Geoffroy's questions

I'm trying to configure a LDAP server with some basic security parameters, including TLS and required authenticated binding.

I have started the server, and can access it from localhost with the command:

ldapsearch -x -b 'dc=server,dc=com' 'objectclass=*' -W -D 'cn=manager,dc=server,dc=com' -H ldaps://server.com:389

When I try the same command remotely, from my computer, I get the following error message:

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I don't know why this happens, I can ping my server and there is currently no firewall.

slapd is launched with -h ldaps://server.com:389/

DNS server is configured in a basic way on the same server, with only a A record.

Do you have any idea ?

EDIT

I've tested from another workstation, on arch-linux, and it works! On both computer I have TLS_REQCERT allow in /etc/openldap/ldap.conf, so that shouldn't be a certificate problem no?

The workstation on which the ldap query doesn't work is on Mac OS X, if that have any importance.

Some output:

Telnet:

telnet server.com 389

Trying w.x.y.z...
Connected to server.com.
Escape character is '^]'.

Iptables:

sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Netstat:

sudo netstat -lnt | grep 389

tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN     
tcp6       0      0 :::389                  :::*                    LISTEN  

I've tested without any security parameters, and I have the same result.

I'm implementing a new infrastructure which will include a kind of Microsoft's GPO using ldap, dns, dhcp and pam.

I'm creating a new schema to store the information I need, and I have a groupPolicyId attributeType which describe a 32 characters identifiers.

For this I did the following:

attributetype ( 1.3.6.1.4.1.39259.2.1.1 NAME 'groupPoliciId'
    DESC 'Group Policy Identifier'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32}
    )

Using the SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32}, I specify that I want an UTF-8 encoded string which is at most 32 characters.

I now need to set a minimum length, googled for hours and didn't find anything which may helps. Any Idea? Thanks.

I have a git-daemon accessed through ssh. All repositories are in /srv/git.

I have some other projects saved on a exfat disk, so I want to create a symbolic link from that disk to /srv/git.

For example, I have /mnt/Medias/Projects/Defi\ H.git so I simply do:

cd /srv/git
sudo ln -s /mnt/Medias/Projects/Defi\ H.git

But the file is created as root:root, 777.

To restrict access to the repositories, I want to change the posix rights of that file. If first try:

sudo chmod 755 Defi\ H.git
chmod: changing permissions of `Defi H.git': Function not implemented

I've found that this is because the link points to a folder stored on an exfat disk. In the same way, this fails:

sudo chown git:defih Defi\ H.git
chown: changing ownership of `Defi H.git': Function not implemented

So I want to create the link as the right user directly:

sudo -u git -g defih ln -s /mnt/Medias/Projects/Defi\ H.git
Sorry, user geoffroy is not allowed to execute '/bin/ln -s /mnt/Medias/Projects/Defi H.git' as git:defih on Aethelflaed.

I'm part of group wheel and sudo's configuration shows:

%wheel ALL=(ALL) ALL

I don't understand why this last command fail? Any advice?

Or am I supposed to make a copy of the file on another filesystem? /srv/git is btrfs, if this have any importance.