[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Mozilla NSS / OpenLdap 2.4.23 cert not readable?

On 12/12/2011 12:29 PM, Aaron Bennett wrote:

I'm trying to grok Mozilla NSS prior to deploying Openldap 2.4.23 on RHEL 6.2.  I've been working through creating a self-signed cert and I think I have one that works.  At least, if I do:

[root@animal ~]# certutil -d /etc/pki/nssdb/ -L

Certificate Nickname                                         Trust Attributes

its                                                          Cu,Cu,Cu
animal.clarku.edu                                            p,p,p

the its cert is the one I used to sign.

If I do:
[root@animal ~]# certutil -d /etc/pki/nssdb/ -L -n animal.clarku.edu

Then I see a normal looking cert:
         Version: 3 (0x2)
         Serial Number:
         Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
         Issuer: "CN=ITS Self Signed"
             Not Before: Mon Dec 12 16:01:27 2011
             Not After : Mon Mar 12 16:01:27 2012
         Subject: "CN=animal.clarku.edu,O=Clark University ITS,L=Worcester,ST=

Here's what I've got in cn=config:
olcTLSCACertificatePath: /etc/pki/nssdb/
olcTLSCertificateFile: animal.clarku.edu

If do those commands as the ldap user with sudo -u ldap, I get the same output.  I can even run "certutil -V -n animal.clarku.edu -u SR -d /etc/pki/nssdb/" and I get "certificate is valid".

However when I start slapd, I get:

[root@animal slapd.d]# service slapd start
animal.clarku.edu is not readable by "ldap"                [WARNING]
Starting slapd:                                            [  OK  ]

What am I missing?
not sure - start slapd and add "-d 1" to your slapd argument list (see /etc/sysconfig/ldap? or slapd? for the argument list)

Also, please confirm that you are running slapd as the userid "ldap" and that /etc/pki/nssdb is readable by "ldap".


Aaron Bennett
Manager of Systems Administration
Clark University ITS