[Comm] OpenLDAP and SSL

Igor Muratov migor at altlinux.ru
Mon May 5 20:17:12 MSD 2003



Alexey Borovskoy writes:
| * 22 April 2003 23:43 Igor Muratov <migor at altlinux.ru>
|
|>
|>Alexey Borovskoy writes:
|>| * 21 April 2003 23:22 Igor Muratov <migor at altlinux.ru>
|>|
|>|>There is also a suspicion that the server did not pick up the certificate and
|>|>the connection to port 636 was made without any SSL at all.
|>|>Try connecting there with telnet.
|>|
|>| I connect. Black screen. Then the server drops the connection.
|>| Should it say something?
|
|
| The file 1.txt contains the output of openssl s_client on the home
| machine.
|
|
|>Have you tried taking openldap from an earlier distribution? For
|>example, in Spring it definitely worked. In ALM2.0 it seems to as well.
|
|
| Yes. On Master 2.0 it definitely worked.
|
|
|>| Today I pulled a fresh stunnel; I will build it at home. A crutch,
|>| of course, but what can you do.
|>
|>Maybe it is not worth spending time on this?
|
|
| I would like it to work without crutches.
|
|
|>| Maybe we could localize and eliminate the bug with joint effort?
|>| I understand that I am the only one who has stepped on this rake. But this rake
|>| repeats on three openldap installations on three different
|>| machines/configurations.
|>
|>Then show the config in full.
|
|
| Which ones exactly?
| I have attached slapd.conf and the certificate to this message.
|
| ----
| Alexey.
| JID: alb at jabber.ru
|
|
| ------------------------------------------------------------------------
|
| [alb@alb 2]$ openssl s_client -connect alb.home:636 -debug
| CONNECTED(00000004)
| write to 0809BEB8 [0809BF00] (130 bytes => 130 (0x82))
| 0000 - 80 80 01 03 01 00 57 00-00 00 20 00 00 16 00 00   ......W... .....
| 0010 - 13 00 00 0a 07 00 c0 00-00 66 00 00 07 00 00 05   .........f......
| 0020 - 00 00 04 05 00 80 03 00-80 01 00 80 08 00 80 00   ................
| 0030 - 00 65 00 00 64 00 00 63-00 00 62 00 00 61 00 00   .e..d..c..b..a..
| 0040 - 60 00 00 15 00 00 12 00-00 09 06 00 40 00 00 14   `...........@...
| 0050 - 00 00 11 00 00 08 00 00-06 00 00 03 04 00 80 02   ................
| 0060 - 00 80 aa dd 8f a3 ad c5-70 56 63 2c 43 16 f6 1c   ........pVc,C...
| 0070 - dd 82 3a 80 cf 8d b0 f4-67 94 e4 cb c0 4f cc 61   ..:.....g....O.a
| 0080 - 27 ad                                             '.
| read from 0809BEB8 [080A1460] (7 bytes => 7 (0x7))
| 0000 - 15 03 01 00 02 02 28                              ......(
| 2140:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:465:
|
|
| ------------------------------------------------------------------------
|
| # $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
| #
| # See slapd.conf(5) for details on configuration options.
| # This file should NOT be world readable.
| #
| # Modified by Christian Zoffoli <czoffoli@linux-mandrake.com>
| # Version 0.2
| #
| # Modified by Volkov Serge <vserge@altlinux.ru>
| # Version 0.3
| # Last modification at 26 Jun 2002
| #
|
| # Default schemas
| include	/etc/openldap/schema/core.schema
| include	/etc/openldap/schema/cosine.schema
| include	/etc/openldap/schema/inetorgperson.schema
| include	/etc/openldap/schema/misc.schema
| include	/etc/openldap/schema/nis.schema
| include	/etc/openldap/schema/openldap.schema
| #include	/etc/openldap/schema/krb5-kdc.schema
| #include	/etc/openldap/schema/kerberosobject.schema
| #include	/etc/openldap/schema/corba.schema
| #include	/etc/openldap/schema/java.schema
|
| # Addon schemas
| #include	/etc/openldap/schema/rfc822-MailMember.schema
| #include	/etc/openldap/schema/pilot.schema
| #include	/etc/openldap/schema/autofs.schema
| #include	/etc/openldap/schema/samba.schema
| #include	/etc/openldap/schema/qmail.schema
| #include	/etc/openldap/schema/qmailControl.schema
| #include	/etc/openldap/schema/cron.schema
| #include	/etc/openldap/schema/dns.schema
| #include	/etc/openldap/schema/trust.schema
| #include	/etc/openldap/schema/turbo.schema
|
| # Netscape Roaming
| #include	/etc/openldap/schema/mull.schema
| #include	/etc/openldap/schema/netscape-profile.schema
|
| # Local schema that you will construct yourself
| #include	/etc/openldap/schema/local.schema
|
| # Load dynamic backend modules:
| #modulepath	/usr/lib/openldap
| #moduleload	back_bdb.la
| # moduleload	back_ldap.la
| #moduleload	back_ldbm.la
| # moduleload	back_passwd.la
| # moduleload	back_shell.la
|
| # Do not enable referrals until AFTER you have a working directory
| # service AND an understanding of referrals.
| #referral	ldap://root.openldap.org
|
| pidfile		/var/run/slapd.pid
| argsfile	/var/run/slapd.args
|
| # To allow TLS-enabled connections, create /usr/share/ssl/certs/slapd.pem
| # and uncomment the following lines.
|  TLSCipherSuite          HIGH:MEDIUM:LOW:+SSLv2
|  TLSCertificateFile      /etc/openldap/ldap.pem
|  TLSCertificateKeyFile   /etc/openldap/ldap.pem
The problem seems to be right here. There must be no leading spaces.
Here is an excerpt from /etc/init.d/ldap:
if grep -qs ^TLS "$CONFIG"; then
    daemon ${SLAPD} -u ldap -h '"ldap:/// ldaps:///"' $OPTIONS $SLAPD_OPTIONS
    RETVAL=$?
else
    daemon ${SLAPD} -u ldap -h 'ldap://127.0.0.1/' $OPTIONS $SLAPD_OPTIONS
    RETVAL=$?
fi



| # TLSCACertificateFile    /etc/openldap/ldap.pem
|
|
| # Define global ACLs to disable default read access.
| #include 	/etc/openldap/slapd.access.conf
|
| #
| # Sample Access Control
| #	Allow read access of root DSE
| #	Allow self write access
| #	Allow authenticated users read access
| #	Allow anonymous users to authenticate
| #
| #access to dn="" by * read
| #access to *
| #	by self write
| #	by users read
| #	by anonymous auth
| #
| # if no access controls are present, the default is:
| #	Allow read by all
| #
| # rootdn can always write!
|
| # Example under development; do not use it if you don't know what you are doing!!!
| # Basic ACL
| # access to attr=userPassword
| #         by self write
| #         by anonymous auth
| #         by dn="uid=root,ou=People,dc=example,dc=com" write
| #         by * none
| #
| # access to *
| #         by dn="uid=root,ou=People,dc=example,dc=com" write
| #         by * read
|
|
|
| #######################################################################
| # ldbm database definitions
| #######################################################################
|
| database	ldbm
| suffix          "dc=intranet"
| rootdn          "cn=ldapadmin,dc=intranet"
|
| # Cleartext passwords, especially for the rootdn, should
| # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
| # Use of strong authentication is encouraged.
| rootpw	secret
| #rootpw	{crypt}ijFYNcSNctBYg
|
| # The database directory MUST exist prior to running slapd AND
| # should only be accessible by the slapd/tools. Mode 700 recommended.
| directory	/var/lib/ldap/bases/intranet
|
| # LogLevel information
| # If you want to enable debugging mode,
| # choose one of the values below
| # and check that /etc/syslog.conf contains the line
| # "LOCAL4.*	/var/log/ldap/log"
| # ---------------------------------------------------
| # |	-1	|	enable all debugging
| # |	0	|	no debugging
| # |	1	|	trace function calls
| # |	2	|	debug packet handling
| # |	4	|	heavy trace debugging
| # |	8	|	connection management
| # |	16	|	print out packets sent and received
| # |	32	|	search filter processing
| # |	64	|	configuration file processing
| # |	128	|	access control list processing
| # | 256	|	stats log connections/operations/results
| # |	512	|	stats log entries sent
| # | 1024|	print communication with shell backends
| # | 2048|	print entry parsing debugging
| # ---------------------------------------------------
| loglevel -1
|
| # Indices to maintain
| #index	objectClass	eq
| index objectClass,uid,uidNumber,gidNumber     eq
| index cn,mail,surname,givenname               eq,subinitial
|
|
| # Sample security restrictions
| #
| #   Disallow clear text exchange of passwords
| # disallow bind_simple_unprotected
| #
| #	Require integrity protection (prevent hijacking)
| #	Require 112-bit (3DES or better) encryption for updates
| #	Require 63-bit encryption for simple bind
| # security ssf=1 update_ssf=112 simple_bind=64
|
| # Sample access control policy:
| #	Root DSE: allow anyone to read it
| #	Subschema (sub)entry DSE: allow anyone to read it
| #	Other DSEs:
| #		Allow self write access
| #		Allow authenticated users read access
| #		Allow anonymous users to authenticate
| #	Directives needed to implement policy:
| # access to dn.base="" by * read
| # access to dn.base="cn=Subschema" by * read
| # access to *
| #	by self write
| #	by users read
| #	by anonymous auth
| #
| # if no access controls are present, the default policy is:
| #	Allow read by all
| #
| # rootdn can always write!
|


--
With best regards                    System administrator
Igor Muratov                         mailto:migor at altlinux.ru
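An added example, not code from this thread or from the ALT Linux init script: it reproduces the `grep -qs ^TLS "$CONFIG"` test quoted from /etc/init.d/ldap against a constructed slapd.conf fragment whose TLS directives are indented the way they are in the quoted config, contrasts it with a check that tolerates leading whitespace, and shows a sed rewrite that strips the leading blanks. The temp file and the helper names are constructed for the example.

```shell
#!/bin/sh
# Constructed slapd.conf fragment: active TLS lines indented with one space
# (as in the quoted config), plus a commented-out line that must not count.
CONFIG="$(mktemp)"
cat > "$CONFIG" <<'EOF'
pidfile     /var/run/slapd.pid
argsfile    /var/run/slapd.args
 TLSCipherSuite          HIGH:MEDIUM:LOW:+SSLv2
 TLSCertificateFile      /etc/openldap/ldap.pem
 TLSCertificateKeyFile   /etc/openldap/ldap.pem
# TLSCACertificateFile    /etc/openldap/ldap.pem
EOF

# The init script's own test: anchored at column 1, so an indented
# directive is invisible and slapd is started without the ldaps:/// URL.
has_tls_strict() {
    grep -qs '^TLS' "$1"
}

# Tolerant test: skip leading blanks and tabs; a '#' still does not match,
# so commented-out directives are ignored exactly as before.
has_tls_lenient() {
    grep -qs '^[[:space:]]*TLS' "$1"
}

# Listener URLs the init script would pass to `slapd -h`.
# $1 = config file, $2 = name of the check function to apply.
slapd_listeners() {
    if "$2" "$1"; then
        echo 'ldap:/// ldaps:///'
    else
        echo 'ldap://127.0.0.1/'
    fi
}

# The fix the message points at: drop leading whitespace from TLS* lines.
# Prints the corrected config on stdout; the input file is left untouched.
normalize_tls_lines() {
    sed 's/^[[:space:]]*\(TLS\)/\1/' "$1"
}

echo "strict  -> $(slapd_listeners "$CONFIG" has_tls_strict)"
echo "lenient -> $(slapd_listeners "$CONFIG" has_tls_lenient)"
```

With the indented fragment the strict check yields only `ldap://127.0.0.1/`, which is why the daemon never listens with TLS on 636 even though the certificate lines are present.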