https://bugzilla.novell.com/show_bug.cgi?id=689456
https://bugzilla.novell.com/show_bug.cgi?id=689456#c6
Peter Martinovic changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEEDINFO |ASSIGNED
CC| |peter@martinovic.sk
InfoProvider|wolfgang@rosenauer.org |
--- Comment #6 from Peter Martinovic 2011-05-15 15:04:26 UTC ---
Hello,
it seems that the problem is that the server certificate key file generated by
yast (/etc/ssl/servercerts/serverkey.pem) is not readable by the ldap user
account.
To fix it, I copied the files
/etc/ssl/certs/YaST-CA.pem
/etc/ssl/servercerts/servercert.pem
/etc/ssl/servercerts/serverkey.pem
to
/etc/openldap/certs/ca.pem
/etc/openldap/certs/servercert.pem
/etc/openldap/certs/serverkey.pem
and made them owned by root.ldap
chown root.ldap /etc/openldap/certs/*
and made them readable by ldap group
chmod g+r /etc/openldap/certs/*
I edited the following config files
(according to http://www.openldap.org/doc/admin23/tls.html#TLS Certificates)
/etc/openldap/ldap.conf:
tls_cacert /etc/openldap/certs/ca.pem
/etc/openldap/slapd.conf:
TLSCACertificateFile /etc/openldap/certs/ca.pem
TLSCertificateFile /etc/openldap/certs/servercert.pem
TLSCertificateKeyFile /etc/openldap/certs/serverkey.pem
I also edited /etc/ldap.conf (is this necessary?):
tls_cacertfile /etc/openldap/certs/ca.cert
The LDAP TLS seems to work fine now (verified by Yast Ldap Browser).
Another possibility would be to set the user rights directly on
/etc/ssl/servercerts/serverkey.pem, but I did not consider it to be a cleaner
solution.
Cheers,
Peter