[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Yes, you're right. Whereas before the script simply checks if TLS is
configured and invokes ldaps. So, now it has to be expressly set
to 'yes' if you wish ldaps to start otherwise it will say and do nothing.

Thanks for that.

On Wed, Feb 4, 2009 at 11:04 AM, Nalin Dahyabhai <[email protected]> wrote:
> On Wed, Feb 04, 2009 at 09:39:07AM +1100, Oscar Plameras wrote:
>> 1. System1 - I had 3 test servers running OpenLDAP-2.3.30-3.fc6,
>> OpenSSL-0.9.8b-15.fc6 on Linux-2.6.22.14-72.fc6.
>> And these were perfectly running with OPENSSL configured on
>> 'slapd.conf' as follows:
>>
>> lines cut
>> #
>> #
>> TLSCACertificateFile /etc/CA/cacert.pem
>> TLSCertificateFile    /etc/pki/tls/newcert.pem
>> TLSCertificateKeyFile /etc/pki/tls/newkey.pem
>> #
>> #
>> lines cut
>>
>> When I do,
>>
>> #service ldap restart, and #ps -ax  I have this
>>
>> slapd -h ldap:/// ldaps:/// -u ldap
>>
>> I can do simple unsecured or secured queries from here.
>>
>> 1. System2 - Now, I upgraded 2 test servers running
>> OpenLDAP-2.4.12-1.fc10, OpenSSL-0.9.8g-12.fc10 on
>> Linux-2.6.29-159.fc10.
>> Suddenly I can't start slapd correctly. The problem is after
>> configuring 'slapd.conf' with OPENSSL, as I did in System1 and I
>> do a
>>
>> #service ldap restart,  and #ps -ax
>>
>> I found that I only have this process running:
>> slapd -h ldap:/// -u ldap. The ldaps:/// process did not start
>> suggesting I have incorrect certificates.
>> But I can confirm that my certificates are correct with several tests.
>
> In older releases, the init script checked for TLS-related settings in
> slapd.conf and if it found some, forcibly added 'ldaps:///' to the list
> of values passed to slapd as arguments for its '-h' flag.
>
> It looks like it doesn't do that any more.  Rather, it expects that
> you'll set SLAPD_LDAPS to "yes" in /etc/sysconfig/ldap.  I'm only
> guessing as to why, but it looks like one of the benefits of changing
> the way that the init script works is that you can now disable listening
> for non-SSL connections without editing the init script.
>
> HTH,
>
> Nalin
>
> --
> fedora-list mailing list
> [email protected]
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
> Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
>

-- 
fedora-list mailing list
[email protected]
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]
  Powered by Linux