# openldap issues

## spyder

I followed the guide to installing ldap and I am getting this error.....

can anyone give me a hand??

```
enterprise openldap # /etc/init.d/slapd start
 * Starting ldap-server...                                                                                       [ !! ]
enterprise openldap # tail -f /var/log/messages
Jan 24 17:27:25 enterprise slapd[6594]: main: TLS init def ctx failed: 0
Jan 24 17:27:25 enterprise slapd[6594]: slapd stopped.
Jan 24 17:27:25 enterprise slapd[6594]: connections_destroy: nothing to destroy.
```

ldap.conf

```
BASE    dc=sitename, dc=org
URI     ldaps://server.sitename.org:636
TLS_REQCERT  allow
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
```

slapd.conf

```
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include		/etc/openldap/schema/core.schema
# Include the needed data schemes
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
# Use crypt to hash the passwords
password-hash {crypt}
# Define SSL and TLS properties (optional)
TLSCertificateFile /etc/ssl/ldap.pem
TLSCertificateKeyFile /etc/ssl/ldap.pem
TLSCACertificateFile /etc/ssl/ldap.pem
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral	ldap://root.openldap.org
pidfile		/var/run/openldap/slapd.pid
argsfile	/var/run/openldap/slapd.args
# Load dynamic backend modules:
# modulepath	/usr/lib/openldap/openldap
# moduleload	back_ldap.la
# moduleload	back_ldbm.la
# moduleload	back_passwd.la
# moduleload	back_shell.la
#
# Sample Access Control
#	Allow read access of root DSE
#	Allow self write access
#	Allow authenticated users read access
#	Allow anonymous users to authenticate
#
#access to dn="" by * read
#access to *
#	by self write
#	by users read
#	by anonymous auth
#
# if no access controls are present, the default is:
#	Allow read by all
#
# rootdn can always write!
#######################################################################
# ldbm database definitions
#######################################################################
database	ldbm
suffix		"dc=sitename,dc=org"
rootdn		"cn=Manager,dc=sitename,dc=org"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw		{MD5}BaZxxmrv6hJMwIt26m0wuw==
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory	/var/lib/openldap-ldbm
# Indices to maintain
index	objectClass	eq
```

## spyder

```
# Define SSL and TLS properties (optional)
TLSCertificateFile /etc/ssl/ldap.pem
TLSCertificateKeyFile /etc/ssl/ldap.pem
TLSCACertificateFile /etc/ssl/ldap.pem
```

I changed this part; I noticed I had typed it wrong. It is now:

```
# Define SSL and TLS properties (optional)
TLSCertificateFile /etc/ssl/ldap.pem
TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem
TLSCACertificateFile /etc/ssl/ldap.pem
```

The server starts now.... but I still cannot connect to it.

```
enterprise openldap # ldapsearch -D "cn=Manager,dc=sitename,dc=org" -W
Enter LDAP Password:
ldap_bind: Can't contact LDAP server
```

----------

## dreamer

try to remove cn=Manager from your command

----------

## spyder

```
enterprise etc # ldapsearch -D "dc=sitename,dc=org" -W
Enter LDAP Password:
ldap_bind: Can't contact LDAP server
```

----------

## dreamer

My friend had the same problems a couple of days ago. I helped him fix it, but I can't remember how.

He wrote a minihowto, maybe it'll help you.

If it doesn't, let me know.

----------

## spyder

That doesn't help with the problem I am having...

Anyone else have any ideas?

----------

## Chris W

Was it working before you started playing with SSL/TLS?

----------

## spyder

It never worked.. I followed the steps in the howto guide... and it didn't work.

http://www.gentoo.org/doc/en/ldap-howto.xml

----------

## Chris W

*spyder wrote:*

> ______
> 
> ldap.conf
> 
> ---------
> ...

Are you missing a trailing slash from the URI (per the guide) or has the forum removed it?

Have you edited /etc/conf.d/slapd to reflect the options in Code listing 2.5?  Have you restarted the server since?  

Is the server listening on port 636? 

```
# netstat -pan --inet | grep LISTEN
```

----------

## spyder

what trailing slash?

```
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      13475/slapd
```

/etc/conf.d/slapd

```
# conf.d file for the openldap-2.1 series
#
# To enable both the standard unciphered server and the ssl encrypted
# one uncomment this line or set any other server starting options
# you may desire.
#
# OPTS="-h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
OPTS="-h 'ldaps:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
```

----------

## spyder

Anyone... I added sasl to my make.conf..

and the configure didn't fail, but it said something about not working with sasl.

I have cyrus-sasl 2.x.x installed.... I was trying to install the 1.x.x series but the ebuild doesn't work....

Could all this be causing the problems mentioned?

----------

## Chris W

*spyder wrote:*

> what trailing slash?

Code listing 2.3 in Gentoo Guide to OpenLDAP Authentication shows a trailing slash on the URI.  The content of your file, posted here, doesn't show the slash.  It might be the forum software auto-mangling the URI, or you might not have the trailing slash in your file.

----------

## waverider202

First, start the server, and run ps and netstat to verify that the server is actually running.  If it's not, then something is wrong with slapd.conf.  Run 'slapd -d 256' to see a better error message of why the server doesn't start.  Next, when running ldapsearch, make sure you specify a -H ldap://localhost.  If that works, then your ldap.conf is wrong.  Also, specify a -x with ldapsearch.  The default search mechanism is usually SASL.  -x makes a simple bind.

----------

## spyder

It is running..

```
enterprise root # ldapsearch -H ldap://localhost -x -D "cn=admin,dc=sitename,dc=org" -W
Enter LDAP Password:
ldap_bind: Can't contact LDAP server
enterprise root #
```

----------

## mariourk

It seems that the LDAP server can't be connected to.

Maybe you have a firewall running that blocks everything that comes to localhost? (had that problem with 'portmap' once...)

In my ldap.conf, everything is commented out. Actually, I never edited the file. Maybe you should do the same.

If this isn't the case I recommend that you disable all ssl options and put a plain-text password in your slapd.conf. You can always deal with security later, after you have OpenLDAP working.

----------

## spyder

How do I disable all the ssl in openldap?

And I am not running a firewall on this box.

----------

## mariourk

ldap.conf

Comment out everything.

ldap.conf

Make it look like this:

```
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
# Include the needed data schemes
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
# Use crypt to hash the passwords
#password-hash {crypt}
# Define SSL and TLS properties (optional)
#TLSCertificateFile /etc/ssl/ldap.pem
#TLSCertificateKeyFile /etc/ssl/ldap.pem
#TLSCACertificateFile /etc/ssl/ldap.pem
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules:
# modulepath /usr/lib/openldap/openldap
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
#
# Sample Access Control
# Allow read access of root DSE
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
#
#access to dn="" by * read
#access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default is:
# Allow read by all
#
# rootdn can always write!
#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
suffix "dc=sitename,dc=org"
rootdn "cn=Manager,dc=sitename,dc=org"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory /var/lib/openldap-ldbm
# Indices to maintain
index objectClass eq
```

Note that I commented out several options and changed the root passwd to 'secret' (plain text).

----------

## spyder

still nothing.... i did exactly what you said

----------

## mariourk

Do

```
emerge openldap -vp
```

How is your openldap emerged?

I have it emerged with the following options:

```
[ebuild   R   ] net-nds/openldap-2.0.27-r4  +ssl +tcpd +readline -ipv6 -berkdb +gdbm -kerberos -odbc
```

----------

## waverider202

If it says it can't be connected, that sounds like either a firewall issue or it's not running.  If your database environment is not set correctly, openldap will start, gentoo will say it's running, then slapd will stop, and gentoo's init script system, which is not stateful, will have issues with it.

----------

## spyder

No firewall...

It's running....

```
ldap      9137  0.0  1.9  8304 2432 ?        S    Jan26   0:00 /usr/lib/openldap/slapd -u ldap -g ldap -h ldaps:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.soc
ldap     12542  0.0  1.9  8304 2432 ?        S    Jan26   0:00 /usr/lib/openldap/slapd -u ldap -g ldap -h ldaps:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.soc
ldap     25811  0.0  1.9  8304 2432 ?        S    Jan26   0:00 /usr/lib/openldap/slapd -u ldap -g ldap -h ldaps:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.soc
```

But I can't connect.

----------

## spyder

*mariourk wrote:*

> Do
> 
> ```
> 
> emerge openldap -vp
> ...

This is mine:

```
enterprise root # emerge openldap -vp
These are the packages that I would merge, in order:
Calculating dependencies ...done!
[ebuild   R   ] net-nds/openldap-2.0.27-r4  +ssl +tcpd +readline -ipv6 +berkdb +gdbm -kerberos -odbc
```

----------

## spyder

Do I have to build it with sasl... or emerge sasl... I tried, and sasl 1.x doesn't build (it gets errors) and 2.x doesn't seem to be compatible.

----------

## spyder

anyone?

----------

## fazer-ekky

IMHO you have to compile openldap with sasl (USE flag); also you have to emerge the cyrus-sasl-2.x package. The Gentoo Ldap-Authent.HOWTO seems not to be complete. See the Authentication section in the LDAP-Howto,

and Section 10 in the LDAP-Administration-Guide. It has something to do with the sasl user database (saslpasswd2). But until now it's not so clear to me what to do. Must study some howtos.

----------

## flowctrl

*spyder wrote:*

> no firewall... 
> 
> it's running....
> 
> ldap      9137  0.0  1.9  8304 2432 ?        S    Jan26   0:00 /usr/lib/openldap/slapd -u ldap -g ldap -h ldaps:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.soc
> ...

By starting with "ldap -h ldaps://" (should be three '/'s, btw), you are specifying to listen only on the ldaps port, 636.  Use "-h ldap:///" in your slapd startup command.  Then you should be able to connect to the normal ldap port 389, and be able to do in-the-clear binds, or StartTLS instead of ldaps. i.e., for the former:

```
ldapsearch -v -x -D "cn=Manager,dc=mydomain,dc=ca" -W *
```

Also, be aware that there are two ldap.conf files, /etc/ldap.conf for pam_ldap and nss_ldap, and /etc/openldap/ldap.conf for slapd.  If you want to connect with StartTLS, then your /etc/openldap/ldap.conf file should have a TLS_CACERT line in it.  Try using "TLS_REQCERT never" until you have it working properly, or better yet, get it working properly without any SSL first.

Here is an example /etc/openldap/ldap.conf:

```
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE    dc=mydomain,dc=ca
HOST    127.0.0.1
URI     ldap://127.0.0.1:389
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
TLS_REQCERT never
TLS_CACERT /etc/ssl/certs/cacert.pem
```
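The listener/client mismatch described in this thread (slapd started with `-h 'ldaps:// ldapi://...'` only, while ldapsearch goes to `ldap://localhost` on 389) and the TLS_REQCERT caveat can be checked mechanically before touching the server. The script below is an added example, not code from this thread or from the OpenLDAP project; it parses a conf.d/slapd OPTS line and an ldap.conf text, with sample inputs constructed from the values quoted above, and assumes the standard ports 389/636 and libldap's default TLS_REQCERT of demand.

```python
import re
import shlex
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
WEAK_REQCERT = {"never", "allow"}   # libldap accepts a bad or missing server cert

# Constructed inputs, copied from the values quoted earlier in this thread.
OPTS_LDAPS_ONLY = "OPTS=\"-h 'ldaps:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'\""
OPTS_BOTH = "OPTS=\"-h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'\""
LDAP_CONF_ALLOW = "BASE    dc=sitename, dc=org\nURI     ldaps://server.sitename.org:636\nTLS_REQCERT  allow\n"
LDAP_CONF_PLAIN = "BASE    dc=mydomain,dc=ca\nURI     ldap://127.0.0.1:389\nTLS_REQCERT demand\nTLS_CACERT /etc/ssl/certs/cacert.pem\n"


def listener_urls(opts_line):
    """URLs slapd listens on, from the -h inside OPTS="..." in conf.d/slapd.
    Without -h slapd uses its own default, ldap:/// (port 389 only)."""
    m = re.search(r'OPTS="(.*)"', opts_line.strip())
    if not m:
        raise ValueError('no OPTS="..." assignment found')
    args = shlex.split(m.group(1))          # strips the inner single quotes
    return args[args.index("-h") + 1].split() if "-h" in args else ["ldap:///"]


def endpoint(url):
    """(scheme, port) for ldap/ldaps, so 'ldaps://' and 'ldaps:///' compare
    equal; ('ldapi', socket path) for ldapi."""
    p = urlsplit(url)
    if p.scheme == "ldapi":
        return ("ldapi", p.netloc or p.path)
    if p.scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported URL scheme in %r" % url)
    return (p.scheme, p.port or DEFAULT_PORTS[p.scheme])


def parse_ldap_conf(text):
    """(URI list, TLS_REQCERT) from ldap.conf; keys are case-insensitive and
    libldap's TLS_REQCERT default is demand."""
    uris, reqcert = [], "demand"
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].upper(), parts[1].strip()
        if key == "URI":
            uris.extend(value.split())
        elif key == "TLS_REQCERT":
            reqcert = value.lower()
    return uris, reqcert


def check(opts_line, ldap_conf, cmdline_uri=None):
    """Findings for one client against one server; a -H URI on the ldapsearch
    command line overrides the URI lines in ldap.conf."""
    served = {endpoint(u) for u in listener_urls(opts_line)}
    uris, reqcert = parse_ldap_conf(ldap_conf)
    findings = []
    for uri in ([cmdline_uri] if cmdline_uri else uris):
        if endpoint(uri) not in served:
            have = ", ".join("%s:%s" % e for e in sorted(served, key=str))
            findings.append("%s: no matching listener (slapd serves %s)" % (uri, have))
    if reqcert in WEAK_REQCERT:
        findings.append("TLS_REQCERT %s: server certificate is not verified, "
                        "set demand once the CA file is in place" % reqcert)
    return findings


if __name__ == "__main__":
    # spyder's setup: ldaps-only listener, ldapsearch -H ldap://localhost, TLS_REQCERT allow
    for f in check(OPTS_LDAPS_ONLY, LDAP_CONF_ALLOW, "ldap://localhost"):
        print("FAIL:", f)
    print("fixed:", check(OPTS_BOTH, LDAP_CONF_PLAIN) or "ok")
```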

----------

## kitana_ann

I am having the exact same problem that Spyder is having. But this thread did not help me much at all. I still get the problem where it says

```
ldap_bind:Can't contact LDAP server
```

I have followed everybody's advice in here but still don't get any good result.

Anyone who can help further?

Thanks for any reply

----------

## Diezel

I'm having the same problem

```
main: TLS init def ctx failed: -1
```

The server worked just fine until I tried the Gentoo LDAP howto. What I need to know is how to undo the SSL part?

----------

## flipy

(just to keep the thread on the recent list)

The same problem here!

btw, I followed the gentoo ldap how-to, without success.

I've to say that I've enabled SASL and SSL in the USE flags, and I had ldap working before.

After following the how-to I've got:

```
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
```

Before I was using this how-to I've found in the wiki page: http://gentoo-wiki.com/HOWTO_LDAP_SAMBA_PDC_Security_Upgrade

And what I've got was

```
main: TLS init def ctx failed: -1
```

in the syslog.

My goal is to have everything under the server with SASL and SSL (postfix, courier-imap, apache, ldap, ...).

Can I use a default certificate for the whole server?

Any advice?

Thank you in advance!!!

/etc/openldap/slapd.conf

```
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema
include         /etc/openldap/schema/qmail.schema
include         /etc/openldap/schema/openldap.schema
#include                /etc/openldap/schema/authldap.schema
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
#loglevel 256
TLSCertificateFile /etc/ssl/ldap.pem
TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem
TLSCACertificateFile /etc/ssl/ldap.pem
### ou=DSA Permissions ###
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by self write
        by anonymous auth
        by dn="cn=administrador,o=esci,c=es" write
        by dn="uid=root,ou=users,o=esci,c=es" write
        by * none
access to attrs=accountStatus
        by dn="cn=administrador,o=esci,c=es" write
        by dn="uid=root,ou=users,o=esci,c=es" read
        by * none
access to *
        by dn="cn=administrador,o=esci,c=es" write
        by dn="uid=root,ou=users,o=esci,c=es" read
        by users read
        by self write
        by * read
#######################################################################
# BDB database definitions
#######################################################################
database        ldbm
suffix          "o=esci,c=es"
rootdn          "cn=Administrador,o=esci,c=es"
checkpoint      32      30 # <kbyte> <min>
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/openldap-data
# Indices to maintain
index    sambaSID,sambaPrimaryGroupSID,sambaDomainName    eq
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname   eq,subinitial
sizelimit 3000
```

/etc/openldap/ldap.conf

```
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#HOST   127.0.0.1
BASE    o=esci,c=es
URI     ldaps://test.esci.es:636
TLS_REQCERT allow
#BASE   dc=example, dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
SIZELIMIT       3000
#TIMELIMIT      15
#DEREF          never
TLS_CACERT /etc/ssl/ldap.pem
```

/etc/ldap.conf

```
# @(#)$Id: ldap.conf,v 2.45 2006/01/13 16:15:34 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#
host 127.0.0.1
base o=esci,c=es
ldap_version 3
#rootbinddn cn=nssldap,ou=DSA,o=esci,c=es
#scope sub
scope one
#scope base
pam_password exop
nss_base_passwd ou=Users,o=esci,c=es?one
nss_base_passwd ou=Computers,o=esci,c=es?one
nss_base_shadow ou=Users,o=esci,c=es?one
nss_base_group  ou=Group,o=esci,c=es?one
ssl no
nss_reconnect_tries 2
# Debug
#debug 255
#logdir /var/log/nss_ldap
```

/etc/conf.d/slapd

```
# conf.d file for openldap
#
# To enable both the standard unciphered server and the ssl encrypted
# one uncomment this line or set any other server starting options
# you may desire.
#
OPTS="-h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
# Uncomment the below to use the new slapd configuration for openldap 2.3
#OPTS="-f /etc/openldap/slapd.conf -F /etc/openldap/sldap.d -h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock' -d 255"
```

----------

## icecube

Openldap is compiled with tcpwrappers by default. Ensure your /etc/hosts.allow looks something like this:

```
ALL: 127.0.0.1
sshd: 192.168.7.
sshd: 172.16.129.
sshd: 55.124.4.
syslog-ng: 192.168.7.
slapd: 192.168.7.
# Dynamic DNS hosts.
sshd:   68.114.44.31
sshd:   12.77.45.131
```

Note the slapd line. Even if you say all for 127.0.0.1 and you are on the same box when executing queries, tcpwrappers will not allow you to connect if the host does not resolve to 127.0.0.1 which it probably doesn't because you want to offer the service outside of the local machine.

I have gotten past that problem but am still having startup problems. I have followed the guide. I also followed the openssl instructions on creating certs with CA.pl. Using CA.pl slapd errors out on start with

```
main: TLS init def ctx failed: -1
```

Using the method from http://www.gentoo.org/doc/en/ldap-howto.xml allowed slapd to start, but attempting the query, I end up with the following error:

```
TLS certificate verification: Error, self signed certificate
tls_write: want=7, written=7
  0000:  15 03 01 00 02 02 30                               ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
```

Any assistance would be greatly appreciated. I know someone has to have this working with SSL.

TIA

----------

## icecube

First, follow this guide and most everything will be setup correctly. 

http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.0  (credit for this link goes to another poster - thanks!!!!)

It is a little dated as some things in the ldap.conf file are deprecated (they still work though). I will post all of my files below. The most important thing is following the guide above to create the keys. The next most important thing is to change the owner and group for the keys. Using the guide above I could get slapd to start without incident and I happened to be root. But if you look at /etc/init.d/slapd, it shows slapd started as ldap:ldap.

If you start it as root from the command line like this:

```
/usr/lib64/openldap/slapd -d255 -u ldap -g ldap -h "ldaps:///"
```

and your results end like this:

```
TLS: could not use key file `/etc/openldap/ssl/serverkey.pem'.
TLS: error:0200100D:system library:fopen:Permission denied bss_file.c:352
TLS: error:20074002:BIO routines:FILE_CTRL:system lib bss_file.c:354
TLS: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib ssl_rsa.c:648
main: TLS init def ctx failed: -1
slapd destroy: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.
```

then you can see that there is a permission problem. Once I fixed the permissions on the file, all was well. That was two days of work so I figured I would save others my agony by posting my results. Also read my post above and make sure you have the appropriate settings in your /etc/hosts.allow file.

My configs are below. If you are using BDB, you will probably want to have a DB_CONFIG file as noted below. Otherwise when you start, your logs will show a complaint about possible slow performance. I just used the default in the /var/lib/openldap-data/ directory. 

Happy ldapping.

```
cayman openldap # ls -al ssl
total 16
drwxr-xr-x 2 root root  176 May  8 13:32 .
drwxr-xr-x 4 root root  280 May  8 12:50 ..
-rw-r--r-- 1 root root 3312 May  8 13:43 cacert.pem
-rwxr-xr-x 1 root root 3505 Dec 15 01:06 gencert.sh
-rw-r--r-- 1 root root 3273 May  8 13:44 servercrt.pem
-rw------- 1 ldap ldap 1612 May  8 13:45 serverkey.pem
```

```
cayman openldap # cat /etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/openldap.schema
# Use md5 to hash the passwords
#password-hash {md5}
# Define SSL and TLS properties (optional)
TLSCipherSuite          HIGH:MEDIUM:+SSLv2
TLSCertificateFile      /etc/openldap/ssl/servercrt.pem
TLSCertificateKeyFile   /etc/openldap/ssl/serverkey.pem
TLSCACertificateFile    /etc/openldap/ssl/cacert.pem
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
# Load dynamic backend modules:
# modulepath    /usr/lib64/openldap/openldap
# moduleload    back_bdb.la
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la
# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
access to *
        by self write
        by users read
        by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
database        bdb
suffix          "dc=your-domain,dc=your-suffix"
rootdn          "cn=Manager,dc=your-domain,dc=your-suffix"
checkpoint      32      30 # <kbyte> <min>
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/openldap-data
# Indices to maintain
index           objectClass     eq
```

```
cayman openldap # cat ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE            dc=your-domain, dc=your-suffix
URI             ldaps://your-host.your-domain.your-suffix:636/
TLS_REQUEST     demand
TLS_CACERT      /etc/openldap/ssl/cacert.pem
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
```

```
cayman openldap # cat /var/lib/openldap-data/DB_CONFIG
# $OpenLDAP: pkg/ldap/servers/slapd/DB_CONFIG,v 1.1.2.3 2006/08/17 17:36:19 kurt Exp $
# Example DB_CONFIG file for use with slapd(8) BDB/HDB databases.
#
# See Sleepycat Berkeley DB documentation
#   <http://www.sleepycat.com/docs/ref/env/db_config.html>
# for detail description of DB_CONFIG syntax and semantics.
#
# Hints can also be found in the OpenLDAP Software FAQ
#       <http://www.openldap.org/faq/index.cgi?file=2>
# in particular:
#   <http://www.openldap.org/faq/index.cgi?file=1075>
# Note: most DB_CONFIG settings will take effect only upon rebuilding
# the DB environment.
# one 0.25 GB cache
set_cachesize 0 268435456 1
# Data Directory
#set_data_dir db
# Transaction Log settings
set_lg_regionmax 262144
set_lg_bsize 2097152
#set_lg_dir logs
# Note: special DB_CONFIG flags are no longer needed for "quick"
# slapadd(8) or slapindex(8) access (see their -q option).
```
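
The key-file ownership problem described in this post (slapd started as ldap:ldap cannot open a key still owned by root, and a key readable by group or other is exposed to every local account) is easy to check before restarting the server. This is an added example, not code from this thread or from OpenLDAP; `check_key_file()` takes a key path and the user slapd runs as (the `-u` value, `ldap` in the init script), and `demo()` works on a constructed placeholder file in a temporary directory rather than on /etc/openldap/ssl.

```python
import os
import pwd
import stat
import tempfile


def check_key_file(path, run_as_user):
    """Findings for a TLS private key that slapd, running as run_as_user,
    must open: a different owner gives the fopen 'Permission denied' shown
    above, and any group/other permission bits hand the key to every local
    account on the box."""
    st = os.stat(path)
    owner = pwd.getpwuid(st.st_uid).pw_name
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if owner != run_as_user:
        findings.append("%s is owned by %s but slapd runs as %s"
                        % (path, owner, run_as_user))
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("%s has mode %04o; a private key should be 0600"
                        % (path, mode))
    if not mode & stat.S_IRUSR:
        findings.append("%s is not readable by its owner" % path)
    return findings


def demo():
    """Constructed run: a key created with mode 0644, checked against the
    current user and against a hypothetical other user, then fixed to 0600."""
    me = pwd.getpwuid(os.getuid()).pw_name
    with tempfile.TemporaryDirectory() as d:
        key = os.path.join(d, "serverkey.pem")
        with open(key, "w") as f:          # placeholder content, not a real key
            f.write("-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----\n")
        os.chmod(key, 0o644)
        world_readable = check_key_file(key, me)
        wrong_owner = check_key_file(key, me + "-other")   # hypothetical user
        os.chmod(key, 0o600)
        fixed = check_key_file(key, me)
    return world_readable, wrong_owner, fixed


if __name__ == "__main__":
    for label, result in zip(("0644", "wrong owner", "0600"), demo()):
        print(label, "->", result or "ok")
```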

----------

