<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<br>
On 26/08/2011 07:28, <a class="moz-txt-link-abbreviated" href="mailto:patrick.gaikowski@kaufland.com">patrick.gaikowski@kaufland.com</a> wrote:
<blockquote
cite="mid:OF238A4F99.D1F6B53C-ONC12578F8.0021F247-C12578F8.00239261@de.int.kaufland"
type="cite">
<p><font face="sans-serif" size="2">Hi,</font><br>
<br>
<font face="sans-serif" size="2">I want to change authentication
from plain ldap to ldaps. I made the following changes but it
didn't work:</font><br>
<br>
<font face="sans-serif" size="2">1.) change in preferences.php
to</font><font color="#FF0000" face="sans-serif" size="2">
'authLDAPUseSSL' => true</font><br>
</p>
</blockquote>
Correct.<br>
<blockquote
cite="mid:OF238A4F99.D1F6B53C-ONC12578F8.0021F247-C12578F8.00239261@de.int.kaufland"
type="cite">
<p>
<font face="sans-serif" size="2">2.) change in </font><font
color="#FF0000" face="sans-serif" size="2">/opt/zendto/lib/NSSLDAPAuthenticator.php</font><font
face="sans-serif" size="2"> </font><br>
<br>
<font face="sans-serif" size="2">enable </font><font
color="#FF0000" face="sans-serif" size="2">
//if($this-&gt;_ldapUseSSL){$ldapServer="ldaps://".$ldapServer;}</font><font
face="sans-serif" size="2"> in function validUsername</font><br>
<font face="sans-serif" size="2">enable </font><font
color="#FF0000" face="sans-serif" size="2">
//if($this-&gt;_ldapUseSSL){$ldapServer="ldaps://".$ldapServer;}</font><font
face="sans-serif" size="2"> in function authenticate</font><br>
</p>
</blockquote>
Why? You can just set the LDAP server address to<br>
ldaps://&lt;ip-address-or-hostname&gt;<br>
instead of just the &lt;ip-address-or-hostname&gt;.<br>
<blockquote
cite="mid:OF238A4F99.D1F6B53C-ONC12578F8.0021F247-C12578F8.00239261@de.int.kaufland"
type="cite">
<p>
<br>
<font face="sans-serif" size="2">3.) add entry to</font><font
color="#FF0000" face="sans-serif" size="2"> /etc/ldap.conf
--> TLS_REQCERT never</font><br>
<br>
<font face="sans-serif" size="2">I need this for testing because
in tcpdump I saw the TLS error "unknown CA"</font><br>
</p>
</blockquote>
Aren't there some options in ldap.conf (it seems to be general
opinion that you should be editing /etc/openldap/ldap.conf and not
/etc/ldap.conf, or else try editing both) that set how much of the
certificate it actually checks? I think you can tell it not to
bother verifying the cert with the CA chain, which sounds like what
you need to do.<br>
<blockquote
cite="mid:OF238A4F99.D1F6B53C-ONC12578F8.0021F247-C12578F8.00239261@de.int.kaufland"
type="cite">
<p>
<br>
<font face="sans-serif" size="2">By the way, we have two
ldap.conf files in the zendto-vm (/etc/ldap.conf and
/etc/openldap/ldap.conf); which one is the right one?</font><br>
</p>
</blockquote>
A 5-second Google search produced this:<br>
<a class="moz-txt-link-freetext" href="http://www.linuxquestions.org/questions/linux-server-73/difference-between-etc-ldap-conf-vs-etc-ldap-ldap-conf-819552/">http://www.linuxquestions.org/questions/linux-server-73/difference-between-etc-ldap-conf-vs-etc-ldap-ldap-conf-819552/</a><br>
<blockquote
cite="mid:OF238A4F99.D1F6B53C-ONC12578F8.0021F247-C12578F8.00239261@de.int.kaufland"
type="cite">
<p>
<br>
<font face="sans-serif" size="2">For debugging I installed
openldap-client so that I can do an ldapsearch</font><br>
<br>
<font face="sans-serif" size="2"> ldapsearch -b o=kl -H
<a class="moz-txt-link-freetext" href="ldaps://4.26.1.118">ldaps://4.26.1.118</a> -x "cn=pgai1507" -d1 -Z was working
perfectly.</font><br>
<br>
<font face="sans-serif" size="2">ldap_create</font><br>
<font face="sans-serif" size="2">ldap_url_parse_ext(<a class="moz-txt-link-freetext" href="ldaps://4.26.1.118">ldaps://4.26.1.118</a>)</font><br>
<font face="sans-serif" size="2">ldap_extended_operation_s</font><br>
<font face="sans-serif" size="2">ldap_extended_operation</font><br>
<font face="sans-serif" size="2">ldap_send_initial_request</font><br>
<font face="sans-serif" size="2">ldap_new_connection 1 1 0</font><br>
<font face="sans-serif" size="2">ldap_int_open_connection</font><br>
<font face="sans-serif" size="2">ldap_connect_to_host: TCP
4.26.1.118:636</font><br>
<font face="sans-serif" size="2">ldap_new_socket: 3</font><br>
<font face="sans-serif" size="2">ldap_prepare_socket: 3</font><br>
<font face="sans-serif" size="2">ldap_connect_to_host: Trying
4.26.1.118:636</font><br>
<font face="sans-serif" size="2">ldap_connect_timeout: fd: 3 tm:
-1 async: 0</font><br>
<font face="sans-serif" size="2">TLS trace:
SSL_connect:before/connect initialization</font><br>
<font face="sans-serif" size="2">TLS trace: SSL_connect:SSLv2/v3
write client hello A</font><br>
<font face="sans-serif" size="2">TLS trace: SSL_connect:SSLv3
read server hello A</font><br>
<font face="sans-serif" size="2">TLS certificate verification:
depth: 1, err: 0, subject: /O=KLMETA/OU=Organizational CA,
issuer: /O=KLMETA/OU=Organizational CA</font><br>
<font face="sans-serif" size="2">TLS certificate verification:
depth: 0, err: 0, subject:
/O=KLMETA/CN=dedcoesmdir26.de.int.kaufland, issuer:
/O=KLMETA/OU=Organizational CA</font><br>
<font face="sans-serif" size="2">TLS trace: SSL_connect:SSLv3
read server certificate A</font><br>
<font face="sans-serif" size="2">TLS trace: SSL_connect:SSLv3
read server done A</font><br>
<font face="sans-serif" size="2">TLS trace: SSL_connect:SSLv3
write client key exchange A</font><br>
<font face="sans-serif" size="2">TLS trace: SSL_connect:SSLv3
write change cipher spec A</font><br>
<font face="sans-serif" size="2">TLS trace: SSL_connect:SSLv3
write finished A</font><br>
<font face="sans-serif" size="2">TLS trace: SSL_connect:SSLv3
flush data</font><br>
<font face="sans-serif" size="2">TLS trace: SSL_connect:SSLv3
read finished A</font><br>
<font face="sans-serif" size="2">ldap_open_defconn: successful</font><br>
</p>
</blockquote>
That looks like you are using a self-signed cert, in which case the
CA chain tests will most definitely fail and you need to switch them
off.<br>
<blockquote
cite="mid:OF238A4F99.D1F6B53C-ONC12578F8.0021F247-C12578F8.00239261@de.int.kaufland"
type="cite">
<p>
<br>
<br>
<font face="sans-serif" size="2">Do you have any idea where the
problem is? </font><br>
<br>
<font face="sans-serif" size="2">Best regards<br>
<br>
Patrick Gaikowski<br>
Tel: +49 7132 94 3568<br>
Fax: +49 7132 94 73568<br>
E-Mail: <a class="moz-txt-link-abbreviated" href="mailto:patrick.gaikowski@kaufland.com">patrick.gaikowski@kaufland.com</a><br>
KI 967850: IT International / IT Governance / Network Design
and IT Security<br>
Office:<br>
Lindichstrasse 11<br>
D-74189 Weinsberg</font><br>
<br>
<br>
<font face="sans-serif" size="2"><a moz-do-not-send="true"
href="http://www.kaufland.de">http://www.kaufland.de</a> </font><br>
<font face="sans-serif" size="2"><a moz-do-not-send="true"
href="http://www.spannende-it.de">http://www.spannende-it.de</a></font><br>
<font face="sans-serif" size="2">We are No. 1:</font><br>
<font face="sans-serif" size="2">Kaufland is "Best
Supermarket 2011"!</font><br>
<br>
<font face="sans-serif" size="2">Kaufland Informationssysteme
GmbH &amp; Co. KG</font><br>
<font face="sans-serif" size="2">P.O. Box 12 53 - 74149
Neckarsulm<br>
Limited partnership<br>
Registered office: Neckarsulm<br>
Register court: Stuttgart Local Court, HRA 104163</font><br>
</p>
<pre wrap="">_______________________________________________
ZendTo mailing list
<a class="moz-txt-link-abbreviated" href="mailto:ZendTo@zend.to">ZendTo@zend.to</a>
<a class="moz-txt-link-freetext" href="http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto">http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto</a></pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">Jules
--
Julian Field MEng CITP CEng
<a class="moz-txt-link-abbreviated" href="http://www.Zend.To">www.Zend.To</a>
Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
'It's okay to live without all the answers' - Charlie Eppes, 2011
'All programs have a desire to be useful' - Tron, 1982
'That is the land of lost content,
I see it shining plain,
The happy highways where I went,
And cannot come again.' - A.E. Housman
</pre>
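An added example, not ZendTo's code and not from either message above: the ldaps:// bind done with the server certificate verified against the organisation's own CA (the "Organizational CA" that issued the server certificate in the ldapsearch trace) rather than with verification switched off via "TLS_REQCERT never". It assumes PHP 7.1 or later; the hostname, bind DN and CA file path are placeholders.

```php
<?php
// Added example, not ZendTo's code: bind over ldaps:// with the server
// certificate checked against the organisation's own CA, instead of
// disabling verification with "TLS_REQCERT never". Assumes PHP >= 7.1.

function ldapsBind(string $host, string $bindDn, string $password, string $caFile): array
{
    // An empty password turns ldap_bind() into an anonymous bind that "succeeds".
    if ($password === '') {
        return [false, 'refusing to bind with an empty password'];
    }
    if (!is_readable($caFile)) {
        return [false, "CA file not readable: $caFile"];
    }
    // TLS options are global in libldap, so set them before ldap_connect().
    // They are the equivalent of these /etc/openldap/ldap.conf lines:
    //   TLS_CACERT  /etc/openldap/certs/org-ca.pem
    //   TLS_REQCERT demand
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    // The URL scheme selects TLS; "demand" also checks that $host matches the
    // certificate's CN/SAN, so connect by that name rather than by IP address.
    $ds = ldap_connect("ldaps://$host:636");
    if ($ds === false) {
        return [false, 'ldap_connect() rejected the URL'];
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // The handshake happens on the first operation: an issuer missing from
    // $caFile fails the bind with "Can't contact LDAP server", and the
    // diagnostic message (where libldap provides one) names the verify error.
    if (@ldap_bind($ds, $bindDn, $password)) {
        ldap_unbind($ds);
        return [true, 'bound; server certificate verified'];
    }
    $detail = '';
    ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $detail);
    return [false, ldap_error($ds) . (empty($detail) ? '' : " ($detail)")];
}

// Placeholder host, DN and CA path; only the "o=kl" base comes from the thread.
[$ok, $msg] = ldapsBind('ldap.example.internal', 'cn=pgai1507,o=kl',
                        getenv('LDAP_PASSWORD') ?: '', '/etc/openldap/certs/org-ca.pem');
echo ($ok ? 'OK: ' : 'FAILED: ') . $msg . PHP_EOL;
```

The CA file is the PEM export of the self-signed "O=KLMETA/OU=Organizational CA" root shown at depth 1 in the trace; once it is trusted, the "unknown CA" alert disappears without weakening TLS_REQCERT.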
</body>
</html>