Hello all,
I'm trying to set up TLS for LDAP, but without success :(
I made a CA (compiled OpenSSL).
When I start LDAP with "service ldap start", I get these logs:
May 27 20:39:29 srvtest3 slapd[19546]: @(#) $OpenLDAP: slapd 2.3.27 (Jun 27 2007 08:48:26) $ brewbuilder@ls20-bc1-13.build.redhat.com:/builddir/build/BUILD/openldap-2.3.27/openldap-2.3.27/build-servers/servers/slapd
May 27 20:39:29 srvtest3 slapd[19546]: nss_ldap: could not search LDAP server - Server is unavailable
May 27 20:39:29 srvtest3 slapd[19546]: nss_ldap: could not search LDAP server - Server is unavailable
May 27 20:39:29 srvtest3 slapd[19546]: /etc/openldap/slapd.conf: line 39: rootdn is always granted unlimited privileges.
May 27 20:39:29 srvtest3 slapd[19546]: /etc/openldap/slapd.conf: line 44: rootdn is always granted unlimited privileges.
May 27 20:39:29 srvtest3 slapd[19546]: main: TLS init def ctx failed: -1
May 27 20:39:29 srvtest3 slapd[19546]: slapd stopped.
May 27 20:39:29 srvtest3 slapd[19546]: connections_destroy: nothing to destroy.
My /etc/openldap/slapd.conf is:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema

# logs
loglevel 4

# needed for login_ldap
allow bind_v2

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

database bdb
suffix "dc=midian,dc=org"
rootdn "cn=god,dc=midian,dc=org"
rootpw {SSHA}EkM4ViGxzWnZQ2n5hKBBcfffFMTcCO-0E4
directory /var/lib/ldap
index objectClass eq

# ACL
access to attrs=userPassword
    by self write
    by anonymous auth
    by dn="cn=god,dc=midian,dc=org" write
    by * none
access to *
    by self write
    by dn="cn=god,dc=midian,dc=org" write
    by * read

# CA signed certificate and server cert entries:
# TLS & SSL
TLSCertificateFile /etc/openldap/cacerts/srvtest3.test.org.pem
TLSCertificateKeyFile /etc/openldap/cacerts/srvtest3.test.org.key
TLSCACertificateFile /etc/ssl/cacert.pem
TLSVerifyClient never
My /etc/openldap/ldap.conf:
base dc=midian,dc=org
uri ldap//srvtest3.test.org/
ldap_version 3
TLS_CACERT /etc/ssl/cacert.pem
TLS_REQCERT demand
My /etc/ldap.conf:
# SSL & TLS
ssl start_tls
#ssl on
#tls_checkpeer yes
# So that the client can validate the server's identity, it must be given the CA's public key,
# with which it can establish that the server certificate was indeed signed by the private key
# of that same CA.
TLS_CACERT /etc/openldap/cacerts/ldap.crt
# The client is also required to always validate the server's identity.
TLS_REQCERT demand
# LDAP server IP
#host 127.0.0.1
uri ldap://srvtest3.test.org/
# Base DN for searches
base dc=midian,dc=org
# Search optimisation within the directory
scope=one
# So that the host boots even if the LDAP server does not respond
bind_policy soft
# Protocol version used
ldap_version 3
# Server listening port
port 389
# User validation filters
pam_filter objectclass=account
pam_filter host=srvtest3.test.org
# Attribute compared with the user's login name
pam_login_attribute uid
# host attribute check
pam_check_host_attr yes
# DN of the group a user must belong to for local machine access
pam_groupdn ou=group,dc=midian,dc=org
# Defines the group membership attribute
pam_member_attribute member
# Password sent to the server
pam_password crypt
# nss-ldap search parameters
nss_base_passwd ou=user,dc=midian,dc=org?sub
nss_base_shadow ou=user,dc=midian,dc=org?sub
nss_base_group ou=group,dc=midian,dc=org?sub
nss_base_hosts ou=machines,dc=midian,dc=org?sub

If someone could help me, it would be nice. Sorry for my bad English.
- GanGan -
GanGan <gangan@zalteam.com> writes:
Hello all,
I'm trying to set up TLS for LDAP, but without success :(
[...]
TLSCACertificateFile /etc/ssl/cacert.pem
TLSVerifyClient never
[...]
TLS_CACERT /etc/openldap/cacerts/ldap.crt
# The client is also required to always validate the server's identity.
TLS_REQCERT demand
Read your configuration files carefully.
-Dieter
openldap-technical@openldap.org
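Dieter's quoted lines point at details a careful read of the three files turns up: the two client files name different CA files (/etc/ssl/cacert.pem versus /etc/openldap/cacerts/ldap.crt) while both demand verification, and the uri in /etc/openldap/ldap.conf is missing its scheme. As an added example that is not part of the thread, the Python below parses the TLS-related directives of slapd.conf and the two client files and reports such inconsistencies; the embedded config excerpts are constructed from the thread's values, and the CA comparison is a path comparison only, not a check of the certificate files themselves.

```python
# Added example: consistency check over the TLS directives of the configs quoted in
# the thread. The config excerpts below are constructed from the thread's values.
SLAPD_CONF = """\
# TLS & SSL
TLSCertificateFile /etc/openldap/cacerts/srvtest3.test.org.pem
TLSCertificateKeyFile /etc/openldap/cacerts/srvtest3.test.org.key
TLSCACertificateFile /etc/ssl/cacert.pem
TLSVerifyClient never
"""
CLIENT_CONFS = {
    "/etc/openldap/ldap.conf": "uri ldap//srvtest3.test.org/\n"
                               "TLS_CACERT /etc/ssl/cacert.pem\nTLS_REQCERT demand\n",
    "/etc/ldap.conf": "uri ldap://srvtest3.test.org/\n"
                      "TLS_CACERT /etc/openldap/cacerts/ldap.crt\nTLS_REQCERT demand\n",
}

def parse_directives(text):
    """Map lower-cased keyword -> value for 'keyword value' lines; '#' lines are comments."""
    out = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        out[parts[0].lower()] = parts[1].strip().strip('"') if len(parts) > 1 else ""
    return out

def check_tls_consistency(slapd_text, client_texts):
    """Return human-readable findings; an empty list means nothing suspicious was found."""
    server = parse_directives(slapd_text)
    findings = []
    for key in ("tlscertificatefile", "tlscertificatekeyfile", "tlscacertificatefile"):
        if key not in server:   # slapd cannot build its TLS context without these
            findings.append(f"slapd.conf: missing {key}")
    server_ca = server.get("tlscacertificatefile")
    for name, text in client_texts.items():
        client = parse_directives(text)
        uri = client.get("uri", "")
        if uri and not uri.startswith(("ldap://", "ldaps://")):
            findings.append(f"{name}: uri '{uri}' has no ldap:// scheme")
        ca = client.get("tls_cacert")
        if ca is None and client.get("tls_reqcert", "").lower() == "demand":
            findings.append(f"{name}: TLS_REQCERT demand but no TLS_CACERT to verify against")
        elif ca and server_ca and ca != server_ca:
            findings.append(f"{name}: TLS_CACERT {ca} is not the server's CA file {server_ca}; "
                            "confirm both hold the CA that signed the server certificate")
    return findings

if __name__ == "__main__":
    for finding in check_tls_consistency(SLAPD_CONF, CLIENT_CONFS):
        print(finding)
```

Run against the excerpts it prints two findings, one for the missing scheme and one for the CA path mismatch; point it at real files by reading them into the two arguments.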