# Certificate entries:
TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCACertificateFile /etc/openldap/cacert.pem
TLSCertificateFile /etc/openldap/server_cert.pem
TLSCertificateKeyFile /etc/openldap/server_cert.pem
TLSVerifyClient never
Then, my ldap server does not start. I receive the following errors in /var/log/messages:
Mar 10 07:51:07 a7470 slapd[32557]: sql_select option missing
Mar 10 07:51:07 a7470 slapd[32557]: auxpropfunc error no mechanism available
If I comment those TLS lines out again, the server starts up with no errors. The directory "/etc/openldap" contains nothing but those certificates. Here is a directory listing:
drwxr-xr-x 3 ldap ldap 4096 Mar 10 07:37 .
drwxr-xr-x 77 root root 12288 Mar 9 20:55 ..
-rw-r--r-- 1 ldap ldap 2078 Mar 10 07:37 server_cert.pem
-rw-r--r-- 1 ldap ldap 1411 Mar 10 07:37 cacert.pem
Any help would be appreciated!
--
Karen R MCArthur, systems administrator
Bates College, Lewiston, Maine
[EMAIL PROTECTED]
************************
My full Slapd.conf file:
************************
# Schema files are loaded from the /usr/local prefix. Note that the TLS
# directives further down point at /etc/openldap instead, a different prefix
# from every other path in this file; worth confirming that the slapd being
# started is the /usr/local build and that it can read /etc/openldap.
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/eduperson-200412.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/krb5-kdc.schema
include /usr/local/etc/openldap/schema/localeduperson.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/sendmail.schema
include /usr/local/etc/openldap/schema/meetingmaker.schema
# Allow LDAPv2 for Mozilla address books
allow bind_v2
# Remove idle connections (value is in seconds)
idletimeout 14400
# Limit number of search results to prevent trolling of directory
# by spammers, etc. (LDAPadmins are exempted by the 'limits' directive below)
sizelimit 10
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
#security simple_bind=64
# NOTE(review): both 'security' lines are commented out, so no minimum SSF is
# enforced. With the TLS block below also disabled, a simple bind (permitted
# by the 'by anonymous auth' rule on userPassword) sends the password in the
# clear; re-enable 'security simple_bind=64' once TLS is working.
#SASL configuration
# Kerberos realm and KDC host used for GSSAPI binds. noactive,noanonymous
# excludes SASL mechanisms vulnerable to active attacks and the ANONYMOUS
# mechanism.
sasl-realm KRB5.EXAMPLE.COM
sasl-host krb.example.com
sasl-secprops noactive,noanonymous
# Map the replication principal's GSSAPI identity to its directory entry.
sasl-regexp
uid=Replicator,cn=krb.example.com,cn=gssapi,cn=auth
cn=Replicator,dc=example,dc=com
# Map every other principal in the realm to an entry under ou=People.
sasl-regexp
uid=(.*),cn=krb.example.com,cn=gssapi,cn=auth
uid=$1,ou=People,dc=example,dc=com
# Certificate entries:
# NOTE(review): TLSCertificateFile and TLSCertificateKeyFile name the same
# file, so server_cert.pem must contain the private key as well as the
# certificate. The directory listing in the mail shows that file as
# -rw-r--r-- (world-readable); a private key should be readable only by the
# ldap user (mode 0600).
# NOTE(review): HIGH:MEDIUM:+SSLv3 still admits SSLv3 and MEDIUM-strength
# ciphers, and 'TLSVerifyClient never' means client certificates are never
# requested; both are acceptable defaults to get started but worth tightening.
# NOTE(review): the 'sql_select option missing' / 'auxpropfunc error' lines
# in the log look like Cyrus SASL auxprop-plugin noise rather than a TLS
# failure, and no 'loglevel' directive appears in this listing -- presumably
# the real TLS error is not being logged; confirm by starting slapd in the
# foreground with debugging (-d) enabled.
#TLSCipherSuite HIGH:MEDIUM:+SSLv3
#TLSCACertificateFile /etc/openldap/cacert.pem
#TLSCertificateFile /etc/openldap/server_cert.pem
#TLSCertificateKeyFile /etc/openldap/server_cert.pem
#TLSVerifyClient never
#######################################################################
# database definition
#######################################################################
# Berkeley DB backend holding dc=example,dc=com. No 'rootpw' appears in this
# listing, so cn=Manager cannot simple-bind; it is also not produced by the
# sasl-regexp rules above -- presumably intentional, confirm.
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
directory /usr/local/var/openldap-data
# Entry cache of 5000 entries; checkpoint the BDB log every 512 KB or 720 min.
cachesize 5000
checkpoint 512 720
# replication directives
# slurpd-style push replication to krb.example.com on two ports, binding with
# GSSAPI as the Replicator principal mapped above. The second replica carries
# its own 'suffix', so apparently only the ou=People subtree is pushed to
# port 389 -- confirm that is the intent.
replogfile /var/log/slapd.replog
replica host=krb.example.com:714
bindmethod=sasl
saslmech=GSSAPI
realm=KRB5.EXAMPLE.COM
authcID=Replicator
replica host=krb.example.com:389
bindmethod=sasl
saslmech=GSSAPI
realm=KRB5.EXAMPLE.COM
authcID=Replicator
suffix="ou=People,dc=example,dc=com"
# Indices to maintain
# Only objectClass is indexed; equality searches on other attributes run
# unindexed.
index objectClass eq
# Members of LDAPadmins are exempt from the global sizelimit (size=-1 =
# unlimited).
limits group="cn=LDAPadmins,ou=LDAPauth,dc=example,dc=com" size=-1
# userPassword: writable by the replication identity, the LDAPadmins group and
# any DN matching the ldapadm regex; 'anonymous auth' allows the value to be
# used for a bind but never read; everyone else gets nothing.
# NOTE(review): the dn.regex pattern is not anchored with ^ and $, so it
# matches any normalized DN that merely contains "uid=ldapadm" followed
# somewhere later by "+realm=KRB5.EXAMPLE.COM". The same pattern is reused in
# the 'access to *' rule below; consider anchoring both.
access to attr=userPassword
by dn="cn=Replicator,dc=example,dc=com" write
by group.exact="cn=LDAPadmins,ou=LDAPauth,dc=example,dc=com" write
by dn.regex="uid=ldapadm.+\+(realm=KRB5\.EXAMPLE\.COM)" write
by anonymous auth
by * none
# Everything else: the same three writers; no access at all for any other
# identity, authenticated or not (so ordinary ou=People users cannot read
# the directory).
access to *
by dn="cn=Replicator,dc=example,dc=com" write
by group.exact="cn=LDAPadmins,ou=LDAPauth,dc=example,dc=com" write
by dn.regex="uid=ldapadm.+\+(realm=KRB5\.EXAMPLE\.COM)" write
by * none
