From: Alexey Borovskoy <alexey_borovskoy@pochtamt.ru>
To: community@altlinux.ru
Subject: Re: [Comm] OpenLDAP and SSL
Date: Wed, 23 Apr 2003 11:18:47 +1300
Message-ID: <200304231118.47715.alexey_borovskoy@pochtamt.ru>
In-Reply-To: <3EA51CB7.1010501@altlinux.ru>

[-- Attachment #1: Type: text/plain, Size: 1203 bytes --]

* 22 April 2003 23:43 Igor Muratov <migor@altlinux.ru>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Alexey Borovskoy writes:
> | * 21 April 2003 23:22 Igor Muratov <migor@altlinux.ru>
> |
> |> There is also the suspicion that the server did not pick up the
> |> certificate and that you connected to port 636 without any SSL at all.
> |> Try going in there with telnet.
> |
> | I go in. Black screen. Then the server drops the connection.
> | Should it say something?

The file 1.txt has the output of openssl s_client on my home machine.

> Have you tried taking openldap from earlier distributions? For
> example, in Spring it definitely worked. In ALM 2.0 too, I think.

Yes. On Master 2.0 it definitely worked.

> | Today I pulled a fresh stunnel; I will build it at home. A crutch,
> | of course, but what can you do.
>
> Maybe it is not worth spending time on this?

I would like it to work without crutches.

> | Maybe we can localize and eliminate the bug with joint effort?
> | I understand that I am the only one who stepped on this rake. But this
> | rake repeats itself on three openldap installations on three different
> | machines/configurations.
>
> Then show the config in full.

Which ones exactly? I attached slapd.conf and the certificate to the message.

----
Alexey. JID:alb@jabber.ru

[-- Attachment #2: 1.txt --]
[-- Type: text/plain, Size: 1004 bytes --]

[alb@alb 2]$ openssl s_client -connect alb.home:636 -debug
CONNECTED(00000004)
write to 0809BEB8 [0809BF00] (130 bytes => 130 (0x82))
0000 - 80 80 01 03 01 00 57 00-00 00 20 00 00 16 00 00   ......W... .....
0010 - 13 00 00 0a 07 00 c0 00-00 66 00 00 07 00 00 05   .........f......
0020 - 00 00 04 05 00 80 03 00-80 01 00 80 08 00 80 00   ................
0030 - 00 65 00 00 64 00 00 63-00 00 62 00 00 61 00 00   .e..d..c..b..a..
0040 - 60 00 00 15 00 00 12 00-00 09 06 00 40 00 00 14   `...........@...
0050 - 00 00 11 00 00 08 00 00-06 00 00 03 04 00 80 02   ................
0060 - 00 80 aa dd 8f a3 ad c5-70 56 63 2c 43 16 f6 1c   ........pVc,C...
0070 - dd 82 3a 80 cf 8d b0 f4-67 94 e4 cb c0 4f cc 61   ..:.....g....O.a
0080 - 27 ad                                             '.
read from 0809BEB8 [080A1460] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 28                              ......(
2140:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:465:

[-- Attachment #3: ldap.pem --]
[-- Type: application/x-x509-ca-cert, Size: 2909 bytes --]

[-- Attachment #4: slapd.conf --]
[-- Type: text/x-csrc, Size: 5458 bytes --]

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# Modified by Christian Zoffoli <czoffoli@linux-mandrake.com>
# Version 0.2
#
# Modified by Volkov Serge <vserge@altlinux.ru>
# Version 0.3
# Last modification at 26 Jun 2002
#

# Default schemas
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
#include /etc/openldap/schema/krb5-kdc.schema
#include /etc/openldap/schema/kerberosobject.schema
#include /etc/openldap/schema/corba.schema
#include /etc/openldap/schema/java.schema

# Addon schemas
#include /etc/openldap/schema/rfc822-MailMember.schema
#include /etc/openldap/schema/pilot.schema
#include /etc/openldap/schema/autofs.schema
#include /etc/openldap/schema/samba.schema
#include /etc/openldap/schema/qmail.schema
#include /etc/openldap/schema/qmailControl.schema
#include /etc/openldap/schema/cron.schema
#include /etc/openldap/schema/dns.schema
#include /etc/openldap/schema/trust.schema
#include /etc/openldap/schema/turbo.schema

# Netscape Roaming
#include /etc/openldap/schema/mull.schema
#include /etc/openldap/schema/netscape-profile.schema

# Local schema that you will construct
#include /etc/openldap/schema/local.schema

# Load dynamic backend modules:
#modulepath /usr/lib/openldap
#moduleload back_bdb.la
# moduleload back_ldap.la
#moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args

# To allow TLS-enabled connections, create /usr/share/ssl/certs/slapd.pem
# and uncomment the following lines.
TLSCipherSuite HIGH:MEDIUM:LOW:+SSLv2
TLSCertificateFile /etc/openldap/ldap.pem
TLSCertificateKeyFile /etc/openldap/ldap.pem
# TLSCACertificateFile /etc/openldap/ldap.pem

# Define global ACLs to disable default read access.
#include /etc/openldap/slapd.access.conf
#
# Sample Access Control
# Allow read access of root DSE
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
#
#access to dn="" by * read
#access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default is:
# Allow read by all
#
# rootdn can always write!

# This example is under development; do not use it if you don't know what you are doing!!!
# Basic ACL
# access to attr=userPassword
# by self write
# by anonymous auth
# by dn="uid=root,ou=People,dc=example,dc=com" write
# by * none
#
# access to *
# by dn="uid=root,ou=People,dc=example,dc=com" write
# by * read

#######################################################################
# ldbm database definitions
#######################################################################

database ldbm
suffix "dc=intranet"
rootdn "cn=ldapadmin,dc=intranet"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
#rootpw {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory /var/lib/ldap/bases/intranet

# LogLevel information
# if you want to enable debugging mode
# choose one of the next
# and check that /etc/syslog.conf contains the line
# "LOCAL4.* /var/log/ldap/log"
# ---------------------------------------------------
# |  -1  | enable all debugging
# |   0  | no debugging
# |   1  | trace function calls
# |   2  | debug packet handling
# |   4  | heavy trace debugging
# |   8  | connection management
# |  16  | print out packets sent and received
# |  32  | search filter processing
# |  64  | configuration file processing
# | 128  | access control list processing
# | 256  | stats log connections/operations/results
# | 512  | stats log entries sent
# | 1024 | print communication with shell backends
# | 2048 | print entry parsing debugging
# ---------------------------------------------------
loglevel -1

# Indices to maintain
#index objectClass eq
index objectClass,uid,uidNumber,gidNumber eq
index cn,mail,surname,givenname eq,subinitial

# Sample security restrictions
#
# Disallow clear text exchange of passwords
# disallow bind_simple_unprotected
#
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy is:
# Allow read by all
#
# rootdn can always write!
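The openssl s_client -debug capture in 1.txt shows exactly what went over the wire, but the hex is not self-explanatory. The following is an added example, not part of the thread or of OpenLDAP/OpenSSL: it re-reads the -debug dump format (the "0000 - 80 80 01 ..." lines, copied from the attachment above) and decodes the two records, the client's SSLv2-compatible CLIENT-HELLO offering TLS 1.0 with 29 cipher specs, and the server's 7-byte reply, which is a single fatal TLS alert record with description 40 (handshake_failure), the same thing the "sslv3 alert handshake failure" error line reports. Cipher and alert names are taken from the SSL 2.0 draft and RFC 2246; ids not in the small tables are shown by number.

```python
"""Decode the records captured by `openssl s_client -debug` in 1.txt.

Added example (not from the original message): parses the -debug hex dump
format and explains the SSLv2-format CLIENT-HELLO and the TLS alert record.
"""
import re
from typing import Dict

# Hex dump lines copied from attachment 1.txt (client write, then server read).
CLIENT_HELLO_DUMP = """
0000 - 80 80 01 03 01 00 57 00-00 00 20 00 00 16 00 00   ......W... .....
0010 - 13 00 00 0a 07 00 c0 00-00 66 00 00 07 00 00 05   .........f......
0020 - 00 00 04 05 00 80 03 00-80 01 00 80 08 00 80 00   ................
0030 - 00 65 00 00 64 00 00 63-00 00 62 00 00 61 00 00   .e..d..c..b..a..
0040 - 60 00 00 15 00 00 12 00-00 09 06 00 40 00 00 14   `...........@...
0050 - 00 00 11 00 00 08 00 00-06 00 00 03 04 00 80 02   ................
0060 - 00 80 aa dd 8f a3 ad c5-70 56 63 2c 43 16 f6 1c   ........pVc,C...
0070 - dd 82 3a 80 cf 8d b0 f4-67 94 e4 cb c0 4f cc 61   ..:.....g....O.a
0080 - 27 ad                                             '.
"""
SERVER_REPLY_DUMP = """
0000 - 15 03 01 00 02 02 28                              ......(
"""

HEX_PAIR = re.compile(r"^[0-9a-f]{2}$")

# A spec of the form 00 xx yy carries an SSLv3/TLS suite id (RFC 2246 A.5);
# a nonzero first byte is an SSLv2 CIPHER-KIND (SSL 2.0 draft).
TLS_SUITES = {
    0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", 0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0x0066: "TLS_DHE_DSS_WITH_RC4_128_SHA",
    0x0007: "TLS_RSA_WITH_IDEA_CBC_SHA", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0015: "TLS_DHE_RSA_WITH_DES_CBC_SHA",
    0x0012: "TLS_DHE_DSS_WITH_DES_CBC_SHA", 0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", 0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA", 0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
}
SSL2_KINDS = {
    0x010080: "SSL2_RC4_128_WITH_MD5", 0x020080: "SSL2_RC4_128_EXPORT40_WITH_MD5",
    0x030080: "SSL2_RC2_128_CBC_WITH_MD5", 0x040080: "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5",
    0x050080: "SSL2_IDEA_128_CBC_WITH_MD5", 0x060040: "SSL2_DES_64_CBC_WITH_MD5",
    0x0700C0: "SSL2_DES_192_EDE3_CBC_WITH_MD5",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
                      40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
                      70: "protocol_version"}


def parse_debug_dump(text: str) -> bytes:
    """Turn the -debug hex dump back into the bytes it describes.  Each line is
    '<offset> - <up to 16 hex bytes, 8th and 9th joined by "-"> <ascii column>';
    the first token that is not a hex pair marks the start of the ASCII column."""
    out = bytearray()
    for line in text.strip().splitlines():
        _, _, rest = line.partition(" - ")
        for token in rest.split():
            parts = token.split("-")
            if not all(HEX_PAIR.match(p) for p in parts):
                break
            out.extend(int(p, 16) for p in parts)
    return bytes(out)


def decode_record(data: bytes) -> Dict:
    """Decode one record.  A set high bit in byte 0 is the SSLv2 2-byte record
    header used by SSLv2-compatible hellos; otherwise byte 0 is an SSLv3/TLS
    content type (20 change_cipher_spec ... 23 application_data)."""
    if data[0] & 0x80:
        length = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + length]
        if body[:1] != b"\x01":                      # only CLIENT-HELLO is decoded here
            return {"format": "sslv2", "msg_type": body[0], "length": length}
        cs_len = int.from_bytes(body[3:5], "big")    # CIPHER-SPECS-LENGTH
        sid_len = int.from_bytes(body[5:7], "big")   # SESSION-ID-LENGTH
        chal_len = int.from_bytes(body[7:9], "big")  # CHALLENGE-LENGTH
        specs = body[9:9 + cs_len]
        ciphers = []
        for i in range(0, cs_len, 3):
            kind = int.from_bytes(specs[i:i + 3], "big")
            if specs[i] == 0:
                ciphers.append(TLS_SUITES.get(kind, "TLS_suite_0x%04x" % kind))
            else:
                ciphers.append(SSL2_KINDS.get(kind, "SSL2_kind_0x%06x" % kind))
        return {"format": "sslv2-client-hello",
                "version": (body[1], body[2]),       # (3, 1) is TLS 1.0
                "ciphers": ciphers, "session_id_len": sid_len, "challenge_len": chal_len,
                "complete": len(body) == 9 + cs_len + sid_len + chal_len}
    length = int.from_bytes(data[3:5], "big")
    payload = data[5:5 + length]
    rec = {"format": "tls-record", "content_type": data[0],
           "version": (data[1], data[2]), "length": length}
    if data[0] == 21 and len(payload) == 2:          # alert: level, description
        rec["alert_level"] = ALERT_LEVELS.get(payload[0], str(payload[0]))
        rec["alert_description"] = ALERT_DESCRIPTIONS.get(payload[1], str(payload[1]))
    return rec


def explain(dump: str) -> Dict:
    return decode_record(parse_debug_dump(dump))


if __name__ == "__main__":
    print("client wrote:", explain(CLIENT_HELLO_DUMP))
    print("server replied:", explain(SERVER_REPLY_DUMP))
```

Reading the result: the client offered TLS 1.0 plus a list that mixes SSLv3/TLS suites with SSLv2 cipher kinds, and the server did not send a ServerHello at all; it answered with a fatal handshake_failure alert, which is what a server produces when it cannot agree on a cipher suite or cannot load its certificate and key. That narrows the problem to the server side (its TLSCipherSuite and the certificate/key in ldap.pem) rather than to the network or to the client.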
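The attached slapd.conf carries its own warnings in comments (cleartext rootpw "should be avoided", loglevel -1 "enable all debugging", the commented-out "disallow bind_simple_unprotected" and "security ssf=..." restrictions), and its TLSCipherSuite line admits LOW-grade suites. The following is an added example, not from the thread or from OpenLDAP: a small parser for slapd.conf directives and an audit that reports those settings, run over the relevant lines copied from the attachment and over a hardened variant. The hardened variant is constructed for illustration; its rootpw value is a placeholder standing in for a hash generated with slappasswd(8).

```python
"""Audit slapd.conf for the settings the attached file's own comments warn about.

Added example, not part of the original message or of OpenLDAP.
"""
from typing import Dict, List, Tuple

# Directives copied from the attached slapd.conf (comments and schema lines dropped).
POSTED_SLAPD_CONF = """
TLSCipherSuite HIGH:MEDIUM:LOW:+SSLv2
TLSCertificateFile /etc/openldap/ldap.pem
TLSCertificateKeyFile /etc/openldap/ldap.pem
database ldbm
suffix "dc=intranet"
rootdn "cn=ldapadmin,dc=intranet"
rootpw secret
directory /var/lib/ldap/bases/intranet
loglevel -1
"""

# Constructed hardened variant using the directives the file itself shows in
# its "Sample security restrictions" comments; the rootpw hash is a placeholder.
HARDENED_SLAPD_CONF = """
TLSCipherSuite HIGH:!aNULL:!EXPORT:!LOW
TLSCertificateFile /etc/openldap/ldap.pem
TLSCertificateKeyFile /etc/openldap/ldap.pem
database ldbm
suffix "dc=intranet"
rootdn "cn=ldapadmin,dc=intranet"
rootpw {SSHA}PLACEHOLDER-generate-with-slappasswd
directory /var/lib/ldap/bases/intranet
loglevel 256
disallow bind_simple_unprotected
security ssf=1 update_ssf=112
    simple_bind=64
"""

WEAK_GROUPS = {"LOW", "SSLV2", "EXPORT", "EXP", "NULL", "ANULL", "ENULL"}


def parse_slapd_conf(text: str) -> List[Tuple[str, str]]:
    """Return (directive, value) pairs.  Per slapd.conf(5) directive names are
    case-insensitive, '#' lines are comments, and a line that starts with
    whitespace continues the previous directive."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and entries:
            name, value = entries[-1]
            entries[-1] = (name, (value + " " + raw.strip()).strip())
            continue
        parts = raw.strip().split(None, 1)
        entries.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return entries


def weak_cipher_tokens(cipher_string: str) -> List[str]:
    """Tokens of an OpenSSL cipher list naming weak or legacy groups that are
    not removed with '!'.  '+' only reorders: '+SSLv2' adds nothing, it moves
    the SSLv2 ciphers HIGH/MEDIUM/LOW already admitted to the end of the list."""
    return [t for t in cipher_string.split(":")
            if not t.startswith(("!", "-")) and t.lstrip("+").upper() in WEAK_GROUPS]


def audit(entries: List[Tuple[str, str]]) -> List[str]:
    conf: Dict[str, List[str]] = {}
    for name, value in entries:
        conf.setdefault(name, []).append(value)
    findings = []
    for suite in conf.get("tlsciphersuite", []):
        bad = weak_cipher_tokens(suite)
        if bad:
            findings.append("TLSCipherSuite %r admits weak groups %s" % (suite, bad))
    for pw in conf.get("rootpw", []):
        if not pw.startswith("{"):          # no {scheme} prefix: stored as typed
            findings.append("rootpw is cleartext; generate a hashed value with slappasswd(8)")
    for level in conf.get("loglevel", []):
        if level == "-1":
            findings.append("loglevel -1 enables all debugging output")
    if "security" not in conf:
        findings.append("no 'security' directive: no minimum SSF required for binds or updates")
    if "bind_simple_unprotected" not in " ".join(conf.get("disallow", [])):
        findings.append("bind_simple_unprotected not disallowed: simple binds may send passwords in clear")
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED_SLAPD_CONF), ("hardened", HARDENED_SLAPD_CONF)):
        print(label, audit(parse_slapd_conf(text)) or ["no findings"])
```

The audit is deliberately limited to what the file's own comments already recommend; it does not explain the handshake failure in 1.txt, but it is the list a reviewer would want cleared before the server is exposed on port 636.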