[ldap with tls] installation problem - openldap-technical

3 Jul 2008


      Hello all,
I try to install tls for ldap but without success :(
I make a CA (compiled openssl)
when i start ldap with : service ldap start i have this logs :
May 27 20:39:29 srvtest3 slapd[19546]: @(#) $OpenLDAP: slapd 2.3.27
(Jun 27 2007 08:48:26) $   
brewbuilder@ls20-bc1-13.build.redhat.com:/builddir/build/BUIL
 D/openldap-2.3.27/openldap-2.3.27/build-servers/servers/slapd
 May 27 20:39:29 srvtest3 slapd[19546]: nss_ldap: could not search
LDAP server - Server is unavailable
 May 27 20:39:29 srvtest3 slapd[19546]: nss_ldap: could not search
LDAP server - Server is unavailable
 May 27 20:39:29 srvtest3 slapd[19546]: /etc/openldap/slapd.conf:
line 39: rootdn is always granted unlimited privileges.
 May 27 20:39:29 srvtest3 slapd[19546]: /etc/openldap/slapd.conf:
line 44: rootdn is always granted unlimited privileges.
 May 27 20:39:29 srvtest3 slapd[19546]: main: TLS init def ctx
failed: -1
 May 27 20:39:29 srvtest3 slapd[19546]: slapd stopped.
 May 27 20:39:29
srvtest3 slapd[19546]: connections_destroy: nothing
to destroy.
my /etc/openldap/slapd.conf is :
include         /etc/openldap/schema/core.schema
 include         /etc/openldap/schema/cosine.schema
 include         /etc/openldap/schema/inetorgperson.schema
 include         /etc/openldap/schema/nis.schema
 # logs
 loglevel 4
 # needed for login_ldap
 allow bind_v2
 pidfile /var/run/openldap/slapd.pid
 argsfile /var/run/openldap/slapd.args
 database bdb
 suffix "dc=midian,dc=org"
 rootdn "cn=god,dc=midian,dc=org"
 rootpw {SSHA}EkM4ViGxzWnZQ2n5hKBBcfffFMTcCO-0E4
 directory /var/lib/ldap
 index objectClass eq
 # ACL
 access to attrs=userPassword
  by self write
  by anonymous auth
  by dn="cn=god,dc=midian,dc=org" write
  by * none
 access to *
  by self write
  by dn="cn=god,dc=midian,dc=org" write
  by * read
 # CA signed certificate and server cert entries:
 # TLS & SSL
 TLSCertificateFile /etc/openldap/cacerts/srvtest3.test.org.pem
 TLSCertificateKeyFile
/etc/openldap/cacerts/srvtest3.test.org.key
 TLSCACertificateFile /etc/ssl/cacert.pem
 TLSVerifyClient never
my /etc/openldap/ldap.conf
base dc=midian,dc=org
 uri ldap//srvtest3.test.org/
 ldap_version 3
 TLS_CACERT /etc/ssl/cacert.pem
 TLS_REQCERT demand
my /etc/ldap.conf
# SSL & TLS
 ssl start_tls
 #ssl on
 #tls_checkpeer yes
 # Afin que le client puisse valider l'identitéu serveur, on
doit le fournir la cléublique
 # du CA avec laquelle il pourra éblir que le certificat du
serveur a bien é signéar
 # la clérivéde cette mê CA.
 TLS_CACERT /etc/openldap/cacerts/ldap.crt
 # On demande élement au client de toujours valider
l'identitéu serveur.
 TLS_REQCERT demand
 # IP du serveur ldap
 #host 127.0.0.1
 uri ldap://srvtest3.test.org/
 # Le DN de base pour effectuer les recherches
 base dc=midian,dc=org
 # Optimisation de recherche dans la base
 scope=one
 # Pour que le poste demarre meme si le server
ldap ne repond pas
 bind_policy soft
 # Version du protocole utilise
 ldap_version 3
 # Port ecoute serveur
 port 389
 # Filtres de validation dun utilisateur
 pam_filter objectclass=account
 pam_filter host=srvtest3.test.org
 # Attribut compare avec lindentifiant de connexion de lutilisateur
 pam_login_attribute uid
 # Verification attribut host
 pam_check_host_attr yes
 # DN groupe auquel il faut appartenir pour acces machine locale
 pam_groupdn ou=group,dc=midian,dc=org
 # Definit lattribut dappartenance au groupe
 pam_member_attribute member
 # password envoi serveur
 pam_password crypt
 # Parametres nss-ldap de recherche
 nss_base_passwd         ou=user,dc=midian,dc=org?sub
 nss_base_shadow         ou=user,dc=midian,dc=org?sub
 nss_base_group          ou=group,dc=midian,dc=org?sub
 nss_base_hosts          ou=machines,dc=midian,dc=org?sub   if
someone could help me it would be nice   sorry for my bad english 
 - GanGan -