On 12/12/2011 12:29 PM, Aaron Bennett wrote:
Hello,
I'm trying to grok Mozilla NSS prior to deploying Openldap 2.4.23 on RHEL 6.2. I've been working through creating a self-signed cert and I think I have one that works. At least, if I do:
[root@animal ~]# certutil -d /etc/pki/nssdb/ -L

Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

its                                          Cu,Cu,Cu
animal.clarku.edu                            p,p,p
The "its" cert is the one I used to sign.
If I do:

[root@animal ~]# certutil -d /etc/pki/nssdb/ -L -n animal.clarku.edu

then I see a normal-looking cert:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 00:96:7c:e7:ea
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=ITS Self Signed"
        Validity:
            Not Before: Mon Dec 12 16:01:27 2011
            Not After : Mon Mar 12 16:01:27 2012
        Subject: "CN=animal.clarku.edu,O=Clark University ITS,L=Worcester,ST=Massachusetts,C=US"
Here's what I've got in cn=config:

olcTLSCACertificatePath: /etc/pki/nssdb/
olcTLSCertificateFile: animal.clarku.edu
If I do those commands as the ldap user with sudo -u ldap, I get the same output. I can even run "certutil -V -n animal.clarku.edu -u SR -d /etc/pki/nssdb/" and I get "certificate is valid".
However when I start slapd, I get:
[root@animal slapd.d]# service slapd start
animal.clarku.edu is not readable by "ldap"                [WARNING]
Starting slapd:                                            [  OK  ]
What am I missing?
Not sure - start slapd and add "-d 1" to your slapd argument list (see /etc/sysconfig/ldap? or slapd? for the argument list).
Also, please confirm that you are running slapd as the userid "ldap" and that /etc/pki/nssdb is readable by "ldap".
Thanks,
Aaron

Aaron Bennett
Manager of Systems Administration
Clark University ITS
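An added sanity checker, not code from the thread or from OpenLDAP/NSS, that parses the certutil -L listing and the cn=config attributes quoted above, confirms that the olcTLSCertificateFile value is a nickname present in the database, and decodes the trust flags using the meanings given in the NSS certutil documentation. The column alignment of the sample listing, the function names and the regular expressions are this example's own assumptions.

```python
import re

# Constructed sample input: the `certutil -d /etc/pki/nssdb/ -L` listing and the
# cn=config attributes quoted in the thread (whitespace re-aligned by hand).
CERTUTIL_LISTING = """\
Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

its                                          Cu,Cu,Cu
animal.clarku.edu                            p,p,p
"""
OLC_CONFIG = """\
olcTLSCACertificatePath: /etc/pki/nssdb/
olcTLSCertificateFile: animal.clarku.edu
"""

# Meanings of certutil trust flags, per the NSS certutil documentation.
FLAG_MEANINGS = {
    "c": "valid CA", "C": "trusted CA (server auth)", "T": "trusted CA (client auth)",
    "p": "valid peer", "P": "trusted peer", "u": "user cert (private key in database)",
}
# A listing row: nickname, two or more spaces, three comma-separated flag groups.
ROW_RE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[cCTpPu]*,[cCTpPu]*,[cCTpPu]*)\s*$")

def parse_certutil_listing(text):
    """Map each nickname to its SSL / S/MIME / JAR/XPI trust-flag strings."""
    certs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            ssl, smime, jar = m.group("trust").split(",")
            certs[m.group("nick")] = {"SSL": ssl, "S/MIME": smime, "JAR/XPI": jar}
    return certs

def configured_nickname(config_text):
    """Return the olcTLSCertificateFile value (with NSS this is a nickname, not a path)."""
    m = re.search(r"^olcTLSCertificateFile:\s*(\S+)", config_text, re.M)
    return m.group(1) if m else None

def describe_flags(flags):
    return [FLAG_MEANINGS.get(ch, "unknown flag %r" % ch) for ch in flags]

def check_server_cert(certs, nickname):
    """Check the nickname slapd will load; returns (ok, list of findings)."""
    if nickname not in certs:
        return False, ["nickname %r is not in the NSS database" % nickname]
    ssl = certs[nickname]["SSL"]
    findings = []
    if "u" not in ssl:
        findings.append("SSL trust %r lacks the 'u' (user cert) flag, which certutil "
                        "sets when the private key is in the database" % ssl)
    return not findings, findings
```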