Re: Reg OpenLdap on Ubuntu

Hi Matt, openldap user is already a part of ssl-cert group. Regarding apparmor, I am very much new to this. But I did some research on this and did some changes like : 1. moving the /usr/sbin/slapd profile to complain mode and 2. changing the following lines in /etc/apparmor.d/usr.sbin.slapd from : /etc/ssl/private/ r, /etc/ssl/private/* r, to /etc/ssl/private/ mixr, /etc/ssl/private/* mixr, After the changes, I did the following : /etc/init.d/apparmor stop* * update-rc.d -f apparmor remove* */etc/init.d/apparmor start update-rc.d apparmor defaults But it yields no positive result. Is there anything else that I need to do? Please let me know. Thank you very much for the reply. -Asimananda On Mon, Jul 13, 2009 at 8:29 PM, Matt Kassawara <battery(a)writeme.com&gt;wrote: > Make sure slapd can read the certs and private key. In addition to > typical ownership and permissions, the openldap user should belong to the > ssl-cert group and the slapd AppArmor profile must allow access to the > directories containing your certs. > > > On Mon, Jul 13, 2009 at 5:22 AM, Asimananda Mohanty < > asimananda.mohanty(a)gmail.com&gt; wrote: > >> Hi, >> >> I ran the command "slapd -d 16383" and attached is the output of the same >> in case it may prove to be useful. >> >> In this output, ldap-company.com.crt is server.crt as defined in in my >> earlier mails. I have changed it to try some luck, but it was fruitless. >> >> -Asimananda >> >> On Mon, Jul 13, 2009 at 10:55 AM, Asimananda Mohanty < >> asimananda.mohanty(a)gmail.com&gt; wrote: >> >>> Hi Matt, >>> >>> I created the certificates following the procedure defined in >>> https://help.ubuntu.com/8.10/serverguide/C/openldap-server.html >>> >>> I created a CA and signed the certificate as defined the steps. >>> >>> The ownership is of openldap:openldap for cacert.pem and server.crt and >>> openldap:ssl-cert for server.key. >>> >>> rwx permission is 644 for all the three. >>> >>> Thanks for the reply. >>> >>> -Asimananda >>> >>> >>> On Fri, Jul 10, 2009 at 7:47 PM, Matt Kassawara <battery(a)writeme.com&gt;wrote: >>> >>>> How did you create the certificates? Can slapd read them? >>>> >>>> On Fri, Jul 10, 2009 at 5:00 AM, Asimananda Mohanty < >>>> asimananda.mohanty(a)gmail.com&gt; wrote: >>>> >>>>> Hi All, >>>>> >>>>> I am currently busy configuring OpenLdap on my newly installed Ubuntu >>>>> 9.04. >>>>> >>>>> Here is what I have done till now. >>>>> >>>>> I followed the steps defined in >>>>> https://help.ubuntu.com/8.10/serverguide/C/openldap-server.html and >>>>> installation was successful. I installed PhpLdapAdmin also. >>>>> >>>>> After I created certificate, key etc, I created a .ldif file >>>>> (enable-ca.ldif) with the following content : >>>>> >>>>> *dn: cn=config >>>>> add: olcTLSCACertificateFile >>>>> olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem >>>>> - >>>>> add: olcTLSCertificateFile >>>>> olcTLSCertificateFile: /etc/ssl/certs/server.crt >>>>> - >>>>> add: olcTLSCertificateKeyFile >>>>> olcTLSCertificateKeyFile: /etc/ssl/private/server.key* >>>>> >>>>> Then I executed the command : >>>>> >>>>> *ldapmodify -D "cn=admin,cn=config" -x -w 12345678 -f enable-ca.ldif* >>>>> >>>>> and it was a success. >>>>> >>>>> But after this, when I tried to restart slapd, I got errors like the >>>>> following : >>>>> >>>>> *main: TLS init def ctx failed: -1* >>>>> >>>>> I noticed that after I executed "ldapmodify -D "cn=admin,cn=config" -x >>>>> -w 12345678 -f enable-ca.ldif", 3 lines are added to >>>>> /etc/ldap/slapd.d/cn=config.ldif and when I commented the last two >>>>> lines like the following, slapd started successfully. >>>>> >>>>> *olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem >>>>> #olcTLSCertificateFile: /etc/ssl/certs/server.crt >>>>> #olcTLSCertificateKeyFile: /etc/ssl/private/server.key* >>>>> >>>>> This looks quite strange. >>>>> >>>>> Please help me resolving the same. >>>>> >>>>> -Asimananda >>>>> >>>> >>>> >>> >> >