Hi Abdelkader, I have changed my ldap.conf file to the following:

BASE dc=platalytics,dc=com
URI ldaps://127.0.0.1
TLS_REQCERT demand
TLS_CACERT /etc/ldap/cacert.pem

It also works. Can you please verify if it is the correct approach?

On Thu, Aug 20, 2015 at 11:36 PM, Aneela Saleem <[email protected]> wrote:

> Hi Abdelkader,
>
> I tried the following link
>
> http://rogermoffatt.com/2011/08/24/ubuntu-openldap-with-ssltls/
>
> It worked. But don't you think setting "TLS_REQCERT never" kills the
> purpose of SSL? As the client FQDN is not checked against in this.
>
> On Thu, Aug 20, 2015 at 10:39 PM, Abdelkader Chelouah <[email protected]> wrote:
>
>> On 20/08/2015 18:23, Aneela Saleem wrote:
>>
>> 55d5ff01 str2entry: entry -1 has multiple DNs "cn=config" and
>> "cn=module{0},cn=config"
>>
>> On Thu, Aug 20, 2015 at 8:30 PM, Aneela Saleem <[email protected]> wrote:
>>
>>> 5/ Imports the new configuration
>>>
>>> slapadd -F /path/to/slapd.d -n 0 -l config.ldif
>>>
>>> I get the following error:
>>>
>>> slapadd: could not add entry dn="cn=config" (line=1):
>>> _ 1.03% eta none elapsed none spd 4.2 M/s
>>> Closing DB...
>>>
>>> On Thu, Aug 20, 2015 at 2:11 AM, Abdelkader Chelouah <[email protected]> wrote:
>>>
>>>> On 19/08/2015 20:32, Aneela Saleem wrote:
>>>>
>>>> Anyone there? Please help me get out of this problem.
>>>>
>>>> On Wed, Aug 19, 2015 at 1:29 AM, Aneela Saleem <[email protected]> wrote:
>>>>
>>>>> This is my /etc/ldap/ldap.conf file:
>>>>>
>>>>> BASE dc=platalytics,dc=com
>>>>> URI ldap://127.0.0.1
>>>>> TLS_CACERT /etc/ldap/cacert.pem
>>>>>
>>>>> On Wed, Aug 19, 2015 at 1:07 AM, Aneela Saleem <[email protected]> wrote:
>>>>>
>>>>>> Still I get the following error:
>>>>>>
>>>>>> modifying entry "cn=config"
>>>>>> ldap_result: Can't contact LDAP server (-1)
>>>>>>
>>>>>> On Wed, Aug 19, 2015 at 12:34 AM, Abdelkader Chelouah <[email protected]> wrote:
>>>>>>
>>>>>>> On 18/08/2015 20:27, Aneela Saleem wrote:
>>>>>>>
>>>>>>> I get the following result
>>>>>>>
>>>>>>> ldap_initialize( ldap://localhost:389/??base )
>>>>>>> dn:cn=admin,cn=config
>>>>>>> Result: Success (0)
>>>>>>>
>>>>>>> On Tue, Aug 18, 2015 at 11:24 PM, Abdelkader Chelouah <[email protected]> wrote:
>>>>>>>
>>>>>>>> On 18/08/2015 20:11, Aneela Saleem wrote:
>>>>>>>>
>>>>>>>> When I add the file below, i.e., ssl_mod.ldif
>>>>>>>>
>>>>>>>> dn: cn=config
>>>>>>>> changetype: modify
>>>>>>>> add: olcTLSCACertificateFile
>>>>>>>> olcTLSCACertificateFile: /etc/ldap/cacert.pem
>>>>>>>> -
>>>>>>>> add: olcTLSCertificateFile
>>>>>>>> olcTLSCertificateFile: /etc/ldap/servercrt.pem
>>>>>>>> -
>>>>>>>> add: olcTLSCertificateKeyFile
>>>>>>>> olcTLSCertificateKeyFile: /etc/ldap/serverkey.pem
>>>>>>>> -
>>>>>>>> add: olcTLSCipherSuite
>>>>>>>> olcTLSCipherSuite: HIGH:MEDIUM:!SSLv3:!SSLv2
>>>>>>>>
>>>>>>>> using the following command:
>>>>>>>>
>>>>>>>> ldapmodify -h localhost -p 389 -D "cn=admin,cn=config" -w 123 -f mod_ssl.ldif
>>>>>>>>
>>>>>>>> I get the error ldap_result: Can't contact LDAP server (-1).
>>>>>>>>
>>>>>>>> Although LDAP is running. I can run the following command, i.e.,
>>>>>>>>
>>>>>>>> ldapsearch -h localhost -p 389 -D "cn=admin,dc=platalytics,dc=com" -w 123 -b "dc=platalytics,dc=com" "objectclass=*"
>>>>>>>>
>>>>>>>> How can I make ldaps work?
>>>>>>>>
>>>>>>>> On Tue, Aug 18, 2015 at 7:37 PM, Aneela Saleem <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Where can I find the logs?
>>>>>>>>>
>>>>>>>>> On Tue, Aug 18, 2015 at 7:36 PM, Aneela Saleem <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> I wrote the above lines in the olcDatabase={0}config.ldif file. When
>>>>>>>>>> I restart slapd it fails.
>>>>>>>>>>
>>>>>>>>>> On Tue, Aug 18, 2015 at 7:14 PM, Aneela Saleem <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> Which file do I need to write this in?
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Aug 18, 2015 at 7:09 PM, Abdelkader Chelouah <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> On 18/08/2015 16:05, Aneela Saleem wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> I have no slapd.conf. I have cn=config.
>>>>>>>>>>>>
>>>>>>>>>>>> On Tue, Aug 18, 2015 at 6:54 PM, Abdelkader Chelouah <[email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> On 18/08/2015 15:51, Aneela Saleem wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks Michael and Abdelkader.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Abdelkader, the link you provided is for the slapd.conf
>>>>>>>>>>>>> distribution. Can you please guide me on how to do the "cn=config"
>>>>>>>>>>>>> distribution?
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Tue, Aug 18, 2015 at 6:45 PM, Abdelkader Chelouah <[email protected]> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 18/08/2015 15:41, Michael Ströder wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Aneela Saleem wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Can anyone please provide me some link for enabling "ldaps"?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> http://www.openldap.org/doc/admin24/tls.html
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Ciao, Michael.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>> or http://www.openldap.org/faq/data/cache/185.html
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> regards
>>>>>>>>>>>>>>
>>>>>>>>>>>>> You can convert a slapd.conf to cn=config using slaptest
>>>>>>>>>>>>>
>>>>>>>>>>>>> slaptest -f path/to/slapd.conf -F path/to/slapd.d
>>>>>>>>>>>>>
>>>>>>>>>>>> # cn=config
>>>>>>>>>>>> dn: cn=config
>>>>>>>>>>>> objectClass: olcGlobal
>>>>>>>>>>>> cn: config
>>>>>>>>>>>> ...
>>>>>>>>>>>> olcTLSCACertificateFile: /path/to/cacert
>>>>>>>>>>>> olcTLSCertificateFile: /path/to/cert
>>>>>>>>>>>> olcTLSCertificateKeyFile: /path/to/key
>>>>>>>>>>>> olcTLSCipherSuite: HIGH:MEDIUM:!SSLv3:!SSLv2
>>>>>>>>>>>> ...
>>>>>>>>>>>>
>>>>>>>> Can you run
>>>>>>>>
>>>>>>>> ldapwhoami -vxD cn=admin,cn=config -w 123 -H ldap://localhost:389
>>>>>>>>
>>>>>>> Ok, retry the "ldapmodify" command using
>>>>>>>
>>>>>>> ldapmodify -xD cn=admin,cn=config -w 123 -H ldap://localhost:389 -f mod_ssl.ldif
>>>>>>>
>>>> There is something wrong with your setup.
>>>>
>>>> 1/ Stop your instance
>>>> 2/ Export your configuration
>>>>
>>>> slapcat -F /path/to/slapd.d -n 0 -l config.ldif
>>>>
>>>> 3/ Perform the modification directly on config.ldif
>>>> 4/ Remove the old configuration
>>>>
>>>> rm -rf /path/to/slapd.d/*
>>>>
>>>> 5/ Import the new configuration
>>>>
>>>> slapadd -F /path/to/slapd.d -n 0 -l config.ldif
>>>>
>>>> 6/ Start your instance
>>>>
>> Did you remove the content of /path/to/slapd.d ?
>>
>
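The thread's real security question is the one raised about "TLS_REQCERT never": with that setting libldap still encrypts the session, but it accepts any server certificate (or none), so whoever can sit between the client and slapd can present their own certificate, terminate the TLS session and read the simple bind credentials. The final ldap.conf above (ldaps:// URI, TLS_REQCERT demand, TLS_CACERT pointing at the CA that issued the server certificate) is the combination that makes the certificate check actually happen. The script below is an added example written for this page, not code from the list posts or from the OpenLDAP project: it parses a client ldap.conf and reports the settings that quietly defeat TLS. The three sample configurations are transcribed from the thread (the "never" variant is reconstructed from how the thread describes the tutorial, since that file is not on the page), and the HIGH/MEDIUM/INFO labels are this example's own convention.

```python
"""Audit a client-side OpenLDAP ldap.conf for settings that defeat TLS.

Added example for this thread; not code from the list posts or from the
OpenLDAP project. Sample inputs are transcribed from the thread; severity
labels are this example's own convention.
"""

import ipaddress
from urllib.parse import urlsplit

SEVERITY_ORDER = {"OK": 0, "INFO": 1, "MEDIUM": 2, "HIGH": 3}


def parse_ldap_conf(text):
    """Return {DIRECTIVE: value}. ldap.conf directives are case-insensitive
    keywords followed by the rest of the line; lines starting '#' are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_ldap_conf(text):
    """Return a list of 'LEVEL: message' findings; an empty list is clean."""
    conf = parse_ldap_conf(text)
    findings = []

    uris = conf.get("URI", "").split()
    if not uris:
        findings.append("HIGH: no URI directive; libldap falls back to "
                        "plaintext ldap://localhost")
    for uri in uris:
        u = urlsplit(uri)
        host = u.hostname or "localhost"
        if u.scheme == "ldap":
            # ldap.conf cannot force StartTLS; only the client (e.g. -ZZ)
            # upgrades an ldap:// session, so by default this is cleartext.
            findings.append(f"HIGH: {uri} is plaintext LDAP; binds and "
                            "directory data cross the network unencrypted "
                            "unless every client negotiates StartTLS")
        elif u.scheme == "ldaps":
            try:
                ipaddress.ip_address(host)
            except ValueError:
                pass  # DNS name: matched against the certificate's SAN/CN
            else:
                findings.append(f"INFO: {uri} names an IP literal; with "
                                "verification on, the server certificate must "
                                "carry that address in a subjectAltName or the "
                                "hostname check rejects it")
        elif u.scheme != "ldapi":  # ldapi:// is a local Unix socket
            findings.append(f"HIGH: unrecognised URI scheme in {uri}")

    # ldap.conf(5): the default for TLS_REQCERT is demand.
    reqcert = conf.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append(f"HIGH: TLS_REQCERT {reqcert} accepts any certificate "
                        "(or none), so whoever can intercept the connection "
                        "can impersonate the directory and capture binds")
    elif reqcert == "try":
        findings.append("MEDIUM: TLS_REQCERT try verifies a certificate only "
                        "when the server presents one; a server presenting "
                        "none is still accepted")
    elif reqcert not in ("demand", "hard"):
        findings.append(f"HIGH: unknown TLS_REQCERT value '{reqcert}'")

    has_trust_anchor = bool(conf.get("TLS_CACERT") or conf.get("TLS_CACERTDIR"))
    if reqcert in ("demand", "hard") and not has_trust_anchor:
        findings.append("HIGH: verification is required but no TLS_CACERT or "
                        "TLS_CACERTDIR is set; ldaps connections will fail, "
                        "which is what tempts people into TLS_REQCERT never")
    return findings


def worst_severity(findings):
    """Collapse findings to the single worst level ('OK' when empty)."""
    levels = [f.split(":", 1)[0] for f in findings]
    return max(levels, key=SEVERITY_ORDER.__getitem__, default="OK")


# Constructed sample inputs, transcribed from the thread above.
THREAD_FIRST = "BASE dc=platalytics,dc=com\nURI ldap://127.0.0.1\nTLS_CACERT /etc/ldap/cacert.pem\n"
THREAD_NEVER = "BASE dc=platalytics,dc=com\nURI ldaps://127.0.0.1\nTLS_REQCERT never\n"
THREAD_FINAL = ("BASE dc=platalytics,dc=com\nURI ldaps://127.0.0.1\n"
                "TLS_REQCERT demand\nTLS_CACERT /etc/ldap/cacert.pem\n")

if __name__ == "__main__":
    for name, text in (("first", THREAD_FIRST), ("never", THREAD_NEVER), ("final", THREAD_FINAL)):
        findings = audit_ldap_conf(text)
        print(f"{name}: {worst_severity(findings)}")
        for f in findings:
            print("  " + f)
```

Run it as-is and the first thread configuration is flagged for the plaintext ldap:// URI, the tutorial-style one for TLS_REQCERT never, and the final one only gets the informational note that a 127.0.0.1 URI needs a certificate carrying that IP address, which matches the thread's observation that the final configuration works only because the server certificate was issued for it.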
