Re: Using NSS



On 11-10-26 11:28 PM, Dan White wrote:
On 26/10/11 22:53 -0400, Braden McDaniel wrote:
I am trying to get OpenLDAP (2.4.24) working with NSS on Fedora 15. In
cn=config.ldif I have:

        olcTLSCACertificatePath: /etc/pki/nssdb
        olcTLSCertificateFile: endoframe

I have used certutil to create a self-signed certificate:

        # certutil -d /etc/pki/nssdb -L

        Certificate Nickname                                         Trust Attributes
                                                                     SSL,S/MIME,JAR/XPI

        endoframe                                                    Cu,Cu,Cu

But this doesn't appear to be working:

        $ ldapsearch -H ldaps://rail -b dc=endoframe,dc=net -x -d1
        ldap_url_parse_ext(ldaps://rail)
        ldap_create
        ldap_url_parse_ext(ldaps://rail:636/??base)
        ldap_sasl_bind
        ldap_send_initial_request
        ldap_new_connection 1 1 0
        ldap_int_open_connection
        ldap_connect_to_host: TCP rail:636
        ldap_new_socket: 3
        ldap_prepare_socket: 3
        ldap_connect_to_host: Trying ::1 636
        ldap_pvt_connect: fd: 3 tm: -1 async: 0
        ldap_close_socket: 3
        ldap_new_socket: 3
        ldap_prepare_socket: 3
        ldap_connect_to_host: Trying 127.0.0.1:636
        ldap_pvt_connect: fd: 3 tm: -1 async: 0
        ldap_close_socket: 3
        ldap_err2string
        ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

slapd is running:

        # systemctl status slapd.service
        slapd.service - LSB: starts and stopd OpenLDAP server daemon
                  Loaded: loaded (/etc/rc.d/init.d/slapd)
                  Active: active (running) since Wed, 05 Oct 2011 02:24:11 -0400; 3 weeks and 0 days ago
                Main PID: 1429 (slapd)
                  CGroup: name=systemd:/system/slapd.service
                          └ 1429 /usr/sbin/slapd -h ldap:/// -u ldap

Any ideas of what I might be doing wrong, or where I should be looking
to debug this?

slapd was not started with the proper options to listen on ldaps:/// (port
636).

Your -h command line option should include it, e.g. '-h ldap:///
ldaps:///'. See slapd(8) for more details.


There is a control file on Fedora 15 for ldaps or tls

cat /etc/sysconfig/ldap

# Options of slapd (see man slapd)
#SLAPD_OPTIONS=

# At least one of SLAPD_LDAP, SLAPD_LDAPI and SLAPD_LDAPS must be set to 'yes'!
#
# Run slapd with -h "... ldap:/// ..."
#   yes/no, default: yes
#SLAPD_LDAP=yes

# Run slapd with -h "... ldapi:/// ..."
#   yes/no, default: no
#SLAPD_LDAPI=no

# Run slapd with -h "... ldaps:/// ..."
#   yes/no, default: no
#SLAPD_LDAPS=no
SLAPD_LDAPS=yes

# Run slapd with -h "... $SLAPD_URLS ..."
# This option could be used instead of previous three ones, but:
# - it doesn't overwrite settings of $SLAPD_LDAP, $SLAPD_LDAPS and $SLAPD_LDAPI options
# - it isn't overwritten by settings of $SLAPD_LDAP, $SLAPD_LDAPS and $SLAPD_LDAPI options
# example: SLAPD_URLS="ldapi:///var/lib/ldap_root/ldapi ldapi:/// ldaps:///"
# default: empty
#SLAPD_URLS=""

# Maximum allowed time to wait for slapd shutdown on 'service ldap stop' (in seconds)
#SLAPD_SHUTDOWN_TIMEOUT=3

# Parameters to ulimit, use to change system limits for slapd
#SLAPD_ULIMIT_SETTINGS=""
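As an added illustration (not code from anyone in this thread, nor from the Fedora init script), the script below reproduces the listener rules the sysconfig comments describe and compares the result with the slapd command line shown by systemctl, so a mismatch like the one in the original report is caught before a client sees "Can't contact LDAP server". The order in which the URLs are emitted is an assumption; the sysconfig file does not document it.

```shell
#!/bin/sh
# Added example; reproduces the /etc/sysconfig/ldap rules, URL order assumed.

# Build the value for "slapd -h" from the SLAPD_* variables, using the
# defaults stated in the sysconfig comments: LDAP=yes, LDAPI=no, LDAPS=no.
build_slapd_urls() {
    urls=""
    [ "${SLAPD_LDAP:-yes}" = "yes" ] && urls="$urls ldap:///"
    [ "${SLAPD_LDAPI:-no}" = "yes" ] && urls="$urls ldapi:///"
    [ "${SLAPD_LDAPS:-no}" = "yes" ] && urls="$urls ldaps:///"
    # SLAPD_URLS is additive: it neither overrides nor is overridden by
    # the three yes/no switches above.
    [ -n "${SLAPD_URLS:-}" ] && urls="$urls $SLAPD_URLS"
    urls="${urls# }"
    # The sysconfig file requires at least one listener; fail otherwise.
    [ -n "$urls" ] || return 1
    printf '%s\n' "$urls"
}

# Return 0 if a slapd command line (e.g. the CGroup line of
# "systemctl status slapd.service") already carries an ldaps:// listener.
cmdline_has_ldaps() {
    case "$1" in
        *ldaps://*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Compare the running command line with what sysconfig would produce and
# report the case from the thread: ldaps enabled on disk, absent in the process.
diagnose() {
    running="$1"
    wanted="$(build_slapd_urls)" || { echo "no listener enabled in sysconfig"; return 2; }
    case "$wanted" in
        *ldaps://*)
            if ! cmdline_has_ldaps "$running"; then
                echo "ldaps enabled in sysconfig but running slapd lacks it; restart with: -h $wanted"
                return 1
            fi ;;
    esac
    echo "listeners consistent"
}

# Constructed input: the process line from the original report, with the
# SLAPD_LDAPS=yes setting from the reply applied in a subshell.
( SLAPD_LDAPS=yes; diagnose "/usr/sbin/slapd -h ldap:/// -u ldap" )
```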