1. System1 - I had 3 test servers running OpenLDAP-2.3.30-3.fc6, OpenSSL-0.9.8b-15.fc6 on Linux-2.6.22.14-72.fc6. These were running perfectly with OpenSSL configured in 'slapd.conf' as follows:
lines cut
#
#
TLSCACertificateFile /etc/CA/cacert.pem
TLSCertificateFile /etc/pki/tls/newcert.pem
TLSCertificateKeyFile /etc/pki/tls/newkey.pem
#
#
lines cut
When I do #service ldap restart, and #ps -ax, I have this:
slapd -h ldap:/// ldaps:/// -u ldap
I can do simple unsecured or secured queries from here.
2. System2 - Now, I upgraded 2 test servers running OpenLDAP-2.4.12-1.fc10, OpenSSL-0.9.8g-12.fc10 on Linux-2.6.29-159.fc10. Suddenly I can't start slapd correctly. The problem is that after configuring 'slapd.conf' with OpenSSL, as I did in System1, when I do a
#service ldap restart, and #ps -ax
I found that I only have this process running: slapd -h ldap:/// -u ldap. The ldaps:/// process did not start, suggesting I have incorrect certificates. But I can confirm with several tests that my certificates are correct.
I had expected this process: slapd -h ldap:/// ldaps:/// -u ldap.
So, when I do a TLS secured query like:
#ldapwhoami -x -H ldaps://hostname
I got this: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Has anyone had this problem on FC10?
Notes:
1. I can run this manually: #/usr/sbin/slapd -h ldap:/// ldaps:/// -u ldap, and saw slapd -h ldap:/// ldaps:/// -u ldap in my #ps -ax. I can do #ldapwhoami -x. But when I do a #ldapwhoami -x -H ldaps://hostname I get the error message "can't connect to server".
2. I can run this manually: #/usr/sbin/slapd -h ldaps:/// -u ldap. I can then test my certificates correctly, but SSL does not appear to have been started.
Oscar Plameras wrote:
OpenLDAP 2.4 uses SASL by default. Install cyrus-sasl-md5 and its requirements unless you always use simple binds.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer                      ricks@nerd.com -
- AIM/Skype: therps2      ICQ: 22643734      Yahoo: origrps2         -
-                                                                    -
- "You think that's tough? Try herding cats!"                        -
----------------------------------------------------------------------
I have these cyrus modules installed:
cyrus-sasl-md5-2.1.22-19.fc10.i386
cyrus-sasl-lib-2.1.22-19.fc10.i386
cyrus-sasl-krb4-2.1.22-19.fc10.i386
cyrus-sasl-plain-2.1.22-19.fc10.i386
cyrus-sasl-devel-2.1.22-19.fc10.i386
cyrus-sasl-2.1.22-19.fc10.i386
OPlameras
On Wed, Feb 4, 2009 at 9:59 AM, Rick Stevens ricks@nerd.com wrote:
--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
On Wed, 2009-02-04 at 09:39 +1100, Oscar Plameras wrote:
----
I don't have a /etc/CA directory... do you?
I do have a /etc/pki/CA directory, and user ldap wouldn't be able to descend into it anyway because it is perm 700 root:root.
I actually have my own methods of generating certs and don't use those in /etc/pki, but the theory is much the same (and for that matter, I don't use Fedora for running an OpenLDAP server).
Craig
Yes, I have. This is what I do to create certificates:
#cd /etc/pki/tls
#./misc/CA -newca    # do once the first time
#./misc/CA -newreq   # do every time you want another
#./misc/CA -sign
#
This will create a directory CA under /etc when you do #./misc/CA the first time.
On Wed, Feb 4, 2009 at 10:01 AM, Craig White craigwhite@azapple.com wrote:
On Wed, 2009-02-04 at 10:21 +1100, Oscar Plameras wrote:
----
Can user 'ldap' access the file/directory?
Craig
Yes, and all certificate files. Of course, I changed the owner of newkey.pem to ldap.ldap and chmod to 600.
On Wed, Feb 4, 2009 at 10:43 AM, Craig White craigwhite@azapple.com wrote:
On Wed, Feb 04, 2009 at 09:39:07AM +1100, Oscar Plameras wrote:
In older releases, the init script checked for TLS-related settings in slapd.conf and if it found some, forcibly added 'ldaps:///' to the list of values passed to slapd as arguments for its '-h' flag.
It looks like it doesn't do that any more. Rather, it expects that you'll set SLAPD_LDAPS to "yes" in /etc/sysconfig/ldap. I'm only guessing as to why, but it looks like one of the benefits of changing the way that the init script works is that you can now disable listening for non-SSL connections without editing the init script.
HTH,
Nalin
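The init script logic Nalin describes, together with the file-access question Craig raises, as an added shell example (not Fedora's init script and not code from anyone in this thread): SLAPD_LDAPS is the variable named above; SLAPD_LDAP and SLAPD_LDAPI, the function names and the temporary sample files are assumptions made for the example.

```shell
#!/bin/sh
# Added example: the "-h" listener list is taken from /etc/sysconfig/ldap-style
# variables, never from TLS lines in slapd.conf, so TLS files alone do not start ldaps.
# SLAPD_LDAPS is named in the thread; SLAPD_LDAP and SLAPD_LDAPI are assumed names.

# Build slapd's "-h" listener list from a sysconfig-style file.
slapd_urls() {
    SLAPD_LDAP=yes SLAPD_LDAPS=no SLAPD_LDAPI=no   # defaults when the file is silent
    . "$1"
    urls=""
    [ "$SLAPD_LDAP" = yes ]  && urls="$urls ldap:///"
    [ "$SLAPD_LDAPS" = yes ] && urls="$urls ldaps:///"   # without SLAPD_LDAPS=yes: no ldaps:///
    [ "$SLAPD_LDAPI" = yes ] && urls="$urls ldapi:///"
    printf '%s\n' "${urls# }"
}

# Print every TLS*File path in slapd.conf that the current user cannot read;
# return 1 if there is one. Run it as the slapd user (su/runuser) for the answer
# that matters, since root can read anything. Paths must not contain spaces.
unreadable_tls_files() {
    rc=0
    for f in $(awk '$1 ~ /^TLS(CACertificate|Certificate|CertificateKey)File$/ {print $2}' "$1"); do
        [ -r "$f" ] || { printf '%s\n' "$f"; rc=1; }
    done
    return $rc
}

# Constructed sample inputs in a temp directory (not taken from any real host).
tmp=$(mktemp -d)
printf 'SLAPD_LDAP=yes\nSLAPD_LDAPS=no\n' > "$tmp/sysconfig-ldap"    # TLS files set, ldaps not enabled
printf 'SLAPD_LDAP=yes\nSLAPD_LDAPS=yes\n' > "$tmp/sysconfig-ldaps"  # the setting Nalin points at
cat > "$tmp/slapd.conf" <<EOF
TLSCACertificateFile $tmp/CA/cacert.pem
TLSCertificateFile $tmp/newcert.pem
TLSCertificateKeyFile $tmp/newkey.pem
EOF
: > "$tmp/newcert.pem"
: > "$tmp/newkey.pem"; chmod 600 "$tmp/newkey.pem"   # $tmp/CA is deliberately absent

echo "listeners: $(slapd_urls "$tmp/sysconfig-ldap")"    # prints: listeners: ldap:///
echo "listeners: $(slapd_urls "$tmp/sysconfig-ldaps")"   # prints: listeners: ldap:/// ldaps:///
unreadable_tls_files "$tmp/slapd.conf" || echo "slapd's TLS setup will fail on the file(s) above"
```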
Yes, you're right. Whereas before, the script simply checked if TLS was configured and invoked ldaps, now it has to be expressly set to 'yes' if you wish ldaps to start; otherwise it will say and do nothing.
Thanks for that.
On Wed, Feb 4, 2009 at 11:04 AM, Nalin Dahyabhai nalin@redhat.com wrote: