From: Igor Muratov <migor@altlinux.ru>
To: community@altlinux.ru
Subject: Re: [Comm] OpenLDAP and SSL
Date: Mon, 05 May 2003 20:17:12 +0400
Message-ID: <3EB68E88.5050507@altlinux.ru>
In-Reply-To: <200304231118.47715.alexey_borovskoy@pochtamt.ru>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Alexey Borovskoy writes:
| * 22 April 2003 23:43 Igor Muratov <migor@altlinux.ru>
|
|>-----BEGIN PGP SIGNED MESSAGE-----
|>Hash: SHA1
|>
|>Alexey Borovskoy writes:
|>| * 21 April 2003 23:22 Igor Muratov <migor@altlinux.ru>
|>|
|>|>There is also a suspicion that the server did not pick up the certificate
|>|>and the connection on port 636 was made without any SSL at all.
|>|>Try connecting there with telnet.
|>|
|>| I connect. Black screen. Then the server drops the connection.
|>| Is it supposed to say something?
|
|
| The file 1.txt contains the output of openssl s_client on my home
| machine.
|
|
|>Have you tried taking openldap from earlier distributions? In
|>Spring, for example, it definitely worked. In ALM2.0 it seems so too.
|
|
| Yes. On Master 2.0 it definitely worked.
|
|
|>| Today I pulled a fresh stunnel and will build it at home. A crutch,
|>| of course, but what can you do.
|>
|>Maybe it is not worth spending time on this?
|
|
| I would like it to work without crutches.
|
|
|>| Maybe we can localize and eliminate the bug with joint effort?
|>| I understand that I am the only one who has stepped on this rake. But
|>| the same rake recurs on three openldap installations on three different
|>| machines/configurations.
|>
|>Then show the config in full.
|
|
| Which ones exactly?
| I attached slapd.conf and the certificate to this letter.
|
| ----
| Alexey.
| JID:alb@jabber.ru
|
|
| ------------------------------------------------------------------------
|
| [alb@alb 2]$ openssl s_client -connect alb.home:636 -debug
| CONNECTED(00000004)
| write to 0809BEB8 [0809BF00] (130 bytes => 130 (0x82))
| 0000 - 80 80 01 03 01 00 57 00-00 00 20 00 00 16 00 00   ......W... .....
| 0010 - 13 00 00 0a 07 00 c0 00-00 66 00 00 07 00 00 05   .........f......
| 0020 - 00 00 04 05 00 80 03 00-80 01 00 80 08 00 80 00   ................
| 0030 - 00 65 00 00 64 00 00 63-00 00 62 00 00 61 00 00   .e..d..c..b..a..
| 0040 - 60 00 00 15 00 00 12 00-00 09 06 00 40 00 00 14   `...........@...
| 0050 - 00 00 11 00 00 08 00 00-06 00 00 03 04 00 80 02   ................
| 0060 - 00 80 aa dd 8f a3 ad c5-70 56 63 2c 43 16 f6 1c   ........pVc,C...
| 0070 - dd 82 3a 80 cf 8d b0 f4-67 94 e4 cb c0 4f cc 61   ..:.....g....O.a
| 0080 - 27 ad                                             '.
| read from 0809BEB8 [080A1460] (7 bytes => 7 (0x7))
| 0000 - 15 03 01 00 02 02 28                              ......(
| 2140:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:465:
|
|
| ------------------------------------------------------------------------
|
| # $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
| #
| # See slapd.conf(5) for details on configuration options.
| # This file should NOT be world readable.
| #
| # Modified by Christian Zoffoli <czoffoli@linux-mandrake.com>
| # Version 0.2
| #
| # Modified by Volkov Serge <vserge@altlinux.ru>
| # Version 0.3
| # Last modification at 26 Jun 2002
| #
|
| # Default schemas
| include /etc/openldap/schema/core.schema
| include /etc/openldap/schema/cosine.schema
| include /etc/openldap/schema/inetorgperson.schema
| include /etc/openldap/schema/misc.schema
| include /etc/openldap/schema/nis.schema
| include /etc/openldap/schema/openldap.schema
| #include /etc/openldap/schema/krb5-kdc.schema
| #include /etc/openldap/schema/kerberosobject.schema
| #include /etc/openldap/schema/corba.schema
| #include /etc/openldap/schema/java.schema
|
| # Addon schemas
| #include /etc/openldap/schema/rfc822-MailMember.schema
| #include /etc/openldap/schema/pilot.schema
| #include /etc/openldap/schema/autofs.schema
| #include /etc/openldap/schema/samba.schema
| #include /etc/openldap/schema/qmail.schema
| #include /etc/openldap/schema/qmailControl.schema
| #include /etc/openldap/schema/cron.schema
| #include /etc/openldap/schema/dns.schema
| #include /etc/openldap/schema/trust.schema
| #include /etc/openldap/schema/turbo.schema
|
| # Netscape Roaming
| #include /etc/openldap/schema/mull.schema
| #include /etc/openldap/schema/netscape-profile.schema
|
| # Local schema that you will construct
| #include /etc/openldap/schema/local.schema
|
| # Load dynamic backend modules:
| #modulepath /usr/lib/openldap
| #moduleload back_bdb.la
| # moduleload back_ldap.la
| #moduleload back_ldbm.la
| # moduleload back_passwd.la
| # moduleload back_shell.la
|
| # Do not enable referrals until AFTER you have a working directory
| # service AND an understanding of referrals.
| #referral ldap://root.openldap.org
|
| pidfile /var/run/slapd.pid
| argsfile /var/run/slapd.args
|
| # To allow TLS-enabled connections, create /usr/share/ssl/certs/slapd.pem
| # and uncomment the following lines.
|  TLSCipherSuite HIGH:MEDIUM:LOW:+SSLv2
|  TLSCertificateFile /etc/openldap/ldap.pem
|  TLSCertificateKeyFile /etc/openldap/ldap.pem

The problem looks to be right here. There must be no leading whitespace.
Here is an excerpt from /etc/init.d/ldap:

    if grep -qs ^TLS "$CONFIG"; then
        daemon ${SLAPD} -u ldap -h '"ldap:/// ldaps:///"' $OPTIONS $SLAPD_OPTIONS
        RETVAL=$?
    else
        daemon ${SLAPD} -u ldap -h 'ldap://127.0.0.1/' $OPTIONS $SLAPD_OPTIONS
        RETVAL=$?
    fi

| # TLSCACertificateFile /etc/openldap/ldap.pem
|
|
| # Define global ACLs to disable default read access.
| #include /etc/openldap/slapd.access.conf
|
| #
| # Sample Access Control
| # Allow read access of root DSE
| # Allow self write access
| # Allow authenticated users read access
| # Allow anonymous users to authenticate
| #
| #access to dn="" by * read
| #access to *
| # by self write
| # by users read
| # by anonymous auth
| #
| # if no access controls are present, the default is:
| # Allow read by all
| #
| # rootdn can always write!
|
| # The example below is in development; do not use it if you don't know what you are doing!!!
| # Basic ACL
| # access to attr=userPassword
| # by self write
| # by anonymous auth
| # by dn="uid=root,ou=People,dc=example,dc=com" write
| # by * none
| #
| # access to *
| # by dn="uid=root,ou=People,dc=example,dc=com" write
| # by * read
|
|
|
| #######################################################################
| # ldbm database definitions
| #######################################################################
|
| database ldbm
| suffix "dc=intranet"
| rootdn "cn=ldapadmin,dc=intranet"
|
| # Cleartext passwords, especially for the rootdn, should
| # be avoided. See slappasswd(8) and slapd.conf(5) for details.
| # Use of strong authentication encouraged.
| rootpw secret
| #rootpw {crypt}ijFYNcSNctBYg
|
| # The database directory MUST exist prior to running slapd AND
| # should only be accessible by the slapd/tools. Mode 700 recommended.
| directory /var/lib/ldap/bases/intranet
|
| # LogLevel information
| # if you want to enable debugging mode
| # choose one of the following
| # and check that /etc/syslog.conf contains the line
| # "LOCAL4.* /var/log/ldap/log"
| # ---------------------------------------------------
| # |   -1 | enable all debugging
| # |    0 | no debugging
| # |    1 | trace function calls
| # |    2 | debug packet handling
| # |    4 | heavy trace debugging
| # |    8 | connection management
| # |   16 | print out packets sent and received
| # |   32 | search filter processing
| # |   64 | configuration file processing
| # |  128 | access control list processing
| # |  256 | stats log connections/operations/results
| # |  512 | stats log entries sent
| # | 1024 | print communication with shell backends
| # | 2048 | print entry parsing debugging
| # ---------------------------------------------------
| loglevel -1
|
| # Indices to maintain
| #index objectClass eq
| index objectClass,uid,uidNumber,gidNumber eq
| index cn,mail,surname,givenname eq,subinitial
|
|
| # Sample security restrictions
| #
| # Disallow clear text exchange of passwords
| # disallow bind_simple_unprotected
|
| #
| # Require integrity protection (prevent hijacking)
| # Require 112-bit (3DES or better) encryption for updates
| # Require 63-bit encryption for simple bind
| # security ssf=1 update_ssf=112 simple_bind=64
|
| # Sample access control policy:
| # Root DSE: allow anyone to read it
| # Subschema (sub)entry DSE: allow anyone to read it
| # Other DSEs:
| # Allow self write access
| # Allow authenticated users read access
| # Allow anonymous users to authenticate
| # Directives needed to implement policy:
| # access to dn.base="" by * read
| # access to dn.base="cn=Subschema" by * read
| # access to *
| # by self write
| # by users read
| # by anonymous auth
| #
| # if no access controls are present, the default policy is:
| # Allow read by all
| #
| # rootdn can always write!
|

-- 
With best regards
System administrator
Igor Muratov
mailto:migor at altlinux.ru
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE+to6HqjgjB/MK76QRAoqkAJ90cpsx3b4kSWGA19YEFbH1vFGQMgCdGmbV
HeJevYGof1M1EjXZBM5ETus=
=bIKe
-----END PGP SIGNATURE-----
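As an added illustration of the point Igor makes (this is example code written for this page, not code from the thread, from Alexey's slapd.conf, or from the ALT Linux init script), the POSIX shell check below reproduces the `grep -qs ^TLS "$CONFIG"` decision quoted from /etc/init.d/ldap and flags TLS directives that begin with whitespace. Such lines fail the init script's anchored grep, so slapd is started with `-h 'ldap://127.0.0.1/'` and never listens on ldaps; slapd.conf(5) also treats a line that begins with white space as a continuation of the previous line, so slapd does not read an indented TLSCertificateFile as a directive at all. The two sample configs are constructed for the example, and the function names (`init_listen_urls`, `indented_tls_lines`, `check_slapd_tls`, `write_samples`) are mine.

```shell
#!/bin/sh
# Added example: reproduce the /etc/init.d/ldap decision quoted in the
# thread and flag indented TLS directives in a slapd.conf-style file.

# init_listen_urls CONFIG
# Prints the -h argument the quoted init-script excerpt would hand to slapd:
# "ldap:/// ldaps:///" only when some line of CONFIG starts with "TLS" in
# column one, otherwise the loopback-only "ldap://127.0.0.1/".
init_listen_urls() {
    if grep -qs '^TLS' "$1"; then
        printf '%s\n' 'ldap:/// ldaps:///'
    else
        printf '%s\n' 'ldap://127.0.0.1/'
    fi
}

# indented_tls_lines CONFIG
# Prints (with line numbers) TLS* directives preceded by whitespace.  The
# init-script grep does not match them, and slapd treats a line beginning
# with white space as a continuation of the previous line.
indented_tls_lines() {
    grep -n '^[[:space:]][[:space:]]*TLS' "$1"
}

# check_slapd_tls CONFIG
# Exit status: 0 = TLS directives present and in column one,
#              1 = TLS directives present but indented (the thread's case),
#              2 = no TLS directives at all.
check_slapd_tls() {
    if grep -qs '^TLS' "$1"; then
        return 0
    elif grep -qs '^[[:space:]][[:space:]]*TLS' "$1"; then
        return 1
    else
        return 2
    fi
}

# write_samples DIR
# Writes two constructed sample configs (not the poster's real files):
# one indented as in the quoted slapd.conf, one with the directives fixed.
write_samples() {
    cat > "$1/slapd-indented.conf" <<'EOF'
# To allow TLS-enabled connections, create /usr/share/ssl/certs/slapd.pem
# and uncomment the following lines.
 TLSCipherSuite HIGH:MEDIUM:LOW:+SSLv2
 TLSCertificateFile /etc/openldap/ldap.pem
 TLSCertificateKeyFile /etc/openldap/ldap.pem
EOF
    cat > "$1/slapd-fixed.conf" <<'EOF'
# To allow TLS-enabled connections, create /usr/share/ssl/certs/slapd.pem
# and uncomment the following lines.
TLSCipherSuite HIGH:MEDIUM:LOW:+SSLv2
TLSCertificateFile /etc/openldap/ldap.pem
TLSCertificateKeyFile /etc/openldap/ldap.pem
EOF
}

# Demonstration on the constructed samples: shows which listener set the
# init script would choose for each file and lists any indented directives.
demo() {
    tmp=$(mktemp -d)
    write_samples "$tmp"
    for f in "$tmp/slapd-indented.conf" "$tmp/slapd-fixed.conf"; do
        printf '%s -> slapd -h "%s"\n' "$f" "$(init_listen_urls "$f")"
        indented_tls_lines "$f" | sed 's/^/  indented directive at line /'
    done
    rm -rf "$tmp"
}

demo
```

Run it as `sh check-slapd-tls.sh`; the indented sample reports `ldap://127.0.0.1/` with three flagged lines, the fixed sample reports `ldap:/// ldaps:///` with none. The same anchored grep can be run against a real /etc/openldap/slapd.conf before restarting slapd to confirm the init script will actually request the ldaps listener.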