openldap-technical

openldap-technical@openldap.org

7 participants
9901 discussions

ldapadd of LDIF files with attribute 'apple-generateduid' not allowed [Resolved]
by Alexander Hartner 07 Sep '08

07 Sep '08

At it turns out the problem was with the objectClasses. I should have used : objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: extensibleObject Instead of objectClass: top objectClass: person objectClass: inetOrgPerson Adding the extra attributes to the objectClass resolved this problem. Thanks for all your help. Regards Alex On 21 Feb 2008, at 11:56, Alexander Hartner wrote: > I am trying to import a simple LDIF file into OpenDirectory on OS X > 10.5.2 Leopard Server. > > However when I issue the following ldapadd command I get an error : > > ldapadd -D [rootdn] -x -w [secretPassword] -f Import.ldif > > Error : 65 Object class violation" > attribute 'apple-generateduid' not allowed > > > I would have thought that I had specified apple-generateduid, but I > didn't. > > This is my import file > -----------BEGIN----------- > # Alexander Hartner > dn: cn=Alexander Hartner2,cn=people,dc=macbook-znet,dc=local > objectClass: top > objectClass: person > objectClass: inetOrgPerson > displayName: Alexander Hartner2 > cn: Alexander Hartner2 > givenName: Alexander > sn: Hartner > mail: alex(a)j2anywhere.com > initials: A > o: j2anywhere.com > -----------END----------- > > I know this might not be the best forum for OS X support, but I am a > bit stuck on this. > Thanks in advance. > Alex > > >

2 2

anish_patil wants to keep up with you on Twitter
by anish_patil 07 Sep '08

07 Sep '08

To find out more about Twitter, visit the link below: http://twitter.com/i/6de68cfefa92375374ca938a55b8e865fa2162ab Thanks, -The Twitter Team About Twitter Twitter is a unique approach to communication and networking based on the simple concept of status. What are you doing? What are your friends doing—right now? With Twitter, you may answer this question over SMS, IM, or the Web and the responses are shared between contacts. This message was sent by a Twitter user who entered your email address. If you'd prefer not to receive emails when other people invite you to Twitter, click here: http://twitter.com/i/optout/dd31dad00025fa765c3307138c272038991bea18

1 0

Re: RHEL 5 will not do TLS/SSL authentication
by Dat Duong 05 Sep '08

05 Sep '08

Does anyone have the answer to my problem? thanks ----- Original Message ---- From: Dat Duong <datduong2000(a)yahoo.com> To: Buchan Milne <bgmilne(a)staff.telkomsa.net> Cc: openldap-technical(a)openldap.org Sent: Wednesday, September 3, 2008 7:45:45 AM Subject: Re: RHEL 5 will not do TLS/SSL authentication The slapd.conf is on Solaris 10 machine. This is how I compiled from the source for Openssl and Openldap. #cd openssl.0.98h # ./config shared # make clean # make # make install # cd openldap-2.4.11 # env LD_LIBRARY_PATH="/usr/lib:/usr/local/lib:/usr/local/BerkeleyDB.4.2/lib:/usr/local/ssl/lib" LDFLAGS="-L/usr/local/lib -L/usr/local/BerkeleyDB.4.2/lib -L/usr/local/ssl/lib -R/usr/local/lib -R/usr/local/BerkeleyDB.4.2/lib -R/usr/local/ssl/lib" CPPFLAGS="-I/usr/local/include -I/usr/local/BerkeleyDB.4.2/include -I/usr/local/ssl/include" ./configure --enable-bdb --enable-crypt --with-tls --without-cyrus-sasl # make depend # make clean ----- Original Message ---- From: Buchan Milne <bgmilne(a)staff.telkomsa.net> To: Dat Duong <datduong2000(a)yahoo.com> Cc: openldap-technical(a)openldap.org Sent: Wednesday, September 3, 2008 5:17:14 AM Subject: Re: RHEL 5 will not do TLS/SSL authentication On Wednesday 03 September 2008 09:49:54 Dat Duong wrote: > I'm thinking, if the gnutls which installed by default, was causing the > problem?? It doesn't matter if gnutls is installed, what matters is what OpenLDAP was compiled against. Now, you stated that you are using RHEL 5, and gave no other details of what software you installed, so it would be logical to assume you are using only the RHEL 5 packages. On RHEL 5, OpenLDAP 2.3.27 is compiled against openssl 0.9.8b. But, since you have some weird paths reflected in your slapd.conf etc., maybe you have built your own software. If you have, you need to supply the details thereof, or we are all wasting our time. Regards, Buchan

