
Re: Using NSS

tail -f /var/log/messages
has most of the ldap messages.
You also may have a :


If you are running a client on the server machine, the client info will be mixed in with the server info on
I believe you will only get the server [slapd] on localmessages

You have to choose either ldap [port 389] with TLS,
or ldaps [port 636].

I am assuming you have a tls_cacert and either a uri with ldap://... or ldaps://...,
as appropriate, in /etc/ldap.conf of the client machine.

On 10/27/11 10:23 AM, "Daniel Qian" <daniel@up247solution.com> wrote:

On 11-10-26 11:28 PM, Dan White wrote:
On 26/10/11 22:53 -0400, Braden McDaniel wrote:
I am trying to get OpenLDAP (2.4.24) working with NSS on Fedora 15. In
 cn=config.ldif I have:
  olcTLSCACertificatePath: /etc/pki/nssdb
  olcTLSCertificateFile: endoframe
 I have used certutil to create a self-signed certificate:
  # certutil -d /etc/pki/nssdb -L
  Certificate Nickname Trust Attributes
  endoframe Cu,Cu,Cu
 But this doesn't appear to be working:
  $ ldapsearch -H ldaps://rail -b dc=endoframe,dc=net -x -d1
  ldap_new_connection 1 1 0
  ldap_connect_to_host: TCP rail:636
  ldap_new_socket: 3
  ldap_prepare_socket: 3
  ldap_connect_to_host: Trying ::1 636
  ldap_pvt_connect: fd: 3 tm: -1 async: 0
  ldap_close_socket: 3
  ldap_new_socket: 3
  ldap_prepare_socket: 3
  ldap_connect_to_host: Trying
  ldap_pvt_connect: fd: 3 tm: -1 async: 0
  ldap_close_socket: 3
  ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
 slapd is running:
  # systemctl status slapd.service
  slapd.service - LSB: starts and stopd OpenLDAP server daemon
  Loaded: loaded (/etc/rc.d/init.d/slapd)
  Active: active (running) since Wed, 05 Oct 2011 02:24:11 -0400; 3 weeks and 0 days ago
  Main PID: 1429 (slapd)
  CGroup: name=systemd:/system/slapd.service
  └ 1429 /usr/sbin/slapd -h ldap:/// -u ldap
 Any ideas of what I might be doing wrong, or where I should be looking
 to debug this?

 slapd was not started with the proper options to listen on ldaps:/// (port
 Your -h command line option should include it, e.g. '-h ldap:/// ldaps:///'.
 See slapd(8) for more details.

There is a control file on Fedora 15 for ldaps or tls
 cat /etc/sysconfig/ldap
 # Options of slapd (see man slapd)
 # At least one of SLAPD_LDAP, SLAPD_LDAPI and SLAPD_LDAPS must be set to 'yes'!
 # Run slapd with -h "... ldap:/// ..."
 # yes/no, default: yes
 # Run slapd with -h "... ldapi:/// ..."
 # yes/no, default: no
 # Run slapd with -h "... ldaps:/// ..."
 # yes/no, default: no
 # Run slapd with -h "... $SLAPD_URLS ..."
 # This option could be used instead of previous three ones, but:
 # - it doesn't overwrite settings of $SLAPD_LDAP, $SLAPD_LDAPS and $SLAPD_LDAPI options
 # - it isn't overwritten by settings of $SLAPD_LDAP, $SLAPD_LDAPS and $SLAPD_LDAPI options
 # example: SLAPD_URLS="ldapi:///var/lib/ldap_root/ldapi ldapi:/// ldaps:///"
 # default: empty
 # Maximum allowed time to wait for slapd shutdown on 'service ldap stop' (in seconds)
 # Parameters to ulimit, use to change system limits for slapd
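
The two answers above (start slapd with '-h ldap:/// ldaps:///', and on Fedora set that through /etc/sysconfig/ldap) can be checked offline with the following script. It is an added example, not code from this thread or from the openldap package: it reads SLAPD_LDAP, SLAPD_LDAPI, SLAPD_LDAPS and SLAPD_URLS from a sysconfig-style file, assembles the listener list the way the comments in that file describe it (the exact order in which the real init script concatenates the URLs is an assumption), and reports whether an ldaps:// client such as the failing `ldapsearch -H ldaps://rail` would find a listener at all. The two sample files it writes are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread or the openldap package.
# Derive the URL list that a Fedora-style init script would hand to
# "slapd -h ..." from /etc/sysconfig/ldap settings, and say whether an
# ldaps:// listener is among them.  Variable names follow the comments in
# the sysconfig file quoted above; the concatenation order is an assumption.

# slapd_urls FILE
#   prints the space-separated URL list; returns 1 if no listener is enabled
slapd_urls() {
    file=$1
    # Defaults documented in the file's own comments.
    SLAPD_LDAP=yes; SLAPD_LDAPI=no; SLAPD_LDAPS=no; SLAPD_URLS=""
    # Only evaluate the four assignments we care about, not the whole file.
    # (The file is root-owned configuration, so eval is acceptable here.)
    eval "$(grep -E '^SLAPD_(LDAP|LDAPI|LDAPS|URLS)=' "$file")"
    urls=""
    [ "$SLAPD_LDAP" = yes ]  && urls="$urls ldap:///"
    [ "$SLAPD_LDAPI" = yes ] && urls="$urls ldapi:///"
    [ "$SLAPD_LDAPS" = yes ] && urls="$urls ldaps:///"
    [ -n "$SLAPD_URLS" ]     && urls="$urls $SLAPD_URLS"
    urls=${urls# }
    [ -n "$urls" ] || return 1
    printf '%s\n' "$urls"
}

# listens_on URLS SCHEME
#   returns 0 if a URL with that scheme (ldap, ldaps, ldapi) is in the list
listens_on() {
    for u in $1; do
        case $u in "$2":*) return 0 ;; esac
    done
    return 1
}

tmp=$(mktemp -d)
# Constructed sample 1: stock defaults, i.e. the situation in the thread
# (systemctl showed "slapd -h ldap:///", so ldaps://rail:636 cannot connect).
cat >"$tmp/ldap.default" <<'EOF'
SLAPD_LDAP=yes
SLAPD_LDAPI=no
SLAPD_LDAPS=no
SLAPD_URLS=""
EOF
# Constructed sample 2: ldaps enabled, the fix suggested in the replies.
cat >"$tmp/ldap.ldaps" <<'EOF'
SLAPD_LDAP=yes
SLAPD_LDAPI=no
SLAPD_LDAPS=yes
SLAPD_URLS=""
EOF

for f in "$tmp"/ldap.*; do
    urls=$(slapd_urls "$f") || { echo "$f: no listener enabled at all"; continue; }
    if listens_on "$urls" ldaps; then
        echo "$f: slapd -h \"$urls\"  (ldaps:// clients can connect)"
    else
        echo "$f: slapd -h \"$urls\"  (ldaps://host:636 fails: Can't contact LDAP server)"
    fi
done
rm -rf "$tmp"
```

Point `slapd_urls` at the real /etc/sysconfig/ldap to see what the init script will pass; the authoritative check is still the running process, and the `-h ldap:///` shown in the `systemctl status slapd.service` output above is exactly what the script reports for the default file. Enabling ldaps:/// only adds the listener: slapd must still be able to load the certificate nickname given in olcTLSCertificateFile from the NSS database in olcTLSCACertificatePath, and the client must trust it through the tls_cacert setting mentioned at the top of this thread, otherwise the TLS handshake fails after the TCP connection succeeds.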