ALT Linux Community general discussions
From: Alexey Borovskoy <alexey_borovskoy@pochtamt.ru>
To: community@altlinux.ru
Subject: Re: [Comm] OpenLDAP и SSL
Date: Wed, 23 Apr 2003 11:18:47 +1300
Message-ID: <200304231118.47715.alexey_borovskoy@pochtamt.ru>
In-Reply-To: <3EA51CB7.1010501@altlinux.ru>

[-- Attachment #1: Type: text/plain, Size: 1203 bytes --]

* 22 April 2003 23:43 Igor Muratov <migor@altlinux.ru>

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Alexey Borovskoy writes:
> | * 21 April 2003 23:22 Igor Muratov <migor@altlinux.ru>
> |
> |> There is also a suspicion that the server did not pick up the
> |> certificate and is listening on port 636 without any SSL at all.
> |> Try connecting there with telnet.
> |
> | I connect. Black screen. Then the server drops the connection.
> | Is it supposed to say something?

The file 1.txt contains the output of openssl s_client on my home
machine.

> Have you tried taking openldap from earlier distributions? In
> Spring, for instance, it definitely worked. In ALM2.0 I think it did too.

Yes. On Master 2.0 it definitely worked.

>
> | Today I pulled a fresh stunnel; I'll build it at home. A crutch,
> | of course, but what can you do.
>
> Maybe it isn't worth spending time on this?

I would like it to work without crutches.

>
> | Maybe we could localize and eliminate the bug together?
> | I understand that I am the only one who stepped on this rake. But
> | this rake repeats on three openldap installations on three different
> | machines/configurations.
>
> Then show the config in full.

Which ones exactly?
I have attached slapd.conf and the certificate to this message.

----
Alexey.
JID: alb@jabber.ru

[-- Attachment #2: 1.txt --]
[-- Type: text/plain, Size: 1004 bytes --]

[alb@alb 2]$ openssl s_client -connect alb.home:636 -debug
CONNECTED(00000004)
write to 0809BEB8 [0809BF00] (130 bytes => 130 (0x82))
0000 - 80 80 01 03 01 00 57 00-00 00 20 00 00 16 00 00   ......W... .....
0010 - 13 00 00 0a 07 00 c0 00-00 66 00 00 07 00 00 05   .........f......
0020 - 00 00 04 05 00 80 03 00-80 01 00 80 08 00 80 00   ................
0030 - 00 65 00 00 64 00 00 63-00 00 62 00 00 61 00 00   .e..d..c..b..a..
0040 - 60 00 00 15 00 00 12 00-00 09 06 00 40 00 00 14   `...........@...
0050 - 00 00 11 00 00 08 00 00-06 00 00 03 04 00 80 02   ................
0060 - 00 80 aa dd 8f a3 ad c5-70 56 63 2c 43 16 f6 1c   ........pVc,C...
0070 - dd 82 3a 80 cf 8d b0 f4-67 94 e4 cb c0 4f cc 61   ..:.....g....O.a
0080 - 27 ad                                             '.
read from 0809BEB8 [080A1460] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 28                              ......(
2140:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:465:

[-- Attachment #3: ldap.pem --]
[-- Type: application/x-x509-ca-cert, Size: 2909 bytes --]

[-- Attachment #4: slapd.conf --]
[-- Type: text/x-csrc, Size: 5458 bytes --]

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# Modified by Christian Zoffoli <czoffoli@linux-mandrake.com>
# Version 0.2
# 
# Modified by Volkov Serge <vserge@altlinux.ru>
# Version 0.3
# Last modification at 26 Jun 2002
#

# Default schemas
include	/etc/openldap/schema/core.schema
include	/etc/openldap/schema/cosine.schema
include	/etc/openldap/schema/inetorgperson.schema
include	/etc/openldap/schema/misc.schema
include	/etc/openldap/schema/nis.schema
include	/etc/openldap/schema/openldap.schema 
#include	/etc/openldap/schema/krb5-kdc.schema
#include	/etc/openldap/schema/kerberosobject.schema
#include	/etc/openldap/schema/corba.schema 
#include	/etc/openldap/schema/java.schema 

# Addon schemas
#include	/etc/openldap/schema/rfc822-MailMember.schema
#include	/etc/openldap/schema/pilot.schema
#include	/etc/openldap/schema/autofs.schema
#include	/etc/openldap/schema/samba.schema
#include	/etc/openldap/schema/qmail.schema
#include	/etc/openldap/schema/qmailControl.schema
#include	/etc/openldap/schema/cron.schema
#include	/etc/openldap/schema/dns.schema
#include	/etc/openldap/schema/trust.schema
#include	/etc/openldap/schema/turbo.schema

