openldap-technical November 2012

openldap-technical@openldap.org

62 participants
68 discussions

ldif, a person with city and country
by Jobst Schmalenbach 23 Nov '12

23 Nov '12

Hi Sorry, new member and just started using ldap (openldap). I am not sure whether I can ask this question here as the name of the list specifies "technical", if not please tell me list(s) where I can do so. For starters I have read the O'reilly book, I tried to figure out my questions using the help in the FAQ's, I searched to net ... but I am a little out of my depth in the moment. I am trying to get LDAP to work to help authentication in wordpress and moodle, with wordpress being the main part and moodle uses LDAP for the authentication (subscription based) and some info for each student from LDAP. So far I can add entries to LDAP from wordpress, I can login to wordpress using LDAP. I have got it to work to allow access to moodle when the correct username (uid) and password is found in LDAP but I want to add some info about each student to LDAP, one the country and the other being the city (and later some more). So far I can add enough information for subscribers (billing address, uid, telephone etc) using the standard schemas and object classes, but I need a little mode info for each. This is what I have: dn: dc=MyDomain,dc=com,dc=au dc: MyDomain objectClass: domain dn: o=Subscriptions,dc=MyDomain,dc=com,dc=au o: Subscriptions objectClass: organization dn: ou=moodle,o=Subscriptions,dc=MyDomain,dc=com,dc=au ou: moodle objectClass: organizationalUnit dn: uid=gemma, ou=moodle, o=Subscriptions, dc=MyDomain, dc=com, dc=au objectclass: top objectclass: person objectclass: organizationalPerson objectclass: inetorgPerson objectclass: emailPerson objectclass: NameViewPerson cn=Gemma Turtle sn=Turtle givenName=Gemma Turtle uid=gemma countryCode=AU I end up with an error "invalid structural object class chain", which I think means the country needs to be higher up the tree, but then I would have to create the tree branches for every country (for each person)? Subscribers will come from different countries and countless cities (which I haven't added yet) as this is part of the target audience. I am not sure how to structure this. Are there any ldif file around I can have a look that deal with subscriptions like this? Jobst

3 4

OpenLDAP Proxy to AD of User Objects with full/correct schema
by Mailing Lists 23 Nov '12

23 Nov '12

I know this list gets a large number of questions about Active Directory integration and this one is no different. I've tried to do as much research as possible on my own but still have a few un-answered questions and issues, so i'm adding yet another AD question to the list. Sorry in advance. My initial foray into OpenLDAP was to use it to store the idmaps created by Samba, so that mapped user and group IDs were identical between file servers. As I thought about it more, I realized we could use LDAP to centralize our Linux users, groups, and access to other LDAP-enabled applications. The point of all this is, that I don't need to proxy Active Directory (and its schema) in its entirety, I really just want to use it as a central repository for user info and authentication. So, I guess, my first question is: Is this a viable use case? All signs seem to point to yes, but I just want to make sure. I currently have a proxy database configured that is successfully proxying/querying our AD infrastructure. From what I've read, OpenLDAP 2.3 and newer have the ability to proxy unknown schemas, but will be not be able to do any advanced filtering because the schema is unknown. My question is, given a full export of the AD schema from CN=Schema,CN=Configuration,DC=corp,DC=whatever,DC=com via LDIFDE, is there a way to leverage this to re-create parts of the AD schema so that OpenLDAP can perform native filtering? I'm primarily only interested in the user objects (ObjectClass=user). I know that all of this might be easier if I was to use ADAM/ADLDS and/or scrape the Samba4 schema, but i'd like to do it myself just for the education it provides and because I'm trying to implement just the bare minimum to our users. I've also seen the AD/Outlook Global Address List entry in the FAQ, but that involves editing the OpenLDAP provided .schema files. If possible, i'd like to keep all of these AD related schemas within their own files and keep the OpenLDAP provided ones untouched. Thanks for the help, -Dave

4 5

Fail to pass the basic functionality testing (test058-syncrepl-asymmetric)
by Jackie Zhang 22 Nov '12

