Displaying 20 results from an estimated 21 matches for "tlsverifyclient".
2005 Apr 07
1
Samba and slapd.conf's TLSVerifyClient
I have Samba 3.0.13 and LDAP 2.2.24 installed. I have placed the following
directive in my slapd.conf file.
TLSVerifyClient demand
I have the PADL stuff configured and working fine.
ldapsearch with -ZZ works fine.
I even have the Idealx smbldap-tools working fine.
Samba won't work though unless I set
TLSVerifyClient try
According to the slapd.conf man page, "try" causes a client certificate to
be reque...
2005 Mar 07
2
TLSVerifyClient demand or try
Hi all!
I'm very close to having a fully functional samba and openldap. Thanks to
idealx.org. I just need to understand how it works. Everything works except one
thing. When I change TLSVerifyClient allow to TLSVerifyClient demand in
slapd.conf and do:
ldapsearch -x -ZZ -b 'dc=yourdomain,dc=com' '(objectclass=*)' -d 127
in the end I get:
ldap_chkResponseList for msgid=2, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 2
wait4msg continue, msgid 2, all...
2010 Dec 30
1
Samba OpenLDAP TLS
Dear Samba friends,
I have setup a samba server 3.5 on FreeBSD 8.1-RELEASE-p2 with
openldap-sasl-server-2.4. I have specified ``TLSVerifyClient demand'' in
slapd.conf and want to enforce the clients to connect and show a
valid certificate to the ldap server. As far as I have understood, Samba
will act as a client as well and in order to access the ldap server it will
need a client certificate as well. I do know how to generate a cl...
2005 Feb 14
0
TLS question. Does it work?
...add users, groups and computers to ldap. I've tried with success to add
computer to the domain. Now to the point.
When I do a test like:
ldapsearch -x -ZZ -D "cn=admin,dc=dbb,dc=su,dc=se" -W -b '' -s base
'(objectClass=*)' namingContexts
Everything works only if I have TLSVerifyClient allow or none. If I use
TLSVerifyClient try or demand which generate a "ldap_bind: Can't contact LDAP
server (81)"
I estimate the server chose not to use TLS at all
But when I try to make a lookup error in ldap.conf. I change the HOST from
FQDN to its IP address.
Now if...
2009 Feb 18
1
samba can not contact the ldap server
...rtificateFile /etc/ssl/ldapcert.pem
# self-signed certificate
# equivalent to TLS_KEY
TLSCertificateKeyFile /etc/ssl/ldapkey.pem
# private key
# equivalent to TLS_CERT
TLSCACertificateFile /etc/ssl/demoCA/cacert.pem
# Certificate Authority
# this is equivalent to TLS_REQCERT
#TLSVerifyClient allow
#TLSVerifyClient try
#TLSVerifyClient demand
#Procedure
TLSCipherSuite HIGH:MEDIUM:+SSLv2
#######################################################################
# BDB database definitions
###################################################################...
2005 Dec 02
1
dovecot and ldaps://
Hi all,
I've managed to get dovecot running with ldaps (ssl over port 636, not starttls).
Btw, it's working right only if I specify "TLSVerifyClient never" in my slapd.conf.
With any other parameter (like "TLSVerifyClient demand"), the bind fails with:
connection_get(12)
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3...
2006 Jul 18
1
Weird startup problems TLS & SSL openldap and samba 3.0.23
...trs=userPassword,sambaLMPassword,sambaNTPassword
by self write
by anonymous auth
by * none
access to *
by * read
by anonymous auth
security tls=1
TLSCACertificateFile /etc/openldap/ca.crt
TLSCertificateFile /etc/openldap/server.crt
TLSCertificateKeyFile /etc/openldap/server.key
TLSVerifyClient demand
/etc/ldap.conf
***********
uri ldap://yyyy.com
host yyyy.com
port 389
ssl start_tls
tls_reqcert demand
tls_checkpeer yes
tls_cert /etc/openldap/server.crt
tls_key /etc/openldap/server.key
tls_cacertfile /etc/openldap/ca.crt
base dc=xxxx,dc=xxxx,dc=com
binddn cn=Manager,dc=xxxx,dc=xxxx,dc=co...
