Low Sensitivity/Aerospace Internal Use Only
LTB-Project.org or OpenLDAP.org developers, please help:
I am still having problems adding (via an .ldif file) the following LDIF file contents of /tmp/LDAP-CONFIG-TLS.ldif:
dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: TLSv1+RSA:\!EXP:\!MD5:\!NULL
(<- not sure if that argument is valid for that CipherSuite selection either)
I use the following ldapmodify command:
ldapmodify -x -D "cn=admin,cn=config" -W -f /tmp/LDAP-CONFIG-TLS.ldif
Because I have debugging turned up (to -d 32768), the results now look like:
modifying entry "cn=config"
52e68423 connection_input: conn=1000 deferring operation: binding
slapd: result.c:813: slap_send_ldap_result: Assertion `!((rs->sr_err)<0)' failed.
ldap_result: Can't contact LDAP server (-1)
I saw a thread on openldap.org at the following link,
http://www.openldap.org/lists/openldap-bugs/201308/msg00066.html, that
has the exact same error. I can see that Howard Chu from Symas fixed the
problem for Symas; did LTB Project fix this problem? I cannot find any
threads via web search for this issue.
What do I need to do in order to get my LDAP running with TLS?
Warron French, MBA, SCSA
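An added check, not from the thread or from the OpenLDAP/LTB projects, for the change above: since an unexpected olcTLSCipherSuite value takes the running slapd down in this thread, it is worth validating the LDIF and the cipher string offline before ldapmodify touches the live cn=config. The function names, the temporary files and the "conservative" sample value are constructed for this example; it assumes slapd is built against OpenSSL and therefore expects OpenSSL cipher-list syntax.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check an LDIF that adds
# olcTLSCipherSuite to cn=config before a live slapd is asked to load it.
# Assumes slapd is built against OpenSSL, so the value is an OpenSSL
# cipher-list string.

# check_tls_ldif FILE: print the cipher string and return 0 when the LDIF
# carries the expected modify and a plausible value; otherwise print why
# and return 1. LDIF attribute names are case-insensitive, hence -i.
check_tls_ldif() {
    f=$1
    for want in 'dn: cn=config' 'changetype: modify' 'add: olcTLSCipherSuite'; do
        grep -qixF "$want" "$f" || { echo "missing line '$want'"; return 1; }
    done
    suite=$(grep -i '^olcTLSCipherSuite: ' "$f" | head -n 1 | sed 's/^[^:]*: //')
    [ -n "$suite" ] || { echo "missing olcTLSCipherSuite value"; return 1; }
    # "\!" is a shell escape against history expansion; in an LDIF file the
    # backslash is literal, and no cipher-list alias contains one.
    case $suite in
        *\\*) echo "backslash in cipher string: $suite"; return 1 ;;
    esac
    # Cipher lists are alias names joined by ':' '+' '!' '-' '@' '='.
    if printf '%s' "$suite" | grep -q '[^A-Za-z0-9:+!@=_.-]'; then
        echo "unexpected character in cipher string: $suite"; return 1
    fi
    echo "$suite"
}

# cipher_count SUITE: how many ciphers the local OpenSSL selects for the
# string (0 = parses to nothing), or -1 when openssl is not installed.
cipher_count() {
    command -v openssl >/dev/null 2>&1 || { printf '%s\n' -1; return 0; }
    openssl ciphers "$1" 2>/dev/null | tr ':' '\n' | grep -c .
}

# Constructed sample inputs: the value from the message above and a
# conservative alternative.
WORK=$(mktemp -d)
printf 'dn: cn=config\nchangetype: modify\nadd: olcTLSCipherSuite\nolcTLSCipherSuite: %s\n' \
    'TLSv1+RSA:\!EXP:\!MD5:\!NULL' > "$WORK/as-posted.ldif"
printf 'dn: cn=config\nchangetype: modify\nadd: olcTLSCipherSuite\nolcTLSCipherSuite: %s\n' \
    'HIGH:!aNULL:!MD5' > "$WORK/conservative.ldif"
for ldif in "$WORK/as-posted.ldif" "$WORK/conservative.ldif"; do
    if out=$(check_tls_ldif "$ldif"); then
        echo "$ldif: ok, selects $(cipher_count "$out") cipher(s)"
    else
        echo "$ldif: rejected ($out)"
    fi
done
```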
From: Warron S French <Warron.S.French(a)aero.org>
To: Vikas Parashar <para.vikas(a)gmail.com>,
Cc: Ulrich Windl <Ulrich.Windl(a)rz.uni-regensburg.de>,
openldap-technical(a)openldap.org
Date: 01/27/2014 10:19 AM
Subject: [WARNING: SPOOFED E-MAIL--Non-Aerospace Sender] Re: Antw:
OpenLDAP slapd problems - ldap_result: Can't contact LDAP server (-1) ---
Low Sensitivity/Aerospace Internal Use Only
Sent by: openldap-technical-bounces(a)OpenLDAP.org
Vikas, thanks for replying some more, but your last email is a little out
of context for me personally.
I did drop the -b argument (and the associated value) and still the slapd
daemon crashed. I am starting to wonder if this is an OpenLDAP or LTB
Project OpenLDAP problem since no one else is chiming in with solutions
and troubleshooting.
As for the slaptest, it didn't generate any content into the slapd.d
directory at all. I mentioned this to the person I was collaborating with
since I am attempting to document a process from scratch-to-finish.
That same person suggested I attempt to use ApacheDirectoryStudio to
interact with the slapd and configurations. I just attempted to connect
to the cn=config "Context" and I was able to add an attribute
(olcTLSCipherSuite), but as soon as I attempted to add a value
(HIGH:MEDIUM+TLSv1+SSLv3) the connection dropped in ApacheDirectoryStudio.
Warron French, MBA, SCSA
From: Vikas Parashar <para.vikas(a)gmail.com>
To: Warron S French <Warron.S.French(a)aero.org>,
Cc: Ulrich Windl <Ulrich.Windl(a)rz.uni-regensburg.de>,
openldap-technical(a)openldap.org
Date: 01/27/2014 09:24 AM
Subject: Re: Antw: OpenLDAP slapd problems - ldap_result: Can't
contact LDAP server (-1) --- Low Sensitivity/Aerospace Internal Use Only
Hi,
Sorry! That was a typo. -b is for the base only. In ldapmodify, you don't
need to use -b.
You can do the same thing with a slapd.conf file. Later on, you can create a
slapd.d directory with the help of the slaptest command:
slaptest -f slapd.conf -F slapd.d
In this temporary directory, you will get a configuration file ({0}config.ldif)
under the slapd.d/cn=config directory. You can replace it and restart
the service.
Or, with your current ldapmodify, please run it with a deeper debug level. You may
use the -d option for it.
On Mon, Jan 27, 2014 at 6:46 PM, Warron S French <Warron.S.French(a)aero.org> wrote:
Ulrich, I attempted what you suggested as well, but I got back a different
error. And I don't know if it makes any difference, but I don't have TLS
configurations in place yet; that is what I am attempting to accomplish.
Anyway, after performing the following command:
ldapmodify -ZZ -x -W -D cn=admin,cn=config -v -f /tmp/LDAP-CONFIG-TLS.ldif
I got the following error in response:
ldap_initialize( <DEFAULT> )
ldap_start_tls: Protocol error (2)
Additional info: unsupported extended operation
Thanks for the help,
Warron French, MBA, SCSA
From: "Ulrich Windl" <Ulrich.Windl(a)rz.uni-regensburg.de>
To: "Warron S French" <Warron.S.French(a)aero.org>, <openldap-technical(a)openldap.org>,
Date: 01/27/2014 02:34 AM
Subject: Antw: OpenLDAP slapd problems - ldap_result: Can't contact
LDAP server (-1) --- Low Sensitivity/Aerospace Internal Use Only
>> Warron S French <Warron.S.French(a)aero.org> wrote on 24.01.2014 at 17:28 in message
<OFE6BBFCB7.3C423E61-ON85257C6A.005A0B4C-85257C6A.005A6E20(a)notes.aero.org>:
Working on a CentOS-6.5 server, running LTB Project's slapd-2.4.38.
Someone suggested I implement a cn=admin,cn=config for a cn=config setup.
(I don't know how to technically word that).
Anyway, I need to make TLS-related changes and was told to do the
following command:
ldapmodify -x -D "cn=admin,cn=config" -W -d 256
Try "ldapmodify -ZZ -x -W -D cn=_your_admin_ -v -f _your_ldif_file"
...then at the blank line type the following, each on a single line:
Dn: cn=config
Changetype: modify
Add: olcTLSCipherSuite
OlcTLSCipherSuite: HIGH:MEDIUM+TLSv1+SSLv3
<CTRL-D>
I have been getting an error response of:
ldap_result: Can't contact LDAP server (-1)
This __ONLY__ occurs after I hit <CTRL-D>, not before. Yes, the daemon,
slapd, is actually running, but after this failure it abruptly stops. I
know this because in a separate terminal on the same system, I am running
a while-loop with a ps -e | grep slapd in it.
Please note that the "-x" option, according to the man page for ldapmodify, is
supposed to "Use simple authentication instead of SASL."
Thank you all for your help, hopefully you can:
1) tell me what this error means, and
2) how to fix my problem so that I can complete the olcTLSxxxx changes I
need to implement.
Warron French, MBA, SCSA
The Aerospace Corporation
Sr. UNIX SA & Storage Admin
Mailstop: CH1-230
Desk: 571-307-5311
Cell: 703-967-8936