Re: SSL based LDAP client verification

2015-10-08 Thread Andrew Findlay
On Wed, Oct 07, 2015 at 02:13:38AM +0500, Aneela Saleem wrote:

> I have followed this link to generate self-signed certificates. I have
> successfully performed server side validation.

I assume that means that you have made an SSL or TLS connection to the server
and done an LDAP operation, so this operation should succeed:

ldapwhoami -x -H ldap://my.server.com/ -ZZ

If it does not, you may need to specify the TLS_CACERT location in
/etc/openldap/ldap.conf or temporarily provide the cert location in the
environment:

LDAPTLS_CACERT=/path/to/ca.crt ldapwhoami -x -H ldap://my.server.com/ -ZZ

Don't start trying to use any other clients until you have the command-line
ones working properly.

> What if I want to access LDAPS:// from other client. I have copied
> servercrt.pem and serverkey.pem file on client machine, also added
> servercrt.pem file to client trust store. I'm using

NO! Don't ever give clients the secret key.

Assuming you followed http://www.openldap.org/faq/data/cache/185.html fully you
created two certificates: a master CA cert and a server-specific cert. You can
use the CA cert to create as many server certs as you like, and client machines
only need a copy of the CA cert to verify trust.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
---
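The point Andrew makes above (clients verify the server with a copy of the CA certificate only; the server's private key stays on the server) is easy to get wrong when files are copied around by hand. The following is an added example, not code from the thread or from the OpenLDAP project: a small pre-distribution check that inspects a PEM bundle destined for client trust stores and an ldap.conf-style file, and reports the two mistakes discussed in the thread (a private key inside the bundle, and no TLS_CACERT configured). The PEM bodies are constructed placeholders, not real certificates; TLS_CACERT, TLS_CACERTDIR and TLS_REQCERT are real ldap.conf(5) options, and the check treats the documented default of TLS_REQCERT (demand) as the safe setting.

```python
"""Pre-distribution audit of an LDAP client trust bundle and ldap.conf.

Added example (not part of the original thread). It checks the two things a
client needs for server verification: a bundle containing only certificates
(never a private key) and an ldap.conf that points at that CA bundle.
"""
import re

# One PEM block: label in the BEGIN line must match the END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_labels(pem_text):
    """Return the labels of all PEM blocks in order, e.g. ['CERTIFICATE']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]


def audit_trust_bundle(pem_text):
    """Findings for a file that is meant to be shipped to clients as a CA bundle."""
    findings = []
    labels = pem_labels(pem_text)
    if not labels:
        findings.append("no PEM blocks found")
    for label in labels:
        if "PRIVATE KEY" in label:
            findings.append("contains a %s: never ship private keys to clients" % label)
        elif label != "CERTIFICATE":
            findings.append("unexpected PEM block type: %s" % label)
    return findings


def parse_ldap_conf(text):
    """Parse ldap.conf-style 'KEY value' lines; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_ldap_conf(text):
    """Findings for a client ldap.conf: can it verify the server at all?"""
    conf = parse_ldap_conf(text)
    findings = []
    if "TLS_CACERT" not in conf and "TLS_CACERTDIR" not in conf:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: client cannot verify the server")
    # ldap.conf(5) default for TLS_REQCERT is 'demand'; never/allow skip verification.
    reqcert = conf.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append("TLS_REQCERT %s disables server certificate verification" % reqcert)
    return findings


# Constructed sample data: placeholder bodies, not real key material.
GOOD_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBconstructedPlaceholderCertificateBody\n"
    "-----END CERTIFICATE-----\n"
)
BAD_BUNDLE = GOOD_BUNDLE + (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MIIEconstructedPlaceholderKeyBody\n"
    "-----END RSA PRIVATE KEY-----\n"
)
GOOD_CONF = "TLS_CACERT /etc/openldap/certs/ca.crt\n"
BAD_CONF = "# no CA configured at all\nTLS_REQCERT never\n"

if __name__ == "__main__":
    for name, findings in (("good bundle", audit_trust_bundle(GOOD_BUNDLE)),
                           ("bad bundle", audit_trust_bundle(BAD_BUNDLE)),
                           ("good conf", audit_ldap_conf(GOOD_CONF)),
                           ("bad conf", audit_ldap_conf(BAD_CONF))):
        print(name, "->", findings or "ok")
```

Run it against the real files before copying them to a client (the bundle you hand out should produce no findings; the same check on serverkey.pem would flag it immediately).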



Re: empty ldapmodify refused with slapo-unique

2015-10-08 Thread Geert Hendrickx
On Mon, Sep 14, 2015 at 17:14:56 +0200, Geert Hendrickx wrote:
> When slapo-unique constraints are in effect, it seems empty updates are
> no longer allowed:
> 
> > $ ldapmodify -x -h localhost -D cn=Manager,dc=my-domain,dc=com -w secret
> > dn: cn=test1,dc=my-domain,dc=com
> > changetype: modify
> > 
> > modifying entry "cn=test1,dc=my-domain,dc=com"
> > ldap_modify: Invalid syntax (21)
> > additional info: unique_modify() got null op.orm_modlist
> 
> 
> Why is this considered invalid syntax?  Without slapo-unique constraint,
> empty updates like these are accepted.

Anyone?


Geert


-- 
geert.hendrickx.be :: ge...@hendrickx.be :: PGP: 0xC4BB9E9F
This e-mail was composed using 100% recycled spam messages!



Re: empty ldapmodify refused with slapo-unique

2015-10-08 Thread Quanah Gibson-Mount
--On Thursday, October 08, 2015 6:23 PM +0200 Geert Hendrickx wrote:

> On Mon, Sep 14, 2015 at 17:14:56 +0200, Geert Hendrickx wrote:
>
> > When slapo-unique constraints are in effect, it seems empty updates are
> > no longer allowed:
> >
> > > $ ldapmodify -x -h localhost -D cn=Manager,dc=my-domain,dc=com -w secret
> > > dn: cn=test1,dc=my-domain,dc=com
> > > changetype: modify
> > >
> > > modifying entry "cn=test1,dc=my-domain,dc=com"
> > > ldap_modify: Invalid syntax (21)
> > > additional info: unique_modify() got null op.orm_modlist
> >
> > Why is this considered invalid syntax?  Without slapo-unique constraint,
> > empty updates like these are accepted.
>
> Anyone?

I'd suggest you file an ITS.

--Quanah


--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.

Zimbra ::  the leader in open source messaging and collaboration
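The record Geert quotes in both messages above has a dn and "changetype: modify" but no modification operations, which is what slapo-unique rejects with "unique_modify() got null op.orm_modlist". Whether or not that is filed as an ITS, a batch of generated LDIF can be screened for such records before it reaches ldapmodify. The following is an added example, not code from the thread or from OpenLDAP: a minimal LDIF change-record parser (handles comments, folded continuation lines and base64 "::" values) plus a function that lists the DNs of modify records carrying zero operations. The LDIF input is constructed sample data modelled on the thread's cn=test1 entry.

```python
"""Screen an LDIF change file for empty 'changetype: modify' records.

Added example (not part of the original thread). An LDIF modify record lists
its operations as 'add:', 'delete:', 'replace:' or 'increment:' lines, each
terminated by a '-' line; a record with none of them is the case slapo-unique
refuses in the thread.
"""
import base64

MOD_OPS = ("add", "delete", "replace", "increment")


def parse_ldif_records(text):
    """Split LDIF text into records, each a list of (attribute, value) tuples."""
    # Unfold continuation lines (a leading space joins to the previous line).
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    records, current = [], []
    for line in unfolded:
        if line.startswith("#"):
            continue
        if line.strip() == "":
            if current:
                records.append(current)
                current = []
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):
            # 'attr:: <base64>' form
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.append((attr.strip(), value))
    if current:
        records.append(current)
    return records


def modify_operations(record):
    """Return the (op, attribute) pairs of a modify record, in order."""
    return [(attr, value) for attr, value in record if attr in MOD_OPS]


def find_empty_modifies(text):
    """DNs of 'changetype: modify' records that carry no operations at all."""
    empty = []
    for record in parse_ldif_records(text):
        dn = next((v for a, v in record if a == "dn"), None)
        changetype = next((v for a, v in record if a == "changetype"), "add")
        if changetype == "modify" and not modify_operations(record):
            empty.append(dn)
    return empty


# Constructed sample: one empty modify, one real modify, one empty modify
# whose dn is base64-encoded.
SAMPLE_LDIF = (
    "# constructed test data\n"
    "dn: cn=test1,dc=my-domain,dc=com\n"
    "changetype: modify\n"
    "\n"
    "dn: cn=test2,dc=my-domain,dc=com\n"
    "changetype: modify\n"
    "replace: mail\n"
    "mail: test2@example.com\n"
    "-\n"
    "add: description\n"
    "description: constructed\n"
    " sample value\n"
    "-\n"
    "\n"
    "dn:: " + base64.b64encode(b"cn=test3,dc=my-domain,dc=com").decode() + "\n"
    "changetype: modify\n"
    "\n"
)

if __name__ == "__main__":
    for dn in find_empty_modifies(SAMPLE_LDIF):
        print("empty modify record:", dn)
```

A wrapper that drops (or just reports) the listed records before calling ldapmodify gives a consistent result on servers with and without slapo-unique loaded.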