--On Monday, April 16, 2012 03:00:48 PM -0700 "Richards, Toby" toby.richards@slo.courts.ca.gov wrote:
> I've been attempting to get an OpenLDAP server running all day, and I've been reading official documentation, tutorials, and anything else relevant on Google. I have some questions:
First, it would be helpful to know what version of OpenLDAP you are attempting to use and on what OS.
> - What is the difference between ldapd & slapd (and commands such as ldapadd & slapadd)? Slapd doesn't seem to respond on LDAP ports, but ldapd does.
The LDAP server provided with OpenLDAP is slapd. I don't know what you are referring to when you talk about ldapd.
The executive summary of the difference between slapadd and ldapadd is that slapadd operates directly on the database and ldapadd operates over the protocol. In other words, you can slapadd entries to the database without having the slapd daemon running. The best documentation for these commands is the man pages that are delivered with OpenLDAP, i.e. 'man slapadd' and 'man ldapadd'.
> - When using commands & configuring ldap.conf, can I use an IP address instead of an FQDN for the host URI?
Yes.
> - Do self-signed certificates break ldapadd?
No.
> - I'm running with an SSL certificate, but no TLS. I commonly get the error "Confidentiality Required." The -Z option is for TLS. How do I tell ldapadd that I'm using SSL only? I tried with -Hldaps://hostname:636, but then I get "ldap_sasl_bind(SIMPLE): Can't connect to LDAP server" (even if I use the -x option). I know that the ldap server is running because when ldapd is running, I can connect with external tools such as jxplorer or ldap-at (but trying to make changes to my database will crash both of those utilities).
You probably should drop back and get a working ldap server first with a minimum amount of data. It will make the changes that you make to support secure connections to the directory simpler to test. It is also useful to run the server interactively in debug mode so you can see what is happening. On a debian system you would use the command:
/usr/sbin/slapd -d 1
When you are testing it makes a lot of sense to use ldapsearch as your first client.
Bill
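The "minimal working server first" procedure Bill describes, and the slapadd-offline versus ldapadd-over-protocol distinction from his earlier answer, written out as one added shell script. This is example code added to the thread, not something either poster supplied. It assumes OpenLDAP 2.4 command-line tools on PATH (slapd, slapadd, ldapsearch, ldapadd), the Debian schema directory /etc/ldap/schema, the mdb backend (2.4.27 or later; substitute hdb on older builds), and a throw-away suffix dc=example,dc=com with a constructed rootpw. The slapd.conf, LDIF, listener port and credentials are all constructed for the demo.

```shell
#!/bin/sh
# Added example: stand up a throw-away slapd with a minimal dataset, load the
# base entries OFFLINE with slapadd, then exercise the running daemon with
# ldapsearch and ldapadd over the protocol. Nothing here is from the original thread.
# Assumptions: Debian schema path, mdb backend, OpenLDAP 2.4 tools on PATH.

WORKDIR="${WORKDIR:-/tmp/slapd-test}"          # scratch directory (assumption)
SCHEMA_DIR="${SCHEMA_DIR:-/etc/ldap/schema}"   # Debian layout (assumption)
SUFFIX="dc=example,dc=com"                     # constructed test suffix
ROOTDN="cn=admin,$SUFFIX"
ROOTPW="secret"                                # constructed, test-only credential
URI="ldap://127.0.0.1:3890/"                   # unprivileged port so no root needed

# Minimal slapd.conf: one database, plain ldap:// only. There is deliberately no
# 'security ssf=...' line: a 'security ssf=128' directive is exactly what makes a
# cleartext client get "Confidentiality required" until it uses ldaps:// or -Z.
minimal_slapd_conf() {
  cat <<EOF
include   $SCHEMA_DIR/core.schema
include   $SCHEMA_DIR/cosine.schema
pidfile   $WORKDIR/slapd.pid
argsfile  $WORKDIR/slapd.args
database  mdb
suffix    "$SUFFIX"
rootdn    "$ROOTDN"
rootpw    $ROOTPW
directory $WORKDIR/db
EOF
}

# Smallest useful dataset: the suffix entry plus the rootdn entry (constructed).
minimal_ldif() {
  cat <<EOF
dn: $SUFFIX
objectClass: dcObject
objectClass: organization
dc: example
o: Example Org

dn: $ROOTDN
objectClass: organizationalRole
cn: admin
EOF
}

# Number of entries in the LDIF above, so a caller can sanity-check the dataset.
minimal_ldif_entry_count() {
  minimal_ldif | grep -c '^dn: '
}

run_demo() {
  mkdir -p "$WORKDIR/db"
  minimal_slapd_conf > "$WORKDIR/slapd.conf"
  minimal_ldif       > "$WORKDIR/base.ldif"

  # 1. slapadd writes straight into the database files; slapd must NOT be running.
  slapadd -f "$WORKDIR/slapd.conf" -l "$WORKDIR/base.ldif"

  # 2. Start slapd in the foreground with debug level 1 so every operation is
  #    visible on stderr; background it only so this script can continue.
  slapd -d 1 -f "$WORKDIR/slapd.conf" -h "$URI" 2> "$WORKDIR/slapd.log" &
  SLAPD_PID=$!
  sleep 2

  # 3. ldapsearch is the first client to try: simple bind, no TLS, read the tree.
  ldapsearch -x -H "$URI" -D "$ROOTDN" -w "$ROOTPW" -b "$SUFFIX" '(objectClass=*)' dn

  # 4. ldapadd goes over the protocol and therefore needs the running daemon.
  printf 'dn: ou=people,%s\nobjectClass: organizationalUnit\nou: people\n' "$SUFFIX" \
    | ldapadd -x -H "$URI" -D "$ROOTDN" -w "$ROOTPW"

  kill "$SLAPD_PID"
  echo "debug output is in $WORKDIR/slapd.log"
}

# Only touch the filesystem / start a daemon when explicitly asked.
[ "${RUN_SLAPD_DEMO:-0}" = 1 ] && run_demo
```

Run it with `RUN_SLAPD_DEMO=1 sh slapd-test.sh`. Once ldapsearch and ldapadd both work over plain ldap://, add a `TLSCertificateFile`/`TLSCertificateKeyFile` pair and (if you want to force encryption) `security ssf=128` to the generated slapd.conf, restart with `-h "ldap:/// ldaps:///"`, and retest with `-H ldaps://...` and with `-Z`; changing one thing at a time is the point of starting from the minimal setup.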