Talk:OpenLDAP
From Gentoo Linux Wiki
If you are here, you have probably noticed that the official Gentoo LDAP howto doesn't work for you. This is due to a version upgrade in OpenLDAP to v3.
2005/02/07: this guide does not appear to be accurate. Following these instructions will not result in a working OpenLDAP configuration. The problem seems to be with self-signed OpenSSL certificates.
2006/03/30: this Gentoo-based guide resulted in a working configuration; note that you will have to use "bind_policy soft" in your /etc/ldap.conf file to prevent udev from hanging on startup.
2006/07/11: if you use "bind_policy soft" your system will not hang, but non-local users cannot log in to your system using ssh. For more details see: nss_ldap undocumented nss_reconnect_tries!
2006/11/07: I've followed this guide with Ubuntu server and Gentoo client, and updated accordingly. ruxpin
--
Q&A:
What USE flags do you use when emerging these packages?
Need:
- Extra schemas: misc.schema, kerberosobject.schema
- Migration tools help
While possible problems when issuing
/etc/init.d/slapd start
are not yet discussed, it would be useful to say where to find the error messages. The two red exclamation points aren't in any way elucidating. Thanks.
You could back up and edit your /etc/init.d/slapd. Add -d 2 just before -u ldap -g ldap to get debugging info. You can change the debugging level; see the manpage for slapd. I did notice that I had to remove the -d 2 from /etc/init.d/slapd, otherwise the init script would hang when I tried to start it.
-- To the person who added that this is not a good way of creating certs: check out http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html#4.1 - the output of the two commands is the same on my system for a self-signed cert.
Note that TLS_REQCERT allow in /etc/openldap/ldap.conf permits the client to *not* authenticate the server certificate, making a valid server certificate pointless. If you want security, turn on TLS_REQCERT demand (which is the default, so you can remove that entry) and add TLS_CACERT /path/to/mycacert.pem, which should be a copy of your server's cacert.pem file.
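The two notes above (self-signed certs, and TLS_REQCERT allow versus demand) as an added worked example; this is not code from the wiki page, the Gentoo howto or OpenLDAP itself. It uses openssl to build a small CA, a server certificate signed by it and a rogue self-signed certificate with the same CN (standing in for a man-in-the-middle), writes a weak and a hardened client ldap.conf, and then checks which configuration would actually authenticate the server: only TLS_REQCERT demand (or hard) together with a TLS_CACERT file that validates the presented certificate passes. The hostname ldap.example.org, the base dc=example,dc=org, the $WORK directory and all file names are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the wiki page or from OpenLDAP.
# Builds a CA, a CA-signed server cert and a rogue self-signed cert with the
# same CN, writes a weak and a hardened client ldap.conf, and checks which
# configuration would really authenticate the server.
# All names and paths below are assumptions for the demo; openssl must be in PATH.
set -eu

WORK=${WORK:-$(mktemp -d)}
CN=${CN:-ldap.example.org}        # assumed LDAP server hostname

make_certs() {
  # CA: self-signed. This is the cacert.pem the client must pin via TLS_CACERT.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example LDAP CA" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
  # Server key + CSR, signed by the CA above (the cert slapd would present).
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$CN" \
    -keyout "$WORK/serverkey.pem" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -days 365 \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
    -out "$WORK/servercrt.pem" 2>/dev/null
  # Rogue cert: same CN, but self-signed by someone else (a MITM's cert).
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$CN" \
    -keyout "$WORK/roguekey.pem" -out "$WORK/roguecrt.pem" 2>/dev/null
}

write_client_confs() {
  # Weak: 'allow' lets libldap continue even when the server cert fails
  # verification, so any cert, including the rogue one, gets accepted.
  cat > "$WORK/ldap.conf.weak" <<EOF
BASE    dc=example,dc=org
URI     ldap://$CN
TLS_REQCERT allow
EOF
  # Hardened: 'demand' (the default) plus the CA that signed the server cert.
  cat > "$WORK/ldap.conf" <<EOF
BASE    dc=example,dc=org
URI     ldap://$CN
TLS_REQCERT demand
TLS_CACERT  $WORK/cacert.pem
EOF
}

# client_would_verify CONF CERT
# Exit 0 if a client using CONF would authenticate a server presenting CERT:
# TLS_REQCERT must be demand or hard (or absent, since demand is the default)
# and TLS_CACERT must name a readable CA file that validates CERT.
# Exit 1 otherwise. Hostname matching is left to libldap and not modelled here.
client_would_verify() {
  conf=$1
  cert=$2
  reqcert=$(awk 'toupper($1)=="TLS_REQCERT"{print tolower($2)}' "$conf")
  cacert=$(awk 'toupper($1)=="TLS_CACERT"{print $2}' "$conf")
  case ${reqcert:-demand} in
    demand|hard) ;;
    *) return 1 ;;   # never/allow/try: the server cert need not verify at all
  esac
  [ -n "$cacert" ] && [ -r "$cacert" ] || return 1
  openssl verify -CAfile "$cacert" "$cert" >/dev/null 2>&1
}

# Usage:
#   make_certs; write_client_confs
#   client_would_verify "$WORK/ldap.conf" "$WORK/servercrt.pem" && echo "server cert accepted"
#   client_would_verify "$WORK/ldap.conf" "$WORK/roguecrt.pem"  || echo "rogue cert rejected"
#   client_would_verify "$WORK/ldap.conf.weak" "$WORK/servercrt.pem" || echo "weak conf never verifies"
```

If you follow the howto's single self-signed server certificate instead of a separate CA, the same check applies with TLS_CACERT pointing at a copy of that server certificate, which is exactly what the note above recommends; with TLS_REQCERT allow the CA file is never consulted, so a rogue certificate is accepted just like the real one.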
Tutorial Is Not In Order
The tutorial tells us to import base.ldif before it tells us to start the server. There is no troubleshooting provided for the situation that I face now, where I've started the server but always get ldap_bind: Can't contact LDAP server (-1).
Active Directory Is Not LDAP
The tutorial mentions Active Directory frequently, but Active Directory is a Microsoft product, not a general term for LDAP directories.
