Hello,
I am playing around a little bit with the OpenLDAP 2.5alpha. I'm trying the new overlay for the certificates. I start with the configuration in slapd.conf, because it's faster to change ;-). I started with the two lines from the manpage:
--------
overlay autoca
caKeybits 4096
-------
The first start of the slapd failed with the error message:
---------
Oct 20 20:39:47 ldap25 systemd[1]: slapd-current.service: Control process exited, code=exited, status=1/FAILURE
Oct 20 20:39:47 ldap25 systemd[1]: slapd-current.service: Failed with result 'exit-code'.
---------
I checked the config, everything was OK, I tried it a second time and then the slapd started without problem. This happens after nearly every change of the parameters for this overlay. First start failed, second start was OK without any change in the configuration.
Now, when I do an ldapsearch I see:
---------
dn: dc=example,dc=net
objectClass: domain
objectClass: dcObject
objectClass: autoCA
dc: example
cACertificate;binary:: MIIFcDCCA1igAwIBAgIJAKh3GIChqUPoMA0GCSqGSIb3DQEBCwUAMC4 ... VYd8XlDNv6d/04FDyEqKH9KAV5RMXiI9GHbQ==
---------
Then I did the following changes in my configuration:
---------
overlay autoca
caKeybits 4096
userClass inetOrgPerson
userKeybits 4096
serverClass ipHost
serverKeybits 4096
---------
Because it's a TESTSYSTEM my ACLs are set:
---------
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to attrs=pKCS8PrivateKey by self ssf=128 write
access to * by self write by users read by anonymous auth
---------
But when I create a user or a server there is no certificate. The manpage says:
---------
Certificates for users and servers are generated on demand using a Search request
---------
But I never saw any certificate. As a user I search for my own object, but I don't see any certificate. Can I use (if it works ;-) ) the server certificate for TLS? Where can I find some more information about autoca?
Thanks for any help
Stefan
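The post checks for certificates by eyeballing ldapsearch output. The following is an added example (not the poster's code and not part of OpenLDAP) that does that check mechanically: it parses LDIF as ldapsearch emits it (folded continuation lines, `::` base64-encoded binary values), lists which entries carry `cACertificate`, `userCertificate` or `pKCS8PrivateKey`, and sanity-checks each value as a complete DER SEQUENCE, which is the outer framing of every X.509 certificate and PKCS#8 key. The sample LDIF is constructed; its base64 value is a placeholder DER SEQUENCE, not a real certificate, and the `uid=stefan` entry is a made-up user with no certificate, which is the situation the post describes.

```python
import base64

# Constructed sample LDIF, modelled on the ldapsearch output quoted in the post.
# The base64 value is NOT a real certificate: it decodes to the minimal DER
# SEQUENCE 30 03 02 01 01 and is split over a folded line to exercise unfolding.
# The second entry is a made-up user that carries no certificate at all.
SAMPLE_LDIF = """dn: dc=example,dc=net
objectClass: domain
objectClass: dcObject
objectClass: autoCA
dc: example
cACertificate;binary:: MAMC
 AQE=

dn: uid=stefan,ou=people,dc=example,dc=net
objectClass: inetOrgPerson
uid: stefan
cn: Stefan Test
sn: Test
"""

# Attributes the autoca overlay is expected to populate (names from the post/manpage).
CERT_ATTRS = ("cACertificate", "userCertificate", "pKCS8PrivateKey")


def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: [values]} dicts.

    Handles folded lines (a leading space continues the previous line) and
    '::' values, which are base64 and are returned as bytes; plain ':' values
    are returned as str. Comments starting with '#' are skipped.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        else:
            logical.append(raw)

    entries, current = [], {}
    for line in logical:
        if not line.strip():                # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):            # 'attr:: <base64>'
            value = base64.b64decode(rest[1:].strip())
        else:                               # 'attr: <text>'
            value = rest.strip()
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def looks_like_der(blob):
    """Return True if blob is exactly one DER SEQUENCE (tag 0x30) whose encoded
    length matches the data size, i.e. nothing truncated or appended."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    first = blob[1]
    if first < 0x80:                        # short-form length
        length, header = first, 2
    else:                                   # long-form length, 1..4 length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(blob) < 2 + n:
            return False
        length, header = int.from_bytes(blob[2:2 + n], "big"), 2 + n
    return header + length == len(blob)


def certificate_report(ldif_text):
    """Map each DN to {attribute: well_formed} for the certificate/key
    attributes it carries; an empty dict means the entry has none."""
    report = {}
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", ["?"])[0]
        found = {}
        for attr, values in entry.items():
            base = attr.split(";")[0]       # drop options such as ';binary'
            if base in CERT_ATTRS:
                found[base] = all(isinstance(v, bytes) and looks_like_der(v)
                                  for v in values)
        report[dn] = found
    return report


if __name__ == "__main__":
    for dn, attrs in certificate_report(SAMPLE_LDIF).items():
        print(dn, "->", attrs or "no certificate attributes")
```

Feed it real output by redirecting `ldapsearch -LLL -x -D <bind DN> -W -b <base DN>` into a file and passing that text to `certificate_report`; an entry reported with an empty dict is one the overlay has not (yet) issued anything for, and a `False` for an attribute means the value is present but not a complete DER object, which points at a truncated or mis-encoded attribute rather than at the overlay.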