never
#######################################################################
# Specific Backend Directives for hdb:
# Backend specific directives apply to...
2009 Feb 18
1
samba can not contact the ldap server
...by * read
access to *
by * read
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
# equivalent to TLS_CACERT
TLSCertificateFile /etc/ssl/ldapcert.pem
# self-signed certificate
# equivalent to TLS_KEY
TLSCertificateKeyFile /etc/ssl/ldapkey.pem
# private key
# equivalent to TLS_CERT
TLSCACertificateFile /etc/ssl/demoCA/cacert.pem
# Certificate Authority
# this is equivalent to TLS_REQCERT
#TLSVerifyClie...
2009 Jan 22
0
Samba LDAP PDC not working together
...ou can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it. Your client software
# may balk at self-signed certificates, however.
# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update...
2024 Dec 13
1
RODC in DMZ
Dear Rowland,
We share those concerns actually and of course if there is a way to avoid
it, it is always better. Another fellow suggested us an LDAP-Proxy
instead (personally have never setup one). What we actually need in our
case scenario, is only that service and not the rest of bells and
whistles of an RODC.
I just was wondering if someone had experience with what happens if one
does