How to troubleshoot LDAP over SSL connection problems (Baidu Zhidao)
There is no user interface for configuring LDAPS. Installing a valid certificate on a domain controller permits the LDAP service to listen for, and automatically accept, SSL connections for both LDAP and global catalog traffic.

Requirements for an LDAPS certificate

To enable LDAPS, you must install a certificate that meets the following requirements:

The LDAPS certificate is located in the Local Computer's Personal certificate store (programmatically known as the computer's MY certificate store).
A private key that matches the certificate is present in the Local Computer's store and is correctly associated with the certificate. The private key must not have strong private key protection enabled.
The Enhanced Key Usage extension includes the Server Authentication (1.3.6.1.5.5.7.3.1) object identifier (also known as OID).
The Active Directory fully qualified domain name of the domain controller (for example, ) must appear in one of the following places:
    The Common Name (CN) in the Subject field.
    A DNS entry in the Subject Alternative Name extension.
The certificate was issued by a CA that the domain controller and the LDAPS clients trust. Trust is established by configuring the clients and the server to trust the root CA to which the issuing CA chains.
You must use the Schannel cryptographic service provider (CSP) to generate the key.

For more information about establishing trust for certificates, see the "Policies to establish trust of root certification authorities" topic in Windows 2000 Server Help.

Creating the certificate request

Any utility or application that creates a valid PKCS #10 request can be used to form the SSL certificate request. Use Certreq to form the request.

Note: The commands that are used in this article rely on the 2003 version of Certreq. To use the steps in this article on a Windows 2000 server, copy certreq.exe and certcli.dll from a Windows 2003 server into a temporary directory on the Windows 2000 server.

Certreq.exe requires a text instruction file to generate an appropriate X.509 certificate request for a domain controller. You can create this file by using your preferred ASCII text editor. Save the file as an .inf file to any folder on your hard drive.

To request a Server Authentication certificate that is suitable for LDAPS, follow these steps:

1. Create the .inf file. The following example .inf file can be used to create the certificate request.

;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=<DC FQDN>"   ; replace with the FQDN of the DC
KeySpec = 1
KeyLength = 1024
; Can be , , or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
;-----------------------------------------------

Cut and paste the sample file into a new text file named Request.inf. Provide the fully qualified DNS name of the domain controller in the request.

Note: Some third-party certification authorities may require additional information in the Subject parameter. Such information includes an e-mail address (E), organizational unit (OU), organization (O), locality or city (L), state or province (S), and country or region (C). You can append this information to the Subject name (CN) in the Request.inf file. For example:

Subject="E=, CN=<DC fqdn>, OU=Servers, O=Contoso, L=Redmond, S=Washington, C=US."

2. Create the request file. To do this, type the following command at the command prompt, and then press ENTER:

certreq -new request.inf request.req

A new file called Request.req is created. This is the base64-encoded request file.

3. Submit the request to a CA. You can submit the request to a Microsoft CA or to a third-party CA.

4. Retrieve the certificate that is issued, and then save the certificate as Certnew.cer in the same folder as the request file. To do this, follow these steps:

a. Create a new file called Certnew.cer.
b. Open the file in Notepad, paste the encoded certificate into the file, and then save the file.

Note: The saved certificate must be encoded as base64. Some third-party CAs return the issued certificate to the requestor as base64-encoded text in an e-mail message.

5. Accept the issued certificate. To do this, type the following command at the command prompt, and then press ENTER:

certreq -accept certnew.cer

6. Verify that the certificate is installed in the computer's Personal store. To do this, follow these steps:

a. Start Microsoft Management Console (MMC).
b. Add the Certificates snap-in that manages certificates on the local computer.
c. Expand Certificates (Local Computer), expand Personal, and then expand Certificates.

A new certificate should exist in the Personal store. In the Certificate Properties dialog box, the intended purpose displayed is Server Authentication. This certificate is issued to the computer's fully qualified host name.

7. Restart the domain controller.

For more information about creating the certificate request, see the Advanced Certificate Enrollment and Management white paper on the following Microsoft Web site: /en-us/library/cc782583.aspx

Verifying an LDAPS connection

After a certificate is installed, follow these steps to verify that LDAPS is enabled:

1. Start the Active Directory Administration Tool (Ldp.exe).
   Note: This program is installed in the Windows 2000 Support Tools.
2. On the Connection menu, click Connect.
3. Type the name of the domain controller to which you want to connect.
4. Type 636 as the port number.
5. Click OK.

RootDSE information should print in the right pane, indicating a successful connection.

Possible issues

Start TLS extended request

LDAPS communication occurs over port TCP 636. LDAPS communication to a global catalog server occurs over TCP 3269. When connecting to ports 636 or 3269, SSL/TLS is negotiated before any LDAP traffic is exchanged. Windows 2000 does not support the Start TLS extended-request functionality.

Multiple SSL certificates

Schannel, the Microsoft SSL provider, selects the first valid certificate that it finds in the local computer store. If there are multiple valid certificates available in the local computer store, Schannel may not select the correct certificate.

Pre-SP3 SSL certificate caching issue

If an existing LDAPS certificate is replaced with another certificate, either through a renewal process or because the issuing CA has changed, the server must be restarted for Schannel to use the new certificate. The SSL provider in Windows 2000 caches the LDAPS certificate and does not detect the change until the domain controller is restarted. This has been corrected in Service Pack 3 for Windows 2000.

Windows Server 2008 improvements

The original recommendation in this article was to put certificates in the Local Machine's Personal store. Although this option is supported, you can also put certificates in the NTDS Service's Personal certificate store on Windows Server 2008 and on later versions of Active Directory Domain Services (AD DS). For more information about how to add the certificate to the NTDS service's Personal certificate store, visit the following Microsoft TechNet Web site: /en-us/library/dd941846(WS.10).aspx

AD DS preferentially looks for certificates in this store over the Local Machine's store. This makes it easier to configure AD DS to use the certificate that you want it to use, because there might be multiple certificates in the Local Machine's Personal store, and it can be difficult to predict which one is selected.

AD DS detects when a new certificate is dropped into its certificate store and then triggers an SSL certificate update without having to restart AD DS or restart the domain controller.

A new rootDse operation that is named renewServerCertificate can be used to manually trigger AD DS to update its SSL certificates without having to restart AD DS or restart the domain controller. This attribute can be updated using adsiedit.msc, or by importing the change in LDAP Directory Interchange Format (LDIF) using ldifde.exe. For more information on using LDIF to update this attribute, visit the following Microsoft MSDN Web site: /en-us/library/cc223311(v=PROT.10).aspx

Finally, if a Windows Server 2008 or later domain controller finds multiple certificates in its store, it automatically selects the certificate whose expiration date is furthest in the future. So if your current certificate is approaching its expiration date, you can drop the replacement certificate in the store, and AD DS automatically switches to use it.

All of these work for Windows Server 2008 AD DS and for 2008 Active Directory Lightweight Directory Services (AD LDS).
For AD LDS, put certificates into the Personal certificate store for the service that corresponds to the AD LDS instance instead of for the NTDS service.

-------------------------------------------------------

How to enable LDAP over SSL with a third-party certification authority

The Lightweight Directory Access Protocol (LDAP) is used to read from and write to Active Directory. By default, LDAP traffic is transmitted unsecured. You can make LDAP traffic confidential and secure by using Secure Sockets Layer (SSL) / Transport Layer Security (TLS) technology. You can enable LDAP over SSL (LDAPS) by installing a properly formatted certificate from either a Microsoft certification authority (CA) or a non-Microsoft CA, following the guidelines in this article.
OpenLDAP Server With Server-Side SSL/TLS and Client Authentication
This independently authored paper is obsolete.
Reviewers of this paper have indicated that they believe the paper suffers
from a number of significant technical errors and offers poor advice in
a number of areas.
As the author is unreachable and this paper is quite
old, the paper has been classified as obsolete.
It is strongly recommended that users of OpenLDAP Software consult the
for a detailed and up-to-date discussion of TLS/SSL use in
OpenLDAP Software.
Note added by Kurt Zeilenga (7 March 2006, updated 27 March 2013)
D. Kent Soper
June 5, 2003
Table of Contents
OpenLDAP has the ability to enable SSLv3 capabilities.
Transport Layer Security (TLSv1) is similar to SSL.
While SSL operates on a secure
connection (ldaps://:636) and is a Netscape-defined protocol, TLS offers the
same encryption on regular LDAP connections (ldap://:389) and is an industry
standard (RFC 2830).
Both types of secure connections are set up identically.
It is only the URL that is different.
This document explains the steps necessary
to set up an OpenLDAP server and make an SSL connection to it.
It should be noted that the steps taken in this document ensure an LDAP
version 3 level of compliance.
None of the details here would be possible without the information taken from
or the help received from Kurt Zeilenga, one of the main OpenLDAP
contributors.
OpenLDAP is a large set of software tools and I could not have
set up the SSL portion without advice and tips from Kurt.
Thank you very
much, Kurt!
Of course OpenLDAP is required, but in what form?
RPM or tarball from the
OpenLDAP web site?
The latter is preferred because it guarantees the most
current software.
More importantly, building the sources from tarball allows
one to create a customized server by selecting desired options out of the nearly
one hundred available (see
offers two download sources:
release and stable.
For this document, the release version was used on advice from Kurt.
Frequently, release versions make it to stable status quickly as was the case for me.
Advanced users may also want to check out the test release if available.
Also, older
releases may have an update available for users who haven't upgraded to the current
development level.
If OpenLDAP is installed already and you are downloading the tarball, you
should locate current OpenLDAP objects and avoid using them altogether.
It would be undesirable if an older LDAP standalone daemon (slapd) is started
instead of the newly created one, since the daemon would not refer to the recently
created server and configuration files!
Before installing the tarball, use "find" or "locate" and take note of the locations
and dates of the following (which may not exist on your machine):
(LDAP server daemon)
slapd.conf (server configuration file)
ldap.conf (client configuration file)
ldapsearch (one of many client commands)
It is not recommended that you uninstall an old version of
Doing so may break dependencies.
The best thing to do is to avoid
using the slapd daemon and client commands associated with the old OpenLDAP
By doing this, you'll be able to bypass the older configuration files
(slapd.conf and ldap.conf).
Actually, older version OpenLDAP client commands may be used to access the
directory.
The real issue on the client side is configuring the correct
associated with the client.
This issue is left for the user to decide.
Besides OpenLDAP, other development software may be required as dictated by the
selected OpenLDAP configuration options.
The best practice for installing missing software is:
Run the configure script (see ) with your options.
Look for error messages involving missing header files or libraries.
Consult the Linux distro CDs and install the necessary rpm.
Almost all missing rpms are the development
releases of the form package-devel-release.arch.rpm.
To ensure compatibility, it is a good idea to
verify client and development software have similar release values.
They should be equal if they come
from the same distribution.
For example:
openssl-0.9.6g-18.i586.rpm
openssl-devel-0.9.6g-18.i586.rpm
One of the OpenLDAP options you should set during the OpenLDAP build is your
desired database backend.
Slapd comes with a variety of different database
backends you can choose from. The two most commonly used are BDB, a
high-performance transactional database backend and LDBM, a lightweight DBM
based backend.
The default backend is BDB, which means Sleepycat Software Berkeley DB 4.1
will be utilized (--enable-bdb configure option).
If that is not the
desired database, then disable it (--disable-bdb configure option) and
select another type.
It may be easier to use one of the many LDBM backends (GDBM, Berkeley DB,
MDBM, or BCompact).
Although many of the database clients are installed already,
you will still need to install the development rpms, as discussed in
I chose the LDBM route (--enable-ldbm)
and installed both the GDBM and Berkeley DB rpms.
Both were installed because I
wanted to see which database OpenLDAP selects when more than one is available.
However, only one database needs to be present.
Regardless of the database backend employed, the OpenLDAP software
handles all of the database transactions transparently once OpenLDAP is installed
and running.
Therefore, the database does not need to be configured or initialized.
You do not need to use the software levels in this example but you should use at a
minimum OpenLDAP 2.1.
More important is the use of a current version of Linux
and its distributed rpms than searching for the software levels listed.
The levels are listed only for reference.
Current Linux levels may be determined from
the distributor's website.
Your list could be shorter or longer depending upon the options selected during
configuration and the software already installed on your Linux machine.
In addition,
SuSE and RedHat have differing dependencies, i.e., a RedHat box would not have a
SASL dependence on the installation of Heimdal.
Operating system: SuSE 8.1
Additional rpms
openssl-devel-0.9.6g-18
gdbm-devel-1.8.0-671
Berkeley DB
db-devel-4.0.14-182
Cyrus SASL
cyrus-sasl-devel-1.5.27-256
des-4.04b-501
heimdal-devel-0.4e-186
pam-devel-0.76-36
* required by Cyrus SASL
At a minimum, the document
should be reviewed before attempting to install
If problems persist, the comprehensive
can be helpful.
Hopefully, this document will provide enough detail to
perform the task at hand.
It is assumed the OpenLDAP source has been unpacked and the user has
changed to the top level OpenLDAP directory at this stage of the document:
% tar zxf openldap-VERSION.tgz
% cd openldap-VERSION
At the top level of the OpenLDAP distribution are two files worth skimming:
README lists required software levels for OpenLDAP 2.1
and documentation sites.
INSTALL lists installation steps and suggests files to
configure.
a simple default install of OpenLDAP is not an option if
SSL is to be
A little extra work will be required.
As mentioned already, there are over one hundred options that can be configured.
To view a complete list, type:
% ./configure --help
Here is a short list of some common options [default value]:

--no-create          do not create output files
--prefix=PREFIX      install architecture independent files in PREFIX [/usr/local]
--enable-debug       enable debugging [yes]
--with-tls           with TLS-SSL support [auto]
--with-cyrus-sasl    with Cyrus SASL support [auto]
--with-kerberos      with Kerberos support [auto]
--enable-slapd       enable building slapd [yes]
--enable-cleartext   enable cleartext passwords [yes]
--enable-crypt       enable crypt passwords [no]
--enable-kpasswd     enable Kerberos password verification [no]
--enable-spasswd     enable (Cyrus) SASL password verification [no]
--enable-wrappers    enable TCP wrapper support [no]
--enable-bdb         enable Berkeley DB (4.1) backend [yes]
--enable-ldbm        enable ldbm backend [no]
--with-ldbm-api      with LDBM API auto|berkeley|bcompact|mdbm|gdbm [auto]

'--disable-FEATURE' is equivalent to '--enable-FEATURE=no'.
'--without-FEATURE' is equivalent to '--with-FEATURE=no'.
This example uses these features:
--prefix=/usr
A preference to avoid installing everything into /usr/local.
Also, LDAP
client commands are installed to /usr/bin/ (overwriting and voiding the old LDAP client
commands).
--with-tls and --enable-slapd
The whole purpose of this exercise.
--with-cyrus-sasl
At first this option was not selected, but the
states that the system "will not be fully LDAPv3
compliant unless it detects a usable Cyrus SASL installation."
--enable-crypt
Cryptic passwords are always good.
--enable-ldbm and --disable-bdb
Turn off BDB and turn on LDBM style database backend.
Default options turned on:
--enable-debug and --enable-cleartext
Options avoided:
--enable-kerberos (not part of this exercise)
After selecting the configure options, follow these steps to build and install the
OpenLDAP system.
Do not proceed until each step is completed error-free.
The form of this command is:
[ [ env ] settings ] ./configure options
([ ] represents optional segments of the command)
(Some shells do not require the use of 'env')
(Usually 'options' are optional but not for this example)
Settings may be any of these (from Admin Guide):
Configuration Flags
DESCRIPTION
Specify alternative C Compiler
Specify additional compiler flags
Specify C preprocessor flags
Specify linker flags
Specify additional entries
Example command using environment settings:
% env CPPFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib" \
    ./configure --with-tls
Here is the actual command used to configure the test system:
% ./configure --prefix=/usr --with-tls --enable-slapd --with-cyrus-sasl \
--enable-crypt --enable-ldbm --disable-bdb
The OpenLDAP Foundation,
All Rights Reserved.
Restrictions apply, see COPYRIGHT and LICENSE files.
Configuring OpenLDAP 2.1.17-Release ...
checking host system type... i686-pc-linux-gnu
( ... A few hundred lines of output ... )
Please run "make depend" to build dependencies
Successful configuration will end with "Please run 'make depend' to build
dependencies".
If this message is not displayed, examine the output for missing
headers or libraries.
software is missing.
Enter the following command to build dependencies and look for errors:
% make depend
Enter the following command to build the system and look for errors:
% make
Missing libraries will be discovered during 'make'.
Also, this part should take a
long time to execute (more than five minutes).
The next command is optional, but testing the standalone system is recommended.
This command also has a long execution time.
% make test
If all goes well, the system has been built as configured!
Otherwise return to the
configure, make depend, and make steps to find the problem.
Enter the following command to install the binaries and man pages.
Most installs
require 'root' privileges.
% su root -c 'make install'
Tip: the installed man pages can be the best source of OpenLDAP answers in
some instances.
To enable an SSL/TLS connection to the server, a server certificate is needed by the
SSL/TLS protocols.
Also, in an SSL handshake the server certificate only provides a
secure, encrypted connection to the server.
If client authentication is desired, then a
client certificate and key pair must be presented to the LDAP server.
There are two ways to create and install a server certificate.
Both methods involve
creating the server certificate, sending it to OpenLDAP clients, and making
appropriate changes to the OpenLDAP configuration files.
Also, both methods
involve OpenSSL commands that query the user for information used to create the
certificate.
When asked for a 'Common Name', you must enter the fully-qualified
distinguished name of the server, e.g. , and not 'your name' as is
suggested by the OpenSSL prompt.
This common mistake is the cause of
over 90% of server certificate errors!
The first way to create a server certificate is to use OpenSSL and create a self signed
server certificate. From a command line:
% openssl req -newkey rsa:1024 -x509 -nodes -out server.pem \
    -keyout server.pem -days 365
OpenLDAP only works with unencrypted keys and the '-nodes' argument
prevents encryption of the private key.
The next step would involve configuring OpenLDAP with the location of
server.pem.
The use of self-signed certificates is discouraged, and their configuration is
not discussed in detail in this document because of these two downsides:
The private key is included in the certificate which will be transported to all
OpenLDAP client machines.
Interpreting error messages from OpenSSL commands (see )
The following output from an "openssl s_client ..." command is not an actual error
(output edited for clarity):
Self Signed Certificate Output
% openssl s_client -connect localhost:636 -showcerts
CONNECTED()
depth=0 /O=Example Org/OU=Example Unit//Email=
verify error:num=18:self signed certificate
verify return:1
( deleted output )
Start Time:
: 300 (sec)
Verify return code: 18 (self signed certificate)
For these reasons it is strongly recommended to use CA signed certificates!
However, to configure a self-signed certificate, only three entries in
slapd.conf need to be set (see ):
TLSCACertificateFile server.pem
TLSCertificateFile server.pem
TLSCertificateKeyFile server.pem
If you have access to a trusted Certificate Authority (CA), then step through the CA
process to get a CA certificate, server certificate and server private key.
for info on how to configure your server with these
However, if a trusted CA is not available, OpenSSL makes the same process
quick and easy.
The steps:
Create any directory for creating and signing your certificates.
For example, /var/myca.
% mkdir /var/myca
Change to /var/myca and run the OpenSSL CA script (in /usr/share/ssl/misc/ on
% cd /var/myca/
% /usr/share/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create) <enter>
Making CA certificate ...
Using configuration from /etc/f
Generating a 1024 bit RSA private key
..........................++++++
.........................++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase: <ca pass>
Verifying password - Enter PEM pass phrase: <ca pass again>
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Texas
Locality Name (eg, city) []:Austin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Org
Organizational Unit Name (eg, section) []:Example Unit
Common Name (eg, YOUR name) []:<
Email Address []:.
This creates demoCA/cacert.pem and demoCA/private/cakey.pem (CA cert and
private key).
Make your server certificate signing request (CSR):
% openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
Using configuration from /etc/f
Generating a 1024 bit RSA private key
..............++++++
..........................++++++
writing new private key to 'newreq.pem'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Texas
Locality Name (eg, city) []:Austin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Org
Organizational Unit Name (eg, section) []:Example Org Unit
Common Name (eg, YOUR name) []:<
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <pass>
An optional company name []:.
The result is newreq.pem.
Have the CA sign the CSR:
% /usr/share/ssl/misc/CA.sh -sign
Using configuration from /etc/f
Enter PEM pass phrase: <ca pass>
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'Texas'
localityName          :PRINTABLE:'Austin'
organizationName      :PRINTABLE:'Example Org'
organizationalUnitName:PRINTABLE:'Example Org Unit'
commonName            :PRINTABLE:''
emailAddress          :IA5STRING:''
Certificate is to be certified until Apr 10 18:58:58 2004 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=Texas, L=Austin, O=Example Org, OU=Example Unit,
Not Before: Apr 11 18:58:58 2003 GMT
Not After : Apr 10 18:58:58 2004 GMT
Subject: C=US, ST=Texas, L=Austin, O=Example Org, OU=Example Org Unit,
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
Exponent: 601)
X509v3 extensions:
X509v3 Basic Constraints:
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
D0:C0:9D:46:30:65:2A:9C:63:63:6A:E6:FE:E4:AC:F7:21:F8:33:61
X509v3 Authority Key Identifier:
keyid:31:2E:0D:FB:A0:74:5A:0B:4B:C5:C4:E0:69:7F:32:6D:AF:46:82:F1
DirName:/C=US/ST=Texas/L=Austin/O=Example Org/OU=Example Unit/
Signature Algorithm: md5WithRSAEncryption
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
This creates newcert.pem (the server certificate signed by the CA); the matching
private key is still in newreq.pem.
I prefer /usr/var/openldap-data as my certificate directory.
% cp demoCA/cacert.pem /usr/var/openldap-data/cacert.pem
% mv newcert.pem /usr/var/openldap-data/servercrt.pem
% mv newreq.pem /usr/var/openldap-data/serverkey.pem
% chmod 400 /usr/var/openldap-data/serverkey.pem
The last command makes the private key read-only by the user who runs slapd.
A 'chown' command will be necessary if the owner of the server key is not the same
as the user who runs slapd.
The certificates should be publicly readable.
Make the CA certificate available to your LDAP clients.
If the client is on the same machine, copy cacert.pem to a location accessible by
the client.
If clients are on other machines, then cacert.pem will have to be copied to
those machines and also made accessible.
This process requires a few more steps than creating a self signed certificate, but
the benefits gained outweigh any extra time spent creating the CA.
Client certificates are created similarly to server certificates.
Using the steps outlined in , the only changes are as follows:
Step 1 and 2:
Do nothing ... the CA does not need to be created again.
is to use the same CA certificate to sign the client certificate.
Same command but actually enter the client's name instead of the server
name when prompted for the Common Name.
Of course, all of the other responses
should be descriptive of the client as well as defining the client's subject DN.
Same command with the same resulting files for the cert and private key.
Good thing the last certificate was renamed in !
Step 5: Now the certificates can be moved to the user's desired certificate
repository and renamed.
(For example, /home/user/certs.)
% mv newcert.pem /home/user/certs/ldap.client.pem
% mv newreq.pem /home/user/certs/keys/ldap.client.key.pem
% chmod 400 /home/user/certs/keys/ldap.client.key.pem
The last command makes the private key read-only by the user who runs the
LDAP client.
A 'chown' command will be necessary if the owner of the server key is
not the same as the user who runs the client.
The certificate should be publicly
Step 6: Shouldn't have to do anything here after the previous 'mv'
commands were executed.
With the certificates created, only one more step remains before the server can
be started:
LDAP configuration.
To configure your OpenLDAP system, there are three areas to consider:
server (slapd.conf), client (ldap.conf), and directory (schema).
Please note that this section
will discuss the requirements for server side SSL and client authentication although
a system may be configured without client authentication.
A table summarizing all
of the pertinent SSL configuration variations will be presented in .
Most of the configuration occurs in the slapd daemon configuration file, slapd.conf.
Verify that the file corresponding to your new slapd daemon is the one that is being
edited before proceeding.
Also, the Admin Guide chapter,
, goes into more detail than this
section and should be reviewed.
The slapd.conf file contains many comments that are very helpful.
One of the first
states that the file should not be world readable.
If it doesn't already have 600
protection mode, make it so.
Here is the example slapd.conf, with the important comments and entries in bold.
It is displayed in its entirety because of the importance of the file.
#######################################################################
# $OpenLDAP$
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
include /usr/etc/openldap/schema/core.schema
include /usr/etc/openldap/schema/cosine.schema
include /usr/etc/openldap/schema/inetorgperson.schema
include /usr/etc/openldap/schema/misc.schema
include /usr/etc/openldap/schema/openldap.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /usr/var/slapd.pid
argsfile /usr/var/slapd.args
# Load dynamic backend modules:
# modulepath /usr/libexec/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
# Sample security restrictions
#   Disallow clear text exchange of passwords
# disallow bind_simple_unprotected
#   Require integrity protection (prevent hijacking)
#   Require 112-bit (3DES or better) encryption for updates
#   Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
#   Root DSE: allow anyone to read it
#   Subschema (sub)entry DSE: allow anyone to read it
#   Other DSEs:
#       Allow self write access
#       Allow authenticated users read access
#       Allow anonymous users to authenticate
#   Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
access to *
    by self write
    by users read
    by anonymous auth
# if no access controls are present, the default policy is:
#   Allow read by all
# rootdn can always write!
# CA signed certificate and server cert entries:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /usr/var/openldap-data/cacert.pem
TLSCertificateFile /usr/var/openldap-data/servercrt.pem
TLSCertificateKeyFile /usr/var/openldap-data/serverkey.pem
# Use the following if client authentication is required
TLSVerifyClient demand
# ... or not desired at all
#TLSVerifyClient never
#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
#suffix "dc=my-domain,dc=com"
#rootdn "cn=Manager,dc=my-domain,dc=com"
suffix "dc=myserver,dc=com"
rootdn "cn=Manager,dc=myserver,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}/nM76XvHqgByMF/mplwZ4EuP6EjSPCFc
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/var/openldap-data
# Indices to maintain
index objectClass eq
#######################################################################
The important directives in slapd.conf are described in Table 2.
LDAP Server Directives
DIRECTIVE              DESCRIPTION
include                additional configuration files or schema
TLSCipherSuite         cipher suite spec: describes what ciphers will be accepted
TLSCACertificateFile   file that contains the certificates of all trusted CA certs
TLSCACertificatePath   directory containing CA certificates. Usually this or
                       TLSCACertificateFile is used.
TLSCertificateFile     server certificate filename
TLSCertificateKeyFile  server private key filename
TLSVerifyClient        Client Authentication: level of checks to perform on incoming
                       client certs ( never | allow | try | demand,hard )
database               database definition ( bdb | ldap | ldbm | shell | null | sql and others )
suffix                 DN suffix of queries passed to database backend
rootdn                 DN that is not subject to access control for the database
rootpw                 password or hash of password for rootdn
directory              database directory which must exist prior to starting slapd
There are other variables that may be used.
Table 2 summarizes a basic set of
server configuration directives.
Depending on the OpenLDAP system installed, "man ldap.conf" may
or may not return all of the information available.
If 'TLS OPTIONS' is not displayed,
go to the newly installed OpenLDAP system and run the command again.
OpenLDAP clients on other machines may not have updated man pages.
The ldap.conf file sets system-wide defaults for LDAP clients.
If user-specific values are required, then the same ldap.conf
directives should be applied to ldaprc or .ldaprc
files in the user home or current working directories.
User-specific entries
override global LDAP settings.
If implementing client authentication, it is required to add the client certificate and
key pair to an ldaprc or .ldaprc file.
In the following table, "user-only" marks directives that belong in an ldaprc or .ldaprc file
and are not global LDAP directives.
LDAP Client Directives
DIRECTIVE           DESCRIPTION
BASE                default base (DN form) to use when performing ldap operations
BINDDN              default bind DN to use when performing ldap operations (user-only)
HOST name[:port]    name of LDAP servers to connect to (separate by spaces)
PORT                default port used when connecting to LDAP servers. 636 = SSL!
SIZELIMIT           search return limit (0 = unlimited search)
TIMELIMIT           search time limit (0 = unlimited time)
                    whether clients should use TLS by default (never | hard);
                    use of this directive is incompatible with the LDAPv3 StartTLS request
TLS_CACERT          specifies the file that contains all of the CA certificates the client recognizes
TLS_CACERTDIR       used if TLS_CACERT fails
TLS_REQCERT         specifies what checks to perform on a server certificate
                    ( never | allow | try | demand,hard )
TLS_CERT            Client Authentication: specifies the client certificate (user-only)
TLS_KEY             Client Authentication: specifies the private key for the TLS_CERT entry (user-only)
Example ldap.conf:
# Global LDAP settings
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
TLS_CACERT /etc/ssl/certs/cacert.pem
TLS_REQCERT demand
This configuration will connect to ldaps://:636
without the need to specify the host and port in client commands.
The ldaprc file is used to override global LDAP values and to set
the certificate and private key used to establish client authentication.
Example ldaprc (in user's home or current directory):
# User specific LDAP settings
# Override global directive (if set)
TLS_REQCERT demand
# client authentication
TLS_CERT /home/ldap-user/certs/client.cert.pem
TLS_KEY /home/ldap-user/certs/keys/client.key.pem
This minimal configuration is all that is required for client authentication.
In slapd.conf, schema are listed near the top of the file.
slapd.conf files may contain one schema with several commented
The example slapd.conf file added a few other schemas found in the
schema directory.
Example slapd.conf schema entries:
include /usr/etc/openldap/schema/core.schema
include /usr/etc/openldap/schema/cosine.schema
include /usr/etc/openldap/schema/inetorgperson.schema
include /usr/etc/openldap/schema/misc.schema
include /usr/etc/openldap/schema/openldap.schema
No additional configuration is necessary to get the server up and running.
There are varying degrees of SSL configuration one may institute.
Table 3 summarizes
the various directives and values that can be used to set up basic server side SSL
("basic") up to strict server side and client side SSL ("best").
SSL/TLS Directives
slapd.conf:
    TLSCACertificateFile or TLSCACertificatePath
    TLSCertificateFile
    TLSCertificateKeyFile
    TLSCipherSuite
    TLSVerifyClient
ldap.conf:
    TLS_CACERT
    TLS_CACERTDIR (optional)
    TLS_REQCERT
ldaprc or .ldaprc:
    TLS_CERT
    TLS_KEY
- : no entry
x : use directive and enter filename or directory
Note: TLSVerifyClient default is 'never' and TLS_REQCERT default is 'demand'
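As an added example (not part of the original article), here is a small Python audit that reads the TLS directives from slapd.conf, ldap.conf and ldaprc and reports where a setup sits on the Table 3 scale, together with settings that weaken it. The embedded configuration text is constructed from the fragments shown on this page; the level names and checks are my own, and the remark about '+' versus '!' in cipher lists describes OpenSSL cipher-list syntax rather than anything this page states.

```python
# Constructed samples, copied from the slapd.conf / ldap.conf / ldaprc
# fragments shown on this page (unrelated directives left out).
SLAPD_CONF = """\
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /usr/var/openldap-data/cacert.pem
TLSCertificateFile /usr/var/openldap-data/servercrt.pem
TLSCertificateKeyFile /usr/var/openldap-data/serverkey.pem
TLSVerifyClient demand
"""
LDAP_CONF = """\
TLS_CACERT /etc/ssl/certs/cacert.pem
TLS_REQCERT demand
"""
LDAPRC = """\
TLS_REQCERT demand
TLS_CERT /home/ldap-user/certs/client.cert.pem
TLS_KEY /home/ldap-user/certs/keys/client.key.pem
"""


def parse_directives(text):
    """Map DIRECTIVE -> value. OpenLDAP directive names are case-insensitive,
    so they are upper-cased; comments and blank lines are skipped."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            found[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return found


def cipher_findings(spec):
    """In an OpenSSL cipher list '+' only moves matching ciphers to the end;
    '!' is what removes them, so 'HIGH:MEDIUM:+SSLv2' still offers SSLv2."""
    weak = {"SSLV2", "LOW", "EXPORT", "EXP", "NULL", "ENULL", "ANULL"}
    return [f"slapd.conf: TLSCipherSuite '{spec}' still permits {tok.lstrip('+')}"
            " ('+' only reorders; use '!' to exclude)"
            for tok in spec.split(":")
            if not tok.startswith("!") and tok.lstrip("+").upper() in weak]


def audit(slapd_conf, ldap_conf, ldaprc=""):
    """Return (level, findings). Level follows Table 3: 'none' (no server
    certificate), 'basic' (server-side SSL only) or 'client-auth' (slapd
    demands client certificates and the user's ldaprc supplies one)."""
    s, c, u = (parse_directives(t) for t in (slapd_conf, ldap_conf, ldaprc))
    if "TLSCERTIFICATEFILE" not in s or "TLSCERTIFICATEKEYFILE" not in s:
        return "none", ["slapd.conf: TLSCertificateFile/TLSCertificateKeyFile missing"]
    findings = cipher_findings(s.get("TLSCIPHERSUITE", ""))
    if "TLSCACERTIFICATEFILE" not in s and "TLSCACERTIFICATEPATH" not in s:
        findings.append("slapd.conf: no TLSCACertificateFile/Path, client certs cannot be checked")
    # Defaults from the note above: TLSVerifyClient 'never', TLS_REQCERT 'demand';
    # a value in ldaprc overrides ldap.conf.
    verify = s.get("TLSVERIFYCLIENT", "never").lower()
    reqcert = u.get("TLS_REQCERT", c.get("TLS_REQCERT", "demand")).lower()
    if "TLS_CACERT" not in c and "TLS_CACERTDIR" not in c:
        findings.append("ldap.conf: no TLS_CACERT/TLS_CACERTDIR, server cert cannot be verified")
    if reqcert in ("never", "allow"):
        findings.append(f"client: TLS_REQCERT {reqcert} accepts an unverified server certificate")
    if verify in ("allow", "try"):
        findings.append(f"slapd.conf: TLSVerifyClient {verify} admits clients with no certificate")
    has_client_cert = "TLS_CERT" in u and "TLS_KEY" in u
    if verify in ("demand", "hard") and not has_client_cert:
        findings.append("slapd.conf demands client certificates but ldaprc sets no TLS_CERT/TLS_KEY")
    level = "client-auth" if verify in ("demand", "hard") and has_client_cert else "basic"
    return level, findings
```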
The server is now ready to be started!
% /usr/libexec/slapd -d127 -h "ldap:/// ldaps:///"
This starts the server running on the two default ports of 389 (ldap://) and 636
(ldaps://). On my box, the slapd daemon resides in the /usr/libexec/ directory.
"-d127" is a debug level and a value of '-1' will produce max debug output.
There is another way to start the server.
A script called "ldap" exists (usually in
/etc/rc.d/init.d) that can be edited to start your LDAP server.
Initially, it probably
won't reflect any of the newly created slapd values such as the path to the
slapd executable nor will it have the flexibility to start LDAP on specific
I find it much easier to use the above command in a separate window and then
be able to view debug output.
If alternate ports are desired, you can also start the server like this:
% /usr/libexec/slapd -d9 -h "ldaps:/// ldaps://:12345"
This command only starts the server on SSL ports 636 and 12345.
It also uses a
debug level of
'9' which will display SSL connect information (and less of the other
gorp associated with '-d -1').
How do you know if the server is really doing anything?
OpenSSL has a utility
that verifies the SSL connection and you can also add some entries and then search
for them via an OpenLDAP client.
To check the SSL connection, try this command:
% openssl s_client -connect localhost:636 -showcerts -state -CAfile <ca cert>
If the LDAP server is not executing on your client machine, "localhost" must be
substituted with the server name, e.g. "".
Also, to verify the server certificate, you must provide the client CA certificate to
the CAfile argument.
Why does the CA certificate have to be specified if it already is
in ldap.conf?
Because the command is an OpenSSL client command and not an
LDAP client command.
The command can also be used to verify a TLS connection on non-ldaps ports,
e.g. port 389.
Good output looks like this (edited):
OpenSSL Output Using Server Side SSL
% openssl s_client -:636 -showcerts -state \
    -CAfile /var/cacert/cacert.pem
CONNECTED()
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=US/ST=Texas/L=Austin/O=Example Org/OU=Example Unit/
verify return:1
depth=0 /C=US/ST=Texas/L=Austin/O=Example Org/OU=Example Org Unit//Email=
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
( ... Certificate chain output deleted ... )
No client certificate CA names sent
SSL handshake has read 1804 bytes and written 314 bytes
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
    Cipher    : DES-CBC3-SHA
    Session-ID: E7E1D275B86A9695BEB1B15E4C0E681FAC9F4E55B88FD...
    Session-ID-ctx:
    Master-Key: 2DCBEF82B7FCCE6FA3E72C55C3D6A915AD7B7FC8E0F...
    Start Time:
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
The command will hang after the final return code output.
This is normal.
"Control-c" will end the command.
The line "No client certificate CA names sent" is indicative of a
server side SSL set up.
If client authentication had been configured, the OpenSSL
command and output would resemble this:
OpenSSL Output Using Client Authentication
% openssl s_client -:636 -state \
-CAfile /var/cacert/cacert.pem \
-cert /home/ldap-user/certs/client.cert.pem \
-key /home/ldap-user/certs/keys/client.key.pem
CONNECTED()
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=US/ST=Texas/L=Austin/O=Example Org/OU=Example Unit/
verify return:1
depth=0 /C=US/ST=Texas/L=Austin/O=Example Org/OU=Example Org Unit//Email=
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
( ... Certificate chain output deleted ... )
subject=/C=US/ST=Texas/L=Austin/O=Example Org/OU=Example Org Unit//Email=
issuer=/C=US/ST=Texas/L=Austin/O=Example Org/OU=Example Unit/
Acceptable client certificate CA names
/C=US/ST=Texas/L=Austin/O=Example Org/OU=Example Unit/
SSL handshake has read 1916 bytes and written 2102 bytes
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
    Cipher    : DES-CBC3-SHA
    Session-ID: 96B9C18DAC585050EDC30C1BBC44F2DDB98EBAEBEC68B270...
    Session-ID-ctx:
    Master-Key: 540C7F9FAD1CBE503C9A3BA5D47A76A005BDEEEBD32...
    Start Time:
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
Note the extra SSL handshake output (in bold): the server's certificate request, the client
certificate and certificate verify messages, and the "Acceptable client certificate CA names" list.
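As an added example that is not part of the original article, the following Python code parses s_client output like the two transcripts above and turns it into a pass/fail check, so the same verification can be scripted rather than read by eye. The sample transcripts are abridged copies of the ones shown on this page.

```python
import re

# Constructed samples: the two openssl s_client transcripts from this page,
# abridged to the lines the checks below rely on.
SERVER_ONLY = """\
SSL_connect:SSLv3 read server hello A
depth=1 /C=US/ST=Texas/L=Austin/O=Example Org/OU=Example Unit/
verify return:1
depth=0 /C=US/ST=Texas/L=Austin/O=Example Org/OU=Example Org Unit//Email=
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 read finished A
No client certificate CA names sent
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Verify return code: 0 (ok)
"""
CLIENT_AUTH = """\
depth=1 /C=US/ST=Texas/L=Austin/O=Example Org/OU=Example Unit/
verify return:1
depth=0 /C=US/ST=Texas/L=Austin/O=Example Org/OU=Example Org Unit//Email=
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 read finished A
Acceptable client certificate CA names
/C=US/ST=Texas/L=Austin/O=Example Org/OU=Example Unit/
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Verify return code: 0 (ok)
"""


def summarize_s_client(output):
    """Extract the facts a scripted check needs from s_client output."""
    info = {"handshake_complete": False, "verify_code": None, "cipher": None,
            "client_cert_requested": False, "chain": []}
    for line in output.splitlines():
        line = line.strip()
        if line.endswith("read finished A"):
            info["handshake_complete"] = True
        elif line.startswith("Verify return code:"):
            info["verify_code"] = int(line.split()[3])
        elif line.startswith("New,") and "Cipher is" in line:
            info["cipher"] = line.rsplit(" ", 1)[1]
        elif (line.endswith("read server certificate request A")
              or line.startswith("Acceptable client certificate CA names")):
            # Either line shows that slapd asked for a client certificate
            info["client_cert_requested"] = True
        else:
            m = re.match(r"depth=(\d+) (\S.*)", line)
            if m:
                info["chain"].append((int(m.group(1)), m.group(2)))
    return info


def check_ldaps(output, expect_client_auth):
    """Return a list of problems; empty means the server behaves as the
    slapd.conf TLS directives intend."""
    s = summarize_s_client(output)
    problems = []
    if not s["handshake_complete"]:
        problems.append("TLS handshake did not complete")
    if s["verify_code"] != 0:
        problems.append(f"server certificate chain not verified (code {s['verify_code']})")
    if expect_client_auth and not s["client_cert_requested"]:
        problems.append("server never asked for a client certificate (TLSVerifyClient may still be 'never')")
    if not expect_client_auth and s["client_cert_requested"]:
        problems.append("server requests client certificates although none are configured")
    if s["cipher"] in (None, "(NONE)"):
        problems.append("no cipher negotiated")
    return problems
```

A verify return code of 0 shows only that the chain validates against the -CAfile; whether the certificate's common name matches the server's fully qualified domain name is enforced by the LDAP client, not by this s_client run.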
OpenLDAP has several client commands.
Most common:
ldapsearch,
ldapadd, ldapmodify, and ldapdelete.
This document will
show example commands but will not explain the details of their operation.
Please consult the man pages for more details.
The sections that follow show examples that add entries to the LDAP directory
and then search the directory for various entries.
Using any editor, copy and paste the following LDIF file to "init.ldif".
Any leading
and trailing white space should be eliminated.
Change the DN values to mirror
your slapd.conf suffix values.
For example if your suffix is
"dc=ldap,dc=com", then the DN entries below would be
"dn: dc=ldap,dc=com".
#init.ldif
dn: dc=myserver,dc=com
objectclass: dcObject
objectclass: organization
o: Example Org
dc: myserver

dn: cn=my-name,dc=myserver,dc=com
objectclass: organizationalRole
cn: my-name

dn: ou=my system,dc=myserver,dc=com
objectclass: organizationalUnit
ou: my system
description: Test organizational unit to hold admin user

dn: cn=mr admin,ou=my system,dc=myserver,dc=com
objectclass: person
# the person object class requires sn as well as cn
sn: admin
userPassword: testpass
description: mr admin test user
cn: mr admin
Now add the LDIF entries to the LDAP database (using your rootdn):
% ldapadd -x -D "cn=Manager,dc=myserver,dc=com" -W -f init.ldif
You will be prompted for the rootpw because of the "-W" argument.
If successful, you will see four "adding new entry <entry>" lines.
To ensure an SSL connection, you can specify a host with:
"-H ldaps://".
This argument is needed if the host is not set on a stand alone client.
Use the following commands to search the directory.
To understand the different
command flags, consult the man pages for ldapsearch.
In all of the
commands that follow, the argument
' -D "cn=Manager,dc=myserver,dc=com" ' is necessary because of this
access block in slapd.conf:
access to *
by self write
by users read
by anonymous auth
If this block had been commented out as in a default slapd.conf, then none of the
"-D" arguments would be needed in the ldapsearch commands here and in the following
sections.
Return all entries
Client on same machine:
% ldapsearch -x -b 'dc=myserver,dc=com' -D "cn=Manager,dc=myserver,dc=com" '(objectclass=*)' -W
Stand alone LDAP client:
% ldapsearch -x -b 'dc=myserver,dc=com' \
    -D "cn=Manager,dc=myserver,dc=com" '(objectclass=*)' \
    -H ldaps:// -W
The output should look like:
version: 2
# filter: (objectclass=*)
# requesting: ALL
# myserver, com
dn: dc=myserver,dc=com
objectClass: dcObject
objectClass: organization
o: Example Org
dc: myserver
# my-name, myserver, com
dn: cn=my-name,dc=myserver,dc=com
objectClass: organizationalRole
cn: my-name
# my system, myserver, com
dn: ou=my system,dc=myserver,dc=com
objectClass: organizationalUnit
ou: my system
description: Test organizational unit to hold admin user
# mr admin, my system, myserver, com
dn: cn=mr admin,ou=my system,dc=myserver,dc=com
objectClass: person
userPassword:: dGVzdHBhc3M=
description: mr admin test user
cn: mr admin
# search result
result: 0 Success
# numResponses: 5
# numEntries: 4
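The LDIF and the search output above lend themselves to a small parser, added here as an example that is not from the original article: it splits entries at blank lines, decodes the "::" base64 form that ldapsearch uses for userPassword, checks the MUST attributes of the object classes used on this page, and lists passwords stored without a {SCHEME} hash. The sample LDIF is a constructed copy of init.ldif in which the person entry carries no sn.

```python
import base64

# MUST attributes of the object classes used on this page (core.schema).
REQUIRED = {
    "dcobject": {"dc"}, "organization": {"o"},
    "organizationalrole": {"cn"}, "organizationalunit": {"ou"},
    "person": {"cn", "sn"},
}

# Constructed sample: this page's init.ldif with the blank lines LDIF
# requires between entries; note the 'person' entry carries no sn.
INIT_LDIF = """\
dn: dc=myserver,dc=com
objectclass: dcObject
objectclass: organization
o: Example Org
dc: myserver

dn: cn=my-name,dc=myserver,dc=com
objectclass: organizationalRole
cn: my-name

dn: ou=my system,dc=myserver,dc=com
objectclass: organizationalUnit
ou: my system

dn: cn=mr admin,ou=my system,dc=myserver,dc=com
objectclass: person
userPassword: testpass
cn: mr admin
"""


def parse_ldif(text):
    """Return [{'dn': ..., 'attrs': {name: [values]}}]. Folded lines
    (leading space) are joined, '::' values are base64-decoded (the form
    ldapsearch prints for userPassword), comments and stray lines skipped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        if name.lower() == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is not None:
            current["attrs"].setdefault(name.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def missing_required(entry):
    """Attributes the entry's object classes require but it lacks."""
    present = set(entry["attrs"])
    missing = set()
    for oc in entry["attrs"].get("objectclass", []):
        missing |= REQUIRED.get(oc.lower(), set()) - present
    return sorted(missing)


def unhashed_passwords(text):
    """userPassword values with no {SCHEME} prefix: the base64 in LDIF output
    is an encoding, not a hash, so these passwords are stored in the clear."""
    return [(e["dn"], v) for e in parse_ldif(text)
            for v in e["attrs"].get("userpassword", []) if not v.startswith("{")]
```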
Return some entries (part one)
Command with output:
% ldapsearch -x -b 'cn=my-name,dc=myserver,dc=com' \
    -D "cn=Manager,dc=myserver,dc=com" \
    -H ldaps:// '(objectclass=*)' -w secret
version: 2
# filter: (objectclass=*)
# requesting: ALL
# my-name, myserver, com
dn: cn=my-name,dc=myserver,dc=com
objectClass: organizationalRole
cn: my-name
# search result
result: 0 Success
# numResponses: 2
# numEntries: 1
Return some entries (part two)
Command with output:
% ldapsearch -x -b 'ou=my system,dc=myserver,dc=com' \
    -D "cn=Manager,dc=myserver,dc=com" \
    -H ldaps:// '(objectclass=*)' -w secret
version: 2
# filter: (objectclass=*)
# requesting: ALL
# my system, myserver, com
dn: ou=my system,dc=myserver,dc=com
objectClass: organizationalUnit
ou: my system
description: Test organizational unit to hold admin user
# mr admin, my system, myserver, com
dn: cn=mr admin,ou=my system,dc=myserver,dc=com
objectClass: person
userPassword:: dGVzdHBhc3M=
description: mr admin test user
cn: mr admin
# search result
result: 0 Success
# numResponses: 3
# numEntries: 2
Up to this point, most of the document has dealt with SSL and not TLS.
SSL connections are always encrypted, while TLS connections give the client the option
to upgrade to an encrypted connection.
TLS requires the same configuration settings as SSL.
Upon examination, all of the important SSL directives start with "TLS",
which should have tipped you off to the dual relationship.
However, simply accessing ldap://:389 does not ensure a TLS encrypted
connection.
Accessing ldaps:// is not a TLS connection either.
In order to use TLS
over an ldap:// connection, add a ldap_start_tls_s() call to your
client code:
#include <ldap.h>
LDAP *ld;
int rc, port = 389;
int ldap_version = LDAP_VERSION3;
ld = ldap_init("", port);                 /* first argument: the LDAP server host name */
ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &ldap_version);   /* StartTLS needs LDAPv3 */
rc = ldap_start_tls_s(ld, NULL, NULL);    /* rc == LDAP_SUCCESS once the session is TLS protected */
Another difference between SSL and TLS in the above code is that SSL doesn't
use ldap_init().
Instead it uses ldap_initialize(LDAP **ldp, const char *uri), where the URI is
e.g. "ldaps://:636".
Attempting to use ldap_init() over SSL will cause a broken pipe error.
Also, calling ldap_start_tls_s() when an SSL connection is already in use
is an error.
Another TLS method that can be used is to add a "-Z" or "-ZZ" flag to client commands;
since StartTLS upgrades a plain ldap:// connection, the URI must not be ldaps://:
% ldapsearch -x -b 'dc=myserver,dc=com' \
    -D "cn=Manager,dc=myserver,dc=com" '(objectclass=*)' \
    -H ldap:// -W -ZZ
The "-ZZ" flag forces TLS handshake to be successful.
The single "-Z" flag tries
to enable TLS and will proceed without using encrypted connections if the TLS
handshake fails.
It would be nice to set a TLS configuration directive in either
slapd.conf or ldap.conf but my attempts to do so
have not resulted in a successful TLS handshake in the server output.
OpenLDAP documentation does suggest using a "Start TLS"
call in a configuration file which has not been successful for me.
As can be seen, enabling SSL/TLS on an OpenLDAP server and client can be
achieved quickly.
If client authentication is desired, then only a few more steps
and changes are required.
OpenLDAP manages the SSL connection once it knows
where the server and CA certificates (client side) reside.
Although enabling an SSL connection to a server is straight forward if the
steps outlined in this document are followed, problems can arise when trying to
execute the LDAP client.
OpenLDAP is sophisticated software with several nuances
that take experience to understand and use correctly.
Execution errors can arise
when the following occurs:
Incorrect slapd.conf and ldap.conf entries.
Punctuation errors between slapd.conf entries (suffix, rootdn, rootpw)
and the OpenLDAP client commands.
Accessing OpenLDAP server ports that have not been started.
Calling a "start tls" command on an SSL port.
Calling this command
on any SSL/TLS port is an error.
Making changes to the wrong slapd.conf and ldap.conf configuration
Incorrect password.
Not using a fully qualified domain name in the server certificate
(very common!).
... just to name a few.
However most problems with OpenLDAP are the result of
human error and they will appear less frequently as OpenLDAP is more often utilized.
