From: Alexey Borovskoy
To: community@altlinux.ru
Subject: Re: [Comm] OpenLDAP and SSL
Date: Wed, 23 Apr 2003 11:18:47 +1300
In-Reply-To: <3EA51CB7.1010501@altlinux.ru>
Message-Id: <200304231118.47715.alexey_borovskoy@pochtamt.ru>

* 22 April 2003 23:43 Igor Muratov
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Alexey Borovskoy writes:
> | * 21 April 2003 23:22 Igor Muratov
> |
> |>There is also a suspicion that the server did not pick up the certificate
> |>and connected on port 636 without any SSL at all.
> |>Try connecting there with telnet.
> |
> | I connect. Black screen. Then the server drops the connection.
> | Should it say something?

The output of openssl s_client run on the home machine is in the file 1.txt.

> Have you tried taking openldap from earlier distributions? For
> example, in Spring it definitely worked. In ALM2.0 too, I think.

Yes. On Master 2.0 it definitely worked.

>
> | Today I pulled a fresh stunnel; I'll build it at home. A crutch,
> | of course, but what can you do.
>
> Maybe it's not worth spending time on this?

I'd like it to work without crutches.

>
> | Maybe we can localize and eliminate the bug together?
> | I understand that I'm the only one who stepped on this rake.
> | But this rake repeats on three openldap installations on three
> | different machines/configurations.
>
> Then show the config in full.

Which ones exactly? I have attached slapd.conf and the certificate to this message.

----
Alexey.
JID:alb@jabber.ru

Attachment: 1.txt
[alb@alb 2]$ openssl s_client -connect alb.home:636 -debug
CONNECTED(00000004)
write to 0809BEB8 [0809BF00] (130 bytes => 130 (0x82))
0000 - 80 80 01 03 01 00 57 00-00 00 20 00 00 16 00 00   ......W... .....
0010 - 13 00 00 0a 07 00 c0 00-00 66 00 00 07 00 00 05   .........f......
0020 - 00 00 04 05 00 80 03 00-80 01 00 80 08 00 80 00   ................
0030 - 00 65 00 00 64 00 00 63-00 00 62 00 00 61 00 00   .e..d..c..b..a..
0040 - 60 00 00 15 00 00 12 00-00 09 06 00 40 00 00 14   `...........@...
0050 - 00 00 11 00 00 08 00 00-06 00 00 03 04 00 80 02   ................
0060 - 00 80 aa dd 8f a3 ad c5-70 56 63 2c 43 16 f6 1c   ........pVc,C...
0070 - dd 82 3a 80 cf 8d b0 f4-67 94 e4 cb c0 4f cc 61   ..:.....g....O.a
0080 - 27 ad                                             '.
read from 0809BEB8 [080A1460] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 28                              ......(
2140:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:465:

Attachment: ldap.pem (application/x-x509-ca-cert)
[PEM contents omitted: a CERTIFICATE block, an RSA PRIVATE KEY block and a second CERTIFICATE block]

Attachment: slapd.conf
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# Modified by Christian Zoffoli
# Version 0.2
#
# Modified by Volkov Serge
# Version 0.3
# Last modification at 26 Jun 2002
#
# Default schemas
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
#include /etc/openldap/schema/krb5-kdc.schema
#include /etc/openldap/schema/kerberosobject.schema
#include /etc/openldap/schema/corba.schema
#include /etc/openldap/schema/java.schema
# Addon schemas
#include /etc/openldap/schema/rfc822-MailMember.schema
#include /etc/openldap/schema/pilot.schema
#include /etc/openldap/schema/autofs.schema
#include /etc/openldap/schema/samba.schema
#include /etc/openldap/schema/qmail.schema
#include /etc/openldap/schema/qmailControl.schema
#include /etc/openldap/schema/cron.schema
#include /etc/openldap/schema/dns.schema
#include /etc/openldap/schema/trust.schema
#include /etc/openldap/schema/turbo.schema
# Netscape Roaming
#include /etc/openldap/schema/mull.schema
#include /etc/openldap/schema/netscape-profile.schema
# Local schema that you will construct yourself
#include /etc/openldap/schema/local.schema
# Load dynamic backend modules:
#modulepath /usr/lib/openldap
#moduleload back_bdb.la
# moduleload back_ldap.la
#moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
# To allow TLS-enabled connections, create /usr/share/ssl/certs/slapd.pem
# and uncomment the following lines.
TLSCipherSuite HIGH:MEDIUM:LOW:+SSLv2
TLSCertificateFile /etc/openldap/ldap.pem
TLSCertificateKeyFile /etc/openldap/ldap.pem
# TLSCACertificateFile /etc/openldap/ldap.pem
# Define global ACLs to disable default read access.
#include /etc/openldap/slapd.access.conf
#
# Sample Access Control
# Allow read access of root DSE
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
#
#access to dn="" by * read
#access to *
#        by self write
#        by users read
#        by anonymous auth
#
# if no access controls are present, the default is:
# Allow read by all
#
# rootdn can always write!
# This example is still in development; do not use it if you don't know what you are doing!!!
# Basic ACL
# access to attr=userPassword
#        by self write
#        by anonymous auth
#        by dn="uid=root,ou=People,dc=example,dc=com" write
#        by * none
#
# access to *
#        by dn="uid=root,ou=People,dc=example,dc=com" write
#        by * read
#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
suffix "dc=intranet"
rootdn "cn=ldapadmin,dc=intranet"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication is encouraged.
rootpw secret
#rootpw {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory /var/lib/ldap/bases/intranet
# LogLevel information
# If you want to enable debugging mode,
# choose one of the following values
# and check that the line
# "LOCAL4.* /var/log/ldap/log" exists in /etc/syslog.conf
# ---------------------------------------------------
# | -1   | enable all debugging
# | 0    | no debugging
# | 1    | trace function calls
# | 2    | debug packet handling
# | 4    | heavy trace debugging
# | 8    | connection management
# | 16   | print out packets sent and received
# | 32   | search filter processing
# | 64   | configuration file processing
# | 128  | access control list processing
# | 256  | stats log connections/operations/results
# | 512  | stats log entries sent
# | 1024 | print communication with shell backends
# | 2048 | print entry parsing debugging
# ---------------------------------------------------
loglevel -1
# Indices to maintain
#index objectClass eq
index objectClass,uid,uidNumber,gidNumber eq
index cn,mail,surname,givenname eq,subinitial
# Sample security restrictions
#
# Disallow clear text exchange of passwords
# disallow bind_simple_unprotected
#
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#        by self write
#        by users read
#        by anonymous auth
#
# if no access controls are present, the default policy is:
# Allow read by all
#
# rootdn can always write!
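A minimal decoder for the two records in the 1.txt dump above, added here as an example and not part of the original mail or of OpenSSL: it shows that the client opened with an SSLv2-compatible CLIENT-HELLO offering TLS 1.0 and 29 cipher specs, and that the server answered with a fatal handshake_failure alert, which is what the s23_clnt.c error line reports. The byte strings are copied from the dump; the record layouts are the standard SSLv2 and TLS 1.0 ones.

```python
# Added example, not from the original mail or OpenSSL: decode the two records
# from the 1.txt dump above. Bytes copied from the dump (constructed test input).
CLIENT_WRITE = bytes.fromhex("80 80 01 03 01 00 57 00 00 00 20 00 00 16 00 00")
SERVER_READ = bytes.fromhex("15 03 01 00 02 02 28")

ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
    70: "protocol_version", 80: "internal_error",
}

def decode_client_hello_header(data):
    """SSLv2-compatible CLIENT-HELLO (the s23 client's opening record):
    2-byte length with the high bit set, msg type 0x01, max version, then the
    cipher-spec, session-id and challenge lengths (2 bytes each)."""
    if len(data) < 11 or not data[0] & 0x80 or data[2] != 0x01:
        raise ValueError("not an SSLv2-style CLIENT-HELLO")
    return {
        "record_length": ((data[0] & 0x7F) << 8) | data[1],
        "max_version": (data[3], data[4]),
        # each SSLv2 cipher spec is 3 bytes wide
        "cipher_spec_count": int.from_bytes(data[5:7], "big") // 3,
        "session_id_length": int.from_bytes(data[7:9], "big"),
        "challenge_length": int.from_bytes(data[9:11], "big"),
    }

def decode_server_record(data):
    """TLS record header: content type (1), version (2), length (2), payload.
    Content type 0x15 is Alert; its payload is level (1) + description (1)."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    length = int.from_bytes(data[3:5], "big")
    payload = data[5:5 + length]
    if len(payload) != length:
        raise ValueError("record payload shorter than declared length")
    rec = {"content_type": data[0], "version": (data[1], data[2]), "length": length}
    if data[0] == 0x15 and length == 2:
        rec["alert_level"] = ALERT_LEVELS.get(payload[0], f"unknown({payload[0]})")
        rec["alert_description"] = ALERT_DESCRIPTIONS.get(payload[1], f"unknown({payload[1]})")
    return rec

if __name__ == "__main__":
    print(decode_client_hello_header(CLIENT_WRITE))  # 128-byte hello, TLS 1.0, 29 ciphers
    print(decode_server_record(SERVER_READ))         # fatal handshake_failure alert
```

An alert this early in the exchange is sent before the server has presented any certificate, so it points at the server side of the TLS setup (the cipher-suite list or the certificate/key it managed to load) rather than at the client's trust settings.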