Hey Dan,
Those docs you pointed me to worked beautifully! And thanks for the examples from your own config. I've used those too. Worked great! Thanks again.
Although I do also appreciate the advice to read the official docs. Good advice, however the ones that I've been pointed to worked well for me. I'll read the official docs for a fuller understanding tho.
Tim
On Wed, Feb 19, 2014 at 2:08 PM, Dan Pritts danno@umich.edu wrote:
I have simply
    TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
    TLSCertificateFile /etc/pki/tls/certs/ldap.icpsr.umich.edu.crt
    TLSCertificateKeyFile /etc/pki/tls/private/ldap.icpsr.umich.edu.key
in my slapd.conf. CACertificateFile is almost certainly not required for a server cert.
Maybe you are running into an oddity of the cn=config? Have you tried just opening up the permissions to make sure the files are world readable? No SELinux involved?
Folks on the list will probably yell at you to use the current version rather than the CentOS packages.
If you look through the archives for the last few weeks, you will find a pointer to a site that has rpm builds of current openldap.
Tim Dunphy bluethundr@gmail.com February 19, 2014 at 1:35 PM
Hey ldap folks!
I've attempted to add TLS capabilities to my newly created LDAP server using the following document:
http://www.server-world.info/en/note?os=CentOS_6&p=ldap&f=3
This is how my cert files are looking in terms of ownership and permissions:
[root@puppet:~] #ls -l /etc/pki/tls/*/* | grep ldap
-r-------- 1 ldap root 1241 Feb 19 13:06 /etc/pki/tls/certs/ldap.crt
-r-------- 1 ldap root 1021 Feb 19 13:05 /etc/pki/tls/misc/ldap.csr
-r-------- 1 ldap root 1679 Feb 19 13:01 /etc/pki/tls/private/ldap.key
I got to the point where I'm attempting to add the configuration parameters to my ldap setup like so:
[root@puppet:~] #ldapmodify -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/pki/tls/certs/ldap.crt
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/pki/tls/private/ldap.key

modifying entry "cn=config"
ldap_modify: Inappropriate matching (18)
        additional info: modify/add: olcTLSCertificateFile: no equality matching rule
These are the package version numbers I have installed via yum on CentOS 6.5:
openldap-2.4.23-34.el6_5.1.x86_64
openldap-devel-2.4.23-34.el6_5.1.x86_64
openldap-servers-2.4.23-34.el6_5.1.x86_64
openldap-clients-2.4.23-34.el6_5.1.x86_64
Can anyone offer some wisdom as to why this error is happening? Or perhaps offer some better documentation on how to enable the TLS abilities of openldap?
Thanks
Tim
-- GPG me!!
gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
-- Dan Pritts ICPSR Computing & Network Services University of Michigan +1 (734)615-7362
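One way to stage the change Tim was attempting, as an added example that is not code from anyone in this thread: it keeps the private key owner-only (the -r-------- ldap root layout from Tim's ls output) instead of making it world readable, and it uses replace rather than add on cn=config. The olcTLS* attributes carry no EQUALITY matching rule, which is exactly what the "no equality matching rule" error reports; slapd 2.4.23 refuses modify/add on such attributes but accepts replace. Paths and the ldap service user are taken from Tim's post; check_private_key, make_tls_ldif and apply_tls_config are hypothetical names.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: slapd runs as user "ldap",
# the cert/key paths are the ones Tim listed, and the LDIF is applied with
# the same "ldapmodify -Y EXTERNAL -H ldapi:///" command Tim used.

# Succeed only if the file exists, is owned by $2, and has no group/other
# permission bits. Opening the key up to world-readable would also make the
# permission question go away, but at the cost of exposing the private key.
check_private_key() {
    f=$1; owner=$2
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    set -- $(ls -ld "$f")            # field 1 = mode string, field 3 = owner
    perm=$1; fowner=$3
    case "$perm" in
        ????------*) ;;              # only user bits set (trailing . or + for SELinux/ACL is fine)
        *) echo "too open ($perm): $f" >&2; return 1 ;;
    esac
    [ "$fowner" = "$owner" ] || { echo "owner $fowner, want $owner: $f" >&2; return 1; }
    return 0
}

# Emit the cn=config LDIF. "replace:" is used because the olcTLS* attributes
# have no EQUALITY matching rule, so slapd 2.4.23 rejects "add:" on them.
# The CA bundle is optional; a TLSCACertificateFile is not needed for the
# server cert itself, as Dan notes.
make_tls_ldif() {
    cert=$1; key=$2; ca=$3
    printf 'dn: cn=config\nchangetype: modify\n'
    printf 'replace: olcTLSCertificateFile\nolcTLSCertificateFile: %s\n-\n' "$cert"
    printf 'replace: olcTLSCertificateKeyFile\nolcTLSCertificateKeyFile: %s\n-\n' "$key"
    [ -n "$ca" ] && printf 'replace: olcTLSCACertificateFile\nolcTLSCACertificateFile: %s\n-\n' "$ca"
    return 0
}

# Run as root on the LDAP server: refuse to touch cn=config until the key
# permissions are right, then apply the LDIF over the local ldapi socket.
apply_tls_config() {
    check_private_key /etc/pki/tls/private/ldap.key ldap || return 1
    make_tls_ldif /etc/pki/tls/certs/ldap.crt /etc/pki/tls/private/ldap.key \
                  /etc/pki/tls/certs/ca-bundle.crt \
        | ldapmodify -Y EXTERNAL -H ldapi:///
}
```

After applying, restarting slapd is not required for cn=config changes, but checking the result with ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcTLSCertificateFile confirms the attribute took.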
I agree... following a basic tutorial for 'newbies' like I am in LDAP is a good start; once it's up and running you can and should start reading the f* documentation so you can tune up your installation. :-)
The problem with the various tutorials out on the net is that they are often incomplete, outdated, or sometimes just wrong.
Unfortunately, I too have found the official documentation a bit heavy on syntax description and a bit light on examples and how-tos.
So, I'd recommend double checking everything with the official docs if you choose to use external resources.
Hint: "die.net" man pages show up first in Google results. I am not sure they are out of date, but I just go to the source. The OpenLDAP man pages are available here:
http://www.openldap.org/software/man.cgi
openldap-technical@openldap.org