
ldap unable to start in ldaps mode

火星人 @ 2014-03-04 , reply:0


Installation process
centos6.3 x64

Compile and install db4.8
../dist/configure --prefix=/data/db-4.8.30


Compile and install openldap 2.4.31

./configure \
--prefix=/usr/local/openldap-2.4.31A \
--enable-syslog \
--enable-modules \
--enable-overlays=mod \
--with-tls



The contents of slapd.conf are:


include         /usr/local/openldap-2.4.31A/etc/openldap/schema/core.schema
include         /usr/local/openldap-2.4.31A/etc/openldap/schema/cosine.schema
include         /usr/local/openldap-2.4.31A/etc/openldap/schema/nis.schema
include         /usr/local/openldap-2.4.31A/etc/openldap/schema/inetorgperson.schema

loglevel        296
pidfile         /usr/local/openldap-2.4.31A/var/run/slapd.pid
argsfile        /usr/local/openldap-2.4.31A/var/run/slapd.args

access to attrs=loginShell
        by self write
        by * auth

access to *
        by * read

database        bdb
suffix          "dc=testdomain1,dc=com,dc=cn"
rootdn          "cn=admin,dc=testdomain1,dc=com,dc=cn"
rootpw          {SSHA}8MEHz/6gI5jGE6tjoTI4omtuJ2p1bZs9
directory       /data/openldap-dataA

TLSCipherSuite          HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
TLSCertificateFile      /opt/certs/newcert.pem
TLSCertificateKeyFile   /opt/certs/newkey.pem

index           objectClass     eq


The startup command is
/usr/local/openldap-2.4.31A/libexec/slapd

Logging has already been set up to go to syslog; the log file is /var/log/ldap.log


If TLS is not configured, it starts without any problem. Now, once TLS is configured, port 636 is not opened. It behaves exactly as if TLS had never been configured!


My procedure for setting up the keys was:
Install
yum install openssl-perl-0.9.8e-22.el5.x86_64
which provides the CA.pl tool. I used this tool to generate the server's public and private keys.


mkdir -p /opt/certs/
cd /opt/certs/
/etc/pki/tls/misc/CA.pl -newcert
Generating a 1024 bit RSA private key
...++++++
....................++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:========================test
Verifying - Enter PEM pass phrase:============test
Verify failure
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :CN
State or Province Name (full name) :beijing
Locality Name (eg, city) :chaoyang
Organization Name (eg, company) :lc
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:li
Email Address []:yzhkoli@gmail.com
Certificate is in newcert.pem, private key is in newkey.pem

The last line shows that
newcert.pem is the public key
newkey.pem is the private key
Processing the private key
# openssl rsa -in newkey.pem -out newkey.pem
Enter pass phrase for newkey.pem:
writing RSA key


Then I changed slapd.conf to what is shown above.

Then port 636 cannot be started.
《Solution》



http://coctec.com/docs/service/show-post-12554.html
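An added example, not code from the original post: a small Python audit of a slapd.conf fragment together with the slapd command line, covering the failure mode described above (TLS certificate directives present, yet port 636 never opens). It encodes two facts from slapd(8) and slapd.conf(5): slapd only binds ldaps:// when an ldaps:/// URL is passed via -h (the default listener is ldap:/// alone), and TLSCipherSuite selects cipher families rather than pinning the protocol version, which TLSProtocolMin does. The sample config and command line are constructed from the post; the function names are my own.

```python
"""Audit a slapd.conf fragment plus the slapd startup command for the
"TLS configured but ldaps never listens" failure mode.

Added example; not from the original post or the OpenLDAP project.
"""
import shlex

# Constructed sample input, reduced from the slapd.conf and startup command in the post.
SAMPLE_CONF = """\
include  /usr/local/openldap-2.4.31A/etc/openldap/schema/core.schema
loglevel 296
pidfile  /usr/local/openldap-2.4.31A/var/run/slapd.pid

access to attrs=loginShell
        by self write
        by * auth

database bdb
suffix   "dc=testdomain1,dc=com,dc=cn"
TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
TLSCertificateFile /opt/certs/newcert.pem
TLSCertificateKeyFile /opt/certs/newkey.pem
index    objectClass eq
"""
# The post starts slapd with no -h argument at all.
SAMPLE_CMD = "/usr/local/openldap-2.4.31A/libexec/slapd"


def parse_slapd_conf(text):
    """Return (directive, value) pairs. Per slapd.conf(5), '#' lines are comments
    and a line beginning with whitespace continues the previous directive."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and entries:
            directive, value = entries[-1]
            entries[-1] = (directive, (value + " " + raw.strip()).strip())
            continue
        parts = raw.strip().split(None, 1)
        entries.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return entries


def listener_urls(cmd):
    """URLs slapd will bind for a given command line. slapd(8): without -h the
    only listener is ldap:/// (port 389); ldaps:/// (port 636) is never implied
    by TLS directives in the config file."""
    args = shlex.split(cmd)
    for i, arg in enumerate(args):
        if arg == "-h" and i + 1 < len(args):
            return args[i + 1].split()
    return ["ldap:///"]


def with_ldaps_listener(cmd):
    """Return the command line with an ldaps:/// listener added if missing."""
    urls = listener_urls(cmd)
    if any(u.startswith("ldaps://") for u in urls):
        return cmd
    args = shlex.split(cmd)
    if "-h" in args and args.index("-h") + 1 < len(args):
        args[args.index("-h") + 1] = " ".join(urls + ["ldaps:///"])
    else:
        args += ["-h", " ".join(urls + ["ldaps:///"])]
    return " ".join(shlex.quote(a) for a in args)


def audit(conf_text, cmd):
    """Return a list of finding tags for the config/command pair."""
    conf = dict(parse_slapd_conf(conf_text))  # last value wins; fine for TLS* directives
    findings = []
    has_cert = "tlscertificatefile" in conf and "tlscertificatekeyfile" in conf
    if not has_cert:
        findings.append("tls_certificate_missing")
    elif not any(u.startswith("ldaps://") for u in listener_urls(cmd)):
        # Exactly the symptom in the post: certificate loaded, port 636 closed.
        findings.append("ldaps_listener_missing")
    # A cipher string such as "+SSLv3" selects cipher families; the protocol
    # floor is set by TLSProtocolMin (slapd.conf(5)), absent from the sample.
    if has_cert and "tlsprotocolmin" not in conf:
        findings.append("tlsprotocolmin_missing")
    return findings


if __name__ == "__main__":
    print("findings:", audit(SAMPLE_CONF, SAMPLE_CMD))
    fixed = with_ldaps_listener(SAMPLE_CMD)
    print("start with:", fixed)
    print("findings after fix:", audit(SAMPLE_CONF, fixed))
```

Running it against the post's input reports ldaps_listener_missing and prints the corrected start command, `/usr/local/openldap-2.4.31A/libexec/slapd -h 'ldap:/// ldaps:///'`; after that change only the TLSProtocolMin finding remains. A separate point the script cannot check offline is the key file itself: slapd has no way to prompt for a pass phrase, which is why the post strips it with `openssl rsa`, so the resulting unencrypted newkey.pem should be readable only by the user slapd runs as.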