[opensuse] Is ldap TLS working?

29 Oct 2011

      Hi

I'm trying to tighten up my ldap server using TLS.

My (certainly wrong) method was this:

Server:
I made a CA certificate and rootca giving the FQDN of the server as the common 
name for both certs.using yast. I copied YaST-CA.pem from /etc/ssl/certs to 
/etc/srv/htdocs. Back in Yast->LDAP Server I added TLS and restarted.

Client:
 Yast->LDAP Client, and changed' Addresses of LDAP Servers' from 127.0.0.1 to 
my FQDN and downloaded YaST-CA.pem, checking the 'LDAP TLS/SSL' box in the 
'Secure Connection' section. 

1. What is the correct way of doing this?
2. Does this confirm that TLS is working? (all this just for one login?)

Thanks. L x

Oct 29 15:14:02 hh1 slapd[1798]: conn=1083 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Oct 29 15:14:02 hh1 slapd[1798]: conn=1083 op=0 STARTTLS
Oct 29 15:14:02 hh1 slapd[1798]: conn=1083 op=0 RESULT oid= err=0 text=
Oct 29 15:14:02 hh1 slapd[1798]: conn=1083 fd=33 ACCEPT from 
IP=192.168.1.3:47402 (IP=0.0.0.0:389)
Oct 29 15:14:02 hh1 slapd[1798]: conn=1083 fd=33 TLS established tls_ssf=256 
ssf=256
Oct 29 15:14:02 hh1 slapd[1798]: conn=1083 op=1 BIND dn="" method=128
Oct 29 15:14:02 hh1 slapd[1798]: conn=1083 op=1 RESULT tag=97 err=0 text=
Oct 29 15:14:02 hh1 slapd[1798]: conn=1083 op=2 SRCH base="dc=com" scope=2 
deref=0 filter="(&(objectClass=shadowAccount)(uid=lynn2))"
Oct 29 15:14:02 hh1 slapd[1798]: conn=1083 op=2 SRCH attr=uid userPassword 
shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire 
shadowFlag
Oct 29 15:14:02 hh1 slapd[1798]: conn=1083 op=2 SEARCH RESULT tag=101 err=0 
nentries=0 text=
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 fd=34 ACCEPT from 
IP=192.168.1.3:47403 (IP=0.0.0.0:389)
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 op=0 STARTTLS
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 op=0 RESULT oid= err=0 text=
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 fd=34 TLS established tls_ssf=256 
ssf=256
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 op=1 BIND dn="" method=128
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 op=1 RESULT tag=97 err=0 text=
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 op=2 SRCH base="dc=com" scope=2 
deref=0 filter="(&(objectClass=posixAccount)(objectClass=posixAccount)
(uid=lynn2))"
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 op=2 SRCH attr=host 
authorizedService shadowExpire shadowFlag shadowInactive shadowLastChange 
shadowMax shadowMin shadowWarning uidNumber
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 op=2 SEARCH RESULT tag=101 err=0 
nentries=1 text=
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 op=3 BIND 
dn="uid=lynn2,ou=people,dc=com" method=128
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 op=3 BIND 
dn="uid=lynn2,ou=people,dc=com" mech=SIMPLE ssf=0
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 op=3 RESULT tag=97 err=0 text=
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 op=4 BIND anonymous mech=implicit 
ssf=0
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 op=4 BIND dn="" method=128
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 op=4 RESULT tag=97 err=0 text=
Oct 29 15:14:02 hh1 slapd[1798]: conn=1083 op=3 SRCH base="dc=com" scope=2 
deref=0 filter="(&(objectClass=shadowAccount)(uid=lynn2))"
Oct 29 15:14:02 hh1 slapd[1798]: conn=1083 op=3 SRCH attr=uid userPassword 
shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire 
shadowFlag
Oct 29 15:14:02 hh1 slapd[1798]: conn=1083 op=3 SEARCH RESULT tag=101 err=0 
nentries=0 text=
Oct 29 15:14:02 hh1 slapd[1798]: conn=1085 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Oct 29 15:14:02 hh1 slapd[1798]: conn=1085 op=0 STARTTLS
Oct 29 15:14:02 hh1 slapd[1798]: conn=1085 op=0 RESULT oid= err=0 text=
Oct 29 15:14:02 hh1 slapd[1798]: conn=1085 fd=35 ACCEPT from 
IP=192.168.1.3:47404 (IP=0.0.0.0:389)
Oct 29 15:14:02 hh1 slapd[1798]: conn=1085 fd=35 TLS established tls_ssf=256 
ssf=256
Oct 29 15:14:02 hh1 slapd[1798]: conn=1085 op=1 BIND dn="" method=128
Oct 29 15:14:02 hh1 slapd[1798]: conn=1085 op=1 RESULT tag=97 err=0 text=
Oct 29 15:14:02 hh1 slapd[1798]: conn=1085 op=2 SRCH base="dc=com" scope=2 
deref=0 filter="(&(objectClass=posixAccount)(uid=lynn2))"
Oct 29 15:14:02 hh1 slapd[1798]: conn=1085 op=2 SRCH attr=uid userPassword 
uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Oct 29 15:14:02 hh1 slapd[1798]: conn=1085 op=2 SEARCH RESULT tag=101 err=0 
nentries=1 text=
Oct 29 15:14:02 hh1 slapd[1798]: conn=1085 op=3 SRCH base="dc=com" scope=2 
deref=0 filter="(&(objectClass=posixAccount)(uid=lynn2))"
Oct 29 15:14:02 hh1 slapd[1798]: conn=1085 op=3 SEARCH RESULT tag=101 err=0 
nentries=1 text=
Oct 29 15:14:02 hh1 slapd[1798]: conn=1085 op=4 SRCH base="dc=com" scope=2 
deref=0 filter="(&(objectClass=posixGroup)(|(memberUid=lynn2)
(member=uid=lynn2,ou=people,dc=com)))"
Oct 29 15:14:02 hh1 slapd[1798]: conn=1085 op=4 SRCH attr=gidNumber
Oct 29 15:14:02 hh1 slapd[1798]: conn=1085 op=4 SEARCH RESULT tag=101 err=0 
nentries=0 text=
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 op=5 UNBIND
Oct 29 15:14:02 hh1 slapd[1798]: conn=1084 fd=34 closed
Oct 29 15:14:02 hh1 slapd[1798]: conn=1085 fd=35 closed (connection lost)
Oct 29 15:14:02 hh1 slapd[1798]: conn=1086 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Oct 29 15:14:02 hh1 slapd[1798]: conn=1086 op=0 STARTTLS
Oct 29 15:14:02 hh1 slapd[1798]: conn=1086 op=0 RESULT oid= err=0 text=
Oct 29 15:14:02 hh1 slapd[1798]: conn=1086 fd=34 ACCEPT from 
IP=192.168.1.3:47405 (IP=0.0.0.0:389)
Oct 29 15:14:02 hh1 slapd[1798]: conn=1086 fd=34 TLS established tls_ssf=256 
ssf=256
Oct 29 15:14:02 hh1 slapd[1798]: conn=1086 op=1 BIND dn="" method=128
Oct 29 15:14:02 hh1 slapd[1798]: conn=1086 op=1 RESULT tag=97 err=0 text=
Oct 29 15:14:02 hh1 slapd[1798]: conn=1086 op=2 SRCH base="dc=com" scope=2 
deref=0 filter="(&(objectClass=posixAccount)(uidNumber=1002))"
Oct 29 15:14:02 hh1 slapd[1798]: conn=1086 op=2 SRCH attr=uid userPassword 
uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Oct 29 15:14:02 hh1 slapd[1798]: conn=1086 op=2 SEARCH RESULT tag=101 err=0 
nentries=1 text=
Oct 29 15:14:02 hh1 slapd[1798]: conn=1086 fd=34 closed (connection lost)
-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org