1 0

Re: Help needed to set up N-way multimaster replication
by piyush joshi 04 Sep '08

04 Sep '08

I have added serverid 1 to first server and serverid 2 to secondserver and rid=001 with syncrepl on both the server also added mirrormode true on both node but now when i make changes to one server that is not reflected to another one while before adding mirrormode true whenever i was trying to make changes in dir it gives me error [ Sep 4 10:18:39 mail slapd[20141]: conn=5 op=1 RESULT tag=103 err=53 text=shadow context; no update referral ] So now no idea where I am wrong. Please help me ... On Wed, Sep 3, 2008 at 6:25 PM, Miguel Jinez <miguel.jinez(a)gmail.com> wrote: > Hello, maybe try with a mirrormode line, look the comments in red > > Migue > > 2008/9/3 piyush joshi <joy.piyush(a)gmail.com> > > >> *Dear All,* >> *I am using openldap-2.4.11 version and trying to use >> N-way multimaster replication so that changes made to first server reflects >> to second and* *vice versa but with my current set up if i use syncprov >> overlay and syncrepl on both server then it doesn't allow me to make changes >> in any ldap server but if i configure syncprov overlay on one server and >> configure syncrepl on another server it allow me to make changes and as well >> reflect the changes to another however still i can't make changes to second >> ldap server my both server configuration is as follows. please let me know >> what is wrong with this configuration or what all changes to be made >> to running it.* >> >> Configuration on First LDAP Server >> >> allow bind_v2 >> include /usr/local/openldap/etc/openldap/schema/core.schema >> include /usr/local/openldap/etc/openldap/schema/corba.schema >> include /usr/local/openldap/etc/openldap/schema/cosine.schema >> include /usr/local/openldap/etc/openldap/schema/nis.schema >> include >> /usr/local/openldap/etc/openldap/schema/inetorgperson.schema >> pidfile /usr/local/openldap/var/run/slapd.pid >> argsfile /usr/local/openldap/var/run/slapd.args >> modulepath /usr/local/openldap/libexec/openldap >> moduleload syncprov >> password-hash {SSHA} >> database hdb >> suffix "dc=***,dc=com" >> rootdn "cn=root,dc=***,dc=com" >> rootpw {SSHA}yZkqhHmELfmUTsaQyfxgXBqq95gugTA4 >> directory /usr/local/openldap/var/openldap-data >> index uid pres,eq >> index cn,sn pres,eq,approx,sub >> index objectClass eq >> index entryCSN,entryUUID eq >> syncrepl rid=001 >> provider=ldap://192.168.1.12 >> type=refreshAndPersist >> retry="5 5 300 +" >> searchbase="dc=***,dc=com" >> attrs=* >> binddn="cn=root,dc=***,dc=com" >> credentials=secret >> > mirrormode true > > >> overlay syncprov >> syncprov-checkpoint 50 10 >> database monitor >> loglevel 256 >> >> >> Configuration on Second LDAP Server >> >> allow bind_v2 >> include /usr/local/openldap/etc/openldap/schema/core.schema >> include /usr/local/openldap/etc/openldap/schema/corba.schema >> include /usr/local/openldap/etc/openldap/schema/cosine.schema >> include /usr/local/openldap/etc/openldap/schema/nis.schema >> include >> /usr/local/openldap/etc/openldap/schema/inetorgperson.schema >> pidfile /usr/local/openldap/var/run/slapd.pid >> argsfile /usr/local/openldap/var/run/slapd.args >> >> modulepath /usr/local/openldap/libexec/openldap >> moduleload syncprov >> password-hash {SSHA} >> >> database hdb >> suffix "dc=***,dc=com" >> rootdn "cn=root,dc=***,dc=com" >> rootpw {SSHA}9nbNE9l1rTvPCoU95zgo6vVoL3nMRzMI >> directory /usr/local/openldap/var/openldap-data >> index uid pres,eq >> index cn,sn pres,eq,approx,sub >> index objectClass eq >> index entryCSN,entryUUID eq >> syncrepl rid=001 >> provider=ldap://192.168.1.8 >> type=refreshAndPersist >> retry="5 5 300 +" >> searchbase="dc=***,dc=com" >> attrs=* >> binddn="cn=root,dc=***,dc=com" >> credentials=secret >> mirrormode true >> > > >> overlay syncprov >> syncprov-checkpoint 50 10 >> database monitor >> loglevel 256 >> >> >> Thanks Regards >> >> Piyush Joshi >> 9415414376 >> >> >> >> >> >> > > -- Regards Piyush Joshi 9415414376