22 Nov '12

Hi, I installed the newest openldap-2.4.33 on my Linux machine. I run the test in the tests directory. And I received the following error (attached below). Mainly: ERROR: Second site1 backend not replicated to central master I can replay it everytime by executing "./run -b hdb test058-syncrepl-asymmetric". Using hdb or mdb leads to the same result. Is anybody know what is this problem? Is there something wrong on my installation? Thank you very much! Best regards, Jackie Zhang ============test058-syncrepl-asymmetric================== Cleaning up test run directory leftover from previous run. Running ./scripts/test058-syncrepl-asymmetric for bdb... running defines.sh Initializing master configurations... Initializing search configurations... Starting central master slapd on TCP/IP port 9011... Using ldapsearch to check that central master slapd is running... Starting site1 master slapd on TCP/IP port 9012... Using ldapsearch to check that site1 master is running... Starting site2 master slapd on TCP/IP port 9013... Using ldapsearch to check that site2 master is running... Starting central search slapd on TCP/IP port 9014... Using ldapsearch to check that central search slapd is running... Starting site1 search slapd on TCP/IP port 9015... Using ldapsearch to check that site1 search slapd is running... Starting site2 search slapd on TCP/IP port 9016... Using ldapsearch to check that site2 search slapd is running... Adding schema on ldap://localhost:9011/... Adding schema on ldap://localhost:9012/... Adding schema on ldap://localhost:9013/... Adding schema on ldap://localhost:9014/... Adding schema on ldap://localhost:9015/... Adding schema on ldap://localhost:9016/... Adding database config on central master... Adding database config on site1 master... Adding database config on site2 master... Adding access rules on central master... Adding access rules on site1 master... Adding access rules on site2 master... Adding database config on central search... Adding database config on site1 search... Adding database config on site2 search... Populating central master... Adding syncrepl on site1 master... Adding syncrepl on site2 master... Using ldapsearch to check that site1 master received changes... Using ldapsearch to check that site2 master received changes... Populating site1 master... Populating site2 master... Stopping site1 master... Adding syncrepl on central master... Using ldapsearch to check that central master received site2 entries... Using ldapmodify to modify central master... Restarting site1 master slapd on TCP/IP port 9012... Using ldapsearch to check that site1 master is running... Using ldapsearch to check that central master received site1 entries... Using ldapsearch to check that site1 master received central master update... Using ldapsearch to check that site2 master received central master update... Adding syncrepl consumer on central search... Adding syncrepl consumer on site1 search... Adding syncrepl consumer on site2 search... Using ldapsearch to check that central search received changes... Using ldapsearch to check that site1 search received changes... Using ldapsearch to check that site2 search received changes... Checking contextCSN after initial replication... Using ldapmodify to modify first backend on central master... Using ldapsearch to check replication to central search... Using ldapsearch to check replication to site1 search... Using ldapsearch to check replication to site2 search... Checking contextCSN after modify of first backend on central master... Using ldapmodify to modify second backend on central master... Using ldapsearch to check replication to site2 search... Using ldapsearch to check no replication to site1 master... Using ldapsearch to check no replication to central search... Checking contextCSN after modify of second backend on central master... Using ldapmodify to modify first backend on site1 master... Using ldapsearch to check replication to site1 search... Using ldapsearch to check replication to site2 master... Using ldapsearch to check no replication to site2 search... Using ldapsearch to check no replication to central search... Checking contextCSN after modify of first backend on site1 master... Using ldapmodify to modify second backend on site1 master... Using ldapsearch to check replication to site1 search... Using ldapsearch to check no replication to central master... Checking contextCSN after modify of second backend on site1 master... Using ldapmodify to modify first backend on site2 master... Using ldapsearch to check replication to central master... Using ldapsearch to check replication to site2 search... Using ldapsearch to check no replication to site1 master... Using ldapsearch to check no replication to central search... Checking contextCSN after modify of first backend on site2 master... Using ldapmodify to modify second backend on site2 master... Using ldapsearch to check replication to site2 search... Using ldapsearch to check no replication to central master... Checking contextCSN after modify of second backend on site2 master... Stopping central master and site2 servers to test start with emtpy db... Starting site2 master slapd on TCP/IP port 9013... Using ldapsearch to check that site2 master slapd is running... Starting site2 search slapd on TCP/IP port 9016... Using ldapsearch to check that site2 search slapd is running... Starting central master slapd on TCP/IP port 9011... Using ldapsearch to check that central master slapd is running... Using ldapsearch to check that site2 master received base... Using ldapsearch to check that site2 search received base... Waiting 1 seconds for syncrepl to receive changes... Checking contextCSN after site2 servers repopulated... Adding syncrepl of second site1 master backend on central master... Using ldapsearch to check that central master received second site1 backend... Waiting 1 seconds for syncrepl to receive changes... Waiting 2 seconds for syncrepl to receive changes... Waiting 3 seconds for syncrepl to receive changes... Waiting 4 seconds for syncrepl to receive changes... Waiting 5 seconds for syncrepl to receive changes... ERROR: Second site1 backend not replicated to central master