LDAP SSL Problems (was: service script (/etc/init.d/ldap))

Daniel B. Thurman dant at cdkkt.com
Wed Nov 16 16:26:50 UTC 2005


>From: fedora-list-bounces at redhat.com
>[mailto:fedora-list-bounces at redhat.com]On Behalf Of Nigel Wade
>Sent: Wednesday, November 16, 2005 1:52 AM
>To: For users of Fedora Core releases
>Subject: Re: LDAP SSL Problems (was: service script (/etc/init.d/ldap))
>
>
>Daniel B. Thurman wrote:
>>>From: fedora-list-bounces at redhat.com
>>>[mailto:fedora-list-bounces at redhat.com]On Behalf Of Craig White
>>>Sent: Monday, November 14, 2005 5:10 PM
>>>To: For users of Fedora Core releases
>>>Subject: RE: LDAP SSL Problems (was: service script (/etc/init.d/ldap))
>>>
>>>
>>>On Mon, 2005-11-14 at 16:42 -0800, Daniel B. Thurman wrote:
>>>
>>>
>>>>See: if LANG=C klist -k "$KRB5_KTNAME" | tail -n 4 | awk '{print $2}' |
>>>>===============^^^^^
>>>>s/b ===========$klist
>>>
>>>----
>>>your previous email referenced the missing '$' on the word kinit not
>>>klist which was significant since kinit doesn't exist in the file but
>>>klist clearly does in a number of places. I understand how you
>>>transposed it though - going buggy after typing it a number of times it
>>>probably just flowed naturally through your fingers.
>>>
>>>Craig
>>>
>>>
>> 
>> 
>> Yea... sorry... I was trying to solve my problem with ldap
>> and it was getting a bit frustrating - so I lost it somewhere
>> when my fingers started running away from me :-)
>> 
>> Your certificate creation method did not work.  I saw that I
>> had to change the openssl.cnf path and I did get the two
>> files: ldap.csr and ldap.key but missing is ca.certs and
>> ca.key.
>> 
>> Dan
>> 
>
>I've just been setting up an LDAP server today (not using Kerberos, but that
>might come at some point). I created a CA certificate and server certificate
>using the instructions here:
>http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html
>
>
>-- 
>Nigel Wade, System Administrator, Space Plasma Physics Group,
>             University of Leicester, Leicester, LE1 7RH, UK
>E-mail :    nmw at ion.le.ac.uk
>Phone :     +44 (0)116 2523548, Fax : +44 (0)116 2523555
>

Thanks for the feedback.  Just be aware that the
openssl in FC4 is version 0.9.7f and the latest is 0.9.8a, and
that many of the howtos are somewhat (very) different from the
past. One example is that the structure has changed (at least
from what I see in FC4) to be at /etc/pki and that some script
programs are no longer where you expected them to be, or no
longer exist.

I have successfully gotten LDAP to run, and gotten the SSL/TLS
component to run, but I am still having a helluva time trying to
get SASL working.

Also still messing with Kerberos and trying to get the nuances
worked out.  I do have Kerberos running but still have a ways
to go to get it tied with LDAP.  It could be that I will need to
switch to Heimdal Kerberos instead of MIT's version - as it
says that Heimdal allows LDAP to be in a central DB and supports
LDAP where MIT's Kerberos does not?  I will be at it for a while.

Kind regards,
Dan
