Differences
This shows the differences between two versions of the page.
java:ldap:openldap [2016/03/25 23:28] tony [Enable SSL/TLS]
java:ldap:openldap [2023/06/25 09:48]
====== OpenLDAP ======
===== Articles =====
  * [[java:ldap:openldap:setup:ubuntu14:04|Setup OpenLDAP on Ubuntu 14.04]]

===== View cn=config =====
<code bash>
# Read the live cn=config database over the local ldapi socket,
# authenticating as root via SASL EXTERNAL
ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config
</code>
===== Apply setting =====
<code bash>
# Apply an LDIF of modifications to cn=config (-Q: quiet SASL, -Y: EXTERNAL)
ldapmodify -QY EXTERNAL -H ldapi:/// -f tls-config.ldif
</code>
===== Enable SSL/TLS =====
I followed [[http://wiki.weithenn.org/cgi-bin/wiki.pl?OpenLDAP-SSL_TLS_%E8%A8%AD%E5%AE%9A|this]] tutorial to generate the certificate files and the settings, but the connection never came up. So I started slapd in debug mode with the following command:
<code bash>
# Run slapd in the foreground at debug level 1 (trace) on all three listeners,
# as the openldap user, reading cn=config from /etc/ldap/slapd.d
/usr/sbin/slapd -d 1 -h "ldap:/// ldapi:/// ldaps:///" -g openldap -u openldap -F /etc/ldap/slapd.d
</code>
The following error message appeared:
<code>
56f10002 slap_listener_activate(10):
56f10002 >>> slap_listener(ldaps://)
56f10002 connection_get(19): got connid=1001
56f10002 connection_read(19): checking for input on id=1001
TLS: can't accept: Could not negotiate a supported cipher suite..
56f10002 connection_read(19): TLS accept failure error=-1 id=1001, closing
56f10002 connection_close: conn=1001 sd=19
</code>
In the end, what worked for slapd on Ubuntu 14.04 was the approach in [[http://mindref.blogspot.tw/2010/12/debian-openldap-ssl-tls-encryption.html|this]] tutorial: import the certificate file settings into cn=config with the following LDIF (apply it with the ldapmodify command above).
<code ldif>
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/ssl/rootca.crt
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/ldap.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap.key
</code>

Batch [[java:web:ssl:issuepersonalcertificate|script]] for generating the certificate files.
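One common reason for the "Could not negotiate a supported cipher suite" failure above is that slapd has no usable certificate and key when it sets up TLS, which is exactly what the LDIF fixes. The following pre-flight script is an added example written for this page (not code from the original article or from the OpenLDAP project): it reads the olcTLS*File paths out of an LDIF like the one above, checks that each file exists and is readable by the slapd user, refuses a world-readable private key, and, when openssl is installed, checks that the key matches the certificate and that the certificate chains to the CA file. It handles any of the three olcTLS*File attributes, not only the three lines shown above. The LDIF path, the user name (default openldap, as on Ubuntu) and the host/port of the listener check are assumptions passed in as arguments.

```shell
#!/bin/sh
# Pre-flight checks for the olcTLS*File settings in a cn=config LDIF.
# Added example for this page, not code from the original article or from
# OpenLDAP. Assumptions: the LDIF path, the slapd user name (default
# "openldap", as on Ubuntu) and the host/port of the listener check are
# supplied as arguments; private keys are unencrypted, as slapd requires.

# Print "attribute path" for every olcTLS*File line in the LDIF.
tls_attrs_in_ldif() {
    grep -E '^olcTLS(CACertificate|Certificate|CertificateKey)File:' "$1" |
        sed 's/:[ ]*/ /'
}

# Heuristic from `ls -ld`: the file is readable by $2 if $2 owns it with
# owner-read, is its group with group-read, or it is world-readable.
# Uses no su/sudo, so it can run as an unprivileged user.
readable_by() {
    u=$2
    set -- $(ls -ld "$1")
    case $1 in ?r*) [ "$3" = "$u" ] && return 0 ;; esac
    case $1 in ????r*) [ "$4" = "$u" ] && return 0 ;; esac
    case $1 in ???????r*) return 0 ;; esac
    return 1
}

# A private key that any local user can read undoes the TLS setup: fail if
# the "others" read bit is set (group access, e.g. a shared ssl-cert group,
# is allowed).
key_not_world_readable() {
    set -- $(ls -ld "$1")
    case $1 in ???????r*) return 1 ;; esac
    return 0
}

# Check every file the LDIF names: it must exist and be readable by the
# slapd user, and the key must not be world-readable. A slapd that cannot
# load its certificate/key has nothing to offer a client, which surfaces as
# "TLS: can't accept: Could not negotiate a supported cipher suite".
# Prints each problem; returns 1 if any was found.
check_tls_ldif() {
    ldif=$1; user=${2:-openldap}; rc=0; found=0
    while read -r attr f; do
        [ -n "$f" ] || continue
        found=1
        if [ ! -f "$f" ]; then
            echo "MISSING: $f"; rc=1; continue
        fi
        if ! readable_by "$f" "$user"; then
            echo "NOT READABLE by $user: $f"; rc=1
        fi
        if [ "$attr" = olcTLSCertificateKeyFile ] && ! key_not_world_readable "$f"; then
            echo "WORLD-READABLE private key: $f"; rc=1
        fi
    done <<EOF
$(tls_attrs_in_ldif "$ldif")
EOF
    [ "$found" -eq 1 ] || { echo "no olcTLS*File attributes in $ldif"; rc=1; }
    return "$rc"
}

# When openssl is installed, confirm that the key belongs to the certificate
# and that the certificate chains to the CA file; either mismatch also
# leaves slapd without a usable credential.
check_cert_chain() {
    ca=$1; crt=$2; key=$3
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed; skipping chain check"; return 0; }
    certpub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || { echo "UNPARSABLE CERT: $crt"; return 1; }
    keypub=$(openssl pkey -in "$key" -pubout 2>/dev/null </dev/null) || { echo "UNPARSABLE KEY: $key"; return 1; }
    [ "$certpub" = "$keypub" ] || { echo "KEY DOES NOT MATCH CERT: $key / $crt"; return 1; }
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || { echo "CERT DOES NOT CHAIN TO CA: $crt / $ca"; return 1; }
    return 0
}

# After slapd is restarted: open a TLS session to the ldaps listener the way
# a client would and show the negotiated cipher and verification result.
# Needs a running server, so it is not part of the offline checks above.
check_ldaps_listener() {
    host=${1:-localhost}; port=${2:-636}; ca=$3
    openssl s_client -connect "$host:$port" -CAfile "$ca" </dev/null 2>&1 |
        grep -E 'Cipher is|Verify return code'
}

# Usage: sh check-tls.sh tls-config.ldif [slapd-user]
if [ $# -ge 1 ]; then
    check_tls_ldif "$1" "${2:-openldap}"
fi
```

Run it as `sh check-tls.sh tls-config.ldif openldap` before the ldapmodify step; a clean run prints nothing and exits 0. The readability check is a heuristic based on owner, group and mode bits rather than a real access check as the slapd user, so it can miss ACLs or a parent directory that the user cannot traverse; the `-d 1` trace above remains the authoritative answer once the files are in place.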