[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: fedora and openldap

To: openldap-technical@openldap.org
Subject: Re: fedora and openldap
From: harry.jede@arcor.de
Date: Wed, 13 Apr 2011 11:16:57 +0200
Content-disposition: inline
Dkim-signature: v=1; a=rsa-sha256; c=simple/simple; d=arcor.de; s=mail-in; t=1302686220; bh=2Avg5Xerhh8+ItssrJktDnLCSPJXSX3CZv8ZYtF4w/s=; h=From:To:Subject:Date:References:In-Reply-To:MIME-Version: Content-Type:Content-Transfer-Encoding:Message-Id; b=aYvyuAhuHzD5OllAGkKzgFIPkY68iXbSNLC+eBg8HuveS1TlhiOirH5C5IB5S79LH DfAHoIr1JGk3A0a+pEoKt27/wBv60PmacSQKOf41qL3mh9NwznjgwM+Yb7doixHofb ltGFCSJEaJt+Ic9EISs94q6J6n/0qHTraMaqsHyc=
In-reply-to: <4DA5587F.6000006@imppc.org>
References: <4D9B87A2.8040400@imppc.org> <201104130906.11499.harry.jede@arcor.de> <4DA5587F.6000006@imppc.org>
User-agent: KMail/1.9.9

Judith Flo Gaya wrote:
> Hi Harry,
>
> On 04/13/2011 09:06 AM, harry.jede@arcor.de wrote:
> > Judith Flo Gaya wrote:
> >> On 4/12/11 9:44 PM, Quanah Gibson-Mount wrote:
> >>> --On Tuesday, April 12, 2011 9:50 PM +0200 Judith Flo
> >>> Gaya<jflo@imppc.org>
> >>>
> >>> wrote:
> >>>> I'm using the default version of openldap for the clients :
> >>>> openldap-2.4.22-7.fc14.x86_64
> >>>> openldap-devel-2.4.22-7.fc14.x86_64
> >>>> openldap-clients-2.4.22-7.fc14.x86_64
> >
> > What means this?
> >
> > Are you using these packages on Client-PCs?
>
> a priori I was doing it, now I compiled from source the same version
> of openldap, so now both server and clients have the same openldap
fine

> > Do you also use these packages on your openldap server?
>
> The versions on the server side were old and I was suggested to
> update to a newer version, so I compiled it.
>
> >>>> I don't exactly know how to check the way they are compiled..
> >>>
> >>> Use "ldd" on the binary.  If they are compiled against MozNSS,
> >>> you'll probably have better success using your own built binaries
> >>> against OpenSSL.
> >
> > And don't forget: you should never never mix (openldap) packages
> > from two different builds on one machine. Such a setup can work
> > well, but it is for power users :-) .
>
> Yes, my idea was to get rid of the rpm packages after installing the
> source one, but I can get rid of the openldap-$version because it has
> plenty of dependencies, so I linked to /usr/local so that libraries
> and binaries can be found by the system before the rpm ones.
> One of the packages that uses these libraries is nss_pam_ldapd, maybe
> that's why now the ldapsearch is working but the authentication is
> not
ldapsearch works now with TLS and/or SSL. That's also fine.

> I can't do id <user>, it complains about a TLS negotiation problem :
> Apr 13 09:55:25 curri0 slapd[2025]: conn=1063 fd=39 ACCEPT from
> IP=<client_ip>:44725 (IP=0.0.0.0:636)
> Apr 13 09:55:25 curri0 slapd[2025]: conn=1063 fd=39 closed (TLS
> negotiation failure)
> Apr 13 09:55:25 curri0 slapd[2025]: connection_read(39): no
> connection! Apr 13 09:55:25 curri0 slapd[2025]: connection_read(39):
> no connection!
So, the nss_pam_ldapd needs also recompiling !?

> > I  have no  experience with fedora, so I can not really help you.
> > But in general, you may do it like this:
> >
> > 1. Check the packages meta information to find from which source
> > package they are build.
> > 2. Download these source packages
> > 3. Downlod the developer packages which are needed to build your
> > package 4. Download the openssl developer package
> > 5. Change the config from moznss to openssl
> > 6. Build the new packages
> > 7. Test them on one or two machines
> > 8. Distribute them to all your Fedora machines
>
> The devel packages and the openssl were already installed and the
> make depend worked without problem, so I only download, configure
> (with-tls=openssl) and installed this newer version, but still it
> doesn't work ;(
> I'll try to link the ldap libraries under /usr/lib64 to the new ones
> and see if I can fool the system to use mines.
>
> I'm told that I can also manage to make the openldap rpm version that
> uses the moznss library to accept a .pem file, I thought that in this
> way it would be much easier, but now I'm no longer sure...
Before you recompile all packages which depend on moznss, I suggest that 
you try this option, as Rich suggest.

If I remember correctly, one of yor previous mails, you have had a wrong 
setup. You have used TLS on client side, and SSL on serverside.

Try to recompile all openldap related packages with moznss and an 
uptodate openldap source. Use the config from fedora source.

Then run the tests again.

If this does not work, you may go with openssl and recompile all 
packages you need.

An other way to get it: change to a distribution which use openssl. 
Debian and derivates uses gnutls, so avoid them.

-- 

Harry Jede

Follow-Ups:
- Re: fedora and openldap
  - From: Judith Flo Gaya <jflo@imppc.org>

References:
- fedora and openldap
  - From: Judith Flo Gaya <jflo@imppc.org>
- Re: fedora and openldap
  - From: harry.jede@arcor.de
- Re: fedora and openldap
  - From: Judith Flo Gaya <jflo@imppc.org>

Prev by Date: how to use ldap_parse_sortresponse_control
Next by Date: Re: Issue when injecting a new AttributeTypes in OpenLdap
Index(es):
- Chronological
- Thread