Date: Fri, 23 Jan 2009 10:17:54 +0100
Hello,
following are the relevant parts of slapd.conf:
TLSCACertificateFile /usr/etc/openldap/CA/cacert.pem
TLSCertificateFile /usr/etc/openldap/CA/sacert.pem
TLSCertificateKeyFile /usr/etc/openldap/CA/sackey.pem
The server runs as follows (the -h URL list is one space-separated argument, so it is quoted):
/usr/libexec/slapd -u ldap -h "ldap:/// ldaps:///"
Normally port 389 (ldap:///) is closed.
and ldap.conf:
base dc=organization,dc=com
uri ldaps://ldap_server.organization.com
sizelimit 0
bind_policy soft
tls_cacert /usr/etc/openldap/CA/cacert.pem
tls_checkpeer yes
ssl yes          -> new
The file cacert.pem is a self-signed certificate I created
together with sacert.pem and the key file sakey.pem.
As I already wrote, exactly the same configuration works without
any problems on different installations, including SL-5.1.
Therefore it is not clear to me why I now have to set the port option,
since I use uri!
Regards, Olf Epler
>
> At least two types of problems were reported with ldap use at about the
> time that the updates for sl52 came out.
>
> One was related to dbus not being listed as an ignoregroups option and so
> systems would hang during dbus startup.
>
> Another was related to changes in nss_ldap which changed how the
> ldap.conf was being parsed - so previously working configs stopped - and
> most of the reported problems were with people using ssl. That may have
> been related to the port option in the config (or might not).
>
> Using "ldap://<server>" and "ssl tls_start" may work depending on whether
> your ldap server allows starttls.
>
> If you include a copy of your /etc/ldap.conf (and perhaps the ldap server
> config) it may all be obvious to those who had the problems last year...
>
> --
> /--------------------------------------------------------------------\
> | "Computers are different from telephones. Computers do not ring." |
> | -- A. Tanenbaum, "Computer Networks", p. 32 |
> ---------------------------------------------------------------------|
> | Jon Peatfield, _Computer_ Officer, DAMTP, University of Cambridge |
> | Mail: [log in to unmask] Web: http://www.damtp.cam.ac.uk/ |
> \--------------------------------------------------------------------/
>
----------------------------------------------------------
Olf Epler phone: +49 30 2093-7804
Humboldt University Berlin fax: +49 30 2093-7642
Department of Physics
Newtonstr. 15
12489 Berlin email: [log in to unmask]
----------------------------------------------------------
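What this thread turns on is whether the uri scheme, the port directive and the ssl directive in ldap.conf agree with each other. The following is an added example, not code from this thread or from nss_ldap: a small checker that parses an ldap.conf in the format posted above, derives the endpoint each URI implies using the IANA default ports (ldap 389, ldaps 636), and reports the combinations that cannot both be honoured (an explicit port that contradicts the URI, StartTLS requested on an ldaps:// URI, ssl yes on a plain ldap:// URI, TLS without peer verification or without a CA to verify against). It assumes the nss_ldap/pam_ldap spelling of the StartTLS directive, `ssl start_tls`, and it deliberately does not model how any particular nss_ldap release resolves a conflict; it reports the conflict so it can be removed from the file. The first sample configuration is the client config from the post (hostname spelled to match the base DN); the second is constructed for illustration.

```python
"""Consistency checker for an nss_ldap / pam_ldap style ldap.conf.

Added example (not code from the original thread).  It derives the effective
endpoint(s) from the uri / host / port / ssl directives and flags the
combinations that commonly break TLS setups.  Default ports are the
IANA-registered ones (ldap 389, ldaps 636).  How a given nss_ldap release
resolves *conflicting* directives is deliberately not modelled: every
disagreement is reported as a finding so the admin removes the ambiguity.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
TRUE_WORDS = ("yes", "on", "true")


def parse_ldap_conf(text):
    """Parse 'key value' lines into {key: [values]}.

    Keys are case-insensitive and '#' starts a comment, as in ldap.conf.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


def check_ldap_conf(text):
    """Return {'endpoints': [(host, port, mode)], 'findings': [(code, detail)]}.

    mode is 'ldaps' (TLS from connect), 'starttls' (TLS negotiated on a
    plaintext session) or 'plaintext'.  The first value of a repeated
    directive is used; that choice is this checker's, not nss_ldap's.
    """
    conf = parse_ldap_conf(text)
    findings, endpoints = [], []

    ssl_mode = conf.get("ssl", ["no"])[0].lower()
    port_directive = conf.get("port", [None])[0]
    port_directive = int(port_directive) if port_directive else None

    # One 'uri' line may list several space-separated URIs.
    uris = [u for entry in conf.get("uri", []) for u in entry.split()]
    if not uris:
        # Legacy host/port form: the scheme is decided by the ssl directive alone.
        scheme = "ldaps" if ssl_mode in TRUE_WORDS else "ldap"
        for host in conf.get("host", [""])[0].split():
            uris.append(f"{scheme}://{host}:{port_directive or DEFAULT_PORTS[scheme]}")
        port_directive = None  # already folded into the synthesised URIs

    for uri in uris:
        u = urlsplit(uri)
        scheme = u.scheme.lower()
        if scheme not in DEFAULT_PORTS:
            findings.append(("bad_scheme", uri))
            continue
        if not u.hostname:
            findings.append(("no_host", uri))
        # Port named in the URI wins; otherwise the scheme's registered default.
        port = u.port if u.port is not None else DEFAULT_PORTS[scheme]
        if port_directive is not None and port_directive != port:
            findings.append(("port_conflict",
                             f"port {port_directive} set, but {uri} resolves to {port}"))
        if scheme == "ldaps" and ssl_mode == "start_tls":
            # StartTLS upgrades a plaintext session; an ldaps:// session is TLS already.
            findings.append(("starttls_on_ldaps", uri))
        if scheme == "ldap" and ssl_mode in TRUE_WORDS:
            findings.append(("ssl_yes_on_ldap_uri", uri))
        if scheme == "ldaps":
            mode = "ldaps"
        elif ssl_mode == "start_tls":
            mode = "starttls"
        else:
            mode = "plaintext"
        endpoints.append((u.hostname or "", port, mode))

    uses_tls = any(mode != "plaintext" for _, _, mode in endpoints)
    # Require an explicit tls_checkpeer yes rather than trusting a library default.
    checkpeer = conf.get("tls_checkpeer", ["no"])[0].lower()
    has_ca = any(k in conf for k in ("tls_cacert", "tls_cacertfile", "tls_cacertdir"))
    if uses_tls and checkpeer not in TRUE_WORDS:
        findings.append(("peer_not_verified",
                         "tls_checkpeer is not 'yes'; the server certificate is accepted unverified"))
    elif uses_tls and not has_ca:
        findings.append(("no_ca",
                         "tls_checkpeer yes but no tls_cacert/tls_cacertfile/tls_cacertdir to verify against"))
    if not endpoints:
        findings.append(("no_server", "neither uri nor host names a server"))
    return {"endpoints": endpoints, "findings": findings}


# The client configuration from the post above, including the new 'ssl yes' line.
POSTED_CONF = """\
base dc=organization,dc=com
uri ldaps://ldap_server.organization.com
sizelimit 0
bind_policy soft
tls_cacert /usr/etc/openldap/CA/cacert.pem
tls_checkpeer yes
ssl yes
"""

# Constructed example that mixes the two TLS styles: plaintext URI scheme,
# the ldaps port, StartTLS requested, and no peer verification.
MIXED_CONF = """\
uri ldap://ldap_server.organization.com
port 636
ssl start_tls
tls_cacert /usr/etc/openldap/CA/cacert.pem
"""

if __name__ == "__main__":
    for name, conf in (("posted", POSTED_CONF), ("mixed", MIXED_CONF)):
        result = check_ldap_conf(conf)
        print(name, result["endpoints"])
        for code, detail in result["findings"]:
            print("   ", code, detail)
```

Run against the posted config it reports a single endpoint on 636 in ldaps mode and no findings; the constructed config gets a port conflict (636 set against an ldap:// URI that resolves to 389) and a missing tls_checkpeer. Setting peer verification aside, a finding of either kind is the thing to fix in the file before asking which directive the library happens to prefer.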