Antw: Re: Error when try modify olcTLS*
>>> Igor Sousa <igorvolt@gmail.com> wrote on 18.07.2019 at 19:16 in message
<CAAg2ztWMayH_6_x1DEti_B9TLcm9CXG+5gwWjFZwuR9-DC4E4w@mail.gmail.com>:
> Hi Howard,
>
> Howard Chu wrote:
>
>>
>> ^^ shouldn't this also be replace: ?
>>
>
> By default, the Openldap-Servers-Symas (or openldap-servers from the default
> repository) doesn't have an olcTLSCACertificateFile entry. Because of this, I
> used the add operation instead of replace.
>
> I've tried to set these entries in cn=config with the commands
> below:
>
> systemctl stop slapd
> slapcat -n 0 >> config.ldif
> rm -rf /etc/openldap/slapd.d/*
> cat config.ldif | slapadd -v -F /etc/openldap/slapd.d -n 0
> chown ldap:ldap -R /etc/openldap/slapd.d
>
>
> I managed to set these entries, but slapd hasn't started, and when I
> checked systemctl status slapd, I saw that slapd couldn't read the
> key file. I've checked again and the ldap user has privileges to read all
> entries as set in *olcTLSCACertificateFile*, *olcTLSCertificateFile* and
> *olcTLSCertificateKeyFile*.
Random thought: Could it be "selinux" policy that prevents reading the file?
And does your certificate really have "localhost.localdomain" as subject?
>
> [root@localhost ~]# systemctl status slapd
> ● slapd.service - OpenLDAP Server Daemon
> Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor
> preset: disabled)
> Active: failed (Result: exit-code) since Thu 2019-07-18 11:55:29 -03; 2h
> 5min ago
> Docs: man:slapd
> man:slapd-config
> man:slapd-hdb
> man:slapd-mdb
> file:///usr/share/doc/openldap-servers/guide.html
> Process: 2133 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS}
> $SLAPD_OPTIONS (code=exited, status=1/FAILURE)
> Process: 2120 ExecStartPre=/usr/libexec/openldap/check-config.sh
> (code=exited, status=0/SUCCESS)
> Main PID: 1928 (code=exited, status=0/SUCCESS)
>
> Jul 18 11:55:29 localhost.localdomain runuser[2123]:
> pam_unix(runuser:session): session opened for user ldap by (uid=0)
> Jul 18 11:55:29 localhost.localdomain slapd[2133]: @(#) $OpenLDAP: slapd
> 2.4.47 (Mar 11 2019 17:22:04) $
> build@c7rpm
> :/home/build/git/rheldap/RHEL7_x86_64/BUILD...lapd
> Jul 18 11:55:29 localhost.localdomain slapd[2133]: main: TLS init def ctx
> failed: -1
> Jul 18 11:55:29 localhost.localdomain slapd[2133]: Enter PEM pass phrase:
> Jul 18 11:55:29 localhost.localdomain slapd[2133]: slapd stopped.
> Jul 18 11:55:29 localhost.localdomain slapd[2133]: connections_destroy:
> nothing to destroy.
> Jul 18 11:55:29 localhost.localdomain systemd[1]: slapd.service: control
> process exited, code=exited status=1
> Jul 18 11:55:29 localhost.localdomain systemd[1]: Failed to start OpenLDAP
> Server Daemon.
> Jul 18 11:55:29 localhost.localdomain systemd[1]: Unit slapd.service
> entered failed state.
> Jul 18 11:55:29 localhost.localdomain systemd[1]: slapd.service failed.
>
> -----
>
> [root@localhost ~]# ls /etc/openldap/certs -l
> total 100
> -rw-r--r--. 1 root ldap 2078 Jul 18 10:47 ca.cert.pem
> -rw-r--r--. 1 root root 65536 Jul 15 15:16 cert8.db
> -rw-r--r--. 1 root root 16384 Jul 15 15:16 key3.db
> -rw-r--r--. 1 root ldap 3326 Jul 18 10:47 ldap.key.pem
> -rw-r--r--. 1 root ldap 1732 Jul 18 10:47 ldap.local.csr
> -rw-r--r--. 1 root ldap 2102 Jul 18 11:55 ldap.local.pem
> -r--r-----. 1 root ldap 45 Jun 21 16:09 password
> -rw-r--r--. 1 root root 16384 Jun 21 16:09 secmod.db
>
> OBS: I've changed the *olcTLSCACertificateFile*, *olcTLSCertificateFile* and
> *olcTLSCertificateKeyFile* files to ca.cert.pem, ldap.local.pem and
> ldap.key.pem respectively.
>
> I've started thinking about testing it on a Debian system, hoping it works
> better. I don't have any idea about it.
>
> --
> Igor Sousa
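The journal excerpt above already contains the decisive line: right after "TLS init def ctx failed" slapd prints "Enter PEM pass phrase:", i.e. the private key is passphrase-protected and slapd, started by systemd without a terminal, cannot answer the prompt. The `ls -l` listing also shows a trailing "." on every mode string, which means an SELinux context is attached, so DAC permissions alone do not prove slapd can read the files. The following is an added diagnostic, written for this thread and not code from the poster or from the OpenLDAP project: it parses a constructed `ls -l` listing and journal excerpt modelled on the ones quoted above, simulates the DAC read check for the `ldap` user, detects the two common encrypted-PEM markers, and reports what a practitioner should look at next. File names, the sample PEM bodies and the journal text are constructed inputs, not captured from the poster's system.

```python
import re

# Constructed sample inputs modelled on the thread (not the poster's real files).
LS_LISTING = """\
total 100
-rw-r--r--. 1 root ldap 2078 Jul 18 10:47 ca.cert.pem
-rw-r--r--. 1 root ldap 3326 Jul 18 10:47 ldap.key.pem
-rw-r--r--. 1 root ldap 2102 Jul 18 11:55 ldap.local.pem
-r--r-----. 1 root ldap   45 Jun 21 16:09 password
"""

JOURNAL = """\
Jul 18 11:55:29 localhost.localdomain slapd[2133]: main: TLS init def ctx failed: -1
Jul 18 11:55:29 localhost.localdomain slapd[2133]: Enter PEM pass phrase:
Jul 18 11:55:29 localhost.localdomain slapd[2133]: slapd stopped.
"""

# Constructed placeholders: the markers are real, the bodies are not key material.
ENCRYPTED_KEY = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

(constructed placeholder)
-----END RSA PRIVATE KEY-----
"""
PLAIN_KEY = """\
-----BEGIN PRIVATE KEY-----
(constructed placeholder)
-----END PRIVATE KEY-----
"""

# One `ls -l` line: mode, optional SELinux/ACL flag, links, owner, group, size, date, name.
LS_RE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})(?P<sel>[.+]?)\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<name>\S+)$"
)

# Traditional PEM with DEK-Info, and PKCS#8 encrypted keys; both make OpenSSL prompt.
ENCRYPTED_MARKERS = ("Proc-Type: 4,ENCRYPTED", "-----BEGIN ENCRYPTED PRIVATE KEY-----")


def parse_ls(listing):
    """Return {name: {mode, owner, group, selinux}}; lines like 'total 100' are skipped."""
    entries = {}
    for line in listing.splitlines():
        m = LS_RE.match(line.strip())
        if m:
            entries[m["name"]] = {
                "mode": m["mode"],
                "owner": m["owner"],
                "group": m["group"],
                "selinux": m["sel"] == ".",  # trailing '.' = SELinux context present
            }
    return entries


def readable_by(entry, user, groups):
    """Simulate the DAC read check the kernel performs for user/groups on this entry."""
    mode = entry["mode"]
    if user == "root":
        return True
    if entry["owner"] == user:
        return mode[1] == "r"
    if entry["group"] in groups:
        return mode[4] == "r"
    return mode[7] == "r"


def key_is_passphrase_protected(pem_text):
    return any(marker in pem_text for marker in ENCRYPTED_MARKERS)


def journal_findings(journal_text):
    """Map the slapd messages seen in the thread to symbolic findings, in order."""
    findings = []
    for line in journal_text.splitlines():
        msg = line.split("]: ", 1)[-1]
        if "TLS init def ctx failed" in msg:
            findings.append("tls_init_failed")
        elif msg.startswith("Enter PEM pass phrase"):
            findings.append("key_needs_passphrase")
    return findings


def diagnose(listing, journal_text, key_pem, key_name, user="ldap", groups=("ldap",)):
    """Return a list of problems; an empty list means nothing in these inputs explains it."""
    problems = []
    entries = parse_ls(listing)
    for name, entry in entries.items():
        if not readable_by(entry, user, groups):
            problems.append(f"{name}: not readable by {user} (DAC)")
    findings = journal_findings(journal_text)
    if "key_needs_passphrase" in findings or key_is_passphrase_protected(key_pem):
        problems.append(f"{key_name}: passphrase-protected key; slapd under systemd has "
                        "no terminal to answer the prompt")
    if "tls_init_failed" in findings and not problems:
        confined = any(e["selinux"] for e in entries.values())
        hint = "check the SELinux context (ls -Z) and " if confined else ""
        problems.append(f"TLS init failed but DAC looks fine: {hint}check the certificate subject")
    return problems


if __name__ == "__main__":
    for problem in diagnose(LS_LISTING, JOURNAL, ENCRYPTED_KEY, "ldap.key.pem"):
        print(problem)
```

With the inputs above the only finding is the passphrase-protected key: DAC readability for `ldap` is fine, so the fix is to store the key unencrypted with restrictive ownership and mode (root:ldap, 0640 or tighter) rather than to loosen permissions. If the key were already unencrypted and the error persisted, the SELinux hint would fire instead, which is exactly the replier's suggestion to check.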