差異處
這裏顯示兩個版本的差異處。
|
java:ldap:openldap [2016/03/25 21:49] tony |
java:ldap:openldap [2023/06/25 09:48] |
||
|---|---|---|---|
| 行 1: | 行 1: | ||
| - | ====== OpenLDAP ====== | ||
| - | ===== Setup ===== | ||
| - | * [[java:ldap:openldap:setup:ubuntu14:04|Setup OpenLDAP on Ubuntu 14.04]] | ||
| - | |||
| - | ===== View cn=config ===== | ||
| - | <code bash> | ||
| - | ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config | ||
| - | </code> | ||
| - | ===== Apply setting ===== | ||
| - | <code bash> | ||
| - | ldapmodify -QY EXTERNAL -H ldapi:/// -f tls-config.ldif | ||
| - | </code> | ||
| - | ===== Enable SSL/TLS ===== | ||
| - | 我參考了[[http://wiki.weithenn.org/cgi-bin/wiki.pl?OpenLDAP-SSL_TLS_%E8%A8%AD%E5%AE%9A|此篇]]教學產生certification file與設定,結果一直無法正常連線。於是透過以下command打開debug mode: | ||
| - | <code bash> | ||
| - | /usr/sbin/slapd -d 1 -h "ldap:/// ldapi:/// ldaps:///" -g openldap -u openldap -F /etc/ldap/slapd.d | ||
| - | </code> | ||
| - | 出現以下錯誤訊息: | ||
| - | <code> | ||
| - | 56f10002 slap_listener_activate(10): | ||
| - | 56f10002 >>> slap_listener(ldaps://) | ||
| - | 56f10002 connection_get(19): got connid=1001 | ||
| - | 56f10002 connection_read(19): checking for input on id=1001 | ||
| - | TLS: can't accept: Could not negotiate a supported cipher suite.. | ||
| - | 56f10002 connection_read(19): TLS accept failure error=-1 id=1001, closing | ||
| - | 56f10002 connection_close: conn=1001 sd=19 | ||
| - | </code> | ||
| - | 最後試出在Ubuntu 14.04下的slapd,可以參考[[http://mindref.blogspot.tw/2010/12/debian-openldap-ssl-tls-encryption.html|此篇]]教學做法,將certification file設定給匯進去。 | ||
| - | <code bash> | ||
| - | dn: cn=config | ||
| - | add: olcTLSCACertificateFile | ||
| - | olcTLSCACertificateFile: /etc/ldap/ssl/rootca.crt | ||
| - | - | ||
| - | add: olcTLSCertificateFile | ||
| - | olcTLSCertificateFile: /etc/ldap/ssl/ldap.crt | ||
| - | - | ||
| - | add: olcTLSCertificateKeyFile | ||
| - | olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap.key | ||
| - | </code> | ||
