[ZendTo] Re: ldaps not working
Jules
Jules at Zend.To
Fri Aug 26 09:34:12 BST 2011
On 26/08/2011 07:28, patrick.gaikowski at kaufland.com wrote:
>
> Hi,
>
> i want to change authentication from plain ldap to ldaps. I made the
> following changes but it didn't work:
>
> 1.) change in preferences.php to 'authLDAPUseSSL' => true
>
Correct.
>
> 2.) change in /opt/zendto/lib/NSSLDAPAuthenticator.php
>
> enable //if($this->_ldapUseSSL){$ldapServer="ldaps://".$ldapServer;} in
> function validUsername
> enable //if($this->_ldapUseSSL){$ldapServer="ldaps://".$ldapServer;} in
> function authenticate
>
Why? You can just set the LDAP server address to
ldaps://<ip-address-or-hostname>
instead of just the <ip-address-or-hostname>.
>
>
> 3.) add entry to /etc/ldap.conf --> TLS_REQCERT never
>
> I need this for testing because in tcpdump I saw the TLS error
> "unknown CA"
>
Aren't there some options in ldap.conf (it seems to be general opinion
that you should be editing /etc/openldap/ldap.conf and not
/etc/ldap.conf, or else try editing both) that set how much of the
certificate it actually checks? I think you can tell it not to bother
verifying the cert with the CA chain, which sounds like what you need to do.
>
>
> By the way, we have two ldap.conf in the zendto-vm (/etc/ldap.conf and
> /etc/openldap/ldap.conf); which one is the right one?
>
A 5-second Google search produced this:
http://www.linuxquestions.org/questions/linux-server-73/difference-between-etc-ldap-conf-vs-etc-ldap-ldap-conf-819552/
>
>
> For debugging I installed openldap-client so that I can do an ldapsearch
>
> ldapsearch -b o=kl -H ldaps://4.26.1.118 -x "cn=pgai1507" -d1 -Z was
> working perfectly.
>
> ldap_create
> ldap_url_parse_ext(ldaps://4.26.1.118)
> ldap_extended_operation_s
> ldap_extended_operation
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP 4.26.1.118:636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 4.26.1.118:636
> ldap_connect_timeout: fd: 3 tm: -1 async: 0
> TLS trace: SSL_connect:before/connect initialization
> TLS trace: SSL_connect:SSLv2/v3 write client hello A
> TLS trace: SSL_connect:SSLv3 read server hello A
> TLS certificate verification: depth: 1, err: 0, subject: /O=KLMETA/OU=Organizational CA, issuer: /O=KLMETA/OU=Organizational CA
> TLS certificate verification: depth: 0, err: 0, subject: /O=KLMETA/CN=dedcoesmdir26.de.int.kaufland, issuer: /O=KLMETA/OU=Organizational CA
> TLS trace: SSL_connect:SSLv3 read server certificate A
> TLS trace: SSL_connect:SSLv3 read server done A
> TLS trace: SSL_connect:SSLv3 write client key exchange A
> TLS trace: SSL_connect:SSLv3 write change cipher spec A
> TLS trace: SSL_connect:SSLv3 write finished A
> TLS trace: SSL_connect:SSLv3 flush data
> TLS trace: SSL_connect:SSLv3 read finished A
> ldap_open_defconn: successful
>
That looks like you are using a self-signed cert, in which case the CA
chain tests will most definitely fail and you need to switch them off.
>
>
>
> Do you have any idea where the problem is?
>
> Kind regards / Best regards
>
> Patrick Gaikowski
> Tel: +49 7132 94 3568
> Fax: +49 7132 94 73568
> E-Mail: patrick.gaikowski at kaufland.com
> KI 967850: IT International / IT Governance / Network Design and
> IT Security
> Office:
> Lindichstrasse 11
> D-74189 Weinsberg
>
>
> http://www.kaufland.de
> http://www.spannende-it.de
> We are No. 1:
> Kaufland is "Best Grocery Store 2011"!
>
> Kaufland Informationssysteme GmbH & Co. KG
> P.O. Box 12 53 - 74149 Neckarsulm
> Limited partnership (Kommanditgesellschaft)
> Registered office: Neckarsulm
> Register court: Amtsgericht Stuttgart HRA 104163
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
Jules
--
Julian Field MEng CITP CEng
www.Zend.To
Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
'It's okay to live without all the answers' - Charlie Eppes, 2011
'All programs have a desire to be useful' - Tron, 1982
'That is the land of lost content,
I see it shining plain,
The happy highways where I went,
And cannot come again.' - A. E. Housman
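The exchange above hinges on what the ldapsearch -d1 trace actually says about certificate verification, and on whether "TLS_REQCERT never" is the right fix. What follows is an added example, not code from this thread or from ZendTo: a Python parser for the "TLS certificate verification:" lines that such a trace contains. It reports the OpenSSL verify result code at each chain depth, whether the top of the chain is self-issued, whether the server certificate's CN matches the host that was connected to (a plain CN comparison; the trace shows no SANs, so none are handled), and what that implies for ldap.conf. The first sample is the trace quoted above with the mail-wrapped lines re-joined; the second, showing what an untrusted CA looks like, is constructed with invented names and a documentation-range IP address.

```python
"""Summarise the certificate-verification lines of an ldapsearch -d1 trace."""
import re
from dataclasses import dataclass

# Verification lines copied from the ldapsearch -d1 output quoted in the thread,
# re-joined onto single lines where the mail client wrapped them.
TRACE_FROM_THREAD = """\
ldap_connect_to_host: TCP 4.26.1.118:636
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /O=KLMETA/OU=Organizational CA, issuer: /O=KLMETA/OU=Organizational CA
TLS certificate verification: depth: 0, err: 0, subject: /O=KLMETA/CN=dedcoesmdir26.de.int.kaufland, issuer: /O=KLMETA/OU=Organizational CA
TLS trace: SSL_connect:SSLv3 read server certificate A
ldap_open_defconn: successful
"""

# Constructed sample (not from the poster's system): the shape the trace takes
# when the client's trust store lacks the issuing CA, which is what puts an
# "unknown CA" alert on the wire. Host and names are invented.
TRACE_UNTRUSTED_CA = """\
ldap_connect_to_host: TCP 192.0.2.10:636
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 19, subject: /O=Example/OU=Example Root CA, issuer: /O=Example/OU=Example Root CA
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
"""

VERIFY_RE = re.compile(r"TLS certificate verification: depth: (\d+), err: (\d+), "
                       r"subject: (.+?), issuer: (.+)$")
TARGET_RE = re.compile(r"ldap_connect_to_host: TCP (\S+):(\d+)")
CN_RE = re.compile(r"/CN=([^/]+)")

# OpenSSL X509_V_ERR_* codes most often behind an "unknown CA" alert.
X509_ERRORS = {
    0: "ok",
    2: "unable to get issuer certificate",
    10: "certificate has expired",
    18: "self signed certificate",
    19: "self signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
}
TRUST_STORE_ERRORS = {2, 19, 20, 21}


@dataclass
class CertCheck:
    depth: int    # 0 is the server's own certificate; higher is nearer the root
    err: int      # OpenSSL verify result for this certificate; 0 means it verified
    subject: str
    issuer: str

    @property
    def self_issued(self) -> bool:
        return self.subject == self.issuer


def parse_trace(trace: str) -> list[CertCheck]:
    """Return one CertCheck per verification line, root end first."""
    checks = []
    for line in trace.splitlines():
        m = VERIFY_RE.search(line)
        if m:
            depth, err, subject, issuer = m.groups()
            checks.append(CertCheck(int(depth), int(err), subject.strip(), issuer.strip()))
    return sorted(checks, key=lambda c: c.depth, reverse=True)


def assess(trace: str) -> dict:
    """Decide whether the chain verified and what, if anything, to change in ldap.conf."""
    checks = parse_trace(trace)
    failures = [c for c in checks if c.err != 0]
    leaf = next((c for c in checks if c.depth == 0), None)
    target = TARGET_RE.search(trace)
    host = target.group(1) if target else None
    cn_match = CN_RE.search(leaf.subject) if leaf else None
    cn = cn_match.group(1) if cn_match else None
    problems = [f"depth {c.depth}: {X509_ERRORS.get(c.err, f'verify error {c.err}')}"
                for c in failures]

    if not checks:
        advice = "no verification lines found; run ldapsearch with -d1"
    elif not failures:
        advice = "every certificate in the chain verified (err 0); TLS_REQCERT never is not needed"
    elif any(c.err in TRUST_STORE_ERRORS for c in failures):
        advice = ("client does not trust the issuing CA: point TLS_CACERT at the CA's "
                  "certificate rather than disabling checks with TLS_REQCERT never")
    else:
        advice = "certificate problem unrelated to the trust store: " + "; ".join(problems)

    return {
        "chain_depth": len(checks),
        "verified": bool(checks) and not failures,
        "handshake_ok": "ldap_open_defconn: successful" in trace,
        "anchor_self_issued": checks[0].self_issued if checks else None,
        "target_host": host,
        "server_cn": cn,
        "cn_matches_target": (host == cn) if host and cn else None,
        "problems": problems,
        "advice": advice,
    }


if __name__ == "__main__":
    for name, trace in (("thread", TRACE_FROM_THREAD), ("constructed", TRACE_UNTRUSTED_CA)):
        print(name, assess(trace))
```

Feed it the full -d1 output of a failing run (after re-joining any wrapped lines) and the "problems" list names the OpenSSL verify error at the depth where the chain broke; a 19 or 20 at the top of the chain means the CA certificate is missing from the client's trust store, which TLS_CACERT fixes without turning verification off. A "cn_matches_target" of False, as in the quoted trace where the connection is to an IP address but the certificate names a host, is reported only as information here, since a strict client may refuse it while one configured with TLS_REQCERT never will not.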