LDAP and TLS

Hi, I have OpenSUSE 11.2 and I am trying to setup TLS on LDAP using YaST but when I specify the location of the three certificate files and click “OK” I get the following error: “Can not set filesystem acl on the private key: setfacl -m u:ldap:r /etc/ssl/certs/ldap.pem failed. Do you have filesystem acl support disabled?”

What am I doing wrong? Am I missing something? I do not get why this is happening. It is a relatively new/clean installation.

Please help me, thanks.

I didn’t set up LDAP using YaST but that message about ACLs means you have not enabled the acl option on the filesystem so that setup operation failed. Apparently it relies on using POSIX ACLs. In /etc/fstab it would look like this if you had enabled acl:

/dev/md0 / ext4 acl,user_xattr,noatime

The important one is the acl.

Hi, thank you very much. I understood that the setting of the acl was failing, but I did not understand why or how to fix it. My fstab said /dev/sda1 / ext3 defaults 0 0; however, in YaST>Partitioner>fstab Options, the Access Control Lists (ACL) box was checked…apparently it was lying to me, go figure. When I modified the fstab to say “acl,defaults” as you suggested and rebooted, it resolved my TLS setup issue…the configuration saved, but then the LDAP server restarted and failed to start :-(, grr. I don’t think I like the configuration being stored in the LDAP database; if the LDAP server won’t start you can’t fix the broken configuration, that is, undo your changes. That is no good.

Did a little more research, and I guess the dynamic configuration is not really stored in the database, it is stored in the slapd.d directory, so I guess I should be able to back that up before making changes and if I break something I can just replace it. Still trying to figure out why my certificates are breaking the configuration…

I finally figured out that it was a permission issue to my certificates, which was not obvious from the log files stating the configuration was corrupt :-(, go figure.

I am currently getting an error starting ldap with TLS enabled…what did you set your permissions to in order to correct it?

My problem was I was accessing certificates in a path that was not accessible to the “ldap” user. While the setfacl sets the actual certificate file permissions to ldap, the folder path it was in was not accessible by ldap. I had to move the certificate to a path that was readable by ldap.
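The two failure modes described in this thread (the acl mount option missing, and the certificate being readable but sitting under a directory the ldap user cannot traverse) can be checked from the defender's side before restarting slapd. The following is an added example and is not code from the thread or from YaST; it assumes Linux (os.getxattr) and the system.posix_acl_access xattr layout from the kernel's posix_acl_xattr.h, and the caller supplies the uid and gids to test (the check_user wrapper resolves a local account such as ldap). It evaluates both classic mode bits and an extended POSIX ACL on the file, and walks every directory on the path, which is exactly the part a setfacl on the file alone does not cover.

```python
#!/usr/bin/env python3
"""Diagnose why a service user (e.g. 'ldap') cannot read a certificate:
every directory on the path needs search (x) permission for that user and
the file itself needs read (r). Mode bits and a POSIX ACL are both honoured.
Assumes Linux and the xattr layout from the kernel's posix_acl_xattr.h."""
import os
import struct

# Tag and permission constants from posix_acl_xattr.h (xattr version 2)
ACL_USER_OBJ, ACL_USER, ACL_GROUP_OBJ, ACL_GROUP, ACL_MASK, ACL_OTHER = 1, 2, 4, 8, 16, 32
ACL_READ, ACL_WRITE, ACL_EXECUTE = 4, 2, 1
POSIX_ACL_XATTR_VERSION = 2


def parse_posix_acl(blob):
    """Decode a system.posix_acl_access blob into (tag, perm, id) tuples."""
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != POSIX_ACL_XATTR_VERSION:
        raise ValueError("unsupported ACL xattr version %d" % version)
    return [struct.unpack_from("<HHI", blob, off) for off in range(4, len(blob), 8)]


def acl_allows(entries, owner_uid, owner_gid, uid, gids, want):
    """POSIX.1e check order: owner, named user, owning/named groups, other.
    Named-user and all group entries are limited by the mask entry."""
    mask = next((p for t, p, _ in entries if t == ACL_MASK), None)

    def masked(p):
        return p if mask is None else p & mask

    if uid == owner_uid:
        return next(p for t, p, _ in entries if t == ACL_USER_OBJ) & want == want
    for t, p, i in entries:
        if t == ACL_USER and i == uid:
            return masked(p) & want == want  # a matching named-user entry is final
    group_perms = [masked(p) for t, p, i in entries
                   if (t == ACL_GROUP_OBJ and owner_gid in gids) or (t == ACL_GROUP and i in gids)]
    if group_perms:
        return any(p & want == want for p in group_perms)
    return next(p for t, p, _ in entries if t == ACL_OTHER) & want == want


def mode_allows(st_mode, st_uid, st_gid, uid, gids, want):
    """Classic rwx bits, used when no extended ACL is stored on the object."""
    if uid == st_uid:
        bits = (st_mode >> 6) & 7
    elif st_gid in gids:
        bits = (st_mode >> 3) & 7
    else:
        bits = st_mode & 7
    return bits & want == want


def allows(path, uid, gids, want):
    """Does uid (with supplementary gids) have 'want' on path? Root always does."""
    if uid == 0:
        return True
    st = os.stat(path)
    try:
        blob = os.getxattr(path, "system.posix_acl_access")
    except (OSError, AttributeError):  # no extended ACL stored, or not Linux
        return mode_allows(st.st_mode, st.st_uid, st.st_gid, uid, gids, want)
    return acl_allows(parse_posix_acl(blob), st.st_uid, st.st_gid, uid, gids, want)


def first_blocked_component(path, uid, gids):
    """Return the first directory the user cannot search, or the file itself
    if it is unreadable, or None when the whole path is reachable."""
    path = os.path.abspath(path)
    dirs = [os.sep]
    for part in path.split(os.sep)[1:-1]:
        dirs.append(os.path.join(dirs[-1], part))
    for d in dirs:
        if not allows(d, uid, gids, ACL_EXECUTE):
            return d
    return None if allows(path, uid, gids, ACL_READ) else path


def check_user(path, username):
    """Convenience wrapper resolving a local account name, e.g. 'ldap'."""
    import pwd, grp
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return first_blocked_component(path, pw.pw_uid, gids)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssl/certs/ldap.pem"
    blocked = check_user(target, sys.argv[2] if len(sys.argv) > 2 else "ldap")
    print("reachable" if blocked is None else "blocked at: " + blocked)
```

Run it as root with the certificate path and the service account; a result such as "blocked at: /root/certs" points at the directory that needs search permission (or the certificate needs moving, as above), while "blocked at: /etc/ssl/certs/ldap.pem" means the file itself still lacks a read entry for that user.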

Hrmmm…

On mine, when I enable TLS in LDAP (using YaST, 11.3) I get a dialog box saying that the LDAP server failed to start. Then it gives me this:

<quote>YaST got signal 11 at YCP file ldap-server/tree_structure.ycp:246
/sbin/yast2: line 399: 8966 Segmentation fault $ybindir/y2base $module "$@" "$SELECTED_GUI" $Y2_GEOMETRY $Y2UI_ARGS</quote>

So far, setting LDAP up without TLS enabled seems to work, except I always get an authentication failure when trying to log in (I have tried the LDAP browser as well as trying to set up other services to use it)…I even rebuilt the LDAP server several times looking for something I missed.