2013 Aug 12
0
Asterisk WebRTC Support : WSS connection setup fails with error:00000000
...***
my http.conf
---------------------
tlsenable=yes
tlsbindport=8089
tlsbindaddr=0.0.0.0
;tlscertfile=/etc/asterisk/keys/asterisk.crt
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlsprivatekey=/etc/asterisk/keys/asterisk.key
tlscipher=ALL
tlsclientmethod=tlsv1
;tlsverifyclient=no
;tlsdontverifyserver=yes
--
Rgds
astlov
2004 Jun 11
2
Samba 3.0.3 on FC2: windows machine cannot join domain
.../openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
allow bind_v2
passwd-hash {SSHA]
pidfile /var/run/slapd.pid
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /var/ssl/cacert.pem
TLSCertificateFile /var/ssl/ldapcrt.pem
TLSCertificateKeyFile /var/ssl/ldapkey.pem
TLSVerifyClient 0
security ssf=1 update_ssf=112 simple_bind=64
access to dn=".*,dc=soil,dc=ncsu,dc=edu" attr=userPassword
by dn="cn=Manager,dc=soil,dc=ncsu,dc=edu" write
by self write
by * auth
access to dn=".*,dc=soil,dc=ncsu,dc=edu" attr=mail
by dn=...
2009 Jul 15
0
idmap problem
...level conns stats filter
idletimeout 30
modulepath /usr/lib/ldap
moduleload back_hdb
moduleload syncprov
sizelimit unlimited
tool-threads 1
TLSCertificateFile /etc/ssl/certs/srv3cert.pem
TLSCertificateKeyFile /etc/ssl/private/srv3key.pem
TLSCACertificateFile /etc/ssl/certs/cacert.pem
TLSVerifyClient never
#######################################################################
# Specific Backend Directives for hdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend hdb
database hdb
suffix "dc=mydomain,dc=site...
2004 Sep 23
1
Re: Samba 3.0.3 on FC2: windows machine cannot join domain
.../openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
allow bind_v2
passwd-hash {SSHA]
pidfile /var/run/slapd.pid
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /var/ssl/cacert.pem
TLSCertificateFile /var/ssl/ldapcrt.pem
TLSCertificateKeyFile /var/ssl/ldapkey.pem
TLSVerifyClient 0
security ssf=1 update_ssf=112 simple_bind=64
access to dn=".*,dc=soil,dc=ncsu,dc=edu" attr=userPassword
by dn="cn=Manager,dc=soil,dc=ncsu,dc=edu" write
by self write
by * auth
access to dn=".*,dc=soil,dc=ncsu,dc=edu" attr=mail
by dn=...
2003 Jan 20
1
Auth Systems Security mini-audit
Being a responsible sort of guy, I want to check and make sure I have
some decent encryption settings for my authentication systems. Namely
Samba PDC (2.2.7a) with an LDAP backend that also authenticates Linux
clients (which I've finally gotten running the way I want :-)).
