差異處
這裏顯示兩個版本的差異處。
| Both sides previous revision 前次修改 下次修改 | 前次修改 | ||
|
java:ldap:openldap [2016/03/25 23:28] tony [Enable SSL/TLS] |
java:ldap:openldap [2023/06/25 09:48] (目前版本) |
||
|---|---|---|---|
| 行 1: | 行 1: | ||
| + | {{tag>ldap}} | ||
| ====== OpenLDAP ====== | ====== OpenLDAP ====== | ||
| ===== Articles ===== | ===== Articles ===== | ||
| * [[java:ldap:openldap:setup:ubuntu14:04|Setup OpenLDAP on Ubuntu 14.04]] | * [[java:ldap:openldap:setup:ubuntu14:04|Setup OpenLDAP on Ubuntu 14.04]] | ||
| - | + | * [[java:ldap:openldap:setup:enableSSL|Setup Certificate and enble SSL/TLS of OpenLDAP on Ubuntu 14.04]] | |
| - | + | * [[java:ldap:openldap:setup:disableAnonymousAccess|Disable anonymous to access OpenLDAP]] | |
| - | ===== View cn=config ===== | + | ===== Useful Commands ===== |
| + | ==== View cn=config ==== | ||
| <code bash> | <code bash> | ||
| ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config | ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config | ||
| </code> | </code> | ||
| - | ===== Apply setting ===== | + | ==== Apply setting ==== |
| <code bash> | <code bash> | ||
| ldapmodify -QY EXTERNAL -H ldapi:/// -f tls-config.ldif | ldapmodify -QY EXTERNAL -H ldapi:/// -f tls-config.ldif | ||
| </code> | </code> | ||
| - | ===== Enable SSL/TLS ===== | + | ==== supportedSASLMechanisms ==== |
| - | 我參考了[[http://wiki.weithenn.org/cgi-bin/wiki.pl?OpenLDAP-SSL_TLS_%E8%A8%AD%E5%AE%9A|此篇]]教學產生certification file與設定,結果一直無法正常連線。於是透過以下command打開debug mode: | + | |
| <code bash> | <code bash> | ||
| - | /usr/sbin/slapd -d 1 -h "ldap:/// ldapi:/// ldaps:///" -g openldap -u openldap -F /etc/ldap/slapd.d | + | ldapsearch -LLL -x -H ldap:// -s "base" -b "" supportedSASLMechanisms |
| - | </code> | + | |
| - | 出現以下錯誤訊息: | + | |
| - | <code> | + | |
| - | 56f10002 slap_listener_activate(10): | + | |
| - | 56f10002 >>> slap_listener(ldaps://) | + | |
| - | 56f10002 connection_get(19): got connid=1001 | + | |
| - | 56f10002 connection_read(19): checking for input on id=1001 | + | |
| - | TLS: can't accept: Could not negotiate a supported cipher suite.. | + | |
| - | 56f10002 connection_read(19): TLS accept failure error=-1 id=1001, closing | + | |
| - | 56f10002 connection_close: conn=1001 sd=19 | + | |
| </code> | </code> | ||
| - | 最後試出在Ubuntu 14.04下的slapd,可以參考[[http://mindref.blogspot.tw/2010/12/debian-openldap-ssl-tls-encryption.html|此篇]]教學做法,將certification file設定給匯進去。 | + | ==== query admin entry ==== |
| <code bash> | <code bash> | ||
| - | dn: cn=config | + | ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcSuffix |
| - | add: olcTLSCACertificateFile | + | |
| - | olcTLSCACertificateFile: /etc/ldap/ssl/rootca.crt | + | |
| - | - | + | |
| - | add: olcTLSCertificateFile | + | |
| - | olcTLSCertificateFile: /etc/ldap/ssl/ldap.crt | + | |
| - | - | + | |
| - | add: olcTLSCertificateKeyFile | + | |
| - | olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap.key | + | |
| </code> | </code> | ||
| + | ==== Reference ==== | ||
| + | * [[https://www.digitalocean.com/community/tutorials/how-to-configure-openldap-and-perform-administrative-ldap-tasks|how-to-configure-openldap-and-perform-administrative-ldap-tasks]] | ||
| + | * [[https://blog.xupeng.me/2009/08/09/change-base-dn-in-openldap/|修改baseDN]] 改完要參考這個[[https://www.openldap.org/lists/openldap-technical/200906/msg00191.html|連結]]調整資料庫資料夾權限 | ||
| - | 產生certificate file batch [[java:web:ssl:issuepersonalcertificate|script]]。 | + | ===== ===== |
| + | ---- | ||
| + | \\ | ||
| + | ~~DISQUS~~ | ||
