# Certificate entries:
TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCACertificateFile /etc/openldap/cacert.pem
TLSCertificateFile /etc/openldap/server_cert.pem
TLSCertificateKeyFile /etc/openldap/server_cert.pem
TLSVerifyClient never
Mar 10 07:51:07 a7470 slapd[32557]: sql_select option missing
Mar 10 07:51:07 a7470 slapd[32557]: auxpropfunc error no mechanism available
If I comment those TLS lines out again, the server starts up with no errors.
drwxr-xr-x  3 ldap ldap  4096 Mar 10 07:37 .
drwxr-xr-x 77 root root 12288 Mar  9 20:55 ..
-rw-r--r--  1 ldap ldap  2078 Mar 10 07:37 server_cert.pem
-rw-r--r--  1 ldap ldap  1411 Mar 10 07:37 cacert.pem
Any help would be appreciated!
--
Karen R MCArthur, systems administrator
Bates College, Lewiston, Maine
kmcarthu@bates.edu
************************
My full slapd.conf file:
************************
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/eduperson-200412.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/krb5-kdc.schema
include /usr/local/etc/openldap/schema/localeduperson.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/sendmail.schema
include /usr/local/etc/openldap/schema/meetingmaker.schema
# Allow LDAPv2 for Mozilla address books
allow bind_v2
# Remove idle connections
idletimeout 14400
# Limit number of search results to prevent trolling of directory
# by spammers, etc.
sizelimit 10
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
#security simple_bind=64
#SASL configuration
sasl-realm KRB5.EXAMPLE.COM
sasl-host krb.example.com
sasl-secprops noactive,noanonymous
sasl-regexp uid=Replicator,cn=krb.example.com,cn=gssapi,cn=auth cn=Replicator,dc=example,dc=com
sasl-regexp uid=(.*),cn=krb.example.com,cn=gssapi,cn=auth uid=$1,ou=People,dc=example,dc=com
# Certificate entries:
#TLSCipherSuite HIGH:MEDIUM:+SSLv3
#TLSCACertificateFile /etc/openldap/cacert.pem
#TLSCertificateFile /etc/openldap/server_cert.pem
#TLSCertificateKeyFile /etc/openldap/server_cert.pem
#TLSVerifyClient never
#######################################################################
# database definition
#######################################################################
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
directory /usr/local/var/openldap-data
cachesize 5000
checkpoint 512 720
# replication directives
replogfile /var/log/slapd.replog
replica host=krb.example.com:714 bindmethod=sasl saslmech=GSSAPI realm=KRB5.EXAMPLE.COM authcID=Replicator
replica host=krb.example.com:389 bindmethod=sasl saslmech=GSSAPI realm=KRB5.EXAMPLE.COM authcID=Replicator suffix="ou=People,dc=example,dc=com"
# Indices to maintain
index objectClass eq
limits group="cn=LDAPadmins,ou=LDAPauth,dc=example,dc=com" size=-1
access to attr=userPassword
    by dn="cn=Replicator,dc=example,dc=com" write
    by group.exact="cn=LDAPadmins,ou=LDAPauth,dc=example,dc=com" write
    by dn.regex="uid=ldapadm.+\+(realm=KRB5\.EXAMPLE\.COM)" write
    by anonymous auth
    by * none
access to *
    by dn="cn=Replicator,dc=example,dc=com" write
    by group.exact="cn=LDAPadmins,ou=LDAPauth,dc=example,dc=com" write
    by dn.regex="uid=ldapadm.+\+(realm=KRB5\.EXAMPLE\.COM)" write
    by * none