Re: Mozilla NSS / OpenLdap 2.4.23 cert not readable?
On 12/12/2011 12:29 PM, Aaron Bennett wrote:
not sure - start slapd and add "-d 1" to your slapd argument list (see
/etc/sysconfig/ldap? or slapd? for the argument list)
I'm trying to grok Mozilla NSS prior to deploying OpenLDAP 2.4.23 on RHEL 6.2. I've been working through creating a self-signed cert and I think I have one that works. At least, if I do:
[root@animal ~]# certutil -d /etc/pki/nssdb/ -L
Certificate Nickname Trust Attributes
the its cert is the one I used to sign.
If I do:
[root@animal ~]# certutil -d /etc/pki/nssdb/ -L -n animal.clarku.edu
Then I see a normal looking cert:
Version: 3 (0x2)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "CN=ITS Self Signed"
Not Before: Mon Dec 12 16:01:27 2011
Not After : Mon Mar 12 16:01:27 2012
Subject: "CN=animal.clarku.edu,O=Clark University ITS,L=Worcester,ST=
Here's what I've got in cn=config:
If I do those commands as the ldap user with sudo -u ldap, I get the same output. I can even run "certutil -V -n animal.clarku.edu -u SR -d /etc/pki/nssdb/" and I get "certificate is valid".
However when I start slapd, I get:
[root@animal slapd.d]# service slapd start
animal.clarku.edu is not readable by "ldap" [WARNING]
Starting slapd: [ OK ]
What am I missing?
Also, please confirm that you are running slapd as the userid "ldap" and
that /etc/pki/nssdb is readable by "ldap".
Manager of Systems Administration
Clark University ITS
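
One way to carry out the readability check suggested in the reply, as an added example that is not part of the original thread: it lists the entries of an NSS database directory that a given uid and group set cannot read, judged from the owner/group/other mode bits. The function names are hypothetical, GNU `stat -c` is assumed, and ACLs, SELinux and parent-directory permissions are not considered.

```shell
#!/bin/sh
# Added example (hypothetical helper names); assumes GNU coreutils stat.

# can_read PATH UID "GID GID ..."
# Succeeds if the mode bits of PATH grant read access (read + search for a
# directory) to a process running with that uid and those group ids.
can_read() {
    cr_path=$1; cr_uid=$2; cr_gids=$3
    [ "$cr_uid" -eq 0 ] && return 0            # root bypasses mode bits
    cr_st=$(stat -c '%a %u %g' "$cr_path") || return 2
    set -- $cr_st
    cr_mode=$1; cr_fuid=$2; cr_fgid=$3
    cr_digit=$((cr_mode % 10))                 # default class: "other"
    if [ "$cr_uid" -eq "$cr_fuid" ]; then
        cr_digit=$((cr_mode / 100 % 10))       # owner class wins outright
    else
        for cr_g in $cr_gids; do
            if [ "$cr_g" -eq "$cr_fgid" ]; then
                cr_digit=$((cr_mode / 10 % 10))    # group class
                break
            fi
        done
    fi
    cr_need=4
    [ -d "$cr_path" ] && cr_need=5             # a directory also needs x
    [ $((cr_digit & cr_need)) -eq "$cr_need" ]
}

# unreadable_entries DIR UID "GID GID ..."
# Prints DIR itself if it cannot be entered, otherwise every regular file
# directly inside DIR that the account cannot read. Prints nothing if all
# entries are readable.
unreadable_entries() {
    ue_dir=$1; ue_uid=$2; ue_gids=$3
    if ! can_read "$ue_dir" "$ue_uid" "$ue_gids"; then
        echo "$ue_dir"
        return 0
    fi
    for ue_f in "$ue_dir"/*; do
        [ -f "$ue_f" ] || continue
        can_read "$ue_f" "$ue_uid" "$ue_gids" || echo "$ue_f"
    done
}

# Usage on the host from the thread (run as root):
#   unreadable_entries /etc/pki/nssdb "$(id -u ldap)" "$(id -G ldap)"
```

Empty output means the mode bits allow the account to read every file in the directory; any path printed is a candidate for the "not readable" warning.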