According to some documentation I've found, the samba ports are
137/udp,138/udp and 139/tcp. Samba changes
2011 Dec 13
0
proftpd graphical clients not working
...c
# TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html)
<IfDefine TLS>
TLSEngine on
TLSRequired on
TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
TLSCipherSuite ALL:!ADH:!DES
TLSOptions NoCertRequest
TLSVerifyClient off
#TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
TLSLog /var/log/proftpd/tls.log
<IfModule mod_tls_shmcache.c>
TLSSessionCache shm:/file=/var/run/proftpd/sesscache
</IfModule>
</IfDefine>
# Dynamic ban lists (http://www.proftpd.org/docs/contrib/...
2010 Mar 06
0
Failure joining to Samba 3.4.5 Domain
...enldap
# moduleload back_shell.so
# moduleload back_relay.so
# moduleload back_perl.so
# moduleload back_passwd.so
# moduleload back_null.so
# moduleload back_monitor.so
# moduleload back_meta.so
moduleload back_hdb.so
# moduleload back_dnssrv.so
#TLS_REQCERT allow
TLSVerifyClient allow
TLSCertificateFile /etc/ssl/subdomainlvl1-cert.pem
TLSCertificateKeyFile /etc/ssl/private/subdomainlvl1-key.pem
TLSCACertificateFile /etc/ssl/cbs_cacert.pem
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryp...
2006 Feb 21
0
OT Proftpd stopped authentication for users
...s.html
#TLSEngine on
#TLSRequired on
#TLSRSACertificateFile /usr/share/ssl/certs/proftpd.pem
#TLSRSACertificateKeyFile /usr/share/ssl/certs/proftpd.pem
#TLSCipherSuite ALL:!ADH:!DES
#TLSOptions NoCertRequest
#TLSVerifyClient off
##TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
#TLSLog /var/log/proftpd/tls.log
##Anonymous Coop CORS Access##
<Anonymous /var/ftp/gps/cors/rinex/>
<Limit LOGIN>
AllowAll
</Limit>
User...
2004 Jan 13
1
Samba 3.0.1 + LDAP + User Password Change failure
...nt the following lines.
#TLSRandFile /dev/random
#TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/ssl/openldap/ldap.pem
TLSCertificateKeyFile /etc/ssl/openldap/ldap.pem
#TLSCACertificatePath /etc/ssl/openldap/
TLSCACertificateFile /etc/ssl/openldap/ldap.pem
#TLSVerifyClient 0
#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
suffix "dc=hill,dc=co.uk"
#suffix "o=My Organization Name,c=US"
r...
2011 Aug 13
1
can't list directories in ftp
....c
# TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html)
<IfDefine TLS>
TLSEngine on
TLSRequired on
TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
TLSCipherSuite ALL:!ADH:!DES
TLSOptions NoCertRequest
TLSVerifyClient off
#TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
TLSLog /var/log/proftpd/tls.log
<IfModule mod_tls_shmcache.c>
TLSSessionCache shm:/file=/var/run/proftpd/sesscache
</IfModule>
</IfDefine>
# Dynamic ban lists (http://www.proftpd.org/docs/contrib/...
2011 Aug 23
0
can't login remotely proftpd
....c
# TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html)
<IfDefine TLS>
TLSEngine on
TLSRequired on
TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
TLSCipherSuite ALL:!ADH:!DES
TLSOptions NoCertRequest
TLSVerifyClient off
#TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
TLSLog /var/log/proftpd/tls.log
<IfModule mod_tls_shmcache.c>
TLSSessionCache shm:/file=/var/run/proftpd/sesscache
</IfModule>
</IfDefine>
# Dynamic ban lists (http://www.proftpd.org/docs/contrib/...
2011 Aug 26
1
mysql authentication in proftpd
...on
TLSRequired on
TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
TLSCipherSuite ALL:!ADH:!DES
TLSOptions NoCertRequest
TLSVerifyClient off
#TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
TLSLog /var/log/proftpd/tls.log
<IfModule mod_tls_shmcache.c>
TLSSessionCache shm:/file=/var/run/proftpd/sesscache
</IfModule>
</IfDefine...
2011 Aug 13
1
proftpd can't login locally
....c
# TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html)
<IfDefine TLS>
TLSEngine on
TLSRequired on
TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
TLSCipherSuite ALL:!ADH:!DES
TLSOptions NoCertRequest
TLSVerifyClient off
#TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
TLSLog /var/log/proftpd/tls.log
<IfModule mod_tls_shmcache.c>
TLSSessionCache shm:/file=/var/run/proftpd/sesscache
</IfModule>
</IfDefine>
# Dynamic ban lists (http://www.proftpd.org/docs/contrib/...