Hi List,
We have installed and configured our openLDAP-2.4.7 on a RedHat LINUX machine using a simple configure (./configure) without any options. It has been working fine. Now we want to use SSL with it; we are using the openssl-0.9.7g package. We got all the required certificates. Now the problem is that when I run the following command:
/usr/local/etc/openldap/slapd.conf -d127 -h "ldap:/// ldaps:///"
It is giving the following error message:
ldap_pvt_gethostbyname_a: host=as3, r=0
daemon_init: ldap:/// ldaps:///
daemon_init: listen on ldap:///
daemon_init: listen on ldaps:///
daemon_init: 2 listeners to open...
ldap_url_parse_ext(ldap:///)
daemon: listener initialized ldap:///
ldap_url_parse_ext(ldaps:///)
daemon: TLS not supported (ldaps:///)
slapd stopped.
connections_destroy: nothing to destroy.
From this I can understand that TLS is not supported. What should I do now? One more question. Is there any difference between enabling SSL and TLS? Please help me (it is difficult to rebuild openldap again, as there are many applications that are using our current LDAP).
Thanks in advance to all.
=====-----=====-----=====
Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you
On Tuesday 04 March 2008 07:57:03 Padmavathi Dt wrote:
Hi List,
We have installed and configured our openLDAP-2.4.7 on RedHat LINUX
Out of interest, what version of RedHat LINUX?
machine using a simple configure (./configure) without any options.
Did you have a suitable SSL library's development files (headers, linking library) installed? Did you check whether configure found a suitable SSL library, and enabled SSL support?
It has been working fine. Now we want to use SSL with it; we are using the openssl-0.9.7g package. We got all the required certificates. Now the problem is that when I run the following command:
/usr/local/etc/openldap/slapd.conf -d127 -h "ldap:/// ldaps:///"
It is giving the following error message:
ldap_pvt_gethostbyname_a: host=as3, r=0
daemon_init: ldap:/// ldaps:///
daemon_init: listen on ldap:///
daemon_init: listen on ldaps:///
daemon_init: 2 listeners to open...
ldap_url_parse_ext(ldap:///)
daemon: listener initialized ldap:///
ldap_url_parse_ext(ldaps:///)
daemon: TLS not supported (ldaps:///)
slapd stopped.
connections_destroy: nothing to destroy.
From this I can understand that TLS is not supported. What should I do now? One more question. Is there any difference between enabling SSL and TLS? Please help me (it is difficult to rebuild openldap again, as there are many applications that are using our current LDAP).
Compilation should not be impacted by how many applications are "using your current LDAP". Any sane environment should be deployed with some kind of software management tool (such as rpm), in which case you would build the software independently of installing it. This would also allow you to test the configuration on a different machine first, before deploying it etc. etc.
If you are running Red Hat Enterprise Linux (3, 4 or 5), you may want to look here:
http://staff.telkomsa.net/packages/
(2.4.8 and 2.3.41 coming ... just have some hardware issues on our internal package repo to sort out before I can afford time building packages ...).
Regards, Buchan
On Tue, 4 Mar 2008, Padmavathi Dt wrote:
We have installed and configured our openLDAP-2.4.7 on a RedHat LINUX machine using a simple configure (./configure) without any options. It has been working fine. Now we want to use SSL with it; we are using the openssl-0.9.7g package. We got all the required certificates. Now the problem is that when I run the following command:
/usr/local/etc/openldap/slapd.conf -d127 -h "ldap:/// ldaps:///"
It is giving the following error message:
...
daemon: TLS not supported (ldaps:///)
Your build didn't include TLS support. You're going to have to reconfigure and rebuild, and this time you should read the output from 'configure' to see why it didn't find your OpenSSL install. Did you install OpenSSL in a non-standard location? If so, you probably need to set the CPPFLAGS and LDFLAGS environment variables so that configure can find and build against it, a la:
env CPPFLAGS=-I/usr/local/openssl/include \
    LDFLAGS=-L/usr/local/openssl/lib \
    ./configure --enable-tls=openssl --with-other-stuff --enable-bits-here ...etc
One more question. Is there any difference between enabling SSL and TLS?
Unfortunately, different people use those terms in different ways.
"SSL" is a protocol for carrying other protocols with confidentiality, integrity, authentication, etc. "TLS" is the standardized and revised version of that protocol.
For many people, "enabling SSL" means "using the negotiate-SSL-on-connect" version of the protocol. I.e., "ldaps" instead of "ldap". TLS is then generally associated with using the "upgrade-to-TLS" method where you connect normally (in cleartext) and then use a protocol request to initiate the SSL/TLS handshake, aka STARTTLS. e.g., the -Z option to ldap{search,modify,etc}.
Please help me (it is difficult to rebuild openldap again, as there are many applications that are using our current LDAP).
Why is that a problem? Rebuild and test before installing, then do the install when you're sure it's working properly.
Philip Guenther
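As an added example (not from the thread or from OpenLDAP's own code), the two connection styles Philip distinguishes, written against the RFC 4511 wire format: the STARTTLS extended request and its response encoded by hand, then TLS started on the same socket, beside the ldaps variant that performs the handshake before any LDAP bytes are sent. The tag values and message layout are from RFC 4511; the sample response and the hostnames are constructed.

```python
import socket
import ssl
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"      # StartTLS extended operation, RFC 4511 / RFC 4513

def tlv(tag, content):
    """Encode one BER TLV; short-form length is enough for these small requests."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content

def read_tlv(buf, pos=0):
    """Decode the TLV at buf[pos]; returns (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long form: next (length & 0x7F) bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def build_starttls_request(msgid=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }"""
    ext_req = tlv(0x77, tlv(0x80, STARTTLS_OID))      # 0x77 = APPLICATION 23, constructed
    return tlv(0x30, tlv(0x02, bytes([msgid])) + ext_req)

def parse_extended_response(data):
    """LDAPMessage { messageID, ExtendedResponse [APPLICATION 24] { LDAPResult, responseName [10] } }"""
    _, msg, _ = read_tlv(data)                         # outer SEQUENCE
    _, msgid, pos = read_tlv(msg)
    tag, ext, _ = read_tlv(msg, pos)
    assert tag == 0x78, "not an ExtendedResponse"       # 0x78 = APPLICATION 24, constructed
    _, code, pos = read_tlv(ext)                         # resultCode ENUMERATED, 0 = success
    _, matched_dn, pos = read_tlv(ext, pos)
    _, diag, pos = read_tlv(ext, pos)
    name = None
    if pos < len(ext) and ext[pos] == 0x8A:              # optional responseName [10]
        name = read_tlv(ext, pos)[1].decode()
    return {"msgid": msgid[0], "code": code[0], "diag": diag.decode(), "name": name}

def upgrade_to_tls(sock, hostname):
    """The STARTTLS path: one cleartext LDAP request, then TLS on the same socket."""
    sock.sendall(build_starttls_request())
    resp = parse_extended_response(sock.recv(4096))
    if resp["code"] != 0:
        raise RuntimeError("StartTLS refused (code %d): %s" % (resp["code"], resp["diag"]))
    return ssl.create_default_context().wrap_socket(sock, server_hostname=hostname)

def connect_ldaps(hostname, port=636):
    """The ldaps path: TLS handshake first, no LDAP bytes cross the wire before it."""
    return ssl.create_default_context().wrap_socket(socket.create_connection((hostname, port)), server_hostname=hostname)

# Constructed sample of a successful server reply (resultCode 0, responseName echoed back).
SAMPLE_RESPONSE = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x78, tlv(0x0A, b"\x00") + tlv(0x04, b"") + tlv(0x04, b"") + tlv(0x8A, STARTTLS_OID)))
```

Either returned socket then carries ordinary LDAP operations; a server built without TLS answers the STARTTLS request with a non-zero resultCode instead of a handshake.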
Philip, thanks for your response. I have a doubt. What happens to the data in the current LDAP if I rebuild it and install it again? Should I create all the users again?
I don't know much about LDAP (even after reading the admin guide many times), so I don't know whether it is a meaningful doubt or not. Kindly clarify my doubt as soon as possible because I am approaching my deadline. Thanks in advance.
From my understanding of your question, if you rebuild and install LDAP you risk losing all the information stored in your LDAP directory. You should consider backing up your entire directory and then re-importing it again. I would also back up your slapd.conf and any other configuration files. Understanding how to back up and restore an LDAP database is one of the most fundamental principles in LDAP administration.
Some commands you may want to look at include:
slapcat <-- Dumps the entire LDAP directory, see man page
ldapsearch <-- carefully crafted LDAP searches can be used to dump data into LDIF format
On a side note, I am not 100% certain if you can just "reuse" your old LDAP databases? Anyone from the list care to comment because I would like to know too.
There may be others as well. The thing I like about OpenLDAP is that it provides a pretty basic, nuts and bolts LDAP implementation.
Thanks,
- Randall Svancara Systems Administrator
On Wed, 2008-03-05 at 11:52 +0530, Padmavathi Dt wrote:
Philip, thanks for your response. I have a doubt. What happens to the data in the current LDAP if I rebuild it and install it again? Should I create all the users again?
I don't know much about LDAP (even after reading the admin guide many times), so I don't know whether it is a meaningful doubt or not. Kindly clarify my doubt as soon as possible because I am approaching my deadline. Thanks in advance.
What happens to the data in current LDAP,if I rebuild it and install it again?
Most likely it will still be in the database and openldap will still use it. For me that is at /var/lib/openldap-data. This is unless you are deleting the old system with your reinstall.
You probably want to make a backup of your data.
slapcat > backup.ldif
Should I create all the users again?
No. If you did not change db versions or wipe your disk, the data should be there. If you did make a major change in db version, you will probably find it better to restore the backup.
slapadd -l backup.ldif
John
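An added example, not from the thread, that checks a slapcat dump before it is trusted as the backup for the rebuild that Randall and John both describe: it parses the LDIF, refuses an empty dump or one without the suffix entry, and the same check belongs in front of 'slapadd -l backup.ldif' after the new build is installed. The slapd.conf path, the suffix and the sample LDIF are assumptions.

```python
import base64
import re
import subprocess

def parse_ldif(text):
    """Minimal LDIF reader: one {attr: [values]} dict per entry."""
    entries, attrs = [], {}
    # RFC 2849 folding: a line starting with one space continues the previous line.
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:   # trailing "" flushes the last entry
        if line == "":                                  # blank line ends an entry
            if attrs:
                entries.append(attrs)
            attrs = {}
        elif not line.startswith(("#", "version:")):
            name, _, value = line.partition(":")
            if value.startswith(":"):                   # "attr:: base64value"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            attrs.setdefault(name.lower(), []).append(value.strip())
    return entries

def verify_backup(ldif_text, suffix):
    """Return (entry_count, problems); an empty problems list means the dump is usable."""
    entries = parse_ldif(ldif_text)
    dns = [e.get("dn", [""])[0].lower() for e in entries]
    problems = []
    if not entries:
        problems.append("dump contains no entries")
    if suffix.lower() not in dns:
        problems.append("suffix entry %s missing" % suffix)
    return len(entries), problems

def backup_directory(path, suffix, slapd_conf="/usr/local/etc/openldap/slapd.conf"):
    """slapcat reads the database files directly, so stop slapd first for a consistent dump."""
    subprocess.run(["slapcat", "-f", slapd_conf, "-l", path], check=True)   # assumed paths
    with open(path) as f:
        count, problems = verify_backup(f.read(), suffix)
    if problems:
        raise RuntimeError("refusing to trust %s: %s" % (path, "; ".join(problems)))
    return count

# Constructed sample in slapcat's output style: a folded line and a base64 value.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
objectClass: dcObject

dn: uid=padma,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
description: a long value that slapcat folds
  onto a second line
cn:: UGFkbWF2YXRoaQ==
"""
```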