Re: OpenLDAP, OpenSSL, and Fedora 10 Stop Liking One Another ?

Yes, you're right. Whereas before, the script simply checked whether TLS was
configured and invoked ldaps. So now it has to be expressly set
to 'yes' if you wish ldaps to start; otherwise it will say and do nothing.

Thanks for that.

On Wed, Feb 4, 2009 at 11:04 AM, Nalin Dahyabhai <nalin@xxxxxxxxxx> wrote:
> On Wed, Feb 04, 2009 at 09:39:07AM +1100, Oscar Plameras wrote:
>> 1. System1 - I had 3 test servers running OpenLDAP-2.3.30-3.fc6,
>> OpenSSL-0.9.8b-15.fc6 on Linux-2.6.22.14-72.fc6.
>> And these were perfectly running with OPENSSL configured on
>> 'slapd.conf' as follows:
>>
>> lines cut
>> #
>> #
>> TLSCACertificateFile /etc/CA/cacert.pem
>> TLSCertificateFile    /etc/pki/tls/newcert.pem
>> TLSCertificateKeyFile /etc/pki/tls/newkey.pem
>> #
>> #
>> lines cut
>>
>> When I do,
>>
>> #service ldap restart, and #ps -ax  I have this
>>
>> slapd -h ldap:/// ldaps:/// -u ldap
>>
>> I can do simple unsecured or secured queries from here.
>>
>> 2. System2 - Now, I upgraded 2 test servers running
>> OpenLDAP-2.4.12-1.fc10, OpenSSL-0.9.8g-12.fc10 on
>> Linux-2.6.29-159.fc10.
>> Suddenly I can't start slapd correctly. The problem is after
>> configuring 'slapd.conf' with OPENSSL, as I did in System1 and I
>> do a
>>
>> #service ldap restart,  and #ps -ax
>>
>> I found that I only have this process running:
>> slapd -h ldap:/// -u ldap. The ldaps:/// process did not start
>> suggesting I have incorrect certificates.
>> But I can confirm that my certificates are correct with several tests.
>
> In older releases, the init script checked for TLS-related settings in
> slapd.conf and if it found some, forcibly added 'ldaps:///' to the list
> of values passed to slapd as arguments for its '-h' flag.
>
> It looks like it doesn't do that any more.  Rather, it expects that
> you'll set SLAPD_LDAPS to "yes" in /etc/sysconfig/ldap.  I'm only
> guessing as to why, but it looks like one of the benefits of changing
> the way that the init script works is that you can now disable listening
> for non-SSL connections without editing the init script.
>
> HTH,
>
> Nalin
>

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
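The two init-script behaviours Nalin describes, modelled as an added example so the difference can be seen without a running slapd. This is not the Fedora init script itself: the `grep '^TLS'` test is an approximation of "checked for TLS-related settings in slapd.conf", the variable names `SLAPD_LDAP` and `SLAPD_LDAPI` are assumed alongside the `SLAPD_LDAPS` the thread mentions, the function names are mine, and the sample `slapd.conf` lines and `ps` lines are constructed from the thread.

```shell
#!/bin/sh
# Added example, not the Fedora init script. Models how the '-h' listener
# list for slapd was built before and after the change discussed above.

# Constructed sample: the TLS directives from the thread's slapd.conf.
SAMPLE_SLAPD_CONF='TLSCACertificateFile /etc/CA/cacert.pem
TLSCertificateFile    /etc/pki/tls/newcert.pem
TLSCertificateKeyFile /etc/pki/tls/newkey.pem'

# Old behaviour: read slapd.conf on stdin; if any TLS* directive is present,
# forcibly add ldaps:/// to the listener list. ldap:/// is always there, so
# plaintext LDAP cannot be switched off without editing the init script.
# ('^TLS' is an assumed approximation of the old script's check.)
build_urls_old() {
    urls="ldap:///"
    if grep -q '^TLS' ; then
        urls="$urls ldaps:///"
    fi
    echo "$urls"
}

# New behaviour: listeners come only from /etc/sysconfig/ldap settings.
# Arguments: SLAPD_LDAP SLAPD_LDAPS SLAPD_LDAPI (each "yes" or anything else).
# slapd.conf's certificate settings are never consulted here, which is why
# a correct TLS setup with SLAPD_LDAPS unset yields no ldaps:/// listener.
build_urls_new() {
    ldap="$1"; ldaps="$2"; ldapi="$3"
    urls=""
    [ "$ldap" = "yes" ]  && urls="$urls ldap:///"
    [ "$ldaps" = "yes" ] && urls="$urls ldaps:///"
    [ "$ldapi" = "yes" ] && urls="$urls ldapi:///"
    echo "${urls# }"
}

# The check the thread used after 'service ldap restart': does the slapd
# command line (one line of 'ps -ax' output, given as $1) carry ldaps:///?
slapd_has_ldaps() {
    case " $1 " in
        *" ldaps:/// "*) return 0 ;;
        *)               return 1 ;;
    esac
}

# Constructed ps lines, as reported for System1 and System2 in the thread.
PS_SYSTEM1='slapd -h ldap:/// ldaps:/// -u ldap'
PS_SYSTEM2='slapd -h ldap:/// -u ldap'

# Stand-alone demonstration.
echo "old script, TLS in slapd.conf : $(echo "$SAMPLE_SLAPD_CONF" | build_urls_old)"
echo "new script, SLAPD_LDAPS unset : $(build_urls_new yes '' no)"
echo "new script, SLAPD_LDAPS=yes   : $(build_urls_new yes yes no)"
echo "new script, ldaps only        : $(build_urls_new no yes no)"
slapd_has_ldaps "$PS_SYSTEM1" && echo "System1: ldaps listener present"
slapd_has_ldaps "$PS_SYSTEM2" || echo "System2: no ldaps listener (check SLAPD_LDAPS)"
```

Once `SLAPD_LDAPS=yes` is set and slapd restarted, confirm the listener end to end rather than trusting `ps` alone: `openssl s_client -connect localhost:636` shows the certificate chain slapd actually presents, and `ldapsearch -H ldaps://host/ -x -b ''` exercises a real query over it. The `build_urls_new no yes no` case is the point Nalin makes at the end: with the new script, plaintext `ldap:///` can be dropped entirely from the configuration file.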
