Re: SSL based LDAP client verification
On Wed, Oct 07, 2015 at 02:13:38AM +0500, Aneela Saleem wrote:

> I have followed this link to generate self-signed certificates. I have
> successfully performed server side validation.

I assume that means that you have made an SSL or TLS connection to the
server and done an LDAP operation, so this operation should succeed:

    ldapwhoami -x -H ldap://my.server.com/ -ZZ

If it does not, you may need to specify the TLS_CACERT location in
/etc/openldap/ldap.conf or temporarily provide the cert location in the
environment:

    LDAPTLS_CACERT=/path/to/ca.crt ldapwhoami -x -H ldap://my.server.com/ -ZZ

Don't start trying to use any other clients until you have the
command-line ones working properly.

> What if I want to access LDAPS:// from other client. I have copied
> servercrt.pem and serverkey.pem file on client machine, also added
> servercrt.pem file to client trust store. I'm using

NO! Don't ever give clients the secret key.

Assuming you followed http://www.openldap.org/faq/data/cache/185.html
fully you created two certificates: a master CA cert and a
server-specific cert. You can use the CA cert to create as many server
certs as you like, and client machines only need a copy of the CA cert
to verify trust.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                 +44 1628 782565    |
-----------------------------------------------------------------------
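The split Andrew describes (one private CA, per-server certs signed by it, and only the CA cert ever copied to clients), as an added worked example. This is not code from the thread, from the OpenLDAP FAQ, or from the OpenLDAP project: it uses openssl to build the CA and a server cert, then performs the same chain and hostname check a client does with nothing but the CA cert, and checks that what is copied to the client carries no private key. The hostname my.server.com, the ./pki directory and the file names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenLDAP: build a private CA
# and a CA-signed server certificate with openssl, then check the server cert
# the way a client does, using nothing but the CA cert.
# Assumptions: openssl is on PATH; my.server.com and ./pki are placeholders.
set -eu

PKI=${PKI:-./pki}                          # working directory (assumed)
SERVER_FQDN=${SERVER_FQDN:-my.server.com}  # LDAP server name (assumed)

make_pki() {
  mkdir -p "$PKI"
  # 1. Private CA. ca.key stays offline; ca.crt is the only file distributed.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Private CA" \
    -keyout "$PKI/ca.key" -out "$PKI/ca.crt" 2>/dev/null
  # 2. Server key and CSR. serverkey.pem never leaves the LDAP server.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$SERVER_FQDN" \
    -keyout "$PKI/serverkey.pem" -out "$PKI/server.csr" 2>/dev/null
  # 3. The CA signs the server cert with a SAN; hostname checks use the SAN.
  printf 'subjectAltName=DNS:%s\n' "$SERVER_FQDN" >"$PKI/san.ext"
  openssl x509 -req -sha256 -days 825 -in "$PKI/server.csr" \
    -CA "$PKI/ca.crt" -CAkey "$PKI/ca.key" -CAcreateserial \
    -extfile "$PKI/san.ext" -out "$PKI/servercrt.pem" 2>/dev/null
  chmod 600 "$PKI/ca.key" "$PKI/serverkey.pem"
}

# Client side: copy ONLY ca.crt into a "client" directory and verify the cert
# the server would present against it, hostname included. This is the chain
# check ldapwhoami -ZZ performs via TLS_CACERT. Prints ok or FAIL.
client_verify() {
  mkdir -p "$PKI/client"
  cp "$PKI/ca.crt" "$PKI/client/ca.crt"
  if openssl verify -CAfile "$PKI/client/ca.crt" \
       -verify_hostname "$SERVER_FQDN" "$PKI/servercrt.pem" >/dev/null 2>&1
  then echo ok; else echo FAIL; fi
}

# Guard for what gets copied to clients: a file containing a private key
# must never be part of a client trust store. Prints yes or no.
is_private_key() {
  if grep -q 'PRIVATE KEY' "$1"; then echo yes; else echo no; fi
}

# Matching client configuration (CA cert only), in /etc/openldap/ldap.conf:
#   TLS_CACERT /etc/openldap/ca.crt
# or one-off in the environment:
#   LDAPTLS_CACERT=/etc/openldap/ca.crt ldapwhoami -x -H ldap://my.server.com/ -ZZ
```

Run make_pki once on the machine that holds the CA, ship servercrt.pem and serverkey.pem to the LDAP server only, and ship ca.crt to every client; client_verify shows that the CA cert alone is enough for the client to establish trust, and is_private_key is the check to run on anything before it goes into a trust store.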
Re: empty ldapmodify refused with slapo-unique
On Mon, Sep 14, 2015 at 17:14:56 +0200, Geert Hendrickx wrote:
> When slapo-unique constraints are in effect, it seems empty updates are
> no longer allowed:
>
> > $ ldapmodify -x -h localhost -D cn=Manager,dc=my-domain,dc=com -w secret
> > dn: cn=test1,dc=my-domain,dc=com
> > changetype: modify
> >
> > modifying entry "cn=test1,dc=my-domain,dc=com"
> > ldap_modify: Invalid syntax (21)
> >         additional info: unique_modify() got null op.orm_modlist
>
> Why is this considered invalid syntax? Without slapo-unique constraint,
> empty updates like these are accepted.

Anyone?

Geert

-- 
geert.hendrickx.be :: ge...@hendrickx.be :: PGP: 0xC4BB9E9F
This e-mail was composed using 100% recycled spam messages!
Re: empty ldapmodify refused with slapo-unique
--On Thursday, October 08, 2015 6:23 PM +0200 Geert Hendrickx wrote:

> On Mon, Sep 14, 2015 at 17:14:56 +0200, Geert Hendrickx wrote:
>> When slapo-unique constraints are in effect, it seems empty updates are
>> no longer allowed:
>>
>>> $ ldapmodify -x -h localhost -D cn=Manager,dc=my-domain,dc=com -w secret
>>> dn: cn=test1,dc=my-domain,dc=com
>>> changetype: modify
>>>
>>> modifying entry "cn=test1,dc=my-domain,dc=com"
>>> ldap_modify: Invalid syntax (21)
>>>         additional info: unique_modify() got null op.orm_modlist
>>
>> Why is this considered invalid syntax? Without slapo-unique constraint,
>> empty updates like these are accepted.
>
> Anyone?

I'd suggest you file an ITS.

--Quanah

--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration