> Date: Wed, 5 Dec 2007 15:37:53 +1300
> From: "Steven Jones" <Steven.Jones(a)vuw.ac.nz>
> Is there a way to search the list archives for topics?
> Such as say,
> "ldap_start_tls: Connect error (-11)
> additional info: TLS: hostname does not match CN in peer
Since the above message comes from the OpenLDAP tools/library, you'd have
better luck searching the OpenLDAP archives. www.openldap.org.
>> So what did I do wrong?
> probably should only use uri and not host in /etc/openldap/ldap.conf
> yep, I can take that out....
> And it's clear that
> ldap.vuw.ac.nz != cn=vuwunicvfdsm001.vuw.ac.nz (certificate)
> Sorry I fail to see it as that clear (until now you explain it anyway!)
> ....Working through the FDS/RDS documentation I seem to have failed to
> notice that it clearly (if at all???) explains what cn= should equal or
> indeed the setting in the ldap.conf needs to be the same....in terms of
> DNS they do equal as ldap is a CNAME of vuwunicvfdsm001....
This is explained in the OpenLDAP Admin Guide.
> The advantage of using a CNAME is I can upgrade the system and to a
> simple CNAME change to replace the servers....
RFC2830 explicitly forbids clients from talking to a DNS server to verify the
server name. Therefore most clients would be unable to dereference a CNAME.
RFC4513 relaxes this constraint, and permits a client to use secure hostname
services (e.g. DNSSEC), but in practice there are no standard APIs to select or
control these services, so the RFC2830 constraint is still in force - the
hostname provided by the client must be used directly, without any other
mapping, in comparisons to the names in the server certificate. But as already
mentioned, you can include arbitrarily many subjectAltName extensions in the
certificate to provide aliases and domain wildcards.
> Date: Tue, 04 Dec 2007 20:42:25 -0700
> From: Craig White <craigwhite(a)azapple.com>
> Lastly, you probably can add to both /etc/ldap.conf
> and /etc/openldap/ldap.conf
> ssl start_tls
> and it should automatically use tls...
No. That's only legal for PADL's pam_ldap and nss_ldap. There is no equivalent
option for OpenLDAP's libldap because that is not a library-level issue, it's
application level. /etc/openldap/ldap.conf is only for library default
settings. There is no configuration file for client tool defaults.
> Date: Tue, 04 Dec 2007 20:05:25 -0800
> From: Satish Chetty <satish(a)suburbia.org.au>
>> I am trying to do a ldapsearch with ssl enabled....and I get this error,
> You can also try ldapsearch that comes with FDS (without -x option)
> Also, if you want only encryption and not host identification, use
> 'tls_checkpeer no' in your ldap.conf
That is also only valid for pam_ldap and nss_ldap. In OpenLDAP that's what the
"TLS_REQCERT never" option is for, but in the versions of OpenLDAP that RedHat
ships, which are typically 3-5 years obsolete, that option doesn't quite work
as expected. I.e., the hostname check is performed regardless of the setting.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
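The name comparison described above (the client's hostname taken literally with no CNAME dereference, subjectAltName aliases and wildcards, and what "TLS_REQCERT never" is meant to do) as an added Python illustration; this is not code from the post or from OpenLDAP's libldap, and the certificates are constructed dicts shaped like Python's ssl getpeercert() output with made-up values modelled on the thread's names.

```python
"""Hostname-vs-certificate matching in the spirit of RFC 2830 / RFC 4513.
Added illustration, not code from the post or from OpenLDAP. The name the
client was given is compared literally (no DNS lookup, so the CNAME
ldap -> vuwunicvfdsm001 is never dereferenced) against subjectAltName
dNSNames, falling back to the subject CN only when no dNSName is present.
Certificates below are constructed dicts shaped like ssl getpeercert()."""
from __future__ import annotations


def label_match(pattern: str, name: str) -> bool:
    """Case-insensitive match; '*' is accepted only as the whole leftmost
    label and must be followed by at least two more labels (no '*.nz')."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern == name:
        return True
    p_labels, n_labels = pattern.split("."), name.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(n_labels):
        return False
    return p_labels[1:] == n_labels[1:]


def cert_names(cert: dict) -> list[str]:
    """Names the certificate asserts: SAN dNSNames if any, else subject CN."""
    sans = [v for typ, v in cert.get("subjectAltName", ()) if typ == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def verify_peer(hostname: str, cert: dict, reqcert: str = "demand") -> tuple[bool, str]:
    """Return (ok, reason). reqcert mirrors OpenLDAP's TLS_REQCERT values: 'never'
    skips the name check (the documented behaviour the old Red Hat builds ignored)."""
    if reqcert == "never":
        return True, "TLS_REQCERT never: hostname check skipped"
    names = cert_names(cert)
    for n in names:
        if label_match(n, hostname):
            return True, f"{hostname} matches certificate name {n}"
    return False, f"TLS: hostname {hostname} does not match CN/SAN {names}"


# Constructed certificates modelled on the thread's names (hypothetical values).
CERT_CN_ONLY = {"subject": ((("commonName", "vuwunicvfdsm001.vuw.ac.nz"),),)}
CERT_WITH_SAN = {
    "subject": ((("commonName", "vuwunicvfdsm001.vuw.ac.nz"),),),
    "subjectAltName": (("DNS", "vuwunicvfdsm001.vuw.ac.nz"),
                       ("DNS", "ldap.vuw.ac.nz"), ("DNS", "*.vuw.ac.nz")),
}
```

With CERT_CN_ONLY, connecting to ldap.vuw.ac.nz fails exactly as in the quoted error even though DNS resolves the CNAME; adding the alias (or a wildcard) as a dNSName SAN is what makes it pass.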
The Red Hat Directory Server 8.0 docs are now available at
Among the changes:
* Refers to the new packaging formats and FHS pathnames
* Command line replication management is fully documented
* Updated SSL and SASL configuration
* New configuration entries and attributes documented
These docs are applicable to Fedora Directory Server 1.1.
The problem is the following: in our organization we have a master server and another in hub mode. We have some object classes created with their attributes, for example the object class CBSPERSONAL, with the attributes apellido1, apellido2, name, mail, telephone.
When replication creates a user on the master it works perfectly, and on the hub I can modify its attributes. The problem comes when on the master I create an object of class CBSPERSONAL: it replicates correctly to the hub, but when I try to modify this object on the hub it gives me the following message:
LDAP server is unwilling to perform; Cannot update referral.
If on the hub I modify any object that does not come from an object class we created, it works correctly.
The two servers share the same 99user.ldif schema file.
In my organization I have 2 multi-masters created with the script mmr.pl; I need to add another. How can I accomplish it?
Can mmr.pl itself create 4 multi-masters?
How can it create 4 multi-masters for me?
We want to migrate users from Netscape LDAP to RedHat DS. On RedHat we have created a similar schema (as existing on Netscape) and now plan to export LDIF from Netscape and import that into RedHat DS. This should work fine, but what will happen to the user passwords, since in the export they will be hashed? Will they get successfully imported into RedHat, or will they get rehashed during the import, thus spoiling the migration?
Please advise how should we plan user migration using some simple mechanism.
Is it mandatory to install Fedora DS 1.1 via RPM on Fedora 8? Does the RPM
install it in /opt/fedora-ds? I attempted to use an older version for
Fedora Core 6 and although it would install, it was unusable as it wouldn't
work with Apache HTTPD 2.2.6. What are your suggestions?
At this point I have three working multi-master'ed servers (the original
7.1, an ES5.1/64bit and an EWS3/32bit), and am already using them as
fallbacks for authentication, so I don't really want to reinstall again
just to see the error message again. Sorry.
Suffice it to say that while installing 1.0.4-1 on any of my systems,
answering "yes" to either question (register admin to the 7.1 Admin
Server or storing configs in the 7.1 DS) causes an early and complete
failure to config the Admin on the 1.0.4-1 system. Since I am sure this
works for others, I must have a "poison pill" in my 7.1 DS somewhere.
> Did you try just using
Yes, I tried. Same error at startup.
It doesn't work, and can't work, because the board doesn't provide access to
the certificate store if you don't pass the username:password pair,
like I can do in the GUI...