[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: -u and -g not working with slapd
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Jim C. wrote:
| Figured it out.
|
| OK, so:
| [root@enigma openldap]# /usr/sbin/slapd -d 16 -u ldap -g ldap -l LOCAL0
| -s 0 -h "ldap:/// ldaps:/// "
|
| returns this:
|
| bdb_initialize: Sleepycat Software: Berkeley DB 4.2.52: (March 25, 2004)
| TLS: could not load verify locations
| (file:`/etc/ssl/openldap/ldap.pem',dir:`').
| TLS: error:02001002:system library:fopen:No such file or directory
| bss_file.c:104
| TLS: error:2006D080:BIO routines:BIO_new_file:no such file bss_file.c:107
| TLS: error:0B084002:x509 certificate
| routines:X509_load_cert_crl_file:system lib by_file.c:274
| main: TLS init def ctx failed: -1
| slapd stopped.
| connections_destroy: nothing to destroy.
| [root@enigma openldap]#
|
| ldap.pem, huh? Bad perms/ownership?
|
| It is showing root.root as owner. I've changed it to root.ldap and now
| it works fine.... except when /etc/ssl/openldap/ldap.pem does not exist.
| ~ Then we have the same error because the new script does not generate
| /etc/ssl/openldap/ldap.pem dynamically when the file is found to be
| non-existant. This was the case in previous versions of the
| /etc/init.d/ldap initscript on Mandrake.
I don't think so:
http://cvs.mandrakesoft.com/cgi-bin/cvsweb.cgi/SPECS/openldap/ldap.init?rev=1.8&content-type=text/x-cvsweb-markup
Certs are currently (and have been for a long time) generated in %post
of openldap-servers:
$ rpm -q --scripts openldap-servers |grep -C5 "\.pem"
~ chmod 0600 $i
~ chown ldap:ldap $i
~ fi
done
# generate the ldap.pem cert here instead of the initscript
if [ ! -e /etc/ssl/openldap/ldap.pem ] ; then
~ if [ -x /usr/share/openldap/gencert.sh ] ; then
~ echo "Generating self-signed certificate..."
~ pushd /etc/ssl/openldap/ > /dev/null
~ yes ""|/usr/share/openldap/gencert.sh >/dev/null 2>&1
~ chmod 640 ldap.pem
~ chown root:ldap ldap.pem
~ popd > /dev/null
~ fi
~ echo "To generate a self-signed certificate, you can use the utility"
~ echo "/usr/share/openldap/gencert.sh..."
fi
We can't do *everything* for the user ... (but a better solution is
required for managing certificates, don't know if we'll have time to
implement for 10.1 though ...).
Either you lost your cert in the upgrade, ora combination of your
slapd.conf and the bad regex that was in the older init script was
saving you from this problem before?
Regards,
Buchan
- --
Buchan Milne Senior Support Technician
Obsidian Systems http://www.obsidian.co.za
B.Eng RHCE (803004789010797)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFAzYMtrJK6UGDSBKcRAiOLAKCesM9DOO1DvRW4jT/Vb33O8SgriQCeKiCd
rfnd8PJaYcppdWoo08thZ9I=
=Mola
-----END PGP SIGNATURE-----