The URI is not correct. You have to use the FQDN instead of 127.0.0.1, i.e.
URI ldaps://FQDN:PORT
You can omit the PORT part if you use 636.
On 20/08/2015 23:12, Aneela Saleem wrote:
Hi Abdelkader,
I have changed my ldap.conf file to the following:
BASE dc=platalytics,dc=com
URI ldaps://127.0.0.1
TLS_REQCERT demand
TLS_CACERT /etc/ldap/cacert.pem
It also works.
Can you please verify if this is the correct approach?
On Thu, Aug 20, 2015 at 11:36 PM, Aneela Saleem
<aneela(a)platalytics.com <mailto:aneela@platalytics.com>> wrote:
Hi Abdelkader,
I tried the following link
http://rogermoffatt.com/2011/08/24/ubuntu-openldap-with-ssltls/
It worked. But don't you think setting "TLS_REQCERT never" kills
the purpose of SSL, as the client FQDN is not checked against it?
On Thu, Aug 20, 2015 at 10:39 PM, Abdelkader Chelouah
<a.chelouah(a)gmail.com <mailto:a.chelouah@gmail.com>> wrote:
On 20/08/2015 18:23, Aneela Saleem wrote:
> 55d5ff01 str2entry: entry -1 has multiple DNs "cn=config" and
> "cn=module{0},cn=config"
>
>
> On Thu, Aug 20, 2015 at 8:30 PM, Aneela Saleem
> <aneela(a)platalytics.com <mailto:aneela@platalytics.com>> wrote:
>
> 5/ Import the new configuration
>
> slapadd -F /path/to/slapd.d -n 0 -l config.ldif
>
> I get the following error:
>
> slapadd: could not add entry dn="cn=config" (line=1):
> _ 1.03% eta none elapsed none
> spd 4.2 M/s
> Closing DB...
>
> On Thu, Aug 20, 2015 at 2:11 AM, Abdelkader Chelouah
> <a.chelouah(a)gmail.com <mailto:a.chelouah@gmail.com>> wrote:
>
> On 19/08/2015 20:32, Aneela Saleem wrote:
>> Anyone there? Please help me getting out of this problem
>>
>> On Wed, Aug 19, 2015 at 1:29 AM, Aneela Saleem
>> <aneela(a)platalytics.com
>> <mailto:aneela@platalytics.com>> wrote:
>>
>> This is my /etc/ldap/ldap.conf file:
>>
>> BASE dc=platalytics,dc=com
>>
>> URI ldap://127.0.0.1
>>
>> TLS_CACERT /etc/ldap/cacert.pem
>>
>>
>> On Wed, Aug 19, 2015 at 1:07 AM, Aneela Saleem
>> <aneela(a)platalytics.com
>> <mailto:aneela@platalytics.com>> wrote:
>>
>> Still I get the following error:
>>
>> modifying entry "cn=config"
>> ldap_result: Can't contact LDAP server (-1)
>>
>>
>> On Wed, Aug 19, 2015 at 12:34 AM, Abdelkader
>> Chelouah <a.chelouah(a)gmail.com
>> <mailto:a.chelouah@gmail.com>> wrote:
>>
>> On 18/08/2015 20:27, Aneela Saleem wrote:
>>> I get following result
>>>
>>> ldap_initialize(
>>> ldap://localhost:389/??base )
>>> dn:cn=admin,cn=config
>>> Result: Success (0)
>>>
>>>
>>> On Tue, Aug 18, 2015 at 11:24 PM,
>>> Abdelkader Chelouah
>>> <a.chelouah(a)gmail.com
>>> <mailto:a.chelouah@gmail.com>> wrote:
>>>
>>> On 18/08/2015 20:11, Aneela Saleem wrote:
>>>> When I add the below file, i.e., ssl_mod.ldif
>>>>
>>>> dn: cn=config
>>>> changetype: modify
>>>> add: olcTLSCACertificateFile
>>>> olcTLSCACertificateFile: /etc/ldap/cacert.pem
>>>> -
>>>> add: olcTLSCertificateFile
>>>> olcTLSCertificateFile: /etc/ldap/servercrt.pem
>>>> -
>>>> add: olcTLSCertificateKeyFile
>>>> olcTLSCertificateKeyFile: /etc/ldap/serverkey.pem
>>>> -
>>>> add: olcTLSCipherSuite
>>>> olcTLSCipherSuite: HIGH:MEDIUM:!SSLv3:!SSLv2
>>>>
>>>> using the following command:
>>>>
>>>> ldapmodify -h localhost -p 389 -D "cn=admin,cn=config" -w 123 -f mod_ssl.ldif
>>>>
>>>> I get the ldap_result: Can't contact LDAP server (-1) error.
>>>>
>>>> Although LDAP is running. I can run the following command, i.e.,
>>>>
>>>> ldapsearch -h localhost -p 389 -D "cn=admin,dc=platalytics,dc=com" -w 123 -b "dc=platalytics,dc=com" "objectclass=*"
>>>>
>>>> How can I make ldaps work?
>>>>
>>>> On Tue, Aug 18, 2015 at 7:37 PM, Aneela Saleem
>>>> <aneela(a)platalytics.com <mailto:aneela@platalytics.com>> wrote:
>>>>
>>>> Where can I find the logs?
>>>>
>>>> On Tue, Aug 18, 2015 at 7:36 PM, Aneela Saleem
>>>> <aneela(a)platalytics.com <mailto:aneela@platalytics.com>> wrote:
>>>>
>>>> I wrote the above lines in the olcDatabase={0}config.ldif file.
>>>> When I restart slapd, it fails.
>>>>
>>>>
>>>> On Tue, Aug 18, 2015 at 7:14 PM, Aneela Saleem
>>>> <aneela(a)platalytics.com <mailto:aneela@platalytics.com>> wrote:
>>>>
>>>> Which file do I need to write this in?
>>>>
>>>> On Tue, Aug 18, 2015 at 7:09 PM, Abdelkader Chelouah
>>>> <a.chelouah(a)gmail.com <mailto:a.chelouah@gmail.com>> wrote:
>>>>
>>>> On 18/08/2015 16:05, Aneela Saleem wrote:
>>>>> I have no slapd.conf. I have cn=conf
>>>>>
>>>>> On Tue, Aug 18, 2015 at 6:54 PM, Abdelkader Chelouah
>>>>> <a.chelouah(a)gmail.com <mailto:a.chelouah@gmail.com>> wrote:
>>>>>
>>>>> On 18/08/2015 15:51, Aneela Saleem wrote:
>>>>>> Thanks Michael and Abdelkader.
>>>>>>
>>>>>> Abdelkader, the link you provided is for the slapd.conf distribution.
>>>>>> Can you please guide me how to do the "cn=config" distribution?
>>>>>>
>>>>>> On Tue, Aug 18, 2015 at 6:45 PM, Abdelkader Chelouah
>>>>>> <a.chelouah(a)gmail.com <mailto:a.chelouah@gmail.com>> wrote:
>>>>>>
>>>>>> On 18/08/2015 15:41, Michael Ströder wrote:
>>>>>>> Aneela Saleem wrote:
>>>>>>>> Can anyone please provide me some link for enabling "ldaps"
>>>>>>>
>>>>>>> http://www.openldap.org/doc/admin24/tls.html
>>>>>>>
>>>>>>> Ciao, Michael.
>>>>>>
>>>>>> or
>>>>>>
>>>>>> http://www.openldap.org/faq/data/cache/185.html
>>>>>>
>>>>>> regards
>>>>>>
>>>>> You can convert a slapd.conf to cn=config using slaptest
>>>>>
>>>>> slaptest -f path/to/slapd.conf -F path/to/slapd.d
>>>>>
>>>> # cn=config
>>>> dn: cn=config
>>>> objectClass: olcGlobal
>>>> cn: config
>>>> ...
>>>> olcTLSCACertificateFile: /path/to/cacert
>>>> olcTLSCertificateFile: /path/to/cert
>>>> olcTLSCertificateKeyFile: /path/to/key
>>>> olcTLSCipherSuite: HIGH:MEDIUM:!SSLv3:!SSLv2
>>>> ...
>>>>
>>> Can you run
>>>
>>> ldapwhoami -vxD cn=admin,cn=config -w 123 -H ldap://localhost:389
>>>
>> Ok, retry the "ldapmodify" command using
>>
>> ldapmodify -xD cn=admin,cn=config -w 123 -H ldap://localhost:389 -f mod_ssl.ldif
>>
> There is something wrong with your setup.
>
> 1/ Stop your instance
> 2/ Export your configuration
>
> slapcat -F /path/to/slapd.d -n 0 -l config.ldif
>
> 3/ Perform the modification directly on config.ldif
> 4/ Remove the old configuration
>
> rm -rf /path/to/slapd.d/*
>
> 5/ Import the new configuration
>
> slapadd -F /path/to/slapd.d -n 0 -l config.ldif
>
> 6/ Start your instance
>
Did you remove the content of /path/to/slapd.d?
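As an added example (not part of this thread), a small Python linter for a client ldap.conf that checks the two pitfalls the replies above turn on: TLS_REQCERT never (or allow) disables server certificate verification, and an ldaps:// URI pointing at 127.0.0.1 or a bare hostname cannot match the name in the server certificate, so it should be an FQDN. The sample configs, hostnames and the IPv4 pattern are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample client configs (not copied from the thread).
WEAK_CONF = """\
BASE dc=example,dc=com
URI ldaps://127.0.0.1
TLS_REQCERT never
TLS_CACERT /etc/ldap/cacert.pem
"""

FIXED_CONF = """\
BASE dc=example,dc=com
URI ldaps://ldap.example.com:636
TLS_REQCERT demand
TLS_CACERT /etc/ldap/cacert.pem
"""

IPV4_LITERAL = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_ldap_conf(text):
    """Parse ldap.conf(5) 'KEY value' lines; keys are case-insensitive."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf[parts[0].upper()] = parts[1].strip()
    return conf


def lint_ldap_conf(text):
    """Return a list of findings; an empty list means no TLS pitfalls found."""
    conf = parse_ldap_conf(text)
    findings = []
    reqcert = conf.get("TLS_REQCERT", "demand").lower()  # demand is the default
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: server certificate is not verified")
    if "TLS_CACERT" not in conf and "TLS_CACERTDIR" not in conf:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: no CA to verify the server against")
    for uri in conf.get("URI", "").split():
        u = urlsplit(uri)
        host = u.hostname or ""
        # An IP literal or a dotless name such as localhost cannot match the cert's FQDN.
        if u.scheme == "ldaps" and (IPV4_LITERAL.match(host) or "." not in host):
            findings.append(f"{uri}: host is not an FQDN, so it cannot match the certificate name")
    return findings
```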