Hi Matt,
The openldap user is already a part of the ssl-cert group.
Regarding AppArmor, I am very much new to this, but I did some research on this and made some changes like:
1. moving the /usr/sbin/slapd profile to complain mode and
2. changing the following lines in /etc/apparmor.d/usr.sbin.slapd from:
    /etc/ssl/private/ r,
    /etc/ssl/private/* r,
   to
    /etc/ssl/private/ mixr,
    /etc/ssl/private/* mixr,
After the changes, I did the following:
    /etc/init.d/apparmor stop
    update-rc.d -f apparmor remove
    /etc/init.d/apparmor start
    update-rc.d apparmor defaults
But it yields no positive result.
Is there anything else that I need to do?
Please let me know.
Thank you very much for the reply.
-Asimananda
On Mon, Jul 13, 2009 at 8:29 PM, Matt Kassawara <battery(a)writeme.com> wrote:
Make sure slapd can read the certs and private key. In addition to typical ownership and permissions, the openldap user should belong to the ssl-cert group and the slapd AppArmor profile must allow access to the directories containing your certs.
On Mon, Jul 13, 2009 at 5:22 AM, Asimananda Mohanty <asimananda.mohanty(a)gmail.com> wrote:
> Hi,
>
> I ran the command "slapd -d 16383" and attached is the output of the same
> in case it may prove to be useful.
>
> In this output, ldap-company.com.crt is server.crt as defined in my
> earlier mails. I have changed it to try some luck, but it was fruitless.
>
> -Asimananda
>
> On Mon, Jul 13, 2009 at 10:55 AM, Asimananda Mohanty <asimananda.mohanty(a)gmail.com> wrote:
>
>> Hi Matt,
>>
>> I created the certificates following the procedure defined in
>> https://help.ubuntu.com/8.10/serverguide/C/openldap-server.html
>>
>> I created a CA and signed the certificate as defined in the steps.
>>
>> The ownership is openldap:openldap for cacert.pem and server.crt and
>> openldap:ssl-cert for server.key.
>>
>> The rwx permission is 644 for all three.
>>
>> Thanks for the reply.
>>
>> -Asimananda
>>
>>
>> On Fri, Jul 10, 2009 at 7:47 PM, Matt Kassawara <battery(a)writeme.com> wrote:
>>
>>> How did you create the certificates? Can slapd read them?
>>>
>>> On Fri, Jul 10, 2009 at 5:00 AM, Asimananda Mohanty <asimananda.mohanty(a)gmail.com> wrote:
>>>
>>>> Hi All,
>>>>
>>>> I am currently busy configuring OpenLDAP on my newly installed Ubuntu 9.04.
>>>>
>>>> Here is what I have done till now.
>>>>
>>>> I followed the steps defined in
>>>> https://help.ubuntu.com/8.10/serverguide/C/openldap-server.html
>>>> and the installation was successful. I installed phpLDAPadmin also.
>>>>
>>>> After I created the certificate, key, etc., I created a .ldif file
>>>> (enable-ca.ldif) with the following content:
>>>>
>>>> dn: cn=config
>>>> add: olcTLSCACertificateFile
>>>> olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
>>>> -
>>>> add: olcTLSCertificateFile
>>>> olcTLSCertificateFile: /etc/ssl/certs/server.crt
>>>> -
>>>> add: olcTLSCertificateKeyFile
>>>> olcTLSCertificateKeyFile: /etc/ssl/private/server.key
>>>>
>>>> Then I executed the command:
>>>>
>>>> ldapmodify -D "cn=admin,cn=config" -x -w 12345678 -f enable-ca.ldif
>>>>
>>>> and it was a success.
>>>>
>>>> But after this, when I tried to restart slapd, I got errors like the
>>>> following:
>>>>
>>>> main: TLS init def ctx failed: -1
>>>>
>>>> I noticed that after I executed
>>>> "ldapmodify -D "cn=admin,cn=config" -x -w 12345678 -f enable-ca.ldif",
>>>> 3 lines are added to /etc/ldap/slapd.d/cn=config.ldif, and when I
>>>> commented out the last two lines like the following, slapd started
>>>> successfully.
>>>>
>>>> olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
>>>> #olcTLSCertificateFile: /etc/ssl/certs/server.crt
>>>> #olcTLSCertificateKeyFile: /etc/ssl/private/server.key
>>>>
>>>> This looks quite strange.
>>>>
>>>> Please help me resolve this.
>>>>
>>>> -Asimananda
>>>>
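Matt's checklist above (ownership and permissions, openldap in the ssl-cert group, and traversal into the directories holding the certs and key) can be verified mechanically without logging in as the nologin openldap account. The script below is an added example, not code from the thread or from OpenLDAP: it walks the mode bits of every path component for a named user and reads the file paths out of an LDIF carrying the same olcTLS*File attributes as enable-ca.ldif. It assumes GNU coreutils (stat -c, id -nG); the function names are hypothetical.

```shell
# user_in_group USER GROUP -> 0 if GROUP is among USER's primary/supplementary groups
user_in_group() {
    for g in $(id -nG "$1" 2>/dev/null); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# bit_allows USER OWNER GROUP MODE NEED -> 0 if the permission class that applies
# to USER (owner, group or other) has bit NEED set (4 = read, 1 = traverse/execute)
bit_allows() {
    user=$1 owner=$2 group=$3 need=$5
    mode=$(printf '%03d' "$4"); mode=${mode#${mode%???}}   # last three octal digits
    if [ "$user" = "$owner" ]; then digit=${mode%??}
    elif user_in_group "$user" "$group"; then digit=${mode#?}; digit=${digit%?}
    else digit=${mode#??}
    fi
    [ $((digit & need)) -ne 0 ]
}

# can_read_as USER PATH -> 0 if USER can traverse every parent directory and read
# PATH; otherwise prints the first component that blocks access and returns 1.
# Pure mode-bit arithmetic: ignores root's override and POSIX ACLs, and says
# nothing about AppArmor, which is enforced on top of these bits.
can_read_as() {
    user=$1 path=$2 dir=$(dirname "$2")
    while :; do                            # walk from the leaf directory up to /
        info=$(stat -c '%U %G %a' "$dir") || return 2
        set -- $info
        bit_allows "$user" "$1" "$2" "$3" 1 || { echo "no traverse: $dir ($1:$2 $3)"; return 1; }
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    info=$(stat -c '%U %G %a' "$path") || return 2
    set -- $info
    bit_allows "$user" "$1" "$2" "$3" 4 || { echo "no read: $path ($1:$2 $3)"; return 1; }
}

# slapd_tls_files LDIF -> the paths named by the three olcTLS*File attributes
slapd_tls_files() {
    grep -E '^olcTLS(CACertificate|Certificate|CertificateKey)File:' "$1" | sed 's/^[^:]*: *//'
}

# check_slapd_tls LDIF USER -> 0 only if USER can read every file the LDIF names
check_slapd_tls() {
    rc=0
    for f in $(slapd_tls_files "$1"); do can_read_as "$2" "$f" || rc=1; done
    return $rc
}
```

Run as root against /etc/ldap/slapd.d/cn=config.ldif with the user openldap; if this passes and slapd still fails TLS init, the remaining suspect is the AppArmor profile, whose denials are logged to /var/log/kern.log (also visible via dmesg).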