[Fedora-directory-users] Auto-Staring slapd in SSL mode

Tay, Gary Gary_Tay at platts.com
Thu Jul 14 08:38:01 UTC 2005

You wrote:
Later, when you start the server on the command line, 
this second password is required.

I suspect something was not done properly, I may not wrong.

If the slapd-`hostname`-pin.txt has been setup correctly, ./start-slapd
will NOT prompt you for any SSL Security DB private key password.

Pls double check these two points (I am saying this based on my
experience with SUN ONE DS5.2 which is similar to FDS7.1)

1) When you create the PIN text file.

# echo "Internal (Software) Token:secret"

IMPORTANT NOTE: DO NOT LEAVE ANY SPACES after the "Token:" and at the
end of the line or else the password will not be recognized by

2) You need to protect this PIN text file with mode 400 or else
"start-slapd" will not be happy to let you go auto.

# chmod 400 $FDS_ROOT/alias/slapd-`hostname`-pin.txt


-----Original Message-----
From: fedora-directory-users-bounces at redhat.com
[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Vsevolod
(Simon) Ilyushchenko
Sent: Thursday, July 14, 2005 3:32 AM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Database recreation,automount and


Thanks for the quick answer! Perhaps this information should go into the

FAQ - what do you think?

Rich Megginson wrote on 07/13/2005 12:47 PM:
> The IETF LDAP community has decided to deprecated them in favor of the
> new netgroups stuff.

OK, I'll reconfigure my entries. Does Fedora automounter understand the 
netgroups structure?

> We don't yet have a way to set an ACI to allow users other than the
> Directory Manager (i.e. cn=Directory Manager, not the admin console 
> user) to create the entry for a root suffix.  In the console, you can 
> Log In As New User, and specify cn=directory manager (or whatever you 
> used for your directory manager user when you performed the initial 
> installation).

This is very non-trivial. :) Creating the root suffix now works, but I 
tried creating top-level entries one by one, as well as creating a new 
server in the administration console, and it all failed. I had to delete

the RPM and reinstall it.

By the way, I found out that if I install the RPM a second time, the 
admin console tries to connect to port 15918, but the admin server is 
running on port 25394. I don't remember what port was used the first 
time. :(

This time I successfully created an SSL-enabled directory and was able 
to authenticate to it. I followed the steps here:
to create a self-signed certificate.

For archives - the docs don't tell you that after running pk12util in 
step 9 you first have to enter the password 'secretpwd' that you've 
saved in the file pwdfile.txt, and then you have to create a different 
startup password. Later, when you start the server on the command line, 
this second password is required.


Simon (Vsevolod ILyushchenko)   simonf at cshl.edu

Terrorism is a tactic and so to declare war on terrorism
is equivalent to Roosevelt's declaring war on blitzkrieg.

Zbigniew Brzezinski, U.S. national security advisor, 1977-81

Fedora-directory-users mailing list Fedora-directory-users at redhat.com

More information about the Fedora-directory-users mailing list