# Netscape Roaming
#include	/etc/openldap/schema/mull.schema
#include	/etc/openldap/schema/netscape-profile.schema

# Local schema that you construct yourself
#include	/etc/openldap/schema/local.schema

# Load dynamic backend modules:
#modulepath	/usr/lib/openldap
#moduleload	back_bdb.la
# moduleload	back_ldap.la
#moduleload	back_ldbm.la
# moduleload	back_passwd.la
# moduleload	back_shell.la

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral	ldap://root.openldap.org

pidfile		/var/run/slapd.pid
argsfile	/var/run/slapd.args

# To allow TLS-enabled connections, create /usr/share/ssl/certs/slapd.pem
# and uncomment the following lines.
 TLSCipherSuite          HIGH:MEDIUM:LOW:+SSLv2
 TLSCertificateFile      /etc/openldap/ldap.pem
 TLSCertificateKeyFile   /etc/openldap/ldap.pem
# TLSCACertificateFile    /etc/openldap/ldap.pem


# Define global ACLs to disable default read access.
#include 	/etc/openldap/slapd.access.conf

#
# Sample Access Control
#	Allow read access of root DSE
#	Allow self write access
#	Allow authenticated users read access
#	Allow anonymous users to authenticate
#
#access to dn="" by * read
#access to *
#	by self write
#	by users read
#	by anonymous auth
#
# if no access controls are present, the default is:
#	Allow read by all
#
# rootdn can always write!

# This example is under development; do not use it unless you know what you are doing!
# Basic ACL
# access to attr=userPassword
#         by self write
#         by anonymous auth
#         by dn="uid=root,ou=People,dc=example,dc=com" write
#         by * none
#  
# access to *
#         by dn="uid=root,ou=People,dc=example,dc=com" write
#         by * read



#######################################################################
# ldbm database definitions
#######################################################################

database	ldbm
suffix          "dc=intranet"
rootdn          "cn=ldapadmin,dc=intranet"

# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication is encouraged.
rootpw	secret
#rootpw	{crypt}ijFYNcSNctBYg

# The database directory MUST exist prior to running slapd AND 
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory	/var/lib/ldap/bases/intranet

# LogLevel information
# If you want to enable debugging mode,
# choose one of the following values
# and check that /etc/syslog.conf contains the line
# "LOCAL4.*	/var/log/ldap/log"
# ---------------------------------------------------
# |	-1	|	enable all debugging
# |	0	|	no debugging
# |	1	|	trace function calls
# |	2	|	debug packet handling
# |	4	|	heavy trace debugging
# |	8	|	connection management
# |	16	|	print out packets sent and received
# |	32	|	search filter processing
# |	64	|	configuration file processing
# |	128	|	access control list processing
# | 256	|	stats log connections/operations/results
# |	512	|	stats log entries sent
# | 1024|	print communication with shell backends
# | 2048|	print entry parsing debugging
# ---------------------------------------------------
loglevel -1

# Indices to maintain
#index	objectClass	eq
index objectClass,uid,uidNumber,gidNumber     eq
index cn,mail,surname,givenname               eq,subinitial


# Sample security restrictions
#
#   Disallow clear text exchange of passwords
# disallow bind_simple_unprotected
#
#	Require integrity protection (prevent hijacking)
#	Require 112-bit (3DES or better) encryption for updates
#	Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#	Root DSE: allow anyone to read it
#	Subschema (sub)entry DSE: allow anyone to read it
#	Other DSEs:
#		Allow self write access
#		Allow authenticated users read access
#		Allow anonymous users to authenticate
#	Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#	by self write
#	by users read
#	by anonymous auth
#
# if no access controls are present, the default policy is:
#	Allow read by all
#
# rootdn can always write!



Thread overview: 13+ messages
2003-04-19  1:53 Alexey Borovskoy
2003-04-19 10:37 ` Maxim Tyurin
2003-04-21  3:11   ` Alexey Borovskoy
2003-04-21 10:22 ` Igor Muratov
2003-04-22  6:14   ` Alexey Borovskoy
2003-04-22 10:43     ` Igor Muratov
2003-04-22 22:18       ` Alexey Borovskoy [this message]
2003-05-05 16:17         ` Igor Muratov
2003-04-22 22:30 ` Dmitry Lebkov
2003-04-23  2:06   ` Alexey Borovskoy
2003-04-23  2:17   ` Alexey Borovskoy
2003-04-23  2:33     ` Dmitry Lebkov
2003-04-23  3:28       ` Alexey Borovskoy
