
Thread: LDAP and TLS

  1. #1

    Question LDAP and TLS

    Hi, I have OpenSUSE 11.2 and I am trying to set up TLS on LDAP using YaST, but when I specify the location of the three certificate files and click "OK" I get the following error: "Can not set filesystem acl on the private keysetfacl -m u:ldap:r /etc/ssl/certs/ldap.pem failed. Do you have filesystem acl support disabled?"

    What am I doing wrong? Am I missing something? I do not get why this is happening. It is a relatively new/clean installation.

    Please help me, thanks.

  2. #2

    Default Re: LDAP and TLS

    I didn't set up LDAP using YaST but that message about ACLs means you have not enabled the acl option on the filesystem so that setup operation failed. Apparently it relies on using POSIX ACLs. In /etc/fstab it would look like this if you had enabled acl:

    /dev/md0 / ext4 acl,user_xattr,noatime

    The important one is the acl.

  3. #3

    Default Re: LDAP and TLS

    Hi, thank you very much. I understood that setting the acl was failing, but I did not understand why or how to fix it. My fstab said "/dev/sda1 / ext3 defaults 0 0"; however, in YaST > Partitioner > fstab Options, "Access Control Lists (ACL)" was checked... apparently it was lying to me, go figure. When I modified the fstab to say "acl,defaults" as you suggested and rebooted, it resolved my TLS setup issue... the configuration saved, but then LDAP restarted and failed to start :-(, grr. I don't think I like the configuration being stored in the LDAP database; if the LDAP server won't start you can't fix the broken configuration, that is, undo your changes. That is no good.

  4. #4

    Default Re: LDAP and TLS

    Did a little more research, and I guess the dynamic configuration is not really stored in the database, it is stored in the slapd.d directory, so I guess I should be able to back that up before making changes and if I break something I can just replace it. Still trying to figure out why my certificates are breaking the configuration...

  5. #5

    Lightbulb Re: LDAP and TLS

    I finally figured out that it was a permission issue to my certificates, which was not obvious from the log files stating the configuration was corrupt :-(, go figure.

  6. #6

    Default Re: LDAP and TLS

    Originally Posted by wslyhbb:
    > I finally figured out that it was a permission issue to my certificates, which was not obvious from the log files stating the configuration was corrupt :-(, go figure.

    I am currently getting an error starting ldap with TLS enabled... what did you set your permissions to in order to correct it?

  7. #7

    Default Re: LDAP and TLS

    My problem was I was accessing certificates in a path that was not accessible to the "ldap" user. While the setfacl sets the actual certificate file permissions to ldap, the folder path it was in was not accessible by ldap. I had to move the certificate to a path that was readable by ldap.
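The two things that went wrong in this thread (post #2: the filesystem was not mounted with the acl option, so YaST's setfacl call failed; post #7: a parent directory was not searchable by the ldap user, so the ACL on the file alone did not help) can both be checked before touching the YaST dialog. The script below is an added example, not code from the thread or from YaST; it assumes the slapd account is named ldap and the certificate lives at /etc/ssl/certs/ldap.pem as in the posts, and it needs GNU stat and id (coreutils) plus findmnt (util-linux) on Linux.

```shell
#!/bin/sh
# Added example (not from the thread or from YaST): check whether the account
# slapd runs as (assumed "ldap") can reach a certificate file. Two failure
# modes from the thread are covered:
#   1. the filesystem is not mounted with the acl option, so
#      "setfacl -m u:ldap:r <file>" fails;
#   2. a parent directory is not searchable by the ldap user, so an ACL on
#      the file itself does not help.
# Requires GNU stat and id (coreutils) and findmnt (util-linux).

# Return 0 if a comma-separated mount option string enables POSIX ACLs.
has_acl_option() {
    case ",$1," in
        *,acl,*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print the single octal digit of permission bits user $2 gets on path $1:
# owner bits if they own it, group bits if they are in its group, otherwise
# the "other" bits. Plain mode bits only: ACLs are ignored, and so is root's
# permission bypass (slapd does not run as root, so that is the right model).
effective_bits() {
    info=$(stat -c '%a %U %G' "$1") || return 1
    mode=${info%% *}; rest=${info#* }; owner=${rest%% *}; group=${rest#* }
    case $mode in ????) mode=${mode#?} ;; esac        # drop suid/sgid/sticky digit
    while [ ${#mode} -lt 3 ]; do mode=0$mode; done   # pad e.g. "0" to "000"
    u=${mode%??}; g=${mode#?}; g=${g%?}; o=${mode#??}
    if [ "$owner" = "$2" ]; then
        echo "$u"
    elif id -Gn "$2" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        echo "$g"
    else
        echo "$o"
    fi
}

# Walk from / down to file $1 and report each component as user $2 sees it.
# Directories need the search bit (1); the file itself needs the read bit (4).
# Return 1 at the first component that blocks access.
check_cert_access() {
    target=$(readlink -f "$1") || return 1
    rest=${target#/}; cur=""
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
        cur="$cur/$comp"
        bits=$(effective_bits "$cur" "$2") || return 1
        if [ "$cur" = "$target" ]; then need=4; what=read; else need=1; what=search; fi
        if [ $((bits & need)) -eq 0 ]; then
            echo "BLOCKED: $2 cannot $what $cur (bits $bits)"
            return 1
        fi
        echo "ok: $2 can $what $cur"
    done
}

# Usage: sh check_cert_access.sh /etc/ssl/certs/ldap.pem ldap
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    # 1. Is the filesystem holding the certificate mounted with acl?
    opts=$(findmnt -n -o OPTIONS -T "$1" 2>/dev/null)
    if has_acl_option "$opts"; then
        echo "acl mount option present: $opts"
    else
        echo "warning: no explicit acl mount option ($opts); setfacl may fail"
    fi
    # 2. Can the service account traverse every directory and read the file?
    check_cert_access "$1" "$2"
fi
```

A BLOCKED line names the exact directory to fix (typically a chmod o+x on that directory, or moving the certificate under a path such as /etc/ssl/certs that the service account can already search, which is what post #7 did). Because the walker looks only at mode bits, an ACL granted with setfacl will not show up here; use getfacl on the file to confirm that entry separately.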

  8. #8

    Default Re: LDAP and TLS

    Hrmmm.....

    On mine, when I enable TLS in LDAP (using YaST, 11.3) I get a dialog box saying that the LDAP server failed to start. Then it gives me this:

    > YaST got signal 11 at YCP file ldap-server/tree_structure.ycp:246
    > /sbin/yast2: line 399: 8966 Segmentation fault $ybindir/y2base $module "$@" "$SELECTED_GUI" $Y2_GEOMETRY $Y2UI_ARGS

    So far setting LDAP up without TLS enabled seems to work, except I always get an authentication failure when trying to log in (I have tried the LDAP browser as well as trying to set up other services to use it)... I even rebuilt the LDAP server several times looking for something I missed.
