That looks like OK syntax. Get ldapwhoami(1) and similar working at the
command line directly. e.g.
server$ ldapwhoami -H ldaps://directory.company.com/ [...]
I suspect this will fail. (Often CA validation fails, for example.) Once
you have ldap.conf such that this works, the slapd.conf syntax you
mentioned should be OK. If you can get the command line to work as the
same user you're running slapd as, but slapd still fails, try turning up
slapd debugging.
You can also try "tls propagate" or "tls start". See slapd-meta man page
for details.
On Tue, 23 Jan 2007, Stephen Agar wrote:
> One more follow-up question. I want the "meta" database on the external
> server contacted via TLS/SSL.
> if I set:
>
> uri "ldap://directory.company.com/ou=People,o=company,c=US"
>
> things work perfectly, however if i set:
>
> uri "ldaps://directory.company.com/ou=People,o=company,c=US"
>
> I get "server is unavailable" when I do things like ldapwhoami. Is there
> something I can configure in my ldap.conf to allow ldaps authentication to
> the server defined in my "meta" stanza?
>
> --stephen
>
> On 1/22/07, Stephen Agar <seagar@gmail.com> wrote:
>>
>> wow....thanks a bunch, that worked perfectly.
>>
>> --stephen
>>
>> On 1/22/07, Aaron Richton <richton@nbcs.rutgers.edu> wrote:
>> >
>> > Try something more like:
>> >
>> > database meta
>> > suffix "ou=people,o=company,c=US"
>> > subordinate
>> >
>> > database bdb
>> > suffix "o=company,c=US"
>> >
>> > see if that does what you want...
>> >
>> > On Mon, 22 Jan 2007, Stephen Agar wrote:
>> >
>> > > I have an LDAP server with a base "o=company, c=us". There is another
>> > > server which controls "ou=people,o=company,c=us", so in slapd.conf I have
>> > > the following:
>> > >
>> > > database bdb
>> > > suffix "o=company,c=US"
>> > > rootdn "cn=Manager,o=company,c=US"
>> > > rootpw *******
>> > > directory /usr/var/openldap-data
>> > > # Indices to maintain
>> > > index objectClass eq
>> > > index ou,cn,uid eq,pres,sub
>> > >
>> > > #meta test
>> > > database meta
>> > > suffix "ou=people,o=company,c=US"
>> > > uri "ldap://directory.company.com/ou=People,o=company,c=US"
>> > >
>> > >
>> > > When I try to start slapd, I get: /etc/openldap/slapd.conf: line 84:
>> > > <suffix> namingContext "o=company,c=US" already served by a preceding bdb
>> > > database serving namingContext "o=company,c=US". Am I misusing meta? Can I
>> > > not proxy binds/lookups to specific OUs to a secondary LDAP? I understand
>> > > what the message is saying, but don't think I understand the proper use of
>> > > meta.
>> > >
>> > > For example, I have an ou=groups that contains "groupofnames" and the
>> > > members of those groups are like "uid=123456,ou=people,o=company,c=us". So I
>> > > want ou=groups owned on my server, then when specific members try to
>> > > bind, they are proxied to this external LDAP server that serves
>> > > ou=people,o=company,c=us and contains their uids and passwords. Am I going
>> > > about this the wrong way? Is there a way to accomplish what I'm trying to do?
>> > >
>> > >
>> > > Thanks in advance...
>> > > --stephen
>> > >
>> >
>>
>>
>
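Putting the two answers in this thread together (the subordinate meta database from the first reply, and the "fix ldap.conf first, then slapd" advice from the second), the following is an added example of what the resulting ldap.conf and slapd.conf look like. It is not configuration posted by anyone in the thread: the CA file path, the rootpw placeholder and the commented StartTLS alternative are assumptions, while the suffixes, URI and index lines are the ones Stephen posted. The security point worth making explicit is that slapd-meta forwards every user's simple bind, password included, to directory.company.com, so the back-side link has to be encrypted and the remote server has to be authenticated; an ldaps:// URI only does the second part if the client library is told which CA to trust and to insist on it.

```conf
# --- /etc/openldap/ldap.conf ---------------------------------------------
# Client-library defaults. These are read by ldapwhoami(1) AND by slapd's
# meta backend when it opens its outbound connection, so this file (or the
# ~/.ldaprc of the account slapd runs as) must be right before the proxy
# can work. The CA file path is an assumption: point it at the CA that
# issued directory.company.com's server certificate.
TLS_CACERT   /etc/openldap/cacerts/company-ca.pem

# Weak setting, shown for contrast (do not use): "never" makes the client
# accept any certificate, so the ldaps:// URI no longer authenticates the
# remote directory and a spoofed server could collect every proxied bind.
#TLS_REQCERT never

# Hardened setting: refuse the connection unless the server certificate
# chains to TLS_CACERT and its name matches the host in the URI.
TLS_REQCERT  demand

# --- /etc/openldap/slapd.conf --------------------------------------------
# Schema includes, pidfile etc. omitted; only the database section is shown.
# The subordinate (meta) database is declared before its superior (bdb), as
# in the working configuration from the thread; the glue then routes
# anything under ou=People to the proxy and everything else to local bdb.

database      meta
suffix        "ou=People,o=company,c=US"
subordinate
# Implicit TLS on port 636. Users' passwords travel through this proxy on
# every bind, so the back-side link must be encrypted as well as the front.
uri           "ldaps://directory.company.com/ou=People,o=company,c=US"

# Alternative if the remote server only offers StartTLS on port 389:
# keep the plain ldap:// URI and add the slapd-meta(5) "tls" directive.
#   uri  "ldap://directory.company.com/ou=People,o=company,c=US"
#   tls  start       # always negotiate StartTLS before any other operation
# ("tls propagate" instead negotiates StartTLS only when the incoming
#  client connection was itself protected by TLS; see slapd-meta(5).)

database      bdb
suffix        "o=company,c=US"
rootdn        "cn=Manager,o=company,c=US"
# Store a hash produced by slappasswd(8) here, not the cleartext password.
rootpw        {SSHA}REPLACE-WITH-slappasswd-OUTPUT
directory     /usr/var/openldap-data
index         objectClass eq
index         ou,cn,uid eq,pres,sub
```

To check it the way the reply above suggests, run the client as the same account slapd runs under, for example `ldapwhoami -x -H ldaps://directory.company.com/ -D "uid=123456,ou=People,o=company,c=US" -W`; adding `-d 1` prints the TLS library's reason (certificate verify failed, hostname mismatch) when the bind comes back as "Can't contact LDAP server". Only once that works is a remaining "server is unavailable" from the proxied suffix a slapd problem rather than a TLS trust problem.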