SCIENTIFIC-LINUX-USERS Archives

January 2009

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Olf Epler <[log in to unmask]>
Reply To: Olf Epler <[log in to unmask]>
Date: Fri, 23 Jan 2009 10:17:54 +0100
Content-Type: TEXT/PLAIN
Parts/Attachments: TEXT/PLAIN (72 lines)

Hello,

following the related parts of slapd.conf:

TLSCACertificateFile    /usr/etc/openldap/CA/cacert.pem
TLSCertificateFile      /usr/etc/openldap/CA/sacert.pem
TLSCertificateKeyFile   /usr/etc/openldap/CA/sackey.pem

The server runs as follows:

/usr/libexec/slapd -u ldap -h ldap:/// ldaps:///

Normally the port 389 (ldap:///) is closed.

and ldap.conf:

base            dc=organization,dc=com
uri             ldaps://ldap_server.organizatiom.com
sizelimit       0
bind_policy     soft
tls_cacert      /usr/etc/openldap/CA/cacert.pem
tls_checkpeer   yes

-> new
ssl             yes

The file cacert.pem is a self-signed certificate I created
together with sacert.pem and the key file sakey.pem.

As I already wrote, exactly the same configuration works without
any problems on different installations, including SL-5.1.
Therefore it's not clear to me why I now have to set the port option,
because I use uri!

Regards, Olf Epler

> 
> At least two types of problems were reported with ldap use at about the 
> time that the updates for sl52 came out.
> 
> One was related to dbus not being listed as an ignoregroups option and so 
> systems would hang during dbus startup.
> 
> Another was related to changes in nss_ldap which changes how the 
> ldap.conf was being parsed - so previously working configs stopped - and 
> most of the reported problems were with people using ssl.  That may have 
> been related to the port option in the config (or might not).
> 
> Using "ldap://<server>" and "ssl tls_start" may work depending on whether 
> your ldap server allows starttls.
> 
> If you include a copy of your /etc/ldap.conf (and perhaps the ldap server 
> config) it may all be obvious to those who had the problems last year...
> 
> -- 
> /--------------------------------------------------------------------\
> | "Computers are different from telephones.  Computers do not ring." |
> |       -- A. Tanenbaum, "Computer Networks", p. 32                  |
> ---------------------------------------------------------------------|
> | Jon Peatfield, _Computer_ Officer, DAMTP,  University of Cambridge |
> | Mail:  [log in to unmask]     Web:  http://www.damtp.cam.ac.uk/ |
> \--------------------------------------------------------------------/
> 

----------------------------------------------------------
Olf Epler                          phone: +49 30 2093-7804
Humboldt University Berlin           fax: +49 30 2093-7642
Department of Physics
Newtonstr. 15
12489 Berlin              email: [log in to unmask]
----------------------------------------------------------
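Added example, not part of the thread and not nss_ldap's own code: a small Python linter that reads an nss_ldap-style ldap.conf, derives the effective host, port and TLS mode from the `uri`, `port` and `ssl` options, and flags the combinations the messages above turn on (an ldaps:// uri with `ssl` unset, `ssl start_tls` against an ldaps:// uri, a `port` option that contradicts the uri, `tls_checkpeer yes` without any CA certificate to verify against). The sample configuration, host name and file paths are constructed placeholders; the lint accepts `tls_cacert` (as in the thread's file) as well as the `tls_cacertfile` / `tls_cacertdir` spellings, and its port defaults (389 plain, 636 LDAPS) are the protocol's standard ones, not read from any system.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
# Keys under which a CA certificate can be supplied. The thread's file uses
# tls_cacert; nss_ldap's own documentation spells it tls_cacertfile/tls_cacertdir.
CA_KEYS = ("tls_cacert", "tls_cacertfile", "tls_cacertdir")

# Constructed sample mirroring the thread's ldap.conf; host and paths are placeholders.
SAMPLE_CONF = """\
base            dc=example,dc=com
uri             ldaps://ldap.example.com
sizelimit       0
bind_policy     soft
tls_cacert      /etc/openldap/CA/cacert.pem
tls_checkpeer   yes
ssl             yes
"""


@dataclass
class Transport:
    host: str
    port: int
    tls: str                              # "none", "ldaps" or "start_tls"
    warnings: list = field(default_factory=list)


def parse_ldap_conf(text):
    """Parse 'key value' lines into a dict with lower-cased keys; '#' starts a comment."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        if len(parts) == 2:
            opts[parts[0].lower()] = parts[1].strip()
    return opts


def effective_transport(opts):
    """Derive host/port/TLS mode from uri, port and ssl, collecting inconsistencies."""
    warn = []
    uri = opts.get("uri", "")
    if uri:
        u = urlsplit(uri.split()[0])      # uri may list several servers; inspect the first
        scheme, host, uri_port = u.scheme.lower(), u.hostname or "", u.port
    else:
        scheme, host, uri_port = "ldap", opts.get("host", ""), None

    ssl = opts.get("ssl", "").lower()
    if scheme == "ldaps" or ssl in ("yes", "on"):
        tls = "ldaps"
    elif ssl == "start_tls":
        tls = "start_tls"
    else:
        tls = "none"

    port = uri_port
    if "port" in opts:
        explicit = int(opts["port"])
        if uri_port and uri_port != explicit:
            warn.append(f"port {explicit} contradicts the port {uri_port} given in uri")
        port = port or explicit
    if port is None:                      # neither uri nor port says: fall back to the scheme default
        port = DEFAULT_PORTS["ldaps" if tls == "ldaps" else "ldap"]

    if scheme == "ldaps" and not ssl:
        warn.append("uri is ldaps:// but 'ssl' is unset; set 'ssl yes' so the TLS mode "
                    "does not depend on how the parser treats the URI scheme")
    if scheme == "ldaps" and ssl and ssl not in ("yes", "on"):
        warn.append(f"'ssl {ssl}' conflicts with an ldaps:// uri "
                    "(StartTLS and plain LDAP belong on the non-LDAPS port)")
    if scheme == "ldap" and ssl in ("yes", "on"):
        warn.append("'ssl yes' with an ldap:// uri: the URI names a plain-LDAP port, not LDAPS")
    if tls == "none":
        warn.append("no TLS configured: bind credentials and directory data cross the network in clear")
    elif opts.get("tls_checkpeer", "").lower() != "yes":
        warn.append("tls_checkpeer is not 'yes': the server certificate is not verified")
    elif not any(k in opts for k in CA_KEYS):
        warn.append("tls_checkpeer yes but no CA certificate/dir configured; "
                    "verification against a self-signed CA cannot succeed")
    return Transport(host, port, tls, warn)


def lint(text):
    return effective_transport(parse_ldap_conf(text))


if __name__ == "__main__":
    t = lint(SAMPLE_CONF)
    print(f"{t.host}:{t.port} tls={t.tls}")
    for w in t.warnings:
        print("warning:", w)
```

Run it against a copy of /etc/ldap.conf (`lint(open("/etc/ldap.conf").read())`) to see what transport the file actually describes before touching slapd. The lint only reads configuration text; whether the server really presents a certificate that chains to cacert.pem is a separate check, for example `openssl s_client -connect host:636 -CAfile cacert.pem` and reading its verify result.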