3 4

objectclass sambaSamAccount
by Laurence Mayer 03 Sep '08

03 Sep '08

Hi, OS: Linux Redhat x86_64 OpenLdap 2.3.27 I am trying to add an objectclass sambaSamAccount to my ou=People. My goal would be to have both samba and posix account for each user. I have included the samba schema to the slapd.conf file. I tried adding this to a file and running ldapadd: dn: uid=laurence, ou=People,dc=istraresearch,dc=com sambaLogonTime: 0 displayName: Laurence Mayer sambaLMPassword: xxxxx sambaPrimaryGroupSID: S-1-5-21-2447931902-1787058256-3961074038-1201 objectClass: sambaSamAccount sambaAcctFlags: [UX ] gidNumber: 100 sambaKickoffTime: 2147483647 sambaPwdLastSet: 1010179230 sambaSID: S-1-5-21-2447931902-1787058256-3961074038-5004 sambaPwdCanChange: 0 sambaPwdMustChange: 2147483647 sambaNTPassword: xxxx However I received the error: adding new entry "uid=laurence, ou=People,dc=istraresearch,dc=com" ldap_add: Internal (implementation specific) error (80) additional info: no structuralObjectClass operational attribute Please can you tell me what I need to do to achieve this. Thanks in advance Laurence

4 10

Re: RHEL 5 will not do TLS/SSL authentication
by Dat Duong 03 Sep '08

03 Sep '08

The slapd.conf is on Solaris 10 machine. This is how I compiled from the source for Openssl and Openldap. #cd openssl.0.98h # ./config shared # make clean # make # make install # cd openldap-2.4.11 # env LD_LIBRARY_PATH="/usr/lib:/usr/local/lib:/usr/local/BerkeleyDB.4.2/lib:/usr/local/ssl/lib" LDFLAGS="-L/usr/local/lib -L/usr/local/BerkeleyDB.4.2/lib -L/usr/local/ssl/lib -R/usr/local/lib -R/usr/local/BerkeleyDB.4.2/lib -R/usr/local/ssl/lib" CPPFLAGS="-I/usr/local/include -I/usr/local/BerkeleyDB.4.2/include -I/usr/local/ssl/include" ./configure --enable-bdb --enable-crypt --with-tls --without-cyrus-sasl # make depend # make clean ----- Original Message ---- From: Buchan Milne <bgmilne(a)staff.telkomsa.net> To: Dat Duong <datduong2000(a)yahoo.com> Cc: openldap-technical(a)openldap.org Sent: Wednesday, September 3, 2008 5:17:14 AM Subject: Re: RHEL 5 will not do TLS/SSL authentication On Wednesday 03 September 2008 09:49:54 Dat Duong wrote: > I'm thinking, if the gnutls which installed by default, was causing the > problem?? It doesn't matter if gnutls is installed, what matters is what OpenLDAP was compiled against. Now, you stated that you are using RHEL 5, and gave no other details of what software you installed, so it would be logical to assume you are using only the RHEL 5 packages. On RHEL 5, OpenLDAP 2.3.27 is compiled against openssl 0.9.8b. But, since you have some weird paths reflected in your slapd.conf etc., maybe you have built your own software. If you have, you need to supply the details thereof, or we are all wasting our time. Regards, Buchan

1 0

Re: RHEL 5 will not do TLS/SSL authentication
by Buchan Milne 03 Sep '08

03 Sep '08

On Wednesday 03 September 2008 09:49:54 Dat Duong wrote: > I'm thinking, if the gnutls which installed by default, was causing the > problem?? It doesn't matter if gnutls is installed, what matters is what OpenLDAP was compiled against. Now, you stated that you are using RHEL 5, and gave no other details of what software you installed, so it would be logical to assume you are using only the RHEL 5 packages. On RHEL 5, OpenLDAP 2.3.27 is compiled against openssl 0.9.8b. But, since you have some weird paths reflected in your slapd.conf etc., maybe you have built your own software. If you have, you need to supply the details thereof, or we are all wasting our time. Regards, Buchan

