
Re: OpenLDAP, OpenSSL, and Fedora 10 Stop Liking One Another ?
On Wed, Feb 04, 2009 at 09:39:07AM +1100, Oscar Plameras wrote:
> 1. System1 - I had 3 test servers running OpenLDAP-2.3.30-3.fc6,
> OpenSSL-0.9.8b-15.fc6 on Linux-2.6.22.14-72.fc6.
> And these were perfectly running with OPENSSL configured on
> 'slapd.conf' as follows:
> 
> lines cut
> #
> #
> TLSCACertificateFile /etc/CA/cacert.pem
> TLSCertificateFile    /etc/pki/tls/newcert.pem
> TLSCertificateKeyFile /etc/pki/tls/newkey.pem
> #
> #
> lines cut
> 
> When I do,
> 
> #service ldap restart, and #ps -ax I have this
> 
> slapd -h ldap:/// ldaps:/// -u ldap
> 
> I can do simple unsecured or secured queries from here.
> 
> 2. System2 - Now, I upgraded 2 test servers running
> OpenLDAP-2.4.12-1.fc10, OpenSSL-0.9.8g-12.fc10 on
> Linux-2.6.29-159.fc10.
> Suddenly I can't start slapd correctly. The problem is after
> configuring 'slapd.conf' with OPENSSL, as I did in System1 and I
> do a
> 
> #service ldap restart, and #ps -ax
> 
> I found that I only have this process running:
> slapd -h ldap:/// -u ldap. The ldaps:/// process did not start
> suggesting I have incorrect certificates.
> But I can confirm that my certificates are correct with several tests.

In older releases, the init script checked for TLS-related settings in
slapd.conf and if it found some, forcibly added 'ldaps:///' to the list
of values passed to slapd as arguments for its '-h' flag.

It looks like it doesn't do that any more.  Rather, it expects that
you'll set SLAPD_LDAPS to "yes" in /etc/sysconfig/ldap.  I'm only
guessing as to why, but it looks like one of the benefits of changing
the way that the init script works is that you can now disable listening
for non-SSL connections without editing the init script.

HTH,

Nalin
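An added shell illustration of the behaviour Nalin describes; it is neither the Fedora init script nor anything posted in this thread. It assembles the listener list for slapd's -h flag from /etc/sysconfig/ldap style variables and checks for the exact pitfall above: TLS directives in slapd.conf with SLAPD_LDAPS not set to "yes". SLAPD_LDAPS is from the thread; SLAPD_LDAP and SLAPD_LDAPI are assumed names, and the slapd.conf fragment is constructed.

```shell
#!/bin/sh
# Added illustration, not the Fedora init script: assemble slapd's -h listener
# list from /etc/sysconfig/ldap style variables and flag the mismatch seen in
# the thread (TLS configured in slapd.conf, but SLAPD_LDAPS not "yes").
# SLAPD_LDAPS comes from the thread; SLAPD_LDAP and SLAPD_LDAPI are assumed names.

# build_listeners LDAP LDAPS LDAPI: print the URL list that would follow -h.
# LDAP=no LDAPS=yes is the "TLS only, no plaintext listener" case Nalin mentions.
build_listeners() {
    urls=""
    [ "$1" = "yes" ] && urls="$urls ldap:///"
    [ "$2" = "yes" ] && urls="$urls ldaps:///"
    [ "$3" = "yes" ] && urls="$urls ldapi:///"
    printf '%s\n' "${urls# }"   # drop the leading space
}

# check_tls_listener CONF LDAPS: return 1 (with a warning) when slapd.conf
# carries TLS certificate directives but the ldaps:/// listener is disabled,
# which is the silent failure in the original post (slapd starts, ldaps does not).
check_tls_listener() {
    conf="$1"; ldaps="$2"
    if grep -Eq '^[[:space:]]*TLS(CACertificateFile|CertificateFile|CertificateKeyFile)[[:space:]]' "$conf"; then
        if [ "$ldaps" != "yes" ]; then
            echo "warning: $conf configures TLS but SLAPD_LDAPS='$ldaps'; ldaps:/// will not be started" >&2
            return 1
        fi
    fi
    return 0
}

# Constructed slapd.conf fragment mirroring the directives quoted in the thread.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
TLSCACertificateFile /etc/CA/cacert.pem
TLSCertificateFile    /etc/pki/tls/newcert.pem
TLSCertificateKeyFile /etc/pki/tls/newkey.pem
EOF

# With SLAPD_LDAPS left at "no" only ldap:/// is started, so the check warns.
check_tls_listener "$demo_conf" no || echo 'fix: set SLAPD_LDAPS="yes" in /etc/sysconfig/ldap'
echo "slapd -h $(build_listeners yes no no) -u ldap"
# With SLAPD_LDAPS="yes" both listeners appear, as on the fc6 systems.
check_tls_listener "$demo_conf" yes && echo "slapd -h $(build_listeners yes yes no) -u ldap"
rm -f "$demo_conf"
```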