Hey Dan, Those docs you pointed me to worked beautifully! And thanks for the examples from your own config. I've used those too. Worked great! Thanks again.
Although I do also appreciate the advice to read the official docs. Good advice, however the ones that I've been pointed to worked well for me. I'll read the official docs for a fuller understanding tho.

Tim

On Wed, Feb 19, 2014 at 2:08 PM, Dan Pritts <[email protected]> wrote:
> I have simply
>
> TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
> TLSCertificateFile /etc/pki/tls/certs/ldap.icpsr.umich.edu.crt
> TLSCertificateKeyFile /etc/pki/tls/private/ldap.icpsr.umich.edu.key
>
> in my slapd.conf. CACertificateFile is almost certainly not required
> for a server cert.
>
> Maybe you are running into an oddity of the cn=config? Have you tried
> just opening up the permissions to make sure the files are world readable?
> no selinux involved?
>
> Folks on the list will probably yell at you to use the current version
> rather than the centos packages.
>
> If you look through the archives for the last few weeks, you will find a
> pointer to a site that has rpm builds of current openldap.
>
> Tim Dunphy <[email protected]>
> February 19, 2014 at 1:35 PM
> Hey ldap folks!
>
> I've attempted to add TLS capabilities to my newly created LDAP server
> using the following document:
>
> http://www.server-world.info/en/note?os=CentOS_6&p=ldap&f=3
>
> This is how my cert files are looking in terms of ownership and
> permissions:
>
> [root@puppet:~] #ls -l /etc/pki/tls/*/* | grep ldap
> -r-------- 1 ldap root 1241 Feb 19 13:06 /etc/pki/tls/certs/ldap.crt
> -r-------- 1 ldap root 1021 Feb 19 13:05 /etc/pki/tls/misc/ldap.csr
> -r-------- 1 ldap root 1679 Feb 19 13:01 /etc/pki/tls/private/ldap.key
>
> I got to the point where I'm attempting to add the configuration
> parameters to my ldap setup like so:
>
> [root@puppet:~] #ldapmodify -Y EXTERNAL -H ldapi:///
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> dn: cn=config
> add: olcTLSCertificateFile
> olcTLSCertificateFile: /etc/pki/tls/certs/ldap.crt
> -
> add: olcTLSCertificateKeyFile
> olcTLSCertificateKeyFile: /etc/pki/tls/private/ldap.key
> modifying entry "cn=config"
> ldap_modify: Inappropriate matching (18)
> additional info: modify/add: olcTLSCertificateFile: no equality
> matching rule
>
> These are the package version numbers I have installed via yum on CentOS
> 6.5:
>
> openldap-2.4.23-34.el6_5.1.x86_64
> openldap-devel-2.4.23-34.el6_5.1.x86_64
> openldap-servers-2.4.23-34.el6_5.1.x86_64
> openldap-clients-2.4.23-34.el6_5.1.x86_64
>
> Can anyone offer some wisdom as to why this error is happening? Or perhaps
> offer some better documentation on how to enable the TLS abilities of
> openldap?
>
> Thanks
> Tim
>
> --
> GPG me!!
>
> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>
> --
> Dan Pritts
> ICPSR Computing & Network Services
> University of Michigan
> +1 (734)615-7362

--
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
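The "no equality matching rule" error in the quoted session is what slapd returns when a modify `add:` targets an attribute that has no equality matching rule while the entry already holds a value for it: slapd cannot test the new value for duplication, so it refuses, and `replace:` is the operation that works in that case. As an added example (not code from this thread), the script below emits that cn=config LDIF, adds the CA file only when one is given, and checks from an `ls -l` line whether the service account can read each file without depending on group membership; the `ldap` account name, the file paths and the `apply_tls` wrapper are assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumes the slapd
# service account is "ldap"; all file paths below are hypothetical.

# Emit the LDIF that sets the TLS files in cn=config. "replace:" succeeds
# whether or not cn=config already carries a value; "add:" is refused when
# one exists because olcTLS* attributes have no equality matching rule.
tls_ldif() {
    cert="$1"; key="$2"; ca="$3"
    printf 'dn: cn=config\n'
    printf 'changetype: modify\n'
    if [ -n "$ca" ]; then
        printf 'replace: olcTLSCACertificateFile\n'
        printf 'olcTLSCACertificateFile: %s\n-\n' "$ca"
    fi
    printf 'replace: olcTLSCertificateFile\n'
    printf 'olcTLSCertificateFile: %s\n-\n' "$cert"
    printf 'replace: olcTLSCertificateKeyFile\n'
    printf 'olcTLSCertificateKeyFile: %s\n' "$key"
}

# Decide from one "ls -l" line whether USER can read the file: owner-read
# bit when USER owns it, otherwise the world-read bit. Returns 0 if
# readable, 1 if not (group access is deliberately not counted).
readable_by() {
    user="$1"; line="$2"
    set -- $line
    mode="$1"; owner="$3"
    if [ "$owner" = "$user" ]; then
        case "$mode" in ?r*) return 0 ;; esac
    else
        case "$mode" in ???????r*) return 0 ;; esac
    fi
    return 1
}

# Apply to the local server over the ldapi socket as root (hypothetical
# wrapper; only run this on a host where slapd is actually listening).
apply_tls() {
    tls_ldif "$@" | ldapmodify -Y EXTERNAL -H ldapi:///
}

# Preflight with a constructed "ls -l" line matching the thread's layout.
readable_by ldap '-r-------- 1 ldap root 1679 Feb 19 13:01 /etc/pki/tls/private/ldap.key' \
    && echo "key readable by ldap" || echo "key NOT readable by ldap"
```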
