spyder (Tux's lil' helper)
Joined: 06 Nov 2002, Posts: 121
Posted: Sat Jan 24, 2004 5:31 pm, Post subject: openldap issues
I followed the guide to installing LDAP and I am getting this error...
Can anyone give me a hand?
enterprise openldap # /etc/init.d/slapd start
* Starting ldap-server... [ !! ]
enterprise openldap # tail -f /var/log/messages
Jan 24 17:27:25 enterprise slapd[6594]: main: TLS init def ctx failed: 0
Jan 24 17:27:25 enterprise slapd[6594]: slapd stopped.
Jan 24 17:27:25 enterprise slapd[6594]: connections_destroy: nothing to destroy.
______
ldap.conf
---------
BASE dc=sitename, dc=org
URI ldaps://server.sitename.org:636
TLS_REQCERT allow
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
______
slapd.conf
--------
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
# Include the needed data schemes
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
# Use crypt to hash the passwords
password-hash {crypt}
# Define SSL and TLS properties (optional)
TLSCertificateFile /etc/ssl/ldap.pem
TLSCertificateKeyFile /etc/ssl/ldap.pem
TLSCACertificateFile /etc/ssl/ldap.pem
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules:
# modulepath /usr/lib/openldap/openldap
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
#
# Sample Access Control
# Allow read access of root DSE
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
#
#access to dn="" by * read
#access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default is:
# Allow read by all
#
# rootdn can always write!
#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
suffix "dc=sitename,dc=org"
rootdn "cn=Manager,dc=sitename,dc=org"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {MD5}BaZxxmrv6hJMwIt26m0wuw==
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory /var/lib/openldap-ldbm
# Indices to maintain
index objectClass eq

spyder (Tux's lil' helper)
Joined: 06 Nov 2002, Posts: 121
Posted: Sat Jan 24, 2004 6:17 pm
# Define SSL and TLS properties (optional)
TLSCertificateFile /etc/ssl/ldap.pem
TLSCertificateKeyFile /etc/ssl/ldap.pem
TLSCACertificateFile /etc/ssl/ldap.pem
I changed this part; I noticed I had typed it wrong. It is now:
# Define SSL and TLS properties (optional)
TLSCertificateFile /etc/ssl/ldap.pem
TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem
TLSCACertificateFile /etc/ssl/ldap.pem
The server starts now, but I still cannot connect to it:
enterprise openldap # ldapsearch -D "cn=Manager,dc=sitename,dc=org" -W
Enter LDAP Password:
ldap_bind: Can't contact LDAP server

dreamer (Apprentice)
Joined: 16 Aug 2003, Posts: 236
Posted: Sat Jan 24, 2004 7:51 pm
Try to remove cn=Manager from your command.

spyder (Tux's lil' helper)
Joined: 06 Nov 2002, Posts: 121
Posted: Sat Jan 24, 2004 8:21 pm
enterprise etc # ldapsearch -D "dc=sitename,dc=org" -W
Enter LDAP Password:
ldap_bind: Can't contact LDAP server

dreamer (Apprentice)
Joined: 16 Aug 2003, Posts: 236
Posted: Sat Jan 24, 2004 11:02 pm
My friend had the same problems a couple of days ago. I helped him fix it, but I can't remember how.
He wrote a mini-howto; maybe it'll help you.
If it doesn't, let me know.

spyder (Tux's lil' helper)
Joined: 06 Nov 2002, Posts: 121
Posted: Sun Jan 25, 2004 12:13 am
That doesn't help with the problem I am having...
Anyone else have any ideas?

Chris W (l33t)
Joined: 25 Jun 2002, Posts: 972, Location: Brisbane, Australia
Posted: Sun Jan 25, 2004 12:24 am
Was it working before you started playing with SSL/TLS?

Cheers,
Chris W
"Common sense: The collection of prejudices acquired by age 18." -- Einstein

Chris W (l33t)
Joined: 25 Jun 2002, Posts: 972, Location: Brisbane, Australia
Posted: Sun Jan 25, 2004 5:28 am, Post subject: Re: openldap issues
spyder wrote:
    ______
    ldap.conf
    ---------
    BASE dc=sitename, dc=org
    URI ldaps://server.sitename.org:636
    TLS_REQCERT allow
    #SIZELIMIT 12
    #TIMELIMIT 15
    #DEREF never

Are you missing a trailing slash from the URI (per the guide) or has the forum removed it?
Have you edited /etc/conf.d/slapd to reflect the options in Code listing 2.5? Have you restarted the server since?
Is the server listening on port 636?
Code:
# netstat -pan --inet | grep LISTEN

spyder (Tux's lil' helper)
Joined: 06 Nov 2002, Posts: 121
Posted: Sun Jan 25, 2004 2:53 pm
What trailing slash?
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 13475/slapd
_______________
/etc/conf.d/slapd
-------------------
# conf.d file for the openldap-2.1 series
#
# To enable both the standard unciphered server and the ssl encrypted
# one uncomment this line or set any other server starting options
# you may desire.
#
# OPTS="-h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
OPTS="-h 'ldaps:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"

spyder (Tux's lil' helper)
Joined: 06 Nov 2002, Posts: 121
Posted: Mon Jan 26, 2004 12:02 am
Anyone? I added sasl to my make.conf,
and the configure didn't fail, but it said something about not working with SASL.
I have cyrus-sasl 2.x.x installed... I was trying to install the 1.x.x series, but the ebuild doesn't work...
Could all this be causing the problems mentioned?

Chris W (l33t)
Joined: 25 Jun 2002, Posts: 972, Location: Brisbane, Australia
Posted: Mon Jan 26, 2004 1:35 am
spyder wrote:
    what trailing slash?

Code listing 2.3 in the Gentoo Guide to OpenLDAP Authentication shows a trailing slash on the URI. The content of your file, posted here, doesn't show the slash. It might be the forum software auto-mangling the URI, or you might not have the trailing slash in your file.

waverider202 (Tux's lil' helper)
Joined: 25 Sep 2002, Posts: 146, Location: Drexel University
Posted: Mon Jan 26, 2004 1:58 am, Post subject: things
First, start the server, and run ps and netstat to verify that the server is actually running. If it's not, then something is wrong with slapd.conf. Run 'slapd -d 256' to see a better error message of why the server doesn't start. Next, when running ldapsearch, make sure you specify a -H ldap://localhost. If that works, then your ldap.conf is wrong. Also, specify a -x with ldapsearch. The default search mechanism is usually SASL. -x makes a simple bind.
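The checks this thread circles around (does slapd listen on the scheme the client's URI uses, does every TLS file named in slapd.conf actually load, is rootpw stored hashed) can be cross-checked before touching the server. The Python below is an added example written for this thread, not code from any of the posters or from OpenLDAP; it assumes the flat slapd.conf format shown above, the OPTS line from /etc/conf.d/slapd, and a read_file callback (pass `lambda p: open(p).read()` for the real filesystem), and its sample inputs are constructed.

```python
import re
def parse_slapd_conf(text):
    """Map each active (non-comment) directive to its value; the last one wins."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            conf[parts[0]] = parts[1] if len(parts) > 1 else ""
    return conf
def listener_schemes(opts_line):
    """URL schemes slapd is started with, from the -h argument in /etc/conf.d/slapd."""
    m = re.search(r"-h\s+'([^']*)'", opts_line)
    return {u.split("://", 1)[0] for u in m.group(1).split()} if m else set()
def pem_labels(pem_text):
    """Block labels in a PEM file, e.g. {'CERTIFICATE', 'RSA PRIVATE KEY'}."""
    return set(re.findall(r"-----BEGIN ([A-Z ]+)-----", pem_text))

TLS_DIRECTIVES = (("TLSCertificateFile", "CERTIFICATE"),
                  ("TLSCertificateKeyFile", "PRIVATE KEY"),
                  ("TLSCACertificateFile", "CERTIFICATE"))

def check(slapd_conf, opts_line, client_uri, read_file):
    """Cross-check slapd.conf, slapd -h listeners and the client URI; read_file(path) -> text or None."""
    conf, findings = parse_slapd_conf(slapd_conf), []
    for directive, needed in TLS_DIRECTIVES:
        path = conf.get(directive)
        if path is None: continue
        data = read_file(path)
        if data is None:  # the thread's 'TLS init def ctx failed' symptom: file cannot be loaded
            findings.append(f"{directive}: {path} cannot be read")
        elif not any(needed in label for label in pem_labels(data)):
            findings.append(f"{directive}: {path} has no {needed} block")
    if conf.get("rootpw") and not conf["rootpw"].startswith("{"):
        findings.append("rootpw is cleartext; store a slappasswd hash instead")
    schemes, client_scheme = listener_schemes(opts_line), client_uri.split("://", 1)[0]
    if client_scheme not in schemes:
        findings.append(f"client URI uses {client_scheme}:// but slapd listens on {sorted(schemes)}")
    if "ldaps" in schemes and not all(d in conf for d, _ in TLS_DIRECTIVES):
        findings.append("ldaps:// listener requested but not all TLS directives are set")
    return findings
# Constructed sample, not the thread's real files: TLS commented out, cleartext rootpw,
# slapd listening on ldaps:// and ldapi:// only, client trying ldap://localhost.
SAMPLE_CONF = "include /etc/openldap/schema/core.schema\n#TLSCertificateFile /etc/ssl/ldap.pem\nrootpw secret\n"
SAMPLE_OPTS = "OPTS=\"-h 'ldaps:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'\""
SAMPLE_FILES = {"/etc/ssl/ldap.pem": "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"}
def demo():
    return check(SAMPLE_CONF, SAMPLE_OPTS, "ldap://localhost", SAMPLE_FILES.get)

if __name__ == "__main__":
    print("\n".join(demo()))
```

On the constructed sample, demo() reports three findings: the cleartext rootpw, a client asking for ldap:// while slapd only listens on ldapi:// and ldaps://, and an ldaps:// listener with no TLS directives active.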

spyder (Tux's lil' helper)
Joined: 06 Nov 2002, Posts: 121
Posted: Mon Jan 26, 2004 2:59 am
It is running:
enterprise root # ldapsearch -H ldap://localhost -x -D "cn=admin,dc=sitename,dc=org" -W
Enter LDAP Password:
ldap_bind: Can't contact LDAP server
enterprise root #

mariourk (l33t)
Joined: 11 Jul 2003, Posts: 807, Location: Urk, Netherlands
Posted: Mon Jan 26, 2004 12:56 pm
It seems that the LDAP server can't be connected to.
Maybe you have a firewall running that blocks everything that comes to localhost? (Had that problem with 'portmap' once...)
In my ldap.conf, everything is commented out. Actually, I never edited the file. Maybe you should do the same.
If this isn't the case, I recommend that you disable all SSL options and put a plain-text password in your slapd.conf. You can always deal with security later, after you have OpenLDAP working.

spyder (Tux's lil' helper)
Joined: 06 Nov 2002, Posts: 121
Posted: Mon Jan 26, 2004 2:13 pm
How do I disable all the SSL in OpenLDAP?
And I am not running a firewall on this box.
|

mariourk (l33t)
Joined: 11 Jul 2003, Posts: 807, Location: Urk, Netherlands
Posted: Mon Jan 26, 2004 5:09 pm
ldap.conf
Comment out everything.
slapd.conf
Make it look like this:
Code:
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
# Include the needed data schemes
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
# Use crypt to hash the passwords
#password-hash {crypt}
# Define SSL and TLS properties (optional)
#TLSCertificateFile /etc/ssl/ldap.pem
#TLSCertificateKeyFile /etc/ssl/ldap.pem
#TLSCACertificateFile /etc/ssl/ldap.pem
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules:
# modulepath /usr/lib/openldap/openldap
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
#
# Sample Access Control
# Allow read access of root DSE
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
#
#access to dn="" by * read
#access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default is:
# Allow read by all
#
# rootdn can always write!
#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
suffix "dc=sitename,dc=org"
rootdn "cn=Manager,dc=sitename,dc=org"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory /var/lib/openldap-ldbm
# Indices to maintain
index objectClass eq
Note that I commented out several options and changed the root password to 'secret' (plain text).

spyder (Tux's lil' helper)
Joined: 06 Nov 2002, Posts: 121
Posted: Mon Jan 26, 2004 6:01 pm
Still nothing... I did exactly what you said.

mariourk (l33t)
Joined: 11 Jul 2003, Posts: 807, Location: Urk, Netherlands
Posted: Mon Jan 26, 2004 6:05 pm
Do
Code:
emerge openldap -vp

How is your openldap emerged?
I have it emerged with the following options:
Code:
[ebuild R ] net-nds/openldap-2.0.27-r4 +ssl +tcpd +readline -ipv6 -berkdb +gdbm -kerberos -odbc

waverider202 (Tux's lil' helper)
Joined: 25 Sep 2002, Posts: 146, Location: Drexel University
Posted: Mon Jan 26, 2004 10:00 pm, Post subject: test
If it says it can't be connected, that sounds like either a firewall issue or it's not running. If your database environment is not set correctly, openldap will start, gentoo will say it's running, then slapd will stop, and gentoo's init script system, which is not stateful, will have issues with it.

spyder (Tux's lil' helper)
Joined: 06 Nov 2002, Posts: 121
Posted: Tue Jan 27, 2004 1:03 am
mariourk wrote:
    Do
    Code:
    emerge openldap -vp

    How is your openldap emerged?
    I have it emerged with the following options:
    Code:
    [ebuild R ] net-nds/openldap-2.0.27-r4 +ssl +tcpd +readline -ipv6 -berkdb +gdbm -kerberos -odbc

This is mine:
Code:
enterprise root # emerge openldap -vp
These are the packages that I would merge, in order:
Calculating dependencies ...done!
[ebuild R ] net-nds/openldap-2.0.27-r4 +ssl +tcpd +readline -ipv6 +berkdb +gdbm -kerberos -odbc

spyder (Tux's lil' helper)
Joined: 06 Nov 2002, Posts: 121
Posted: Tue Jan 27, 2004 1:08 am
Do I have to build it with sasl, or emerge sasl? I tried, and sasl 1.x doesn't build (it gets errors), and 2.x doesn't seem to be compatible.

spyder (Tux's lil' helper)
Joined: 06 Nov 2002, Posts: 121
Posted: Thu Jan 29, 2004 3:21 am
Anyone?

fazer-ekky (n00b)
Joined: 02 Jan 2004, Posts: 6, Location: münchen
Posted: Sun Feb 01, 2004 5:03 pm
IMHO you have to compile openldap with sasl (USE flag); also you have to emerge the cyrus-sasl-2.x package. The Gentoo LDAP-Authent. HOWTO seems to be incomplete. See the Authentication section in the LDAP HOWTO
and Section 10 in the LDAP Administration Guide. It has something to do with the SASL user database (saslpasswd2). But till now it's not so clear to me what to do. I must study some howtos.