Directory Server EE 6.0 TLS setup

Hello:

I don't know if this has been answered before; I could not find it if it was. I am a complete newbie to LDAP. I am looking for some rather complete, rather verbose instructions to get the DS 6 and client communicating using TLS. A little more on my system setup is below:

I have installed DS 6 on Red Hat Enterprise Linux (kernel 2.6.9-34...I think). The server is using port 589 for non-secure communication and port 836 for secure communication (OpenLDAP which was installed with the OS is using the default LDAP ports). I have the following data loaded in the directory (this is just dummy data, I just needed to create something to seed the directory):

dn: dc=bns-example, dc=com
dc: bns-example
description: Organization Root
objectClass: dcObject
objectClass: top
objectClass: organization
o: BNS

dn: ou=Staff, dc=bns-example, dc=com
ou: Staff
description: These are privileged users that can interact with Organization products
objectClass: top
objectClass: organizationalUnit

dn: ou=Accounts, dc=bns-example, dc=com
ou: Accounts
objectClass: top
objectClass: organizationalUnit

dn: ou=AcctInfo, dc=bns-example, dc=com
ou: AcctInfo
objectClass: top
objectClass: organizationalUnit

dn: uid=admin, ou=Staff, dc=bns-example, dc=com
uid: admin
cn: LDAP Administrator
sn: admin
userPassword: testpw1
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson

dn: uid=jfisher,ou=Accounts,dc=bns-example,dc=com
objectClass: top
objectClass: account
uid: jfisher
host: 192.168.11.104
ou: PreferredUser
seeAlso: cn=Jason Fisher,ou=AcctInfo,dc=bns-example,dc=com

dn: uid=asachs,ou=Accounts,dc=bns-example,dc=com
objectClass: top
objectClass: account
uid: asachs
host: 10.20.200.1
ou: BasicUser
seeAlso: cn=Andy Sachs,ou=AcctInfo,dc=bns-example,dc=com

dn: uid=tberg,ou=Accounts,dc=bns-example,dc=com
objectClass: top
objectClass: account
uid: tberg
host: 192.129.40.1
ou: BasicUser
seeAlso: cn=Tim Berg,ou=AcctInfo,dc=bns-example,dc=com

dn: cn=Jason Fisher,ou=AcctInfo,dc=bns-example,dc=com
objectClass: top
objectClass: person
cn: Jason Fisher
sn: Fisher
telephoneNumber: 508-555-1234

dn: cn=Andy Sachs,ou=AcctInfo,dc=bns-example,dc=com
objectClass: top
objectClass: person
cn: Andy Sachs
sn: Sachs
telephoneNumber: (978) 212-0123

dn: cn=Tim Berg,ou=AcctInfo,dc=bns-example,dc=com
objectClass: top
objectClass: person
cn: Tim Berg
sn: Berg
telephoneNumber: 212.848.2098

I can access the directory using ldapsearch (the OpenLDAP tool) on port 589 using -x (simple authentication). Now I want to access the data using secure communication. I have tried adding a self-signed certificate in the server (this is completely a test system, so there will be no certificates from a trusted CA, just self-signed), then editing /etc/openldap/ldap.conf so that TLS_CACERTDIR is set to the alias dir of the DS6 instance I created. Still no luck when trying to run ldapsearch using TLS.

I can't seem to find any good tutorial or setup instructions just to get a simple setup using TLS going. Can somebody please help here with some clear and verbose instructions, since I am very new to LDAP and am still trying to understand how it all works and the terminology?

Thanks,

Jason

By jfishera at 2007-11-27 6:23:01
# 1

Directory Server EE 6.0 has TLS enabled by default and a self-signed certificate.

The certificate database and key management is based on NSS and different from OpenLDAP (which makes use of OpenSSL).

It is thus rather difficult to make use of the Linux ldaptools (ldapsearch) with the DSEE certs and vice-versa, unless you extract them with one product's tools and import with the other's tools.

Anyway, refer to the Administration Guide, Directory Server Security Chapter for example on how to do secure connections between the ldaptools and Sun DS.

Regards,

Ludovic.

ludovicpa at 2007-7-12 17:40:29
# 2

Thanks for the reply.

I had already looked through the Administration Guide, Directory Server Security chapter. It provided me almost no help. The Administration Guide does not really have a step-by-step process to get a sample server running and communicating just using TLS. It goes into all of this detail about SASL and Kerberos, and I don't want to get into/configure any of that right now. I just want to use a self-signed certificate and be able to do an ldapsearch.

I have also tried using the ldapsearch found in dsrk6/bin and have had marginal success with that. For example, if I run the following command:

/dsee_local/dsrk6/bin/ldapsearch -p 836 -Z -D "cn=Directory Manager" -w - -P /dsee_local/ds/alias/slapd-cert8.db -v -b "ou=Staff, dc=bns-example, dc=com" "(objectclass=*)"

I am asked for the Directory Manager password. I enter the password and I get the results I would expect to get (as if I had run the same search using the non-secure port). I assume that this would be an example of SSL with simple authentication.

When I try removing the '-D "cn=Directory Manager" -w -' from the above command and add '-N bns-test-cert -W -', the system prompts me for an SSL password (bns-test-cert is the name I gave the self-signed certificate when I ran dsadm add-selfsign-cert...). I did not have to provide a password when I created the self-signed certificate, so I do not know what to enter here. No matter what I enter at the prompt I get a response that says "0 matches" when I would expect to see the same response I got from the SSL with simple authentication.

Can somebody please explain what is going on and how I set up a simple test system that just uses a self-signed certificate?

Thanks,

Jason

jfishera at 2007-7-12 17:40:29
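The script below is an added example; it is not code from this thread or from Sun's documentation. It shows the route Ludovic points at: export the DSEE self-signed server certificate out of the NSS database with certutil and hand it to OpenLDAP's ldapsearch as a PEM trust anchor, since OpenLDAP is built on OpenSSL and cannot read cert8.db. The alias directory, the dsrk6 path, the nickname bns-test-cert and the ports 589/836 come from Jason's posts; the host name ldap.bns-example.com, the output file, the "slapd-" database prefix (taken from the slapd-cert8.db file name) and the assumption that Start TLS is enabled on the clear-text port are mine.

```shell
#!/bin/sh
# Added example (not from the thread): make OpenLDAP's ldapsearch trust the
# DSEE 6 self-signed server certificate. Host name, output path and the
# database prefix are assumptions; the other values come from the posts.
set -eu

ALIAS_DIR="${ALIAS_DIR:-/dsee_local/ds/alias}"   # DSEE 6 NSS database directory
DB_PREFIX="slapd-"                                 # slapd-cert8.db / slapd-key3.db (assumed prefix)
CERT_NICK="${CERT_NICK:-bns-test-cert}"            # nickname given to dsadm add-selfsign-cert
LDAP_HOST="${LDAP_HOST:-ldap.bns-example.com}"     # assumed; must match the CN in the server cert
LDAPS_PORT="${LDAPS_PORT:-836}"
LDAP_PORT="${LDAP_PORT:-589}"
BASE_DN="ou=Staff, dc=bns-example, dc=com"
CA_PEM="${CA_PEM:-$HOME/dsee-server-cert.pem}"      # assumed output path

# Sanity check: the exported file must hold exactly one PEM certificate block.
check_pem() {
    f="$1"
    [ -s "$f" ] || return 1
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$f" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$f" || true)
    [ "$begins" -eq 1 ] && [ "$ends" -eq 1 ]
}

# 1. Export the server certificate from the NSS database as PEM (-a = ASCII/PEM).
#    OpenLDAP cannot read cert8.db, so pointing TLS_CACERTDIR at the alias
#    directory does nothing; it expects an OpenSSL-style hashed directory.
export_server_cert() {
    certutil -L -d "$ALIAS_DIR" -P "$DB_PREFIX" -n "$CERT_NICK" -a > "$CA_PEM"
    check_pem "$CA_PEM"
}

# 2. Query over LDAPS with OpenLDAP's ldapsearch, verifying the server cert
#    against the exported PEM. The LDAPTLS_* variables override ldap.conf;
#    -x is a simple (here anonymous) bind, add -D/-w for Directory Manager.
ldaps_search() {
    LDAPTLS_CACERT="$CA_PEM" LDAPTLS_REQCERT=demand \
        ldapsearch -H "ldaps://$LDAP_HOST:$LDAPS_PORT" -x -b "$BASE_DN" "(objectclass=*)"
}

# Alternative: Start TLS on the clear-text port. -ZZ makes TLS mandatory, so
# the search fails instead of silently falling back to plain text.
starttls_search() {
    LDAPTLS_CACERT="$CA_PEM" LDAPTLS_REQCERT=demand \
        ldapsearch -H "ldap://$LDAP_HOST:$LDAP_PORT" -ZZ -x -b "$BASE_DN" "(objectclass=*)"
}

# 3. With the dsrk6 ldapsearch, -P names the NSS cert database to trust, while
#    -N/-W name a *client* certificate and the key-database password: those are
#    for certificate-based client authentication, not for trusting the server.
#    TLS plus a simple bind needs only -Z and -P, as in the post.
dsrk_search() {
    /dsee_local/dsrk6/bin/ldapsearch -h "$LDAP_HOST" -p "$LDAPS_PORT" -Z \
        -P "$ALIAS_DIR/slapd-cert8.db" -D "cn=Directory Manager" -w - \
        -b "$BASE_DN" "(objectclass=*)"
}

# Only contact a server when explicitly asked, so the file can be sourced offline.
if [ "${RUN_DSEE_TLS_DEMO:-0}" = "1" ]; then
    export_server_cert
    ldaps_search
fi
```

Run it with RUN_DSEE_TLS_DEMO=1 on a host that has both certutil and the OpenLDAP tools. Two things trip people up here: OpenLDAP verifies that the host name in the -H URL matches the subject of the server certificate, so connecting to localhost or an IP address fails unless the self-signed certificate was issued for that name; and TLS_CACERTDIR in ldap.conf only works with a directory of OpenSSL hash-named PEM files (c_rehash), never with an NSS database. The "SSL password" prompt from the dsrk6 tool is the password of the NSS key database that a client certificate would live in, which is why it has nothing to do with the password-less self-signed server certificate.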