Restarting central master slapd on TCP/IP port 9011... Using ldapsearch to check that central master slapd is running... Waiting 1 seconds for slapd to start... Using ldapsearch to check that central master received second site1 backend... Using ldapsearch to check that central search received second site1 backend... Waiting 1 seconds for syncrepl to receive changes... Waiting 2 seconds for syncrepl to receive changes... Waiting 3 seconds for syncrepl to receive changes... Waiting 4 seconds for syncrepl to receive changes... Waiting 5 seconds for syncrepl to receive changes... ERROR: Second site1 backend not replicated to central search Restarting central search slapd on TCP/IP port 9014... Using ldapsearch to check that central search slapd is running... Waiting 1 seconds for slapd to start... Using ldapsearch to check that central search received second site1 backend... Running 1 of 10 syncrepl race tests... Stopping central master... Using ldapadd to add entry on site1 master... Starting central master again... Using ldapsearch to check that central master received entry... Using ldapsearch to check that central search received entry... Stopping central master... Using ldapdelete to delete entry on site1 master... Starting central master again... Using ldapsearch to check that entry was deleted on central master... Using ldapsearch to check that entry was deleted on central search... Running 2 of 10 syncrepl race tests... Stopping central master... Using ldapadd to add entry on site1 master... Starting central master again... Using ldapsearch to check that central master received entry... Using ldapsearch to check that central search received entry... Stopping central master... Using ldapdelete to delete entry on site1 master... Starting central master again... Using ldapsearch to check that entry was deleted on central master... Using ldapsearch to check that entry was deleted on central search... Running 3 of 10 syncrepl race tests... Stopping central master... Using ldapadd to add entry on site1 master... Starting central master again... Using ldapsearch to check that central master received entry... Using ldapsearch to check that central search received entry... Stopping central master... Using ldapdelete to delete entry on site1 master... Starting central master again... Using ldapsearch to check that entry was deleted on central master... Using ldapsearch to check that entry was deleted on central search... Running 4 of 10 syncrepl race tests... Stopping central master... Using ldapadd to add entry on site1 master... Starting central master again... Using ldapsearch to check that central master received entry... Using ldapsearch to check that central search received entry... Stopping central master... Using ldapdelete to delete entry on site1 master... Starting central master again... Using ldapsearch to check that entry was deleted on central master... Using ldapsearch to check that entry was deleted on central search... Running 5 of 10 syncrepl race tests... Stopping central master... Using ldapadd to add entry on site1 master... Starting central master again... Using ldapsearch to check that central master received entry... Using ldapsearch to check that central search received entry... Stopping central master... Using ldapdelete to delete entry on site1 master... Starting central master again... Using ldapsearch to check that entry was deleted on central master... Using ldapsearch to check that entry was deleted on central search... Running 6 of 10 syncrepl race tests... Stopping central master... Using ldapadd to add entry on site1 master... Starting central master again... Using ldapsearch to check that central master received entry... Using ldapsearch to check that central search received entry... Stopping central master... Using ldapdelete to delete entry on site1 master... Starting central master again... Using ldapsearch to check that entry was deleted on central master... Using ldapsearch to check that entry was deleted on central search... Running 7 of 10 syncrepl race tests... Stopping central master... Using ldapadd to add entry on site1 master... Starting central master again... Using ldapsearch to check that central master received entry... Using ldapsearch to check that central search received entry... Stopping central master... Using ldapdelete to delete entry on site1 master... Starting central master again... Using ldapsearch to check that entry was deleted on central master... Using ldapsearch to check that entry was deleted on central search... Running 8 of 10 syncrepl race tests... Stopping central master... Using ldapadd to add entry on site1 master... Starting central master again... Using ldapsearch to check that central master received entry... Using ldapsearch to check that central search received entry... Stopping central master... Using ldapdelete to delete entry on site1 master... Starting central master again... Using ldapsearch to check that entry was deleted on central master... Using ldapsearch to check that entry was deleted on central search... Running 9 of 10 syncrepl race tests... Stopping central master... Using ldapadd to add entry on site1 master... Starting central master again... Using ldapsearch to check that central master received entry... Using ldapsearch to check that central search received entry... Stopping central master... Using ldapdelete to delete entry on site1 master... Starting central master again... Using ldapsearch to check that entry was deleted on central master... Using ldapsearch to check that entry was deleted on central search... Running 10 of 10 syncrepl race tests... Stopping central master... Using ldapadd to add entry on site1 master... Starting central master again... Using ldapsearch to check that central master received entry... Using ldapsearch to check that central search received entry... Stopping central master... Using ldapdelete to delete entry on site1 master... Starting central master again... Using ldapsearch to check that entry was deleted on central master... Using ldapsearch to check that entry was deleted on central search... No race errors found after 10 iterations Found 2 errors >>>>>> Exiting with a false success status for now

1 0

slapo-rwm overlay and backend databases
by Bryce Powell 22 Nov '12

22 Nov '12

Hi, The OpenLDAP 2.4 documentation states: "When using slapd.conf(5), overlays that are configured before any other databases are considered global, as mentioned above. In fact they are implicitly stacked on top of the frontend database. They can also be explicitly configured as such: database frontend overlay <overlay name>" I currently use slapo-rwm, defined as a global declaration in slapd.conf, to provide bindDN rewrites to a remote LDAP server via slapo-ldap (LDAP proxy database). Is it possible then, if I'm interpreting the documentation correctly, to additionally stack a rewrite/remap overly in each defined database section? The objective would be to achieve database specific rewrites that are not applicable to all defined databases. e.g. database ldap suffix "dc=abc,dc=local" uri "ldap://172.11.250.200/" overlay rwm rwm-rewriteEngine on rwm-rewriteContext searchEntryDN rwm-rewriteRule "^cn=(.+)?\\\\2C(.+)?,ou=users,dc=abc,dc=local$" "cn=$1_$2,ou=users,dc=abc,dc=local" ":@" [...etc.] database ldap suffix "dc=xyz,dc=local" uri "ldap://172.11.250.201/" overlay rwm rwm-rewriteEngine on rwm-rewriteContext searchEntryDN rwm-rewriteRule <some other rewrite rule here> [...etc.] If this is possible, does the configuration allow one to define the overlay at the "backend" level, so that it applies to all databases of the same type? e.g. backend ldap overlay rwm rwm-rewriteEngine on database ldap suffix "dc=abc,dc=local" uri "ldap://172.11.250.200/" rwm-rewriteContext searchEntryDN rwm-rewriteRule "^cn=(.+)?\\\\2C(.+)?,ou=users,dc=abc,dc=local$" "cn=$1_$2,ou=users,dc=abc,dc=local" ":@" [...etc.] database ldap suffix "dc=xyz,dc=local" uri "ldap://172.11.250.201/" rwm-rewriteContext searchEntryDN rwm-rewriteRule <some other rewrite rule here> [...etc.] Thanks Bryce Powell

2 1

Password policy
by jeevan kc 22 Nov '12

22 Nov '12

Hello I want to enable password policy on Openldap 2.4.30(to all users. I see that the ppolicy.ldif and ppolicy.schema are listed under /usr/local/etc/openldap/schema but are not present on /usr/local/etc/openldap/slapd.d/cn=config folder. So do I need to add the policy.ldif to the cn=config folder ? Is there like specific procedure to do that or can I add manually with ldapadd ? Also how do I enable that schema to all users ? Please help. Jeevan

4 5

Re: OpenLDAP-Client TLS
by Martin.Heinzmann＠belden.com 20 Nov '12

20 Nov '12

Little update...i managed to get it to work :-) It looks like it was the option "LDAP_OPT_X_TLS_ALLOW" i have to set. Unfortunately i did it on the wrong position in my code. Now this option is the first thing i do, even prior the initialization. Nevertheless "LDAP_START_TLS_S" returns 3 errors: 1.unable to get local issuer certificate, 2. certificate not trusted, 3.unable to verify the first certificate. I think the 2nd and 3rd appear because the server uses a self signed certificate? One question i still have on my mind. I am only able to compile my client by including the library "sasl2" although i am not using "ldap_sals_bind" or anything like that. Is it possible expel sasl from my program or do i have to use that library? Regards Martin DISCLAIMER: Privileged and/or Confidential information may be contained in this message. If you are not the addressee of this message, you may not copy, use or deliver this message to anyone. In such event, you should destroy the message and kindly notify the sender by reply e-mail. It is understood that opinions or conclusions that do not relate to the official business of the company are neither given nor endorsed by the company. Thank You.

