That looks like OK syntax. Get ldapwhoami(1) and similar working at the command line directly. e.g.
server$ ldapwhoami -H ldaps://directory.company.com/ [...]
I suspect this will fail. (Often CA validation fails, for example.) Once you have ldap.conf such that this works, the slapd.conf syntax you mentioned should be OK. If you can get the command line to work as the same user you're running slapd as, but slapd still fails, try turning up slapd debugging.
You can also try "tls propagate" or "tls start". See slapd-meta man page for details.
On Tue, 23 Jan 2007, Stephen Agar wrote:
One more follow-up question. I want the "meta" database on the external server contacted via TLS/SSL. If I set:
uri "ldap://directory.company.com/ou=People,o=company,c=US"
things work perfectly; however, if I set:
uri "ldaps://directory.company.com/ou=People,o=company,c=US"
I get "server is unavailable" when I do things like ldapwhoami. Is there something I can configure in my ldap.conf to allow ldaps authentication to the server defined in my "meta" stanza?
--stephen
On 1/22/07, Stephen Agar seagar@gmail.com wrote:
Wow... thanks a bunch, that worked perfectly.
--stephen
On 1/22/07, Aaron Richton <richton@nbcs.rutgers.edu> wrote:
Try something more like:
database meta
suffix "ou=people,o=company,c=US"
subordinate

database bdb
suffix "o=company,c=US"
see if that does what you want...
On Mon, 22 Jan 2007, Stephen Agar wrote:
I have an LDAP server with a base "o=company, c=us". There is another server which controls "ou=people,o=company,c=us", so in slapd.conf I have the following:

database bdb
suffix "o=company,c=US"
rootdn "cn=Manager,o=company,c=US"
rootpw *******
directory /usr/var/openldap-data
# Indices to maintain
index objectClass eq
index ou,cn,uid eq,pres,sub

#meta test
database meta
suffix "ou=people,o=company,c=US"
uri "ldap://directory.company.com/ou=People,o=company,c=US"

When I try to start slapd, I get:

/etc/openldap/slapd.conf: line 84: <suffix> namingContext "o=company,c=US" already served by a preceding bdb database serving namingContext "o=company,c=US".

Am I misusing meta? Can I not proxy binds/lookups to specific OUs to a secondary LDAP? I understand what the message is saying, but don't think I understand the proper use of meta.
For example, I have an ou=groups that contains "groupofnames" and the members of those groups are like "uid=123456,ou=people,o=company,c=us". So I want ou=groups owned on my server, then when specific members try to bind, they are proxied to this external LDAP server that serves ou=people,o=company,c=us and contains their uids and passwords. Am I going about this the wrong way? Is there a way to accomplish what I'm trying to do?

Thanks in advance... --stephen
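As an added illustration of the advice given at the top of the thread (this is not configuration posted by anyone in the thread): the client-side TLS settings that libldap reads for outgoing connections, placed next to the subordinate meta stanza Aaron suggested, with the uri switched to ldaps://. The CA bundle path and the password hash are assumptions; substitute your own.

```conf
# /etc/openldap/ldap.conf
# libldap reads this for every client it is linked into, including the
# back-meta connections made from inside slapd, so the CA that signed
# directory.company.com's certificate must be trusted here.
# (Path below is an assumption; point it at your real CA bundle.)
TLS_CACERT   /etc/openldap/cacerts/company-ca.pem
# "demand" is the default and is what you want: a certificate that does not
# chain to TLS_CACERT, or whose name does not match the host, is rejected.
# Setting this to "never" makes the error disappear but removes the check
# that you are talking to the real server, so leave it at demand.
TLS_REQCERT  demand

# Verify as the user slapd runs as, before touching slapd.conf:
#   ldapwhoami -x -H ldaps://directory.company.com/ \
#       -D "uid=123456,ou=people,o=company,c=US" -W
# If this reports a certificate verify failure, fix TLS_CACERT first.

# /etc/openldap/slapd.conf
database    bdb
suffix      "o=company,c=US"
rootdn      "cn=Manager,o=company,c=US"
rootpw      {SSHA}REPLACE_WITH_SLAPPASSWD_OUTPUT
directory   /usr/var/openldap-data
index       objectClass eq
index       ou,cn,uid eq,pres,sub

# ou=people is proxied to the external server; "subordinate" tells slapd
# this database is glued under the bdb suffix above instead of competing
# with it, which is what the "already served" error was about.
database    meta
suffix      "ou=people,o=company,c=US"
subordinate
uri         "ldaps://directory.company.com/ou=People,o=company,c=US"

# Alternative if the remote server only offers StartTLS on port 389:
#   uri  "ldap://directory.company.com/ou=People,o=company,c=US"
#   tls  start
# "tls propagate" instead forwards the client's own StartTLS to the remote
# side; see slapd-meta(5).
```

With TLS_REQCERT left at demand, a successful ldapwhoami against the ldaps:// URI as the slapd user is a reliable sign that slapd's proxied binds will succeed too; if the command works but slapd still reports the server unavailable, raise the slapd debug level as suggested above rather than loosening certificate checking.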