2:08 p.m.
Dear All,
Should we merge the TLS cert generation seciton of the FAQ into TLS.sdf?
Could you all think of some simple questions to ask when troubleshooting
an OpenLDAP "problem" as our users call it ;-)
See the the "Checklist" in the Troubleshooting section I've started.
Gavin.
--
Kind Regards,
Gavin Henry.
Managing Director.
T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry(a)suretecsystems.com
Open Source. Open Solutions(tm).
http://www.suretecsystems.com/
8:23 a.m.
----- "Gavin Henry" <ghenry(a)suretecsystems.com> wrote:
Dear All,
Should we merge the TLS cert generation seciton of the FAQ into
TLS.sdf?
Sounds good to me.
Could you all think of some simple questions to ask when
troubleshooting
an OpenLDAP "problem" as our users call it ;-)
See the the "Checklist" in the Troubleshooting section I've started.
(a) use the slaptest tool to verify configurations before starting slapd
(b) Verify that slapd is listening to the specified port(s) (389 and 636, generally)
before trying the ldapsearch
(c) Under the debugging slapd section, I'd note the following:
(i) Loglevel 256 is generally a good first loglevel to try for getting information
useful to list members on issues
(ii) Running slapd -d -1 can often track down fairly simple issues, such as missing
schema and incorrect file permissions for the slapd user to things like certs
--Quanah
1:42 p.m.
Quanah Gibson-Mount wrote:
----- "Gavin Henry" <ghenry(a)suretecsystems.com>
wrote:
> Dear All,
>
> Should we merge the TLS cert generation seciton of the FAQ into
> TLS.sdf?
Sounds good to me.
That really falls outside the purpose of the OpenLDAP Admin Guide, i.e., a
guide to administering *OpenLDAP* software. We can reference the FAQ article,
or a separately packaged HOWTO document, but IMO it does not belong in the
Guide itself. Just as we talk about how Kerberos or SASL may be used, but don't
discuss how to initialize and populate a KDC or SASL authentication DB.
At some point we'll have our own certificate-generating overlay, in which case
it will be an actual piece of OpenLDAP software, and then it will be a
legitimate topic for the Guide. I.e., I do feel that the lack of integral X.509
support is something we need to address, and that the overall topic properly
belongs under the OpenLDAP umbrella since it is a core element of the X.500
spec. We just aren't there yet.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
3:40 p.m.
<quote who="Howard Chu">
Quanah Gibson-Mount wrote:
> ----- "Gavin Henry" <ghenry(a)suretecsystems.com> wrote:
>> Dear All,
>>
>> Should we merge the TLS cert generation seciton of the FAQ into
>> TLS.sdf?
>
>
> Sounds good to me.
That really falls outside the purpose of the OpenLDAP Admin Guide, i.e., a
guide to administering *OpenLDAP* software. We can reference the FAQ
article,
or a separately packaged HOWTO document, but IMO it does not belong in the
Guide itself. Just as we talk about how Kerberos or SASL may be used, but
don't
discuss how to initialize and populate a KDC or SASL authentication DB.
This is why I asked, as I had a feeling it shouldn't, but it comes up so
many times. A link to the FAQ entry will be fine.
At some point we'll have our own certificate-generating overlay, in which
case
it will be an actual piece of OpenLDAP software, and then it will be a
legitimate topic for the Guide. I.e., I do feel that the lack of integral
X.509
support is something we need to address, and that the overall topic
properly
belongs under the OpenLDAP umbrella since it is a core element of the
X.500
spec. We just aren't there yet.
Would be very cool.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
5876
days inactive
5884
days old
3 comments
3 participants
participants (3)
-
Gavin Henry -
Howard Chu -
Quanah Gibson-Mount