1 0

Help needed to set up N-way multimaster replication
by piyush joshi 03 Sep '08

03 Sep '08

*Dear All,* *I am using openldap-2.4.11 version and trying to use N-way multimaster replication so that changes made to first server reflects to second and* *vice versa but with my current set up if i use syncprov overlay and syncrepl on both server then it doesn't allow me to make changes in any ldap server but if i configure syncprov overlay on one server and configure syncrepl on another server it allow me to make changes and as well reflect the changes to another however still i can't make changes to second ldap server my both server configuration is as follows. please let me know what is wrong with this configuration or what all changes to be made to running it.* Configuration on First LDAP Server allow bind_v2 include /usr/local/openldap/etc/openldap/schema/core.schema include /usr/local/openldap/etc/openldap/schema/corba.schema include /usr/local/openldap/etc/openldap/schema/cosine.schema include /usr/local/openldap/etc/openldap/schema/nis.schema include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema pidfile /usr/local/openldap/var/run/slapd.pid argsfile /usr/local/openldap/var/run/slapd.args modulepath /usr/local/openldap/libexec/openldap moduleload syncprov password-hash {SSHA} database hdb suffix "dc=***,dc=com" rootdn "cn=root,dc=***,dc=com" rootpw {SSHA}yZkqhHmELfmUTsaQyfxgXBqq95gugTA4 directory /usr/local/openldap/var/openldap-data index uid pres,eq index cn,sn pres,eq,approx,sub index objectClass eq index entryCSN,entryUUID eq syncrepl rid=001 provider=ldap://192.168.1.12 type=refreshAndPersist retry="5 5 300 +" searchbase="dc=***,dc=com" attrs=* binddn="cn=root,dc=***,dc=com" credentials=secret overlay syncprov syncprov-checkpoint 50 10 database monitor loglevel 256 Configuration on Second LDAP Server allow bind_v2 include /usr/local/openldap/etc/openldap/schema/core.schema include /usr/local/openldap/etc/openldap/schema/corba.schema include /usr/local/openldap/etc/openldap/schema/cosine.schema include /usr/local/openldap/etc/openldap/schema/nis.schema include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema pidfile /usr/local/openldap/var/run/slapd.pid argsfile /usr/local/openldap/var/run/slapd.args modulepath /usr/local/openldap/libexec/openldap moduleload syncprov password-hash {SSHA} database hdb suffix "dc=***,dc=com" rootdn "cn=root,dc=***,dc=com" rootpw {SSHA}9nbNE9l1rTvPCoU95zgo6vVoL3nMRzMI directory /usr/local/openldap/var/openldap-data index uid pres,eq index cn,sn pres,eq,approx,sub index objectClass eq index entryCSN,entryUUID eq syncrepl rid=001 provider=ldap://192.168.1.8 type=refreshAndPersist retry="5 5 300 +" searchbase="dc=***,dc=com" attrs=* binddn="cn=root,dc=***,dc=com" credentials=secret overlay syncprov syncprov-checkpoint 50 10 database monitor loglevel 256 Thanks Regards Piyush Joshi 9415414376