2 2

olcPcacheAttrset/olcPcacheTemplate values for set acl
by Tio Teath 19 Nov '12

19 Nov '12

I'm trying to write ACL, using set entries, like this: to * by set="[cn=remote group,dc=host]/member & user" write, where cn=remote group,dc=host is a remote group, available via ldap-proxy. The remote group looks like this: dn: cn=remote group,dc=host cn: remote member: cn=user1,ou=users,dc=host member: cn=user2,ou=users,dc=host objectClass: group It works fine, except it raises search query to remote ldap server each time, I'm trying to search against objects, the ACL applies. Is it possible to set up pcache overlay to handle such kind of requests to speed up ACL processing? Which values olcPcacheAttrset and olcPcacheTemplate attributes should have?

1 0

Assertion failed: errno != EDEADLK, file alock.c, line 77
by cjkry156＠yahoo.co.jp 19 Nov '12

19 Nov '12

Hi World, We are using OpenLDAP 2.3.5 on Solaris 9. For security reason, System administrator start to use corporate LDAP, (disable local authorization) and disable inetd services (comment out inetd.conf). After that, when we try to start the OpenLDAP, this is not same as the corporate LDAP, we recived Dead lock error message as, Assertion failed: errno != EDEADLK, file alock.c, line 77 And the OpenLDAP was aborted. Does anybody know this error? Best Regards, Ken

2 2

OpenLDAP-Client TLS
by Martin.Heinzmann＠belden.com 19 Nov '12

19 Nov '12

Hi, i am trying to write my own client which connects to an active directory and searches for an user. So far it works, i call "ldap_initialize", set version 3, "ldap_simple_bind_s" and then search the directory. Now i want the connection to be secure by executing a "Simple TLS handshake ". I changed my hostname variable to "ldaps://ip:636" and tried "ldap_start_tls_s(ld,NULL,NULL)" before the bind but get a "cant contact ldap server" error. I think my active directory is configured the right way because with JXplorer it works over ssl and port 636. Does anyone know which functions i have to call so a successful tls connection will be set up? Regards Martin DISCLAIMER: Privileged and/or Confidential information may be contained in this message. If you are not the addressee of this message, you may not copy, use or deliver this message to anyone. In such event, you should destroy the message and kindly notify the sender by reply e-mail. It is understood that opinions or conclusions that do not relate to the official business of the company are neither given nor endorsed by the company. Thank You.

