Hello all,
I am trying to set up TLS for LDAP, but without success :(
I created a CA (using a compiled OpenSSL).
When I start LDAP with `service ldap start`, I get these logs:
May 27 20:39:29 srvtest3 slapd[19546]: @(#) $OpenLDAP: slapd 2.3.27 (Jun 27 2007 08:48:26) $ brewbuilder@ls20-bc1-13.build.redhat.com:/builddir/build/BUILD/openldap-2.3.27/openldap-2.3.27/build-servers/servers/slapd
May 27 20:39:29 srvtest3 slapd[19546]: nss_ldap: could not search LDAP server - Server is unavailable
May 27 20:39:29 srvtest3 slapd[19546]: nss_ldap: could not search LDAP server - Server is unavailable
May 27 20:39:29 srvtest3 slapd[19546]: /etc/openldap/slapd.conf: line 39: rootdn is always granted unlimited privileges.
May 27 20:39:29 srvtest3 slapd[19546]: /etc/openldap/slapd.conf: line 44: rootdn is always granted unlimited privileges.
May 27 20:39:29 srvtest3 slapd[19546]: main: TLS init def ctx failed: -1
May 27 20:39:29 srvtest3 slapd[19546]: slapd stopped.
May 27 20:39:29 srvtest3 slapd[19546]: connections_destroy: nothing to destroy.
My /etc/openldap/slapd.conf is:
# /etc/openldap/slapd.conf as posted (the indentation of the "by" clauses was lost in the mail).
# NOTE(review): slapd logged "rootdn is always granted unlimited privileges" for lines 39
# and 44 of the real file — presumably the two `by dn="cn=god,..." write` clauses below,
# which are redundant because that DN is the rootdn.
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
# logs
# loglevel is a bitmask (see slapd.conf(5)); the posted log shows no detail beyond
# "TLS init def ctx failed: -1", so a higher level may be needed while debugging TLS.
loglevel 4
# needed for login_ldap
# NOTE(review): this enables legacy LDAPv2 binds, which predate StartTLS; keep it only
# while the client named above actually needs it.
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
database bdb
suffix "dc=midian,dc=org"
rootdn "cn=god,dc=midian,dc=org"
# SSHA hash of the rootdn password. This file must be readable only by the account
# slapd runs as. The hash below was also posted publicly with this mail, so that
# password should be considered disclosed and replaced (slappasswd generates a new hash).
rootpw {SSHA}EkM4ViGxzWnZQ2n5hKBBcfffFMTcCO-0E4
directory /var/lib/ldap
index objectClass eq
# ACL
# Rules are evaluated in order; the first "access to" that matches the entry/attribute wins.
access to attrs=userPassword
by self write
by anonymous auth
# redundant: cn=god is the rootdn (see the warning noted at the top of the file)
by dn="cn=god,dc=midian,dc=org" write
by * none
# Everything else is readable by anyone, including anonymous binds. That is what lets
# nss_ldap resolve users without credentials, but it also exposes the whole tree
# (users, groups, hosts) to any client that can reach the server.
access to *
by self write
by dn="cn=god,dc=midian,dc=org" write
by * read
# CA signed certificate and server cert entries:
# TLS & SSL
# NOTE(review): the startup log shows "main: TLS init def ctx failed: -1" right after
# config parsing, i.e. slapd could not build its TLS context from these three directives.
# Things to verify: the unprivileged user slapd runs as can read both the cert and the
# key; the key file is the one belonging to the cert; /etc/ssl/cacert.pem is the CA that
# issued it; the cert's name matches srvtest3.test.org, which the clients demand.
# TODO confirm which applies — the log gives no more detail at this loglevel.
TLSCertificateFile /etc/openldap/cacerts/srvtest3.test.org.pem
TLSCertificateKeyFile /etc/openldap/cacerts/srvtest3.test.org.key
TLSCACertificateFile /etc/ssl/cacert.pem
# The server never requests a client certificate; clients identify themselves via bind
# only. The client side (TLS_REQCERT demand) still verifies the server certificate.
TLSVerifyClient never
My /etc/openldap/ldap.conf:
# /etc/openldap/ldap.conf — defaults for the OpenLDAP client library (ldapsearch and friends).
base dc=midian,dc=org
# NOTE(review): the ':' after the scheme is missing — it should read
# `ldap://srvtest3.test.org/` as in /etc/ldap.conf; as written the URI is unlikely to parse.
uri ldap//srvtest3.test.org/
ldap_version 3
# Same CA file slapd uses in TLSCACertificateFile. Note that /etc/ldap.conf points at a
# different file (/etc/openldap/cacerts/ldap.crt); both must contain the issuing CA.
TLS_CACERT /etc/ssl/cacert.pem
# demand: the server certificate must chain to TLS_CACERT and match the host in the URI,
# otherwise the connection is refused.
TLS_REQCERT demand
My /etc/ldap.conf:
# /etc/ldap.conf — nss_ldap / pam_ldap client configuration.
# NOTE(review): the two "nss_ldap: could not search LDAP server - Server is unavailable"
# lines in the slapd log come from the slapd process itself, presumably user/group
# lookups through nss_ldap during startup, before slapd is listening; bind_policy soft
# below is what lets it carry on.
# SSL & TLS
# start_tls: plain connection to the port below, upgraded with StartTLS before any bind.
ssl start_tls
#ssl on
#tls_checkpeer yes
# So that the client can validate the server's identity, it must be given the CA's
# public key, with which it can establish that the server certificate was indeed
# signed by the private key of that same CA.
# NOTE(review): this is a different file from the /etc/ssl/cacert.pem used by slapd
# and /etc/openldap/ldap.conf; with TLS_REQCERT demand it must contain the CA that
# signed srvtest3.test.org.pem, otherwise every nss_ldap/pam_ldap lookup fails — TODO confirm.
TLS_CACERT /etc/openldap/cacerts/ldap.crt
# We also require the client to always validate the server's identity.
TLS_REQCERT demand
# IP of the LDAP server
#host 127.0.0.1
uri ldap://srvtest3.test.org/
# Base DN for searches
base dc=midian,dc=org
# Search optimisation in the database
# NOTE(review): every other directive here uses `key value`; `scope=one` is probably not
# parsed as intended (compare `scope one`) — verify against nss_ldap's ldap.conf(5).
scope=one
# So that the host still boots even if the LDAP server does not respond
bind_policy soft
# Protocol version in use
ldap_version 3
# Server listening port
port 389
# Filters for validating a user
# NOTE(review): pam_filter is given twice; presumably only one of them takes effect.
# A single combined filter would make the intent explicit.
pam_filter objectclass=account
pam_filter host=srvtest3.test.org
# Attribute compared with the user's login name
pam_login_attribute uid
# Check the user's host attribute
pam_check_host_attr yes
# DN of the group a user must belong to for access to the local machine
pam_groupdn ou=group,dc=midian,dc=org
# Attribute that defines group membership
pam_member_attribute member
# How the password is sent to the server on change (crypt: presumably hashed client-side)
pam_password crypt
# nss-ldap search parameters
nss_base_passwd ou=user,dc=midian,dc=org?sub
nss_base_shadow ou=user,dc=midian,dc=org?sub
nss_base_group ou=group,dc=midian,dc=org?sub
nss_base_hosts ou=machines,dc=midian,dc=org?sub
- GanGan -