Authentication Server / LDAP / Directory Server

Hi
This seems incurably broken! It looks like openldap has been replaced by directory server, but the documentation has not been updated. I have tried repeatedly, but cannot seem to make this work, and I am particularly struggling to find enough documentation about the TLS certificate side of things, which is where it seems to trip up.
Has anybody got this working at all? If so can you give me some pointers?
Many thanks.

AFAIK there haven’t been many significant changes from LEAP 15.0 to 15.1 regarding this topic, but it is an enormous change from what existed before.

Current documentation which should work…

Overall Security docs
https://doc.opensuse.org/documentation/leap/security/html/book.security/book.security.html

LDAP related starts with section 4 in the above, link below
https://doc.opensuse.org/documentation/leap/security/html/book.security/cha.security.auth.html

For setting up TLS specifically,
See step 4 in the “Procedure 4.2” section at the following link.
It assumes you have your certificate created and ready to use (noting that the YaST CA module may be missing or not functional).
https://doc.opensuse.org/documentation/leap/security/html/book.security/cha.security.auth.html#step.auth.server.config.tls

If you think that the docs really don’t make sense, post some specifics for people to take a look at…

TSU

I have tried both 15.0 and 15.1, with the same results. This is my first experience of SUSE in about 15 years - I have been in the Debian / Ubuntu world in that time, so I am not entirely sure of all the details and how things work!!

I believe the docs show the old-style YaST interface to OpenLDAP, whereas the new option in YaST looks entirely different.

It insists on having TLS certificates before it will continue, and when it does go it creates the database but fails with the following message:

[13/Jun/2019:20:43:41.488638314 +0100] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
Your new directory server has been started.
Your new DS instance ‘SWORD_LDAP’ was successfully created.
Exiting . . .
Log file is ‘/tmp/setupQB_L_H.log’

2019-06-13 20:43:41 +0100
2019-06-13 20:43:41 +0100
pk12util: PKCS12 decode not verified: SEC_ERROR_BAD_PASSWORD: The security password entered is incorrect.
pk12util: PKCS12 decode validate bags failed: SEC_ERROR_INVALID_ARGS: security library: invalid arguments.

So, it downloads and installs ds-389 server (not openldap) and tries to configure it, but fails.
If I go back into the create option in yast, it fails again, this time because the server already exists.
I cannot communicate with the server because the authentication does not work, and there is NO documentation that I can find that relates to 389 DS and openSUSE, so I can’t even figure out what to do from the command line - which I am trying to avoid by moving to openSUSE !! :)
There is no option within YaST to edit the configuration of the server anywhere, and if I try to connect to it in the user and group management option, that fails too - the server is running but is not contactable. Its configuration is stored internally (no config files), so I cannot see how to move forward with this.

Any help is much appreciated, as I am keen to make the move rather than go back to the ubuntu world.
Thanks
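The pk12util errors in the post above (SEC_ERROR_BAD_PASSWORD followed by SEC_ERROR_INVALID_ARGS) are what NSS reports when the PKCS#12 bundle cannot be decoded with the passphrase it was given. Before handing a bundle to the YaST setup again, it is worth checking which passphrase the file actually accepts, including the empty one, since a setup tool that never prompts may well be passing nothing. The following is an added example, not code from the thread, openSUSE or 389 DS; it uses only the openssl command line, and the file names and passphrases in it are hypothetical.

```shell
#!/bin/sh
# Added example: verify a PKCS#12 bundle with the passphrase the setup tool
# will use, before it reaches pk12util.  Only the openssl CLI is required.
# All paths and passphrases below are hypothetical.

# p12_check BUNDLE PASSPHRASE
# Returns 0 if openssl can verify the MAC and decode BUNDLE with PASSPHRASE,
# 1 otherwise.  The failing case is what pk12util reports as
# "PKCS12 decode not verified: SEC_ERROR_BAD_PASSWORD".
p12_check() {
    openssl pkcs12 -in "$1" -noout -passin "pass:$2" >/dev/null 2>&1
}

# p12_find_pass BUNDLE [CANDIDATE...]
# Tries the empty passphrase first, then each candidate in turn.  Prints the
# first passphrase that works ("<empty>" for the empty one) and returns 0;
# returns 1 if none of them decode the bundle.
p12_find_pass() {
    bundle=$1
    shift
    if p12_check "$bundle" ""; then
        echo "<empty>"
        return 0
    fi
    for cand in "$@"; do
        if p12_check "$bundle" "$cand"; then
            echo "$cand"
            return 0
        fi
    done
    return 1
}

# p12_summary BUNDLE PASSPHRASE
# Prints subject, issuer and validity of the first certificate in the bundle,
# so you can confirm it really is the server certificate you meant to import.
p12_summary() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}

# Example usage (hypothetical bundle and candidate passphrases):
#   if pw=$(p12_find_pass /root/ldap-server.p12 changeit secret); then
#       echo "bundle opens with: $pw"
#       p12_summary /root/ldap-server.p12 "$([ "$pw" = "<empty>" ] || echo "$pw")"
#   else
#       echo "none of the candidate passphrases decode the bundle" >&2
#   fi
```

If the bundle only opens with a non-empty passphrase and the setup tool never asks for one, that mismatch is the first thing to resolve, either by supplying the passphrase where the tool expects it or by re-exporting the bundle with the passphrase the tool will use.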

How was your certificate created, where did it come from and how is it managed?
Your error suggests that you may have problems using the certificate.

xca was recommended to manage your Domain certificates in this thread, after a brief skim of documentation I support it, too.

BTW -
To make console results more legible, it’s recommended to enclose them in the CODE tags, which is the hash button in the web text editor for this Forum software; this results in the following

Console commands and output

TSU

I used command line tools to create the certificates - the setup tool does not ever ask for the password for the certificate (don’t know if it should?)
I also tried it with TinyCA, and got the same result.

I think you perhaps meant to put in a link to a thread, but it doesn’t appear to have worked. I will have a look at xca.
Thanks

Yes,
At the time TinyCA did not work (it’s news to me if it’s working now).
The thread where this was discussed:

https://forums.opensuse.org/showthread.php/530945-Yast-ca-module-in-15

See if the certificate used by YaST to set up your Authentication Server can be opened by a normal, non-root User (as a public cert, should be possible and not a security risk).

TSU

I have tried with xca several times and always end up with a message

2019-06-18 12:39:38 +0100
certutil: could not decode certificate: SEC_ERROR_BAD_DER: security library: improperly formatted DER-encoded message.

As far as I can tell the certificates can be opened ok, although the above message suggests something wrong in how the certificate is formatted - maybe it is something specific that xca and tinyca cannot handle?
I have found some redhat instructions using certutil - I will try that when I get a chance, and see if it works any better.
Thanks
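The certutil message in the post above (SEC_ERROR_BAD_DER, "improperly formatted DER-encoded message") is the error NSS gives when it is handed data that is not DER, and the most common cause is a PEM (base64, "-----BEGIN CERTIFICATE-----") file passed to certutil -A without the -a option, which tells certutil to expect ASCII input. Checking the file's encoding before the import, and converting if needed, takes the guesswork out of it. The following is an added example, not code from the thread, openSUSE or 389 DS; the NSS database directory and nickname are hypothetical (389 DS keeps its NSS database under /etc/dirsrv/slapd-INSTANCE/, but confirm the path on your system).

```shell
#!/bin/sh
# Added example: determine whether a certificate file is PEM or DER, convert
# it, and import it into an NSS database with the right certutil flags.
# certutil -A reads DER by default; a PEM file needs -a, otherwise it fails
# with SEC_ERROR_BAD_DER.  Database path and nickname below are hypothetical.

# cert_format FILE
# Prints PEM, DER or UNKNOWN; returns 1 for UNKNOWN.
cert_format() {
    if openssl x509 -in "$1" -inform PEM -noout 2>/dev/null; then
        echo PEM
    elif openssl x509 -in "$1" -inform DER -noout 2>/dev/null; then
        echo DER
    else
        echo UNKNOWN
        return 1
    fi
}

# cert_to_der IN OUT
# Writes a DER copy of IN to OUT, whatever IN's encoding.
cert_to_der() {
    fmt=$(cert_format "$1") || return 1
    openssl x509 -in "$1" -inform "$fmt" -outform DER -out "$2"
}

# cert_fingerprint FILE
# SHA-256 fingerprint, so the converted copy can be checked against the
# original: same fingerprint means the same certificate.
cert_fingerprint() {
    fmt=$(cert_format "$1") || return 1
    openssl x509 -in "$1" -inform "$fmt" -noout -fingerprint -sha256 | cut -d= -f2
}

# nss_import_cert FILE DBDIR NICKNAME TRUST
# Imports a certificate (for example the CA certificate, trust "CT,,") with
# certutil, adding -a only when the file is PEM.  The server certificate and
# its private key are not imported this way; those go in via pk12util.
nss_import_cert() {
    fmt=$(cert_format "$1") || return 1
    if [ "$fmt" = PEM ]; then
        certutil -A -d "$2" -n "$3" -t "$4" -a -i "$1"
    else
        certutil -A -d "$2" -n "$3" -t "$4" -i "$1"
    fi
}

# Example usage (hypothetical paths and nickname):
#   cert_format /root/ca.crt
#   nss_import_cert /root/ca.crt /etc/dirsrv/slapd-SWORD_LDAP "My-CA" "CT,,"
#   certutil -L -d /etc/dirsrv/slapd-SWORD_LDAP     # list what is in the DB
```

If cert_format reports UNKNOWN, the file is neither encoding openssl recognises as a certificate (a private key, a PKCS#7 chain or a PKCS#12 bundle, for instance), and no certutil flag will make -A accept it.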

I don’t know if DER has changed over time…
But on the chance it has,
Is your CA server running on the same machine as your LDAP authentication server, or the same distro and version?

TSU