3 3

Re: n-way multimaster replication with ssl and tls
by anil beniwal 16 Nov '12

16 Nov '12

Yes I am able to access using JXplorer using tls and 636. I am using diff self singed certificate for each server. I have done same configuration on 3 servers. i am having /etc/openldap/ldap.conf and /apps/openldap/etc/openldap/ldap.conf file I have compiled ldap to /apps/openldap directory. I am getting same output running on each server against the other 2 servers. [root@sjprodam01 ~]# openssl s_client -connect mmprodam01.abc.com:636 -showcerts CONNECTED(00000003) depth=0 C = IN, ST = HR, L = GGN, O = SAP, OU = ISST, CN = mmprodam01.abc.com verify error:num=18:self signed certificate verify return:1 depth=0 C = IN, ST = HR, L = GGN, O = SAP, OU = ISST, CN = mmprodam01.abc.com verify return:1 --- Certificate chain 0 s:/C=IN/ST=HR/L=GGN/O=SAP/OU=ISST/CN=mmprodam01.abc.com i:/C=IN/ST=HR/L=GGN/O=SAP/OU=ISST/CN=mmprodam01.abc.com -----BEGIN CERTIFICATE----- MIICoDCCAgmgAwIBAgIJAJ5P5x76CGAUMA0GCSqGSIb3DQEBBQUAMGkxCzAJBgNV BAYTAklOMQswCQYDVQQIDAJIUjEMMAoGA1UEBwwDR0dOMRAwDgYDVQQKDAdTQVBJ RU5UMQ0wCwYDVQQLDARJU1NUMR4wHAYDVQQDDBVtbXByb2RhbTAxLm5hc2Nhci5j b20wHhcNMTIxMTE2MDMyMDAxWhcNMTMxMTE2MDMyMDAxWjBpMQswCQYDVQQGEwJJ TjELMAkGA1UECAwCSFIxDDAKBgNVBAcMA0dHTjEQMA4GA1UECgwHU0FQSUVOVDEN MAsGA1UECwwESVNTVDEeMBwGA1UEAwwVbW1wcm9kYW0wMS5uYXNjYXIuY29tMIGf MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDETDjOiWY1hkHcZ82BRtDabD7mPN8 A9OwLAule0NC6Y76mI8fHDs+vip9P6ASyVaSkxT8g+dOLGDBBy7winj52wcnP9aW u38kE5Sm+suSFLlJ3A0uIfgmLr6dglyGsFMiYJCkeHKxBpF5zeJHTnKpqWZ+emwj XwO0Dv22AYvATQIDAQABo1AwTjAdBgNVHQ4EFgQUhhRZ1mSzr1zccS4aHSKcoy8o F5owHwYDVR0jBBgwFoAUhhRZ1mSzr1zccS4aHSKcoy8oF5owDAYDVR0TBAUwAwEB /zANBgkqhkiG9w0BAQUFAAOBgQCr2gh0U000EttpCQeSjAoUjjkHB3zWMpGZ64Pr SynPEy7uTFT4N5SRx11dZAHIOslQLhr8MiobqX+9EGvQo9ua3TQKd/jT+tgX32Nc iZZyerd6IcT4SZTvH67UZwTxtlqu397Ti8cI8fcqziHoY76MBHCVcG6pvpW4e5H+ LvitdA== -----END CERTIFICATE----- --- Server certificate subject=/C=IN/ST=HR/L=GGN/O=SAP/OU=ISST/CN=mmprodam01.abc.com issuer=/C=IN/ST=HR/L=GGN/O=SAP/OU=ISST/CN=mmprodam01.abc.com --- No client certificate CA names sent --- SSL handshake has read 1008 bytes and written 311 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 1024 bit Secure Renegotiation IS supported Compression: zlib compression Expansion: zlib compression SSL-Session: Protocol : TLSv1 Cipher : AES256-SHA Session-ID: 2D97EE613D427036C9A1B1BB5E2371283763DDA8A761D9BED3385D4793E6E061 Session-ID-ctx: Master-Key: 161A39EC4E5B5C0E0F211A014E6CE4B643F77C8C77B9175BFEF399A08319A56C9C199AF417E09EA9508579368E31F7AA Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None TLS session ticket: 0000 - 82 43 eb e1 46 c2 bd 6f-7a 8b 44 20 cc 8a d5 c4 .C..F..oz.D .... 0010 - 9f 34 ee 02 36 1b 24 32-05 7e e4 3c a7 de 01 e6 .4..6.$2.~.<.... 0020 - c0 b9 39 8b 50 b6 b8 b2-21 3a 81 02 16 3d a1 b1 ..9.P...!:...=.. 0030 - b6 ac 98 fe 34 f5 ba e2-f1 e2 30 c8 ed ad f8 8b ....4.....0..... 0040 - 00 5f bf f8 ed 75 90 65-7e c1 e6 b5 b1 e7 a3 ba ._...u.e~....... 0050 - 75 67 6e a3 d2 ab f5 2b-20 77 31 90 cd 3f b0 38 ugn....+ w1..?.8 0060 - 1f 60 da e9 8e dc 7c e2-97 56 95 55 61 c9 51 da .`....|..V.Ua.Q. 0070 - c7 4f 65 13 48 64 8f 67-1d d1 75 b2 91 b2 7c b5 .Oe.Hd.g..u...|. 0080 - 7e 5f 6b 7b 61 e3 73 63-2b d7 91 c0 91 61 e7 27 ~_k{a.sc +....a.' 0090 - 16 4b c5 e9 e0 ea 03 7a-6c 77 51 77 5c b6 f0 93 .K.....zlwQw\... 00a0 - ab 82 f9 8c 23 06 61 88-86 43 5a 20 1a 11 c5 e7 ....#.a..CZ .... Compression: 1 (zlib compression) Start Time: 1353129151 Timeout : 300 (sec) Verify return code: 18 (self signed certificate) --- ^C On Sat, Nov 17, 2012 at 11:22 AM, houston <houston.r.hopkins(a)gmail.com>wrote: > just curious, did you get ldap running over ssl on rhel 6.3? if so did > you have to compile your ownnor did you use the red hat version? i cant > seem to get ldapsearch to work over ldaps when using red hats 2.4 version > > thx, > Houston > > anil beniwal <beni.anil(a)gmail.com> wrote: > Hi List > > Can any body guide me through the steps required to setup n-way > multimaster(3 or more servers at diff countries) replication with > openldap 2.4.2 > > 1. ssl based > 2. tls based > > I am having normal replication running b/w 3 servers. Now i want to setup > secure replication. > > i am using self signed certificate on RHEL 6.3. > How can i validate whether replication is working fine for ssl or tls. > How to enable replication logs. > > Anything else i should check out. > > I have already gone through a lot of postings on google. > > > > > > > > -- > > Thanks&Regards > Anil Beniwal > > >

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical November 2012