problem with ldap_start_tls_s
by Sankhadip Sengupta
Hi everyone,
I am trying to write an LDAP browser that uses both plain text and TLS. The plain text works fine, but when I am using "ldap_start_tls_s" I get an error:
ldap_start_tls: Connect error (-11) additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Also just to note ldapsearch works fine.
ldapsearch -vLxZZ -b "dc=example,dc=com" "(objectClass=*)"
no problem with this.
My code fragment is below:
    #define LDAP_DEPRECATED 1   /* ldap_init() and ldap_perror() are deprecated in current OpenLDAP */
    #include <ldap.h>
    #include <stdio.h>
    #include <stdlib.h>

    int main(void)
    {
        LDAP *ld;
        const char *ldap_host = "ldap.example.com";   /* placeholder host, not given in the post */
        int desired_version = LDAP_VERSION3;

        if ((ld = ldap_init(ldap_host, LDAP_PORT)) == NULL) {
            perror("ldap_init failed");
            exit(EXIT_FAILURE);
        }
        /* set the LDAP version to be 3 */
        if (ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &desired_version) != LDAP_OPT_SUCCESS) {
            ldap_perror(ld, "ldap_set_option");
            exit(EXIT_FAILURE);
        }
        /* upgrade the plain connection to TLS; this is the call that fails */
        if (ldap_start_tls_s(ld, NULL, NULL) != LDAP_SUCCESS) {
            ldap_perror(ld, "ldap_start_tls");
            exit(EXIT_FAILURE);
        }
        ldap_unbind_s(ld);
        return 0;
    }
Please help :(
Thanks,
Shawn
14 years, 8 months
contextCSN
by jakjr
Hello,
I'm testing a multi-master installation of openldap 2.4.11 (debian lenny).
To check if the masters are consistent, I search for the contextCSN of each
one, and check this value.
If the values are the same, the masters are consistent, right?
But now, after many, many changes (ADD/DELETE), I am searching for the
contextCSN and the server is reporting three contextCSNs.
Is this correct?
EG:
# ldapsearch -x -h <IP> objectClass=organization contextCSN -b dc=pr,dc=gov,dc=br -LLL -z 1
dn: dc=org
contextCSN: 20081226121401.392297Z#000000#000#000000
contextCSN: 20081226173429.931124Z#000000#001#000000
contextCSN: 20081226173327.189304Z#000000#002#000000
Thanks.
João Alfredo
14 years, 8 months
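A consistency check that compares the contextCSN values per server ID rather than expecting a single value, as an added example that is not part of the post; the sample values are constructed from the ones shown above.

```c
/* Added example, not from the post: parse contextCSN values of the form
 * <timestamp>Z#<count>#<sid>#<mod> and check that two masters agree per
 * server ID. Each multi-master node owns one contextCSN per serverID, so
 * what must match is the value for each SID across masters. */
#include <stdio.h>
#include <string.h>
#define MAX_CSN 16

struct csn { char stamp[24]; unsigned count, sid, mod; };

/* Parse one contextCSN string; returns 1 on success, 0 if malformed. */
int parse_csn(const char *s, struct csn *out)
{
    return sscanf(s, "%23[0-9.]Z#%x#%x#%x",
                  out->stamp, &out->count, &out->sid, &out->mod) == 4;
}

/* Returns 0 when every SID seen on either master has an identical CSN on the
 * other, otherwise the number of differing or missing SIDs; -1 on a malformed
 * value. A mismatch means that master's changes have not replicated yet. */
int csn_sets_consistent(const char *a[], int na, const char *b[], int nb)
{
    struct csn ca[MAX_CSN], cb[MAX_CSN];
    int bad = 0, found_b[MAX_CSN] = {0};
    if (na > MAX_CSN || nb > MAX_CSN) return -1;
    for (int i = 0; i < na; i++) if (!parse_csn(a[i], &ca[i])) return -1;
    for (int j = 0; j < nb; j++) if (!parse_csn(b[j], &cb[j])) return -1;
    for (int i = 0; i < na; i++) {
        int found = 0;
        for (int j = 0; j < nb; j++) {
            if (ca[i].sid != cb[j].sid) continue;
            found = found_b[j] = 1;
            if (strcmp(a[i], b[j]) != 0) bad++;   /* same SID, different CSN */
        }
        if (!found) bad++;                         /* SID only master a knows */
    }
    for (int j = 0; j < nb; j++) if (!found_b[j]) bad++;  /* SID only master b knows */
    return bad;
}

int main(void)
{
    const char *m1[] = { "20081226121401.392297Z#000000#000#000000",
                         "20081226173429.931124Z#000000#001#000000",
                         "20081226173327.189304Z#000000#002#000000" };
    const char *m2[] = { m1[0], m1[1], "20081226180000.000000Z#000000#002#000000" };
    printf("SIDs out of sync between the two masters: %d\n", csn_sets_consistent(m1, 3, m2, 3));
    return 0;
}
```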
Database is getting corrupted
by Jason Voorhees
Hi all:
I'm running OpenLDAP 2.3.27 on CentOS 5.2 to build from scratch an
LDAP tree based on Phamm sample LDIF files.
I have this database definition in slapd.conf:
database bdb
suffix "dc=redtube,dc=com"
rootdn "cn=manager,dc=redtube,dc=com"
rootpw {SSHA}5b3FNT6a3PrldYD/X58ghCXa7vhUOO24
directory /var/lib/ldap
mode 660
index objectClass eq
index cn,mail eq,subinitial
index vd,delete eq,pres
index accountActive,forwardActive eq,pres
index smtpAuth eq,pres
index sn,uid,displayName pres,eq,sub
index uidNumber,gidNumber eq
index default sub
I always do the following:
1. # rm /var/lib/ldap/*
(to be sure I'm starting from scratch)
2. # slapadd -b dc=redtube,dc=com redtube.ldif
After step (2) I can see that /var/lib/ldap/alock has rw-r--r-- and all
the other files have -w----r-T as permissions and are owned by root.root.
Is that correct?
Well, as far as I know they should be owned by ldap user and ldap group
with 0660 permissions assigned (based on "mode" directive in slapd.conf).
So I do the following:
3. # chown ldap.ldap /var/lib/ldap/*
# chmod 660 /var/lib/ldap/*
(/var/lib/ldap directory is 0700 and owned by ldap.ldap already)
4. I check against possible errors and then start OpenLDAP:
# slapd -Tt
# service ldap start
5. OpenLDAP starts correctly, it works perfectly. I can even do
modifications to the LDAP tree adding entries based on attributes like
vd, cn, mail, among others.
I'm aware that there is no uid.bdb created yet in /var/lib/ldap, so I
guess that's ok.
My problem comes when I try to perform some operation that causes
OpenLDAP to create an index file in /var/lib/ldap.
For example, when I try to log in with rootdn through phpldapadmin I get
something like this in the logs:
Dec 30 11:31:22 ha1 slapd[1889]: conn=5 fd=12 ACCEPT from IP=127.0.0.1:38395 (IP=0.0.0.0:389)
Dec 30 11:31:22 ha1 slapd[1889]: conn=5 op=0 BIND dn="" method=128
Dec 30 11:31:22 ha1 slapd[1889]: conn=5 op=0 RESULT tag=97 err=0 text=
Dec 30 11:31:22 ha1 slapd[1889]: conn=5 op=1 SRCH base="dc=redtube,dc=com" scope=2 deref=0 filter="(uid=cn=manager,dc=redtube,dc=com)"
Dec 30 11:31:22 ha1 slapd[1889]: conn=5 op=1 SRCH attr=dn
Dec 30 11:31:22 ha1 slapd[1889]: bdb(dc=redtube,dc=com): /var/lib/ldap/uid.bdb: Permission denied
Dec 30 11:31:22 ha1 slapd[1889]: bdb_db_cache: db_open(uid) failed: Permission denied (13)
Dec 30 11:31:22 ha1 slapd[1889]: <= bdb_equality_candidates: (uid) index_param failed (13)
Dec 30 11:31:22 ha1 slapd[1889]: conn=5 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Dec 30 11:31:22 ha1 slapd[1889]: conn=5 op=2 UNBIND
Dec 30 11:31:22 ha1 slapd[1889]: conn=5 fd=12 closed
I don't know why phpldapadmin performs a search based on a filter like
"(uid=cn=manager,dc=redtube,dc=com)" but well, it doesn't matter to me.
Then I stop and start OpenLDAP and I start getting this:
# /etc/init.d/ldap stop
Stopping slapd: [ OK ]
# /etc/init.d/ldap start
Checking configuration files for slapd: bdb_db_open: unclean shutdown detected; attempting recovery.
bdb_db_open: Warning - No DB_CONFIG file found in directory /var/lib/ldap: (2)
Expect poor performance for suffix dc=mailtest,dc=com.
bdb_db_open: Recovery skipped in read-only mode. Run manual recovery if errors are encountered.
config file testing succeeded
[ OK ]
Starting slapd: [ OK ]
Question is: Why can't OpenLDAP create /var/lib/ldap/uid.bdb? Why is it
getting permission denied messages? The whole directory /var/lib/ldap is
owned by ldap user with 660 permissions.
Can anybody help me? Thanks
14 years, 8 months
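The odd -w----r-T permissions are worth decoding before chasing ownership. slapd reads the integer argument of the mode directive with automatic base detection (as strtoul with base 0 does), so "mode 0660" is octal but "mode 660" is decimal 660, which is octal 1224. The added example below, not from the post, decodes the ls output quoted above and compares it with what either directive value produces after the umask of the user running slapadd is applied.

```c
/* Added example, not from the post: decode the permission string ls showed
 * for the index files and compare it with what slapd creates when the mode
 * directive is read as a decimal integer. slapd parses "mode" with automatic
 * base detection (as strtoul with base 0 does): "0660" is octal, "660" is
 * decimal 660, i.e. octal 1224. The umask of the user running slapadd is
 * applied on top, as for any open(2). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Turn an ls -l style string ("-w----r-T", with or without the leading file
 * type column) into numeric mode bits; returns 0 for a malformed string. */
unsigned mode_from_ls(const char *s)
{
    const char *p = (strlen(s) == 10) ? s + 1 : s;
    unsigned mode = 0;
    if (strlen(p) != 9) return 0;
    for (int i = 0; i < 9; i++) {
        char c = p[i];
        if (c == 'r' || c == 'w' || c == 'x' || c == 's' || c == 't')
            mode |= 1u << (8 - i);                              /* plain permission bit */
        if (i == 2 && (c == 's' || c == 'S')) mode |= 04000;   /* setuid */
        if (i == 5 && (c == 's' || c == 'S')) mode |= 02000;   /* setgid */
        if (i == 8 && (c == 't' || c == 'T')) mode |= 01000;   /* sticky */
    }
    return mode;
}

/* Mode bits of a file slapd creates for a given "mode" directive value and
 * umask: the directive goes to open(2), which clears the umask bits. */
unsigned slapd_file_mode(const char *directive, unsigned umask_bits)
{
    unsigned m = (unsigned)strtoul(directive, NULL, 0);   /* base 0 = auto-detect */
    return m & ~umask_bits;
}

int main(void)
{
    unsigned seen = mode_from_ls("-w----r-T");             /* string from the post */
    printf("observed index file mode:     %05o\n", seen);
    printf("\"mode 660\" with umask 022:   %05o\n", slapd_file_mode("660", 022));
    printf("\"mode 0660\" with umask 022:  %05o\n", slapd_file_mode("0660", 022));
    printf("\"mode 0660\" with umask 007:  %05o\n", slapd_file_mode("0660", 007));
    return 0;
}
```

Note that even "mode 0660" yields 0640 under root's usual umask 022, so files slapadd creates as root need both the leading zero in the directive and a chown to the ldap user.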
Help with understanding behaviour of crashed OpenLDAP Server
by yukti kaura
Dear All,
I would like to seek clarification on one aspect of LDAP server recovery.
When a crashed server in replicated mode is restarted, does it immediately
start publishing its services, or does it publish itself only after
resynchronizing?
Please guide
Thanks
Yukti Kaura
14 years, 9 months