
[ldap with tls] installation problem



Hello all,

I am trying to install TLS for LDAP but without success :(

I made a CA (compiled OpenSSL).

When I start ldap with `service ldap start` I get these logs:

May 27 20:39:29 srvtest3 slapd[19546]: @(#) $OpenLDAP: slapd 2.3.27 (Jun 27 2007 08:48:26) $    brewbuilder@ls20-bc1-13.build.redhat.com:/builddir/build/BUILD/openldap-2.3.27/openldap-2.3.27/build-servers/servers/slapd
May 27 20:39:29 srvtest3 slapd[19546]: nss_ldap: could not search LDAP server - Server is unavailable
May 27 20:39:29 srvtest3 slapd[19546]: nss_ldap: could not search LDAP server - Server is unavailable
May 27 20:39:29 srvtest3 slapd[19546]: /etc/openldap/slapd.conf: line 39: rootdn is always granted unlimited privileges.
May 27 20:39:29 srvtest3 slapd[19546]: /etc/openldap/slapd.conf: line 44: rootdn is always granted unlimited privileges.
May 27 20:39:29 srvtest3 slapd[19546]: main: TLS init def ctx failed: -1
May 27 20:39:29 srvtest3 slapd[19546]: slapd stopped.
May 27 20:39:29 srvtest3 slapd[19546]: connections_destroy: nothing to destroy.

My /etc/openldap/slapd.conf is:

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

# logs

loglevel 4

# needed for login_ldap
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
database bdb
suffix "dc=midian,dc=org"
rootdn "cn=god,dc=midian,dc=org"
rootpw {SSHA}EkM4ViGxzWnZQ2n5hKBBcfffFMTcCO-0E4
directory /var/lib/ldap
index objectClass eq

# ACL

access to attrs=userPassword
 by self write
 by anonymous auth
 by dn="cn=god,dc=midian,dc=org" write
 by * none

access to *
 by self write
 by dn="cn=god,dc=midian,dc=org" write
 by * read

# CA signed certificate and server cert entries:

# TLS & SSL

TLSCertificateFile /etc/openldap/cacerts/srvtest3.test.org.pem
TLSCertificateKeyFile /etc/openldap/cacerts/srvtest3.test.org.key
TLSCACertificateFile /etc/ssl/cacert.pem
TLSVerifyClient never

My /etc/openldap/ldap.conf:

base dc=midian,dc=org
uri ldap//srvtest3.test.org/
ldap_version 3
TLS_CACERT /etc/ssl/cacert.pem
TLS_REQCERT demand

My /etc/ldap.conf:

# SSL & TLS

ssl start_tls
#ssl on
#tls_checkpeer yes

# So that the client can validate the server's identity, we must give it the CA's public
# key, with which it can establish that the server's certificate was indeed signed by
# the private key of that same CA.
TLS_CACERT /etc/openldap/cacerts/ldap.crt
# We also ask the client to always validate the server's identity.
TLS_REQCERT demand

# IP of the ldap server

#host 127.0.0.1
uri ldap://srvtest3.test.org/

# The base DN used for searches

base dc=midian,dc=org

# Search optimisation within the directory

scope=one

# So that the host boots even if the ldap server does not respond

bind_policy soft

# Protocol version used

ldap_version 3

# Server listening port

port 389

# Filters used to validate a user

pam_filter objectclass=account

pam_filter host=srvtest3.test.org

# Attribute compared against the user's login name

pam_login_attribute uid

# Check of the host attribute

pam_check_host_attr yes

# DN of the group one must belong to for access to the local machine

pam_groupdn ou=group,dc=midian,dc=org

# Defines the group membership attribute

pam_member_attribute member

# Password format sent to the server

pam_password crypt

# nss-ldap search parameters

nss_base_passwd         ou=user,dc=midian,dc=org?sub
nss_base_shadow         ou=user,dc=midian,dc=org?sub
nss_base_group          ou=group,dc=midian,dc=org?sub
nss_base_hosts          ou=machines,dc=midian,dc=org?sub

If someone could help me it would be nice.
Sorry for my bad English.

 
- GanGan -
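A pre-flight check for the three TLS file directives in slapd.conf, added here as an example and not part of the original post or of OpenLDAP itself: slapd only reports "TLS init def ctx failed" when it cannot build its TLS context, so this script checks the usual causes (an unreadable file, a key that does not match the certificate, a certificate that does not chain to the configured CA) with the openssl command line. It assumes a POSIX shell, awk and openssl; the slapd.conf path is whatever you pass as the first argument.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight check of the TLS file
# directives in slapd.conf before starting slapd. "TLS init def ctx failed: -1"
# gives no detail, so the usual causes are checked by hand. Run it as the user
# slapd runs as (ldap on Red Hat builds) so the readability check reflects
# what slapd itself sees.

# Print "DIRECTIVE PATH" for each TLS file directive found in the config.
tls_paths() {
    awk '$1 ~ /^TLS(CA)?Certificate(Key)?File$/ { print $1, $2 }' "$1"
}

# Return 0 when every TLS file is readable and cert, key and CA agree.
check_tls_files() {
    conf=$1 rc=0 cert= key= ca=
    while read -r directive path; do
        [ -n "$directive" ] || continue
        if [ ! -r "$path" ]; then
            echo "FAIL: $directive $path is missing or unreadable"; rc=1
            continue
        fi
        case $directive in
            TLSCertificateFile)    cert=$path ;;
            TLSCertificateKeyFile) key=$path ;;
            TLSCACertificateFile)  ca=$path ;;
        esac
    done <<EOF
$(tls_paths "$conf")
EOF
    # Cryptographic checks need openssl and all three files readable.
    if [ $rc -eq 0 ] && [ -n "$cert" ] && [ -n "$key" ] && [ -n "$ca" ] \
       && command -v openssl >/dev/null 2>&1; then
        # The public key inside the certificate must equal the key's public half.
        cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null) || cert_pub=
        key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null) || key_pub=
        if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
            echo "FAIL: $key does not match $cert"; rc=1
        fi
        # The server certificate must verify against the CA handed to slapd.
        if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
            echo "FAIL: $cert does not chain to $ca"; rc=1
        fi
    fi
    [ $rc -eq 0 ] && echo "OK: TLS files in $conf look consistent"
    return $rc
}

# Usage: sh check_slapd_tls.sh /etc/openldap/slapd.conf
[ $# -gt 0 ] && { check_tls_files "$1" || exit 1; }
```

A FAIL line names the directive to fix; a clean run means the remaining suspects are the TLS directives in the client-side files and the cipher or protocol settings, not the files themselves.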