2 1

Re: RHEL 5 will not do TLS/SSL authentication
by Buchan Milne 03 Sep '08

03 Sep '08

On Tuesday 02 September 2008 21:26:10 Dat Duong wrote: > Also I did the certs test on the client RHEL5: And it failed for some reason, meaning this isn't an OpenLDAP problem, but an OpenSSL problem. > > # openssl s_client -connect xxx.xxx.xxx.xxx:636 -showcerts -state -CAfile > /etc/openldap/cacerts/cacert.pem > > > CONNECTED(00000003) > SSL_connect:before/connect initialization > SSL_connect:SSLv2/v3 write client hello A > SSL_connect:SSLv3 read server hello A > depth=1 > /C=US/ST=California/O=/OU=/CN=ldap01.example.com/emailAddress=dduong@yahoo. >com verify return:1 > depth=0 /C=US/ST=California/L=Mountain > View/O=/OU=/CN=ldap01.example.com/emailAddress=dduong@yahoo.com verify > return:1 > SSL_connect:SSLv3 read server certificate A > SSL_connect:SSLv3 read server done A > SSL_connect:SSLv3 write client key exchange A > SSL_connect:SSLv3 write change cipher spec A > SSL_connect:SSLv3 write finished A > SSL_connect:SSLv3 flush data At this point, I get: SSL_connect:SSLv3 read finished A --- Certificate chain 0 s:/C=ZA .... > SSL3 alert read:fatal:bad record mac > SSL_connect:failed in SSLv3 read finished A > 29751:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record > mac:s3_pkt.c:1057:SSL alert number 20 29751:error:140790E5:SSL > routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188: > So it looks like a problem with the certificate. > > > ----- Original Message ---- > From: Dat Duong <datduong2000(a)yahoo.com> > To: Buchan Milne <bgmilne(a)staff.telkomsa.net>; > openldap-technical(a)openldap.org Sent: Tuesday, September 2, 2008 12:14:12 > PM > Subject: Re: RHEL 5 will not do TLS/SSL authentication > > > I'm using ldapsearch from openldap-2.4.xx on Solaris 10. I can do the > ldapsearch with -ZZ option and I can get the result back just fine. > However, on my RHEL 5 using the native ldapsearch with -ZZ and a -d1 > options for debug, will give some errors below. I can do a ldapsearch > without the -ZZ and it just run fine. > > ERROR: > > TLS trace: SSL_connect:before/connect initialization > TLS trace: SSL_connect:SSLv2/v3 write client hello A > TLS trace: SSL_connect:SSLv3 read server hello A > TLS certificate verification: depth: 1, err: 19, subject: > /C=US/ST=California/O=/OU=/CN=ldap01.example.com/emailAddress=dduong@yahoo. >com, issuer: > /C=US/ST=California/O=/OU=/CN=ldap01.example.com/emailAddress=dduong@yahoo. >com TLS certificate verification: Error, self signed certificate in > certificate chain TLS trace: SSL3 alert write:fatal:unknown CA > TLS trace: SSL_connect:error in SSLv3 read server certificate B > TLS trace: SSL_connect:error in SSLv3 read server certificate B > TLS: can't connect. > ldap_perror > ldap_start_tls: Connect error (-11) > additional info: error:14090086:SSL > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed > > > **** Here is how I setup the TLS: > > On the Client side, I copied over the cacert.pem from the server to > /etc/openldap/cacerts/cacert.pem. A look at the cacert.pem show: > > Certificate: > Data: > Version: 3 (0x2) > Serial Number: > b1:fe:10:70:c6:7e:fe:24 > Signature Algorithm: sha1WithRSAEncryption > Issuer: C=US, ST=California, O=, OU=ODIN, > CN=ldap01.example.com/emailAddress=dduong@yahoo.com Validity > Not Before: Sep 2 17:31:55 2008 GMT > Not After : Sep 2 17:31:55 2011 GMT > Subject: C=US, ST=California, O=, OU=, > CN=ldap01.example.com/emailAddress=dduong@yahoo.com Subject Public Key > Info: > Public Key Algorithm: rsaEncryption > RSA Public Key: (1024 bit) > Modulus (1024 bit): > 00:bf:eb:3e:89:2b:aa:4f:2f:31:0e:45:8f:7e:1b: > c6:3f:49:ae:62:ea:1b:fe:4a:71:60:38:b9:a8:02: > eb:7e:e4:3b:a6:cb:bb:9c:bb:23:b7:86:11:87:b4: > 2d:59:99:33:20:f4:90:dd:90:52:b0:59:1d:e4:e4: > 68:03:7f:d2:7f:0b:9d:e7:10:81:9d:d0:ef:d8:98: > dc:49:a0:2b:c1:71:5d:2c:63:34:e5:38:7c:13:11: > f4:cf:bd:0b:4a:2b:2c:03:23:9a:e1:67:6d:d9:ae: > c6:60:ac:85:41:98:43:03:28:fa:e1:e6:76:3e:69: > 8f:66:de:ca:56:ff:de:33:4d > Exponent: 65537 (0x10001) > X509v3 extensions: > X509v3 Subject Key Identifier: > 7C:49:79:29:08:EE:77:8D:C0:93:9B:44:62:63:F6:3F:FD:26:1E:E9 > X509v3 Authority Key Identifier: > > keyid:7C:49:79:29:08:EE:77:8D:C0:93:9B:44:62:63:F6:3F:FD:26:1E:E9 > DirName:/C=US/ST=California/O=/OU=ODIN/CN=ldap01.example.com/emailAddress=d >duong(a)yahoo.com serial:B1:FE:10:70:C6:7E:FE:24 > > X509v3 Basic Constraints: > CA:TRUE > Signature Algorithm: sha1WithRSAEncryption > 4f:c5:42:62:d2:75:38:0f:cd:8c:18:a3:6f:d5:9b:92:23:4b: > a6:74:f9:e1:fd:9a:2f:43:ee:25:d6:f4:33:cb:2c:e1:f9:f2: > 1c:13:87:f4:cf:1c:68:ef:99:a3:5e:8c:4c:73:bd:e1:43:80: > 14:bb:dc:96:12:bf:93:4c:03:f3:f5:0d:bb:2f:92:26:fb:ae: > 54:62:de:cc:0a:d5:f1:cf:9a:b0:61:53:eb:6c:76:a4:f5:f2: > 9a:90:a6:a8:cc:db:f6:ba:aa:8c:ad:f5:4d:63:d2:3a:4b:e9: > 45:41:73:ac:5b:a8:ab:7f:8f:41:07:5d:02:73:a2:b9:9d:27: > 87:67 > -----BEGIN CERTIFICATE----- > . > . > . > . > . > -----END CERTIFICATE----- > > > *****On the client RHEL5, /etc/openldap/ldap.conf look like this: > > # > # LDAP Defaults > # > > # See ldap.conf(5) for details > # This file should be world readable but not world writable. > > #BASE dc=example, dc=com > #URI ldap://ldap.example.com ldap://ldap-master.example.com:666 > > #SIZELIMIT 12 > #TIMELIMIT 15 > #DEREF never > URI ldap://xxx.xxx.xxx.xxx/ > BASE dc=foobar,dc=example,dc=com > TLS_CACERTDIR /etc/openldap/cacerts If you use this directive (and not TLS_CACERT), then you must have created the hashes in /etc/openldap/cacerts, using c_rehash (on RHEL, you must install openssl-perl to get this), e.g. c_rehash /etc/openldap/cacerts > > > ***** On Client RHEL5, the ldap.conf located at /etc/ldap.conf look like > this: I've removed the useless lines of commented defaults .... > base dc=example,dc=com > > timelimit 120 > > bind_timelimit 120 > > idle_timelimit 3600 > > nss_base_passwd ou=People,dc=foobar,dc=example,dc=com?one > nss_base_shadow ou=People,dc=foobar,dc=example,dc=com?one > nss_base_group ou=Group,dc=foobar,dc=example,dc=com?one > nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon > ssl start_tls > tls_checkpeer yes > tls_cacertfile /etc/openldap/cacerts/cacert.pem > > uri ldap://ldap01.example.com/ > #ssl no > tls_cacertdir /etc/openldap/cacerts > pam_password crypt This should work, if your certificate wasn't broken. > On the LDAP server, This is how I create CA and certificates: > > #openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout > server.pem -days 365 I'm wondering if some files left over by the order in which you did things caused a problem. > ## create self signed certs > > ## generate root signing cert: > /usr/share/ssl/misc/CA.pl -newca Did you really give your CA the subject: C=US, ST=California, O=, OU=,CN=ldap01.example.com/emailAddress=dduong@yahoo.com ? Why did you make it so close to that of the LDAP server's certificate ? > > ## create a signing req for the server > openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem > > ## sign it with root CA > # /usr/local/ssl/misc/CA.sh -sign > > ## call the cert/key something useful > mv newcert.pem ldap01-cert.pem > mv newreq.pem ldap01-key.pem > > Copy ldap01-cert.pem and ldap01-key.pem and the root CA (in > demoCA/cacert.pem) to server:/opt/openldap/keys > > chmod 400 * > > Add these config params: > > TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv3 > TLSCACertificateFile /usr/local/etc/openldap/keys/cacert.pem > TLSCertificateFile /opt/openldap/keys/ldap01-cert.pem > TLSCertificateKeyFile /opt/openldap/keys/ldap01-key.pem > TLSVerifyClient never Can you verify the certificate on the server? E.g.: # openssl verify -CAfile /usr/local/etc/openldap/keys/cacert.pem /opt/openldap/keys/ldap01-cert.pem Regards, Buchan

1 0

Re: objectclass sambaSamAccount
by Michael Ströder 02 Sep '08

02 Sep '08

Laurence, please stay on the mailing list. Laurence Mayer wrote: > > I got this working and now I can add sambaSamAccounts. > > When I add passdb backend = ldapsam:ldap://ldap.example.com to my > smb.conf with all the other needed options the smb does not come up. You should provide more information. At first I'd recommend to have a closer look at the logs of OpenLDAP and Samba. Ciao, Michael.

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical