I tried to figure it out on my own, but didn't get far :(((
Here are the modified slapd.conf and ldap.conf:
slapd.conf
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/corba.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/nis.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
TLSCertificateFile /usr/local/etc/openldap/ssl/user.cert
TLSCertificateKeyFile /usr/local/etc/openldap/ssl/user.key
TLSCACertificateFile /usr/local/etc/openldap/ssl/ca.cert
#TLSCACertificatePath /usr/local/etc/openldap
#TLSCipherSuite HIGH:MEDIUM:+SSLv2:+TLSv1
#TLSRandFile /dev/random
#TLSVerifyClient allow
#disallow tls_authc
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_bdb
# moduleload back_ldap
# moduleload back_ldbm
# moduleload back_passwd
# moduleload back_shell
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
loglevel -1
#######################################################################
# BDB database definitions
#######################################################################
database ldbm
suffix "dc=helper,dc=ru"
rootdn "cn=admin,dc=helper,dc=ru"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/db/openldap
# Indices to maintain
index objectClass,uid,uidNumber,gidNumber eq
index cn,name,surName,givenName eq,subinitial
access to attr=userPassword
        by self write
        by anonymous auth
        by dn="cn=admin,dc=helper,dc=ru" write
        by * read
access to *
        by dn="cn=admin,dc=helper,dc=ru" write
        by * read
ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=helper,dc=ru
URI ldap:/// ldaps:///
#ldap://ldap-master.example.com:666
TLS_CACERTDIR /usr/local/etc/openldap/ssl
TLS_CACERT /usr/local/etc/openldap/ssl/ca.cert
TLS_CERT /usr/local/etc/openldap/ssl/user.cert
TLS_KEY /usr/local/etc/openldap/ssl/user.key
#TLS_RANDFILE /dev/random
TLS_REQCERT never
ssl start_tls
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
The Squid helper is invoked like this:
auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -b "dc=helper,dc=ru" -w secret -f "(uid=%s)" -v 3 -H ldaps://127.0.0.1
I start slapd:
/usr/local/libexec/slapd -d 9 -h ldaps://localhost
and the following shows up in the log:
..........
connection_read(8): unable to get TLS client DN,error=49 id=0
..........
ber_get_next on fd failed errno=35 (Resource temporarly unavailable)
If I run ldapsearch -d 8 -ZZ, the log shows:
TLS certificate verification: Error,self signed certificate
With all these settings user authentication succeeds, but is TLS actually working?
With my modest knowledge I have gotten myself thoroughly confused :(((
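An added example, not part of the post and not OpenLDAP's own code: a small Python checker that reads slapd.conf/ldap.conf text (the strings inside are constructed to mirror the directives quoted above, and the hash in the hardened sample is a placeholder, not real slappasswd output) and reports what those settings leave open from a defender's view. `TLS_REQCERT never` makes the client accept any server certificate, which is why the `self signed certificate` verification error appears in the ldapsearch debug output yet the session still proceeds; `ssl start_tls` is a pam_ldap/nss_ldap option that libldap's ldap.conf parser ignores, so it does not force StartTLS; and the `userPassword` ACL ends in `by * read`, so under slapd's first-match evaluation any authenticated user can read other entries' password hashes (anonymous stops at `by anonymous auth`). The `rootpw` check and the ACL evaluator generalise beyond the quoted file to any `access` directive that targets `userPassword`.

```python
"""Audit OpenLDAP slapd.conf / ldap.conf text for settings that weaken TLS or
expose credentials. Added example: the configuration strings below are
constructed to mirror the directives quoted in the post, not copied files."""

# Access levels at or above 'read' reveal the attribute value.
READ_OR_MORE = {"read", "write", "manage"}


def directives(text):
    """Yield (keyword, value) pairs. A line that starts with whitespace
    continues the previous directive (that is how 'by' clauses are spread over
    several lines); blank lines and comments are skipped."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    for line in logical:
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1] if len(parts) > 1 else "")


def parse_access(value):
    """Split 'to attr=userPassword by self write by * read' into the target
    and an ordered list of (who, level) pairs; the 'stop', 'continue' and
    'break' control words are dropped."""
    if value.lower().startswith("to "):
        value = value[3:]
    chunks = [c.strip() for c in value.split(" by ")]
    clauses = []
    for clause in chunks[1:]:
        words = clause.split()
        while words and words[-1].lower() in ("stop", "continue", "break"):
            words.pop()
        if words:
            clauses.append((" ".join(words[:-1]), words[-1].lower()))
    return chunks[0], clauses


def effective_access(clauses, subject):
    """First-match ACL evaluation, as slapd does it. 'anonymous' is matched by
    the selectors 'anonymous' and '*'; an ordinary authenticated user (neither
    the entry itself nor a named dn) by 'users' and '*'. No match means 'none'."""
    selectors = {"anonymous": ("anonymous", "*"), "user": ("users", "*")}[subject]
    for who, level in clauses:
        if who.lower() in selectors:
            return level
    return "none"


def audit_slapd_conf(text):
    findings = []
    for key, value in directives(text):
        if key == "rootpw" and not value.startswith("{"):
            findings.append("rootpw is stored in cleartext; use a slappasswd(8) hash")
        elif key == "access":
            target, clauses = parse_access(value)
            if target.lower() in ("attr=userpassword", "attrs=userpassword"):
                for subject in ("anonymous", "user"):
                    level = effective_access(clauses, subject)
                    if level in READ_OR_MORE:
                        findings.append("userPassword hashes readable by %s (effective access: %s)"
                                        % (subject, level))
    return findings


def audit_ldap_conf(text):
    findings = []
    for key, value in directives(text):
        if key == "tls_reqcert" and value.lower() in ("never", "allow"):
            findings.append("TLS_REQCERT %s: the server certificate is never rejected, so the "
                            "session is encrypted but the peer is not authenticated" % value)
        elif key == "ssl":
            findings.append("'ssl %s' is a pam_ldap/nss_ldap option, not an ldap.conf(5) "
                            "directive; libldap ignores it, so it does not force StartTLS" % value)
    return findings


# Constructed sample mirroring the post's database section.
SAMPLE_SLAPD_CONF = """\
database ldbm
suffix "dc=helper,dc=ru"
rootdn "cn=admin,dc=helper,dc=ru"
rootpw secret
access to attr=userPassword
    by self write
    by anonymous auth
    by dn="cn=admin,dc=helper,dc=ru" write
    by * read
access to *
    by dn="cn=admin,dc=helper,dc=ru" write
    by * read
"""

# Constructed sample mirroring the post's client settings.
SAMPLE_LDAP_CONF = """\
BASE dc=helper,dc=ru
URI ldap:/// ldaps:///
TLS_CACERT /usr/local/etc/openldap/ssl/ca.cert
TLS_REQCERT never
ssl start_tls
"""

# Hardened variant: hashed rootpw (placeholder value) and 'by * none' on userPassword.
HARDENED_SLAPD_CONF = """\
rootpw {SSHA}PLACEHOLDER-hash-from-slappasswd
access to attr=userPassword
    by self write
    by anonymous auth
    by dn="cn=admin,dc=helper,dc=ru" write
    by * none
"""

if __name__ == "__main__":
    for name, text, audit in (("slapd.conf", SAMPLE_SLAPD_CONF, audit_slapd_conf),
                              ("ldap.conf", SAMPLE_LDAP_CONF, audit_ldap_conf),
                              ("hardened slapd.conf", HARDENED_SLAPD_CONF, audit_slapd_conf)):
        print(name, "->", audit(text) or ["no findings"])
```

Run it as a script to see the findings for the constructed samples; to check a real file, pass `open(path).read()` to the matching audit function. The ACL evaluator deliberately tests two subjects separately, because `by * read` placed after `by anonymous auth` is harmless for anonymous binds and only becomes a problem for authenticated users, which a single pattern match on the directive would not show.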