I agree... following a basic tutorial for 'newbies' like I am in LDAP is
a good start; once it's up and running you can and should start reading
the f* documentation so you can tune up your installation.  :-)


On Wed, Feb 19, 2014 at 7:03 PM, Tim Dunphy <[email protected]> wrote:

> Hey Dan,
>
> Those docs you pointed me to worked beautifully! And thanks for the
> examples from your own config. I've used those too. Worked great! Thanks
> again.
>
> Although I do also appreciate the advice to read the official docs. Good
> advice, however the ones that I've been pointed to worked well for me. I'll
> read the official docs for a fuller understanding though.
>
> Tim
>
>
>
> On Wed, Feb 19, 2014 at 2:08 PM, Dan Pritts <[email protected]> wrote:
>
>> I have simply
>>
>> TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
>> TLSCertificateFile /etc/pki/tls/certs/ldap.icpsr.umich.edu.crt
>> TLSCertificateKeyFile /etc/pki/tls/private/ldap.icpsr.umich.edu.key
>>
>>
>> in my slapd.conf. CACertificateFile is almost certainly not required
>> for a server cert.
>>
>>
>> Maybe you are running into an oddity of the cn=config? Have you tried
>> just opening up the permissions to make sure the files are world readable?
>> No SELinux involved?
>>
>>
>>
>> Folks on the list will probably yell at you to use the current version
>> rather than the centos packages.
>>
>> If you look through the archives for the last few weeks, you will find a
>> pointer to a site that has rpm builds of current openldap.
>>
>> Tim Dunphy <[email protected]>
>> February 19, 2014 at 1:35 PM
>> Hey ldap folks!
>>
>> I've attempted to add TLS capabilities to my newly created LDAP server
>> using the following document:
>>
>> http://www.server-world.info/en/note?os=CentOS_6&p=ldap&f=3
>>
>> This is how my cert files are looking in terms of ownership and
>> permissions:
>>
>> [root@puppet:~] #ls -l /etc/pki/tls/*/* | grep ldap
>> -r-------- 1 ldap root   1241 Feb 19 13:06 /etc/pki/tls/certs/ldap.crt
>> -r-------- 1 ldap root   1021 Feb 19 13:05 /etc/pki/tls/misc/ldap.csr
>> -r-------- 1 ldap root   1679 Feb 19 13:01 /etc/pki/tls/private/ldap.key
>>
>> I got to the point where I'm attempting to add the configuration
>> parameters to my ldap setup like so:
>>
>> [root@puppet:~] #ldapmodify -Y EXTERNAL -H ldapi:///
>> SASL/EXTERNAL authentication started
>> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>> SASL SSF: 0
>> dn: cn=config
>> add: olcTLSCertificateFile
>> olcTLSCertificateFile: /etc/pki/tls/certs/ldap.crt
>> -
>> add: olcTLSCertificateKeyFile
>> olcTLSCertificateKeyFile: /etc/pki/tls/private/ldap.key
>> modifying entry "cn=config"
>> ldap_modify: Inappropriate matching (18)
>>         additional info: modify/add: olcTLSCertificateFile: no equality matching rule
>>
>>
>> These are the package version numbers I have installed via yum on CentOS
>> 6.5:
>>
>> openldap-2.4.23-34.el6_5.1.x86_64
>> openldap-devel-2.4.23-34.el6_5.1.x86_64
>> openldap-servers-2.4.23-34.el6_5.1.x86_64
>> openldap-clients-2.4.23-34.el6_5.1.x86_64
>>
>> Can anyone offer some wisdom as to why this error is happening? Or
>> perhaps offer some better documentation on how to enable the TLS abilities
>> of openldap?
>>
>> Thanks
>> Tim
>>
>> --
>> GPG me!!
>>
>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>>
>>
>> --
>> Dan Pritts
>> ICPSR Computing & Network Services
>> University of Michigan
>> +1 (734)615-7362
>>
>


-- 
Regards,

Daniel Szortyka :: Infrastructure
[email protected]
5133823316
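A small POSIX shell helper, added here as an example and not code from the thread or from OpenLDAP, that checks the certificate files the way Dan suggests (owner and mode as shown in Tim's `ls -l` output) and emits the cn=config change as LDIF. It assumes slapd runs as user `ldap` (as on CentOS 6) and uses `replace:` rather than `add:`; the thread does not state the cause of error 18, and the example assumes the packaged cn=config already carries values for these attributes, which is what forces `add:` to compare values on an attribute without an EQUALITY rule. The function names `tls_ldif`, `check_private_key` and `check_cert` are mine.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the cn=config TLS change as
# LDIF and checks the files slapd will read. Assumption (the thread does not
# say so): the packaged cn=config already holds values for these attributes,
# so "add:" must compare values and fails on attributes that have no EQUALITY
# matching rule, while "replace:" never compares and goes through.

# Emit the modify LDIF: $1 CA bundle, $2 server cert, $3 private key.
tls_ldif() {
    printf 'dn: cn=config\nchangetype: modify\n'
    printf 'replace: olcTLSCACertificateFile\nolcTLSCACertificateFile: %s\n-\n' "$1"
    printf 'replace: olcTLSCertificateFile\nolcTLSCertificateFile: %s\n-\n' "$2"
    printf 'replace: olcTLSCertificateKeyFile\nolcTLSCertificateKeyFile: %s\n' "$3"
}

# Mode string and owner as printed by ls -l (works with GNU and BSD ls).
file_mode()  { ls -ld "$1" | awk '{print $1}'; }
file_owner() { ls -ld "$1" | awk '{print $3}'; }

# 0 when $1 exists, is owned by $2 (the slapd user) and group/other have no
# bits at all: the private key must not be readable by anyone else.
check_private_key() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 1; }
    [ "$(file_owner "$1")" = "$2" ] || { echo "wrong owner: $1" >&2; return 1; }
    case "$(file_mode "$1")" in
        ???????---*) return 0 ;;
        *) echo "group/other can access: $1" >&2; return 1 ;;
    esac
}

# 0 when $1 exists and the slapd user $2 can read it: world readable, or
# owned by $2 with the owner read bit set (the quoted -r-------- ldap:root).
check_cert() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 1; }
    case "$(file_mode "$1")" in
        ???????r??*) return 0 ;;
        ?r???????*) [ "$(file_owner "$1")" = "$2" ] && return 0 ;;
    esac
    echo "not readable by $2: $1" >&2
    return 1
}

# Typical use on the server (slapd runs as "ldap" on CentOS 6):
#   check_private_key /etc/pki/tls/private/ldap.key ldap &&
#   check_cert /etc/pki/tls/certs/ldap.crt ldap &&
#   tls_ldif /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/ldap.crt \
#            /etc/pki/tls/private/ldap.key | ldapmodify -Y EXTERNAL -H ldapi:///
```

Run the checks before piping the LDIF into ldapmodify; a failed check prints the reason to stderr and stops the pipeline.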
