Koozali.org: home of the SME Server

Complete LDAP Authentication (again)

janet
Complete LDAP Authentication (again)
« on: September 15, 2010, 02:35:20 AM »
This post by Daniel Berteaud on the devinfo mailing list may interest users.
As Daniel says, it is still a "work in progress" and should only be deployed on test servers.

Hi everyone.

We (at Firewall Services) have recently worked on LDAP authentication
for SME 8.X (I'm talking about full LDAP authentication, where users are
directly managed in the LDAP database)

Most of this work was to re-use e-smith-base+ldap and e-smith-samba+ldap
changes, and push them in the current (CVS) version of e-smith-base,
e-smith-ldap and e-smith-samba.

A lot of fixes, and various enhancements have been made, most notably,
an ldap.init service has been added.

You can have more information on our wiki:
https://wikit.firewall-services.com/doku.php?id=full_ldap_testing

Here, you'll find information about all the changes needed in each
package, and some explanation of each change. Everything is available as
patches, and you'll find instructions on how to install pre-compiled rpms
if you want to try this (see
https://wikit.firewall-services.com/doku.php?id=full_ldap_testing#downloads)

We've made this page so everyone can have a look on the project (I know
that contribs wiki would have been better, but I really prefer dokuwiki
over mediawiki ;)).

I know we'll have to open different bugs on bugzilla for all this stuff,
but with this kind of changes (which require a lot of modifications in
various places), I find it hard to work only with the bugtracker. This
page lets everyone see the project as a whole.

If we get some feedback from the community (positive, or negative, but
of course, we prefer positive ones :D), and if it seems this project is
taking the good direction, we'll open bugs to track individual issues,
and discuss about more technical details of each required change.

Please, if you're interested in this, take a look at this page, and try
the modified rpms (on a test server of course, this is still work in
progress).

Regards, Daniel, on behalf of Firewall Services

--
Daniel Berteaud
Web : http://www.firewall-services.com
_______________________________________________
Server Development Discussion
Searchable archive at http://lists.contribs.org/mailman/public/devinfo/
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

jester
Re: Complete LDAP Authentication (again)
« Reply #1 on: September 15, 2010, 04:35:26 PM »
I really applaud this effort 'cause I think this would be a great step forward for SME Server. So a REALLY BIG THANKS to Firewall Services/Daniel for this excellent effort! I hope this functionality will be included in a next release of SME.

Thanks Mary for posting.

Stefano
Re: Complete LDAP Authentication (again)
« Reply #2 on: September 15, 2010, 04:39:09 PM »
I think it's time to finish tests with 8b6 and then, after the release of SME8, start tests with LDAP auth for SME8.1.

janet
Re: Complete LDAP Authentication (again)
« Reply #3 on: September 15, 2010, 05:21:07 PM »
jester

Quote
I hope this functionality will be included in a next release of SME.

To add to what Stefano said, IIRC the SME8.0 final release (when released) will be a straight OS without LDAP auth; the dev team/contributors are looking at getting SME8.0 released as a replacement for SME7.x and will then concentrate on adding LDAP auth to a later SME8.1 release.

byte
Re: Complete LDAP Authentication (again)
« Reply #4 on: September 16, 2010, 02:33:18 PM »
Quote
To add to what Stefano said, IIRC the SME8.0 final release (when released) will be a straight OS without LDAP auth; the dev team/contributors are looking at getting SME8.0 released as a replacement for SME7.x and will then concentrate on adding LDAP auth to a later SME8.1 release.

That's exactly right, Mary.
--[byte]--

Have you filled in a Bug Report over @ http://bugs.contribs.org ? Please don't wait to be told this way you help us to help you/others - Thanks!

jester
Re: Complete LDAP Authentication (again)
« Reply #5 on: September 16, 2010, 04:27:21 PM »
Basic LDAP authentication is already there in SME8 (see Bug#5720). Firewall Services'/Daniel's work goes much further. Great to hear the dev team is on the same track!!

wellsi
Re: Complete LDAP Authentication (again)
« Reply #6 on: November 13, 2010, 07:53:58 PM »
For those interested in this, please help out with the verification; there are a very large number of LDAP bugs just waiting for verification in SME 8. Please look here:
............

fpausp
Re: Complete LDAP Authentication (again)
« Reply #7 on: December 26, 2010, 08:24:09 PM »
Hi all,

I would like to use TLS for LDAP authentication and authorisation for KnowledgeTree. Is TLS supported in "How to test full LDAP authentication support on SME Server 8", located at https://wikit.firewall-services.com/doku.php?id=full_ldap_testing#downloads ?

KnowledgeTree gives me this error:
Net_LDAP_Error: TLS not started. Error:Connect error


Viribus unitis

Daniel B.
Re: Complete LDAP Authentication (again)
« Reply #8 on: December 29, 2010, 05:18:11 PM »
TLS is supported, and required (TLS or SSL) to authenticate against LDAP (except from localhost). These kinds of errors usually come from a failed certificate verification, and the solution depends on the application. But usually, you can follow these steps:

Copy your certificate (/home/e-smith/ssl.crt/<hostname>.<domainname>.crt) into /etc/pki/tls/certs
Install openssl-perl:
Code:
yum install openssl-perl
Create hash symlinks like this:
Code:
c_rehash /etc/pki/tls/certs
C'est la fin du monde !!! :lol:

fpausp
Re: Complete LDAP Authentication (again)
« Reply #9 on: December 29, 2010, 07:51:14 PM »
Hi VIP-ire,

Thanks for your answer. I followed your steps:
Code:
[root@sme8 certs]# pwd
/etc/pki/tls/certs
[root@sme8 certs]# ls -alih
insgesamt 464K
2294034 drwxr-xr-x 2 root root 4,0K 29. Dez 19:19 .
2294032 drwxr-xr-x 5 root root 4,0K 24. Dez 08:54 ..
2302670 lrwxrwxrwx 1 root root    9 29. Dez 19:19 72d31154.0 -> slapd.pem
2294035 -rw-r--r-- 1 root root 431K 15. Dez 16:31 ca-bundle.crt
2296108 -rw------- 1 root root 1,5K 24. Dez 08:29 localhost.crt
2294036 -rwxr-xr-x 1 root root  610 15. Dez 16:30 make-dummy-cert
2294033 -rw-r--r-- 1 root root 2,2K 15. Dez 16:30 Makefile
2294365 -rw-r----- 1 root ldap 2,4K 24. Dez 08:28 slapd.pem
2302669 -rw-r--r-- 1 root root 1,6K 29. Dez 19:19 sme8.test.lan.crt
but I still can't connect.

After a reboot the error looks like:
Code:
Net_LDAP_Error: TLS not started. Error:Can't contact LDAP server

KnowledgeTree configuration:
Code:
Server-Name: localhost
Server-Port: 636
Use Transaction Layer Security (TLS): activ
Base DN: ou=Users,dc=test,dc=lan
Search User: uid=admin,ou=Users,dc=test,dc=lan
Search Password: sme-admin-password
Search Attributes: cn mail sAMAccountName
Object Classes: user inetOrgPerson posixAccount

Service is running:
Code:
[root@sme8 certs]# netstat -tupan | grep 636
tcp        0      0 0.0.0.0:636                 0.0.0.0:*                   LISTEN      2498/slapd


OpenSSL gives me:
Code:
[root@sme8 certs]# openssl s_client -connect localhost:636
CONNECTED(00000003)
depth=0 /C=--/ST=----/L=Ottawa/O=XYZ Corporation/OU=Main/CN=sme8.test.lan/emailAddress=admin@test.lan
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=--/ST=----/L=Ottawa/O=XYZ Corporation/OU=Main/CN=sme8.test.lan/emailAddress=admin@test.lan
verify return:1
---
Certificate chain
 0 s:/C=--/ST=----/L=Ottawa/O=XYZ Corporation/OU=Main/CN=sme8.test.lan/emailAddress=admin@test.lan
   i:/C=--/ST=----/L=Ottawa/O=XYZ Corporation/OU=Main/CN=sme8.test.lan/emailAddress=admin@test.lan
---
Server certificate
subject=/C=--/ST=----/L=Ottawa/O=XYZ Corporation/OU=Main/CN=sme8.test.lan/emailAddress=admin@test.lan
issuer=/C=--/ST=----/L=Ottawa/O=XYZ Corporation/OU=Main/CN=sme8.test.lan/emailAddress=admin@test.lan
---
No client certificate CA names sent
---
SSL handshake has read 1336 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 8DF19FFB129E954E793073AD4B69BAE280B0D13728C4533C3E03E8A5A7712406
    Session-ID-ctx:
    Master-Key: 7A179C0E60E354DDF765F81E2087306C48F51A2936EC86CAD6CB46C0EB16FB82B261F6F122DDBA5F799399A97ED93980
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1293648448
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

Daniel B.
Re: Complete LDAP Authentication (again)
« Reply #10 on: December 29, 2010, 08:01:54 PM »
SSL is not TLS. If you want SSL, then set TLS to off and use port 636. If you want TLS, set TLS to on and use the standard port 389.
For your certificate in /etc/pki/tls/certs/, you have to be sure the file only contains the public part (not the concatenation of the certificate and the private key), and set its permissions to be world readable (644). Also, I forgot to say that files here need to end with .pem, so you probably want to rename sme8.test.lan.crt to sme8.test.lan.pem and re-run c_rehash on the directory.

Anyway, it looks like you're configuring KnowledgeTree on the same server. It really makes no sense to enable TLS or SSL in this case, as it just makes the setup harder and consumes resources uselessly, without providing any additional security. SSL/TLS is only needed for remote access to the LDAP server.

Regards, Daniel

fpausp
Re: Complete LDAP Authentication (again)
« Reply #11 on: December 29, 2010, 08:18:26 PM »
Please take a look:

Code:
[root@sme8 certs]# ls -alih
insgesamt 464K
2294034 drwxr-xr-x 2 root root 4,0K 29. Dez 20:10 .
2294032 drwxr-xr-x 5 root root 4,0K 24. Dez 08:54 ..
2294514 lrwxrwxrwx 1 root root    9 29. Dez 20:10 72d31154.0 -> slapd.pem
2294035 -rw-r--r-- 1 root root 431K 15. Dez 16:31 ca-bundle.crt
2302019 lrwxrwxrwx 1 root root   17 29. Dez 20:10 ef323bd4.0 -> sme8.test.lan.pem
2296108 -rw-r--r-- 1 root root 1,5K 24. Dez 08:29 localhost.crt
2294036 -rw-r--r-- 1 root root  610 15. Dez 16:30 make-dummy-cert
2294033 -rw-r--r-- 1 root root 2,2K 15. Dez 16:30 Makefile
2294365 -rw-r--r-- 1 root ldap 2,4K 24. Dez 08:28 slapd.pem
2302669 -rw-r--r-- 1 root root 1,6K 29. Dez 19:19 sme8.test.lan.pem
[root@sme8 certs]# cat 72d31154.0
-----BEGIN RSA PRIVATE KEY-----
XXX
-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
[root@sme8 certs]# cat ef323bd4.0
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----

The private key part came from slapd.pem. Should/must I edit them?
« Last Edit: December 29, 2010, 08:49:07 PM by fpausp »

Daniel B.
Re: Complete LDAP Authentication (again)
« Reply #12 on: December 29, 2010, 08:24:58 PM »
Please, for the security of your own server, edit your previous post and remove your private key. As the name suggests, the private key must be kept... secret :lol:

You should remove the file slapd.pem, as it's the same certificate as sme8.test.lan.pem, but with the private key concatenated.

Also, you have not answered: why do you want to use TLS or SSL to connect to localhost? If you really want to, you also have to change the LDAP server hostname in KnowledgeTree from localhost to sme8.test.lan (the name used to connect to the server must match the common name in the certificate).

I think you should open another thread for your questions, as they are more about general TLS questions and KnowledgeTree configuration than LDAP authentication.
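The rules given in replies #8, #10 and #12 (public certificate only, no concatenated private key, mode 644, a .pem suffix before c_rehash) are easy to get wrong by hand, so here is an added check script. It is not code from the thread or from the SME/Firewall Services packages; the file names sme8.test.lan.pem and slapd.pem are taken from the listing above, and the PEM bodies are constructed placeholders, not real key or certificate material.

```shell
#!/bin/sh
# Added example: check that a certificate file placed in /etc/pki/tls/certs
# (or any directory you then c_rehash) follows the rules from the thread:
# .pem suffix, world-readable 644, public certificate only (no private key
# concatenated, the slapd.pem mistake) and exactly one certificate block.
# Prints each violated rule; returns 0 when the file passes, 1 otherwise.

check_ca_cert_file() {
    f=$1
    rc=0
    case "$f" in
        *.pem) ;;
        *) echo "$f: should end in .pem so c_rehash picks it up"; rc=1 ;;
    esac
    # ls -l instead of stat, so this works on both GNU and BSD userlands
    perm=$(ls -l "$f" | cut -c1-10)
    [ "$perm" = "-rw-r--r--" ] || { echo "$f: mode is $perm, expected -rw-r--r-- (644)"; rc=1; }
    if grep -q 'PRIVATE KEY' "$f"; then
        echo "$f: contains a private key; keep only the public certificate here"
        rc=1
    fi
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    [ "$n" -eq 1 ] || { echo "$f: expected exactly one certificate block, found $n"; rc=1; }
    return $rc
}

# Build a scratch directory with two constructed files mirroring the thread:
# a clean public certificate and a slapd-style key+certificate bundle.
# The PEM bodies are placeholders. Prints the directory path.
make_sample_certs() {
    d=$(mktemp -d)
    cat > "$d/sme8.test.lan.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIC...constructed placeholder, not a real certificate...
-----END CERTIFICATE-----
EOF
    chmod 644 "$d/sme8.test.lan.pem"
    cat > "$d/slapd.pem" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
MIIE...constructed placeholder, not a real key...
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIC...constructed placeholder, not a real certificate...
-----END CERTIFICATE-----
EOF
    chmod 640 "$d/slapd.pem"
    echo "$d"
}
```

The script does not check the hostname rule from reply #12; after it passes, confirm with `openssl x509 -noout -subject -in /etc/pki/tls/certs/sme8.test.lan.pem` that the CN matches the name the client uses to connect.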

fpausp
Re: Complete LDAP Authentication (again)
« Reply #13 on: December 29, 2010, 08:54:49 PM »
Quote
Please, for the security of your own server, edit your previous post and remove your private key. As the name suggests, the private key must be kept... secret :lol:
That's just a virtual test box, but thanks anyhow.

Quote
You should remove the file slapd.pem, as it's the same certificate as sme8.test.lan.pem, but with the private key concatenated.
OK.

Quote
Also, you have not answered: why do you want to use TLS or SSL to connect to localhost?
That's just for the test. I'd like to use more than one server.

Quote
I think you should open another thread for your questions, as they are more about general TLS questions and KnowledgeTree configuration than LDAP authentication.
OK.

sradrian
Re: Complete LDAP Authentication (again)
« Reply #14 on: January 06, 2011, 01:23:08 PM »
Does anyone know what would happen if someone could create a server that out of the box (so to speak) could run the general server functionality that SME and other SMBS already can do, but included a dynamic, easily configurable security management interface to a tool like LDAP, and combined that with a groupware product like, say, eGroupware (which includes the ability to manage documents)? Fully configured, running and functional after a basic install? (All of which I would metaphorically kill for.)

A baseline enterprise information management platform. The Killer App for businesses today...

I have little capability or skill in using Linux and its tools, having used Mandriva for several years and its extensive GUIs to do everything but a few basic installs for things such as graphics drivers. I have no interest in using or learning the infinite intricacies of the command line; that went out of fashion for end users when Windows 95 came out. Hence I have not been able to find or create a server with my desired functionality.

However?

If SME included LDAP and eGroupware as a baseline install I would be thrilled. Is anyone working on this?

erroneus
Re: Complete LDAP Authentication (again)
« Reply #15 on: January 06, 2011, 10:47:25 PM »
Well, as I am sure you know and can see from other threads here, there are contribs and howto guides on how to add things to SME7, which most often also work just fine on SME8.

eGroupware is just such a contrib. Also, there has been discussion of, and success in, getting KnowledgeTree installed and working on SME8 (see another thread in this forum).

I get what you are saying, that "all of this in one box would be awesome", but the moment you start adding too much beyond basic and common functionality, you run into an escalation situation where SME Server stops being what it is: easy to install, easy to manage and easy to recover. As it stands, SME has this amazing ability to "Install Fresh" + "Restore from Backup" = "Back online and working." If you start adding options during the installation process, this functionality is immediately broken, as the next time a fresh install occurs, an option may be changed or forgotten that completely breaks the ability to restore from backup. So one must be VERY careful and aware about what things are changed and added that make an SME server no longer a "stock" SME server.

So, while SME8 will probably never see the addition of larger, specific additions such as eGroupware, all hope of this awesome dream becoming reality is not lost.

If you were to go through the process of getting your specific set of contribs and changes packaged into a one-step installation that works against a stock SME8 install, then you would have something that could even be rolled into an "SME8 spin." (I know... I know... "SME8 spin" is probably an upsetting prospect to SME8 devs, as it would render SME8 less supportable, but then again, every time someone adds a contrib or a customization this happens too.)

In any case, if I were you and seeking to have this done, I would seek to have a single large contrib that sets up everything from a single, comprehensive package that requires a clean SME8 installation and then offers the "restore from backup?" option to clean it all up. So what you would end up with is two steps instead of one. It would still be neat and clean while also allowing the SME8 team to issue critical updates to the installer if they are needed.

P.S. Don't dis the command line. I still live and breathe by the command line, and I am quite certain the developers of SME8 do as well. I understand your wanting to point and click at everything, but to get to that point, people had to write code to make it happen. That code is what underlies the CLI (command line interface), and the CLI is what supports the creation of all of this. And in most cases, the CLI also supports the creation of contribs and all that. So if you would like to see your dream become reality, it's time to roll up your sleeves and type a few command lines. When you are done, you may end up with something that doesn't need any, or perhaps only one, command line entry to make it all work. But remember, as much as we would like the world to be point and click, that is for "end users only." Cars don't build themselves and software doesn't write itself.