ldap-utils - tools for interacting with, querying and modifying entries in local or remote LDAP servers

Debconf will prompt you for a password for the database administrator (or, in case of a noninteractive installation, a random password will be set).

By default, an initial database is created using the system's DNS domain name. If your system is in the domain example.com, the database suffix (BaseDN) will be dc=example,dc=com. The domain name and other low-level details can be changed by running dpkg-reconfigure -plow slapd.

To check the database suffix, once the server is running, use ldapsearch(1) to read the namingContexts attribute of the root DSE:

# ldapsearch -x -LLL -s base -b "" namingContexts

After the above installation, two groups of tools will be available on your system. The OpenLDAP-specific tools are low-level and meant to be executed directly on the systems where slapd has been installed (they can generally be executed while slapd isn't running, as they access the underlying database(s) directly). The generic tools can be used on servers as well as clients.

Since version 2.3 (released in 2005), the actual configuration for OpenLDAP servers is managed within a special database (DIT), typically rooted at the cn=config entry. This configuration system is known as OpenLDAP online configuration, or OLC (and is further described in slapd-config(5)). The old configuration scheme, using a plain slapd.conf(5) file, is still supported, but its use is deprecated and support for it will be withdrawn in a future release. There is, however, still a lot of online documentation which refers to the old configuration scheme and which therefore needs to be adapted to the new one.

After the initial installation, the config tree will typically look something like this:

# ldapsearch -LLLQ -Y EXTERNAL -H ldapi:/// -b cn=config dn
dn: cn=config

Note that the olcRootDN does not have to refer to an actual entry in the database. Also, the user defined in olcRootDN is not subject to any access control list (ACL) checks or other checks, such as password policies defined by using the ppolicy overlay, which may be a positive or a negative, depending on your preferences.

This duplicate administrator definition can be addressed either by deleting the cn=admin,dc=example,dc=com entry (which would match the behavior of later Debian packages):

# ldapdelete -x -D "cn=admin,dc=example,dc=com" -W -H ldapi:/// cn=admin,dc=example,dc=com

or by deleting the olcRootDN and olcRootPW attributes (in which case appropriate ACLs are necessary to give cn=admin,dc=example,dc=com sufficient rights):

# ldapmodify -Q -Y EXTERNAL -H ldapi:///

That will show you the cryptographic suites your LDAP server supports.

Slapd TLS: can't connect: "A TLS packet with unexpected length was received." or "Could not negotiate a supported cipher suite."

Debian uses GnuTLS, and it doesn't play nice with OpenSSL certificates. Use the GnuTLS certificate generator certtool, available in gnutls-bin. Generate a new CA key and a self-signed certificate into the current working directory:

certtool --generate-privkey --outfile ca.key
certtool --generate-self-signed --load-privkey ca.key --outfile ca.crt

Update the TLSCertificateKeyFile and TLSCertificateFile options with your key/certificate locations in /etc/ldap/slapd.conf. Comment out TLSCACertificateFile and change TLSVerifyClient to never. Since this certificate is self-signed, certificate verification must be disabled on LDAP clients.
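As an added example (not code from the Debian wiki or the OpenLDAP project), a small Python audit that reads slapcat-style LDIF dumps of the cn=config tree and the data tree and flags the three points discussed above: TLSVerifyClient set to never, an olcRootDN that duplicates a real directory entry, and an olcRootPW stored in cleartext. The sample dumps are constructed, and the DN comparison is a simplified lower-case string match rather than full DN normalisation.

```python
import base64
# Constructed sample dumps (not from a real server): config tree and data tree.
SAMPLE_CONFIG = """dn: cn=config
olcTLSVerifyClient: never

dn: olcDatabase={1}mdb,cn=config
olcSuffix: dc=example,dc=com
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: secret
olcAccess: to attrs=userPassword
  by self write by * auth
"""
SAMPLE_DATA = """dn: cn=admin,dc=example,dc=com
"""

def parse_ldif(text):
    """Minimal LDIF reader: unfolds lines, decodes 'attr:: base64' values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation, appended verbatim
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:
        if not line:                      # blank line terminates an entry
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, val = line.partition(":")
        if val.startswith(":"):           # 'attr:: <base64>'
            val = base64.b64decode(val[1:].strip()).decode()
        cur.setdefault(attr, []).append(val.strip())
    return entries

def audit(config_ldif, data_ldif):
    """Flag the settings discussed above; DN match is a plain lower-case compare."""
    data_dns = {e["dn"][0].lower() for e in parse_ldif(data_ldif)}
    findings = []
    for e in parse_ldif(config_ldif):
        dn = e["dn"][0]
        if any(v.lower() == "never" for v in e.get("olcTLSVerifyClient", [])):
            findings.append(f"{dn}: olcTLSVerifyClient never (client certs not checked)")
        for root in e.get("olcRootDN", []):
            if root.lower() in data_dns:
                findings.append(f"{dn}: duplicate administrator {root} (bypasses ACLs/ppolicy)")
        if any(not pw.startswith("{") for pw in e.get("olcRootPW", [])):
            findings.append(f"{dn}: olcRootPW stored in cleartext")
    return findings
```

Feed it real dumps with `slapcat -n 0` (config) and `slapcat -n 1` (data); a hashed olcRootPW such as {SSHA} is not reported as cleartext.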