Differences
This shows the differences between the two versions of the page.
java:ldap:openldap [2016/03/25 22:05] tony
java:ldap:openldap [2023/06/25 09:48] (current version)
Line 1: | Line 1:
+ | {{tag>ldap}} | ||
====== OpenLDAP ====== | ====== OpenLDAP ====== | ||
===== Articles ===== | ===== Articles ===== | ||
* [[java:ldap:openldap:setup:ubuntu14:04|Setup OpenLDAP on Ubuntu 14.04]] | * [[java:ldap:openldap:setup:ubuntu14:04|Setup OpenLDAP on Ubuntu 14.04]] | ||
- | + | * [[java:ldap:openldap:setup:enableSSL|Setup Certificate and enble SSL/TLS of OpenLDAP on Ubuntu 14.04]] | |
- | + | * [[java:ldap:openldap:setup:disableAnonymousAccess|Disable anonymous to access OpenLDAP]] | |
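Review bot: the label of the newly added enableSSL link has a typo, "enble SSL/TLS" should read "enable SSL/TLS", and the disableAnonymousAccess label reads more naturally as "Disable anonymous access to OpenLDAP"; both are visible link texts on the index page, so worth fixing before the page is republished.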
- | ===== View cn=config ===== | + | ===== Useful Commands ===== |
+ | ==== View cn=config ==== | ||
<code bash> | <code bash> | ||
ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config | ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config | ||
</code> | </code> | ||
- | ===== Apply setting ===== | + | ==== Apply setting ==== |
<code bash> | <code bash> | ||
ldapmodify -QY EXTERNAL -H ldapi:/// -f tls-config.ldif | ldapmodify -QY EXTERNAL -H ldapi:/// -f tls-config.ldif | ||
</code> | </code> | ||
- | ===== Enable SSL/TLS ===== | + | ==== supportedSASLMechanisms ==== |
- | 我參考了[[http://wiki.weithenn.org/cgi-bin/wiki.pl?OpenLDAP-SSL_TLS_%E8%A8%AD%E5%AE%9A|此篇]]教學產生certification file與設定,結果一直無法正常連線。於是透過以下command打開debug mode: | + | |
<code bash> | <code bash> | ||
- | /usr/sbin/slapd -d 1 -h "ldap:/// ldapi:/// ldaps:///" -g openldap -u openldap -F /etc/ldap/slapd.d | + | ldapsearch -LLL -x -H ldap:// -s "base" -b "" supportedSASLMechanisms |
</code> | </code> | ||
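Review bot: the new supportedSASLMechanisms query binds anonymously (`-x` with no `-D`) over plain `ldap://`, so it will stop working on a server configured as described in the "Disable anonymous access" article this same revision links to; suggest a one-line note saying the query reads the rootDSE, and either adding `-D`/`-W` credentials or offering the local-socket variant `ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -s base -b "" supportedSASLMechanisms` as an alternative for locked-down hosts. A short sentence on what the output means (the mechanisms the server offers, e.g. the EXTERNAL mechanism used by the other commands on this page) would also help readers.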
- | 出現以下錯誤訊息: | + | ==== query admin entry ==== |
- | <code> | + | |
- | 56f10002 slap_listener_activate(10): | + | |
- | 56f10002 >>> slap_listener(ldaps://) | + | |
- | 56f10002 connection_get(19): got connid=1001 | + | |
- | 56f10002 connection_read(19): checking for input on id=1001 | + | |
- | TLS: can't accept: Could not negotiate a supported cipher suite.. | + | |
- | 56f10002 connection_read(19): TLS accept failure error=-1 id=1001, closing | + | |
- | 56f10002 connection_close: conn=1001 sd=19 | + | |
- | </code> | + | |
- | 最後試出在Ubuntu 14.04下的slapd,可以參考[[http://mindref.blogspot.tw/2010/12/debian-openldap-ssl-tls-encryption.html|此篇]]教學做法,將certification file設定給匯進去。 | + | |
<code bash> | <code bash> | ||
- | dn: cn=config | + | ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcSuffix |
- | add: olcTLSCACertificateFile | + | |
- | olcTLSCACertificateFile: /etc/ldap/ssl/rootca.crt | + | |
- | - | + | |
- | add: olcTLSCertificateFile | + | |
- | olcTLSCertificateFile: /etc/ldap/ssl/ldap.crt | + | |
- | - | + | |
- | add: olcTLSCertificateKeyFile | + | |
- | olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap.key | + | |
</code> | </code> | ||
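Review bot: the heading "query admin entry" does not match its command; `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcSuffix` returns the database base DN (olcSuffix, the baseDN the reference below talks about), not the admin entry. Either rename the heading to "query base DN" or also request the administrator DN attribute, e.g. `... -b cn=config olcSuffix olcRootDN` (olcRootDN is the standard cn=config attribute holding the rootdn; it is not mentioned elsewhere on this page). Separately, the removed TLS LDIF (olcTLSCACertificateFile, olcTLSCertificateFile, olcTLSCertificateKeyFile) and the `slapd -d 1` debugging notes disappear from this page without a pointer; if they now live in the linked enableSSL article, a one-line "moved to ..." remark here would keep old bookmarks useful.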
+ | ==== Reference ==== | ||
+ | * [[https://www.digitalocean.com/community/tutorials/how-to-configure-openldap-and-perform-administrative-ldap-tasks|how-to-configure-openldap-and-perform-administrative-ldap-tasks]] | ||
+ | * [[https://blog.xupeng.me/2009/08/09/change-base-dn-in-openldap/|修改baseDN]] 改完要參考這個[[https://www.openldap.org/lists/openldap-technical/200906/msg00191.html|連結]]調整資料庫資料夾權限 | ||
+ | |||
+ | ===== ===== | ||
+ | ---- | ||
+ | \\ | ||
+ | ~~DISQUS~~ |
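Review bot: the added `===== =====` is an empty level-2 heading that renders as a blank section title above the horizontal rule; drop it or give it a title, and consider whether the `\\` forced line break before `~~DISQUS~~` is needed, since the `----` rule already separates the comments widget from the content.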