OpenLDAP, OpenSSL, and Fedora 10 Stop Liking One Another ?

Craig White craigwhite at azapple.com
Tue Feb 3 23:01:27 UTC 2009 

On Wed, 2009-02-04 at 09:39 +1100, Oscar Plameras wrote:
> 1. System1 - I had 3 test servers running OpenLDAP-2.3.30-3.fc6,
> OpenSSL-0.9.8b-15.fc6 on Linux-2.6.22.14-72.fc6.
> And these were perfectly running with OPENSSL configured on
> 'slapd.conf' as follows:
> 
> lines cut
> #
> #
> TLSCACertificateFile /etc/CA/cacert.pem
> TLSCertificateFile    /etc/pki/tls/newcert.pem
> TLSCertificateKeyFile /etc/pki/tls/newkey.pem
> #
> #
> lines cut
> 
> When I do,
> 
> #service ldap restart, and #ps -ax  I have this
> 
> slapd -h ldap:/// ldaps:/// -u ldap
> 
> I can do simple unsecured or secured queries from here.
> 
> 1. System2 - Now, I upgraded 2 test servers running
> OpenLDAP-2.4.12-1.fc10, OpenSSL-0.9.8g-12.fc10 on
> Linux-2.6.29-159.fc10.
> Suddenly I can't start slapd correctly. The problem is after
> configuring 'slapd.conf' with OPENSSL, as I did in System1 and I
> do a
> 
> #service ldap restart,  and #ps -ax
> 
> I found that I only have this process running:
> slapd -h ldap:/// -u ldap. The ldaps:/// process did not start
> suggesting I have incorrect certificates.
> But I can confirm that my certificates are correct with several tests.
> 
> I had expected this process:
> slapd -h ldap:/// ldaps:/// -u ldap.
> 
> So, when I do TLS secured query like:
> 
> #ldapwhoami -x -H ldaps://hostname
> 
> I got this:
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> 
> Has anyone had this problem on FC10 ?
> 
> Notes:
> 1. I can run this manually: #/usr/sbin/slapd -h ldap:/// ldaps:/// -u
> ldap and saw slapd -h ldap:/// ldaps:/// -u ldap in my #ps -ax
> I can do #ldapwhoami -x. But when I do a #ldapwhoami -x -H
> ldaps://hostname I go error message can't connect to server.
> 2. I can run this manually: #/usr/sbin/slapd -h ldaps:/// -u ldap
> I can then test my certificates correctly but SSL does not appear to
> have been started.
----
I don't have a /etc/CA directory...do you?

I do have /etc/pki/CA directory and user ldap wouldn't be able to
descend anyway because it is perm 700 root:root

I actually have my own methods of generating certs and don't use those
in /etc/pki but the theory is much the same (and for that matter, I
don't use fedora for running openldap server).

Craig

More information about the fedora-list mailing list