# OpenLDAP configuration error

## johnny_martins00

I'm following this LDAP howto, but when I get to the "Import the LDIF files into the database" step I get the following error...

```
localhost migrationtools # ldapadd -x -D "cn=Manager,dc=example,dc=com" \
>      -W -f /etc/openldap/example.com.ldif
Enter LDAP Password:
ldapadd: attributeDescription "dn": (possible missing newline after line 6 of entry "dc=example,dc=com"?)
adding new entry "dc=example,dc=com"
ldap_add: Type or value exists (20)
        additional info: objectClass: value #1 provided more than once
```

Here is my example.conf.ldif file:

```
dn: dc=example,dc=com
dc: example
description: Root LDAP entry for example.com
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject

dn: ou=People, dc=example,dc=com
ou: People
description: All people in organisation
objectClass: organizationalUnit
```

Does anybody know where I did something wrong?

Thk
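An added example, not from the thread or any of its posters: a small lint that reads an LDIF file the way ldapadd does. The two messages above fit together: ldapadd ends an entry only at a completely empty line, and a line that starts with a space continues the previous line, so when the line between two entries holds whitespace the second `dn:` is read as an attribute of the first entry (the "missing newline after line 6" warning) and its `objectClass: organizationalUnit` becomes value #1 provided twice. The sample LDIF below is constructed that way from the first post; the lint also checks the MUST attributes of the object classes used in this thread.

```python
# Lint an LDIF file for the conditions behind the ldapadd errors in this thread.

# MUST attributes of the object classes used in this thread (from core.schema).
REQUIRED_BY_CLASS = {
    "dcobject": ("dc",),
    "organization": ("o",),
    "organizationalunit": ("ou",),
    "country": ("c",),
}


def split_records(text):
    """Group LDIF lines into records as ldapadd does.

    Only a completely empty line ends a record.  A line that begins with a
    space is a continuation of the previous line, so a "separator" that holds
    a single space does not end the entry: the following 'dn:' line lands
    inside the previous entry, which is exactly what ldapadd complains about.
    Returns (records, findings); each record is a list of (lineno, attr, value).
    """
    records, current, findings = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw == "":
            if current:
                records.append(current)
                current = []
            continue
        if raw.startswith(" "):
            if raw.strip() == "":
                findings.append((lineno, "separator line contains whitespace; "
                                         "ldapadd folds it into the previous line"))
            elif current:
                ln, attr, value = current[-1]
                current[-1] = (ln, attr, value + raw[1:])
            continue
        if raw.startswith("#"):
            continue
        attr, _, value = raw.partition(":")
        current.append((lineno, attr.strip(), value.strip()))
    if current:
        records.append(current)
    return records, findings


def lint_ldif(text):
    """Return a list of (lineno, message); an empty list means the file is clean."""
    records, findings = split_records(text)
    for rec in records:
        first_ln, first_attr, _ = rec[0]
        if first_attr.lower() != "dn":
            findings.append((first_ln, f"record starts with '{first_attr}:' instead of 'dn:'"))
        seen = {}
        for ln, attr, value in rec[1:]:
            key = (attr.lower(), value.lower())
            if key[0] == "dn":
                findings.append((ln, "'dn' inside an entry: the line before it is not empty"))
                continue
            if key in seen:
                findings.append((ln, f"{attr}: value '{value}' provided more than once "
                                     f"(first at line {seen[key]})"))
            else:
                seen[key] = ln
        present = {attr.lower() for _, attr, _ in rec}
        for _, attr, value in rec:
            if attr.lower() == "objectclass":
                for must in REQUIRED_BY_CLASS.get(value.lower(), ()):
                    if must not in present:
                        findings.append((first_ln, f"objectClass {value} requires attribute '{must}'"))
    return findings


# Constructed sample: the two entries from the first post, joined by a line
# that contains one space instead of being empty.
ENTRIES = [
    "dn: dc=example,dc=com",
    "dc: example",
    "description: Root LDAP entry for example.com",
    "objectClass: dcObject",
    "objectClass: organizationalUnit",
    "ou: rootobject",
    " ",  # the bad separator: one space, not an empty line
    "dn: ou=People, dc=example,dc=com",
    "ou: People",
    "description: All people in organisation",
    "objectClass: organizationalUnit",
]
BROKEN = "\n".join(ENTRIES) + "\n"
FIXED = "\n".join("" if line == " " else line for line in ENTRIES) + "\n"

if __name__ == "__main__":
    for ln, msg in lint_ldif(BROKEN):
        print(f"line {ln}: {msg}")
    print("fixed file:", lint_ldif(FIXED) or "clean")
```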

----------

## vad3r

I think your ldif should look like this:

```
n: dc=example,dc=com
description: Root LDAP entry for example.com
objectClass: dcObject
objectClass: organization
o: rootobject
dc: example

dn: ou=People, dc=example,dc=com
description: All people in organisation
objectClass: organizationalUnit
ou: People
```

----------

## johnny_martins00

Thanks for the reply, but it didn't work out...

```
dn: dc=example,dc=com
dc: example
description: Root LDAP entry for example.com
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject

dn: ou=People, dc=example,dc=com
ou: People
description: All people in organisation
objectClass: organizationalUnit
```

----------

## vad3r

Have you realized that I made changes to your LDIF apart from sorting it differently? Please try using exactly the LDIF I posted here.

----------

## johnny_martins00

Sorry, but I thought you had forgotten something in your ldif file: the cn and the ou field instead of n: and o:.

I did that, but ...

```
localhost migrationtools # ldapadd -x -D "cn=Manager,dc=example,dc=com"      -W -f /etc/openldap/example.com.ldif
Enter LDAP Password:
adding new entry "ou=People, dc=example,dc=com"
ldap_add: No such object (32)
```

My ldif file is like you said:

```
n: dc=example,dc=com
description: Root LDAP entry for example.com
objectClass: dcObject
objectClass: organization
o: rootobject
dc: example

dn: ou=People, dc=example,dc=com
description: All people in organisation
objectClass: organizationalUnit
ou: People
```

----------

## johnny_martins00

Sorry, but I think I already did s***...

/etc/openldap/example.com.ldif

```
dn: dc=example,dc=com
dc: example
description: Root LDAP entry for example.com
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject

dn: ou=People, dc=example,dc=com
ou: People
description: All people in organisation
objectClass: organizationalUnit
```

Here is my /etc/openldap/slapd.conf:

```
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

#######################################################################
# BDB database definitions
#######################################################################

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          {SSHA}PvJXWnFJdA2MxnOLtJOLsRqxA+orrmYQ
directory       /var/lib/openldap-data/example.com
```

And now when I try `ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f /etc/openldap/example.com.ldif` I get the error:

```
Enter LDAP Password:
ldapadd: attributeDescription "dn": (possible missing newline after line 6 of entry "dc=example,dc=com"?)
adding new entry "dc=example,dc=com"
ldap_add: Type or value exists (20)
        additional info: objectClass: value #1 provided more than once
```

What am I doing wrong? Where did I put something wrong?

Thk

----------

## johnny_martins00

Can anyone give me a hand with this?

----------

## marens

1. Set

```
loglevel 256
```

and add

```
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/openldap.schema
```

(don't really know if the additional schemata are needed ... just try it) in your /etc/openldap/slapd.conf and restart your ldap server.

2. View the output of (as user root)

```
slapcat
```

and clean out the ldap db if anything is already stored in it.

3. View the output of

```
tail -f /var/log/messages
```

when you try to import the ldif data, so you get more details of what is happening.

Use this ldif data, like vad3r already said!!

```
dn: dc=example,dc=com
description: Root LDAP entry for example.com
objectClass: dcObject
objectClass: organization
o: rootobject
dc: example

dn: ou=People, dc=example,dc=com
description: All people in organisation
objectClass: organizationalUnit
ou: People
```

4. net-nds/phpldapadmin can be a help, too

----------

## johnny_martins00

*Quote:*

> 2. View the output of (as user root)
>
> slapcat
> ...

How can I clean the db? When I try slapcat it gives a lot of things; I think it's the db data.

----------

## vad3r

Throw away the contents of your ldap data directory. After that the DB will be clear.

----------

## johnny_martins00

I don't know if you have already seen the OpenLDAP gentoo-wiki howto. I already unmerged everything I had from openldap and I'm trying to start a new server configuration, but I don't know if that howto is worth it. Can you tell me if it's a good howto, since you have more experience with LDAP?

Thk, Regards

----------

## vad3r

All I can say to you is the following:

- Emerge openldap
- Keep everything as it is and start with a small setup
- Create a ldif with just the root object and maybe a small o or ou

Here's my root object from my ldap. Please test it out:

```
dn: dc=mycomp,dc=com
# dc is a MUST attribute of dcObject
dc: mycomp
o: My Company
objectClass: dcObject
objectClass: organization

dn: c=de,dc=mycomp,dc=com
c: de
description: Germany
objectClass: country

dn: c=ch,dc=mycomp,dc=com
c: ch
objectClass: country
```

----------

## johnny_martins00

OK, but I'm going very slowly, step by step.

I've noticed that to use TLS I need 2 certs: one for the CA and one certificate signed by the CA. The howto I'm following uses a self-signed certificate, and I wanted a certificate signed by the CA. I know how to create the CA and sign a cert with that CA, but if I change the TLS directories in slapd.conf, the ldap server gives me an error when I try to restart it, and I don't understand why. So does it only allow self-signed certs? Or can I do it the way I want?

Thk, Regards

----------

## vad3r

You will need 3 things to use TLS:

1. The CA Certificate (or the Chain if you use more than one CA)

2. The Certificate for the Server

3. The Key for the Server

Please post your slapd.conf and a "ls" inside your certificate directory.

----------

## johnny_martins00

My slapd.conf:

```
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

# Use sha1 to hash the passwords
password-hash {md5}

# Define SSL and TLS properties (optional)
#TLSCertificateFile /etc/ssl/ldap.pem
#TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem
#TLSCACertificateFile /etc/ssl/ldap.pem
TLSCACertificateFile /etc/ssl/demoCA/cacert.pem
TLSCertificateFile /etc/openldap/ssl/newcert.pem
TLSCertificateKeyFile /etc/ssl/privkey.pem

loglevel 255

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral   ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Load dynamic backend modules:
# modulepath   /usr/lib/openldap/openldap
# moduleload   back_bdb.la
# moduleload   back_ldap.la
# moduleload   back_ldbm.la
# moduleload   back_passwd.la
# moduleload   back_shell.la

# Sample security restrictions
#   Require integrity protection (prevent hijacking)
#   Require 112-bit (3DES or better) encryption for updates
#   Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#   Root DSE: allow anyone to read it
#   Subschema (sub)entry DSE: allow anyone to read it
#   Other DSEs:
#      Allow self write access
#      Allow authenticated users read access
#      Allow anonymous users to authenticate
#   Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#   by self write
#   by users read
#   by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

database        ldbm
suffix          "dc=mydomain,dc=org"
directory       /var/lib/openldap-data/
index           objectClass     eq
rootdn          "cn=root,dc=mydomain,dc=org"
rootpw          {MD5}0PWbqtrdM0nkqbJnS8zq6A==
```

My ls -l of the dirs where the certs are:

CA dir

```
localhost johnny # ls -l /etc/ssl/demoCA/
total 52
-rw-r--r-- 1 root root 3181 Oct  3 18:15 cacert.pem
-rw-r--r-- 1 root root  704 Oct  3 18:15 careq.pem
drwxr-xr-x 2 root root 4096 Oct  3 18:13 certs
drwxr-xr-x 2 root root 4096 Oct  3 18:13 crl
-rw-r--r-- 1 root root    3 Oct  3 18:13 crlnumber
-rw-r--r-- 1 root root  185 Oct  3 18:17 index.txt
-rw-r--r-- 1 root root   20 Oct  3 18:17 index.txt.attr
-rw-r--r-- 1 root root   21 Oct  3 18:15 index.txt.attr.old
-rw-r--r-- 1 root root   88 Oct  3 18:15 index.txt.old
drwxr-xr-x 2 root root 4096 Oct  3 18:17 newcerts
drwxr-xr-x 2 root root 4096 Oct  3 18:13 private
-rw-r--r-- 1 root root   17 Oct  3 18:17 serial
-rw-r--r-- 1 root root   17 Oct  3 18:15 serial.old
```

/etc/openldap/ssl

```
localhost johnny # ls -l /etc/openldap/ssl/
total 12
-rwxr-xr-x 1 root root 3505 Oct  9 17:22 gencert.sh
-rw-r----- 1 ldap ldap  887 Oct  3 18:47 ldap.pem
-rw-r----- 1 ldap ldap  887 Oct  3 19:05 privkey.pem
```

/etc/ssl/

```
localhost johnny # ls -l /etc/ssl/
total 88
lrwxrwxrwx 1 root root   10 Oct  3 18:59 86887720.0 -> cacert.pem
-rwxr-xr-x 1 root root 3583 Sep  5 17:53 CA.sh
-rw-r--r-- 1 root root 3181 Oct  3 18:19 cacert.pem
drwxr-xr-x 2 root root 8192 Sep 19 17:27 certs
lrwxrwxrwx 1 root root   13 Sep  5 18:01 client.pem -> localhost.pem
drwxr-xr-x 6 root root 4096 Oct  3 18:17 demoCA
-rw-r--r-- 1 root root  245 Sep  5 18:02 dh1024.pem
-rw-r--r-- 1 root root 1127 Oct  3 18:47 ldap.pem
-rw-r--r-- 1 root root 4968 Sep  5 18:01 localhost.pem
drwxr-xr-x 2 root root 4096 Sep 11 18:29 misc
drwxr-xr-x 3 root root 4096 Sep  5 18:00 newca
-rw-r--r-- 1 ldap ldap 3095 Oct  3 18:17 newcert.pem
-rw-r--r-- 1 root root  704 Oct  3 18:17 newreq.pem
-rw-r--r-- 1 root root 9374 Sep 25 13:28 openssl.cnf
-rw-r--r-- 1 root root 9374 Sep 11 18:33 openssl.cnf~
drwx------ 2 root root 4096 Sep 11 18:28 private
-rw-r--r-- 1 ldap ldap  887 Oct  3 18:17 privkey.pem
-rw-r--r-- 1 root root 1090 Sep  5 17:54 root.pem
lrwxrwxrwx 1 root root   13 Sep  5 18:01 server.pem -> localhost.pem
```

Hope it helps, thanks

Regards
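An added check, not from the thread or from OpenLDAP itself: it resolves the three TLS file directives vad3r listed (CA certificate, server certificate, server key) from a slapd.conf against the filesystem, reports files that are missing or unreadable by the user slapd runs as, flags a private key readable by everyone, and, when the openssl CLI is present, verifies that the certificate chains to the CA and matches the key. Run against the config and listings above it reports the TLSCertificateFile path /etc/openldap/ssl/newcert.pem, which does not appear in the /etc/openldap/ssl listing, and the mode 644 on /etc/ssl/privkey.pem. The scratch directory in `demo()` is constructed to mirror that layout.

```python
# Cross-check the TLS* directives of a slapd.conf against the files on disk.
import os
import shutil
import stat
import subprocess
import tempfile

TLS_DIRECTIVES = ("TLSCACertificateFile", "TLSCertificateFile", "TLSCertificateKeyFile")


def tls_paths(conf_text):
    """Return {directive: path} for the active TLS file directives in slapd.conf.

    Commented-out lines (like the three '#TLS...' lines in the posted config)
    are skipped; if a directive appears twice the last one wins, as in slapd.
    """
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in TLS_DIRECTIVES:
            found[parts[0]] = parts[1].strip()
    return found


def readable_by(st, uid, gid):
    """Permission-bit check for the uid/gid slapd runs as after dropping root."""
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        return bool(mode & stat.S_IRUSR)
    if st.st_gid == gid:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def check_tls_files(paths, uid, gid):
    """Return a list of (directive, problem) tuples; empty means the three files
    exist, are readable by slapd's user, and the key is not world-readable."""
    problems = []
    for directive in TLS_DIRECTIVES:
        path = paths.get(directive)
        if path is None:
            problems.append((directive, "not set in slapd.conf"))
            continue
        if not os.path.isfile(path):
            problems.append((directive, f"{path} does not exist"))
            continue
        st = os.stat(path)
        if not readable_by(st, uid, gid):
            problems.append((directive, f"{path} is not readable by uid {uid}/gid {gid}"))
        if directive == "TLSCertificateKeyFile" and stat.S_IMODE(st.st_mode) & stat.S_IROTH:
            problems.append((directive, f"{path} is a world-readable private key"))
    return problems


def verify_chain(paths):
    """Check that the server certificate chains to the CA and matches the key.

    Uses the openssl CLI; returns None when openssl is not installed so the
    file checks above can still be used on their own.
    """
    if shutil.which("openssl") is None:
        return None
    ca, crt, key = (paths[d] for d in TLS_DIRECTIVES)
    chain_ok = subprocess.run(["openssl", "verify", "-CAfile", ca, crt],
                              capture_output=True).returncode == 0
    cert_pub = subprocess.run(["openssl", "x509", "-in", crt, "-noout", "-pubkey"],
                              capture_output=True).stdout
    key_pub = subprocess.run(["openssl", "pkey", "-in", key, "-pubout"],
                             capture_output=True).stdout
    return chain_ok and cert_pub != b"" and cert_pub == key_pub


# Constructed sample: the TLS lines of the posted slapd.conf with the paths
# pointed into a scratch directory laid out like the posted listings
# (demoCA/cacert.pem exists, ssl/privkey.pem exists with mode 644, and
# openldap-ssl/ holds no newcert.pem).
SAMPLE_CONF = """\
#TLSCertificateFile {d}/ssl/ldap.pem
TLSCACertificateFile {d}/demoCA/cacert.pem
TLSCertificateFile {d}/openldap-ssl/newcert.pem
TLSCertificateKeyFile {d}/ssl/privkey.pem
"""


def demo():
    d = tempfile.mkdtemp()
    for sub in ("demoCA", "ssl", "openldap-ssl"):
        os.makedirs(f"{d}/{sub}")
    for name in ("demoCA/cacert.pem", "ssl/privkey.pem"):
        with open(f"{d}/{name}", "w") as fh:
            fh.write("placeholder, not real PEM\n")
        os.chmod(f"{d}/{name}", 0o644)
    paths = tls_paths(SAMPLE_CONF.format(d=d))
    return check_tls_files(paths, os.getuid(), os.getgid())


if __name__ == "__main__":
    for directive, problem in demo():
        print(f"{directive}: {problem}")
```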

----------

## marens

Please paste the errors that occur so we may be able to help you.

First try to build a minimalistic LDAP setup like vad3r already told you.

For a quick start use http://www.openldap.org/doc/admin23/quickstart.html

After that minimalistic server is running, have fun with the docs below.

For LDAP with SSL/TLS use (read it carefully ... it helped me a lot)

http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.0

For detailed documentation use

http://www.openldap.org/doc/admin23/

----------

## vad3r

Could you please post the error you get:

- messages

- Return from start

- lines in slapd.log

----------

## johnny_martins00

I only have the messages log; I don't know why I don't have a slapd.log. Hope it helps. I already tried to get something out of this, but ...

```

Oct  9 18:51:31 localhost slapd[7729]: @(#) $OpenLDAP: slapd 2.3.24 (Oct  9 2006 17:19:58) $    johnny@localhost:/var/tmp/portage/openldap-2.3.24-r1/work/openldap-2.3.24/servers/slapd

Oct  9 18:51:31 localhost slapd[7729]: line 32 (pidfile      /var/run/openldap/slapd.pid)

Oct  9 18:51:31 localhost slapd[7729]: line 33 (argsfile   /var/run/openldap/slapd.args)

Oct  9 18:51:31 localhost slapd[7729]: line 83 (database        ldbm)

Oct  9 18:51:31 localhost slapd[7729]: line 84 (suffix          "dc=mydomain,dc=org")

Oct  9 18:51:31 localhost slapd[7729]: >>> dnPrettyNormal: <dc=mydomain,dc=org>

Oct  9 18:51:31 localhost slapd[7729]: <<< dnPrettyNormal: <dc=mydomain,dc=org>, <dc=mydomain,dc=org>

Oct  9 18:51:31 localhost slapd[7729]: line 85 (directory       /var/lib/openldap-data/)

Oct  9 18:51:31 localhost slapd[7729]: line 86 (index           objectClass     eq)

Oct  9 18:51:31 localhost slapd[7729]: index objectClass 0x0004

Oct  9 18:51:31 localhost slapd[7729]: line 87 (rootdn          "cn=root,dc=mydomain,dc=org")

Oct  9 18:51:31 localhost slapd[7729]: >>> dnPrettyNormal: <cn=root,dc=mydomain,dc=org>

Oct  9 18:51:31 localhost slapd[7729]: <<< dnPrettyNormal: <cn=root,dc=mydomain,dc=org>, <cn=root,dc=mydomain,dc=org>

Oct  9 18:51:31 localhost slapd[7729]: line 88 (rootpw ***)

Oct  9 18:51:31 localhost slapd[7729]: >>> dnNormalize: <cn=Subschema>

Oct  9 18:51:31 localhost slapd[7729]: <<< dnNormalize: <cn=subschema>

Oct  9 18:51:31 localhost slapd[7729]: matching_rule_use_init

Oct  9 18:51:31 localhost slapd[7729]:     1.2.840.113556.1.4.804 (integerBitOrMatch): 

Oct  9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 1.2.840.113556.1.4.804 NAME 'integerBitOrMatch' APPLIES ( supportedLDAPVersion $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcDbCacheFree $ olcDbCacheSize $ olcDbIDLcacheSize $ olcDbMode $ olcDbSearchStack $ olcDbShmKey $ olcDbProtocolVersion $ olcProxyCacheQueries $ olcSpSessionlog $ mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber ) )

Oct  9 18:51:31 localhost slapd[7729]:     1.2.840.113556.1.4.803 (integerBitAndMatch): 

Oct  9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 1.2.840.113556.1.4.803 NAME 'integerBitAndMatch' APPLIES ( supportedLDAPVersion $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcDbCacheFree $ olcDbCacheSize $ olcDbIDLcacheSize $ olcDbMode $ olcDbSearchStack $ olcDbShmKey $ olcDbProtocolVersion $ olcProxyCacheQueries $ olcSpSessionlog $ mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber ) )

Oct  9 18:51:31 localhost slapd[7729]:     1.3.6.1.4.1.1466.109.114.2 (caseIgnoreIA5Match): 

Oct  9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 1.3.6.1.4.1.1466.109.114.2 NAME 'caseIgnoreIA5Match' APPLIES ( altServer $ mail $ dc $ associatedDomain $ email $ aRecord $ mDRecord $ mXRecord $ nSRecord $ sOARecord $ cNAMERecord $ janetMailbox $ gecos $ homeDirectory $ loginShell $ memberUid $ memberNisNetgroup $ ipHostNumber $ ipNetworkNumber $ ipNetmaskNumber $ macAddress $ bootFile $ nisMapEntry ) )

Oct  9 18:51:31 localhost slapd[7729]:     1.3.6.1.4.1.1466.109.114.1 (caseExactIA5Match): 

Oct  9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match' APPLIES ( altServer $ mail $ dc $ associatedDomain $ email $ aRecord $ mDRecord $ mXRecord $ nSRecord $ sOARecord $ cNAMERecord $ janetMailbox $ gecos $ homeDirectory $ loginShell $ memberUid $ memberNisNetgroup $ ipHostNumber $ ipNetworkNumber $ ipNetmaskNumber $ macAddress $ bootFile $ nisMapEntry ) )

Oct  9 18:51:31 localhost slapd[7729]:     2.5.13.35 (certificateMatch): 

Oct  9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.35 NAME 'certificateMatch' APPLIES ( userCertificate $ cACertificate ) )

Oct  9 18:51:31 localhost slapd[7729]:     2.5.13.34 (certificateExactMatch): 

Oct  9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.34 NAME 'certificateExactMatch' APPLIES ( userCertificate $ cACertificate ) )

Oct  9 18:51:31 localhost slapd[7729]:     2.5.13.30 (objectIdentifierFirstComponentMatch): 

Oct  9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.30 NAME 'objectIdentifierFirstComponentMatch' APPLIES ( supportedControl $ supportedExtension $ supportedFeatures $ ldapSyntaxes $ supportedApplicationContext ) )

Oct  9 18:51:31 localhost slapd[7729]:     2.5.13.29 (integerFirstComponentMatch): 

Oct  9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.29 NAME 'integerFirstComponentMatch' APPLIES ( supportedLDAPVersion $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcDbCacheFree $ olcDbCacheSize $ olcDbIDLcacheSize $ olcDbMode $ olcDbSearchStack $ olcDbShmKey $ olcDbProtocolVersion $ olcProxyCacheQueries $ olcSpSessionlog $ mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber ) )

Oct  9 18:51:31 localhost slapd[7729]:     2.5.13.27 (generalizedTimeMatch): 

Oct  9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.27 NAME 'generalizedTimeMatch' APPLIES ( createTimestamp $ modifyTimestamp ) )

Oct  9 18:51:31 localhost slapd[7729]:     2.5.13.24 (protocolInformationMatch): 

Oct  9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.24 NAME 'protocolInformationMatch' APPLIES protocolInformation )

Oct  9 18:51:31 localhost slapd[7729]:     2.5.13.23 (uniqueMemberMatch): 

Oct  9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.23 NAME 'uniqueMemberMatch' APPLIES uniqueMember )

Oct  9 18:51:31 localhost slapd[7729]:     2.5.13.22 (presentationAddressMatch): 

Oct  9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.22 NAME 'presentationAddressMatch' APPLIES presentationAddress )

Oct  9 18:51:31 localhost slapd[7729]:     2.5.13.20 (telephoneNumberMatch): 

Oct  9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.20 NAME 'telephoneNumberMatch' APPLIES ( telephoneNumber $ homePhone $ mobile $ pager ) )

Oct  9 18:51:31 localhost slapd[7729]:     2.5.13.17 (octetStringMatch): 

Oct  9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.17 NAME 'octetStringMatch' APPLIES ( userPassword $ queryid ) )

Oct  9 18:51:31 localhost slapd[7729]:     2.5.13.16 (bitStringMatch): 

Oct  9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.16 NAME 'bitStringMatch' APPLIES x500UniqueIdentifier )

Oct  9 18:51:31 localhost slapd[7729]:     2.5.13.14 (integerMatch): 

Oct  9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.14 NAME 'integerMatch' APPLIES ( supportedLDAPVersion $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcDbCacheFree $ olcDbCacheSize $ olcDbIDLcacheSize $ olcDbMode $ olcDbSearchStack $ olcDbShmKey $ olcDbProtocolVersion $ olcProxyCacheQueries $ olcSpSessionlog $ mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber ) )

Oct  9 18:51:31 localhost slapd[7729]:     2.5.13.13 (booleanMatch): 

Oct  9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.13 NAME 'booleanMatch' APPLIES ( hasSubordinates $ olcGentleHUP $ olcLastMod $ olcReadOnly $ olcReverseLookup $ olcDbNoSync $ olcDbDirtyRead $ olcDbLinearIndex $ olcCacheURI $ olcDbRebindAsUser $ olcDbChaseReferrals $ olcDbProxyWhoAmI $ olcSpNoPresent $ olcSpReloadHint ) )

Oct  9 18:51:31 localhost slapd[7729]:     2.5.13.11 (caseIgnoreListMatch): 

Oct  9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.11 NAME 'caseIgnoreListMatch' APPLIES ( postalAddress $ registeredAddress $ homePostalAddress ) )

Oct  9 18:51:31 localhost slapd[7729]:     2.5.13.8 (numericStringMatch): 

Oct  9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.8 NAME 'numericStringMatch' APPLIES ( x121Address $ internationaliSDNNumber ) )

Oct  9 18:51:31 localhost slapd[7729]:     2.5.13.7 (caseExactSubstringsMatch): 

Oct  9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.7 NAME 'caseExactSubstringsMatch' APPLIES ( serialNumber $ destinationIndicator $ dnQualifier ) )

Oct  9 18:51:31 localhost slapd[7729]:     2.5.13.6 (caseExactOrderingMatch): 

Oct  9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.6 NAME 'caseExactOrderingMatch' APPLIES ( serialNumber $ destinationIndicator $ dnQualifier ) )

Oct  9 18:51:31 localhost slapd[7729]:     2.5.13.5 (caseExactMatch): 

Oct  9 18:51:31 localhost syslog-ng[3817]: Message length overflow, line is split, log_msg_size=2048

Oct  9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.5 NAME 'caseExactMatch' APPLIES ( supportedSASLMechanisms $ vendorName $ vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $ olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $ olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $ olcAuthzPolicy $ olcAuthzRegexp $ olcBackend $ olcDatabase $ olcDisallows $ olcDitContentRules $ olcInclude $ olcLimits $ olcLogFile $ olcLogLevel $ olcModuleLoad $ olcModulePath $ olcObjectClasses $ olcObjectIdentifier $ olcOverlay $ olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPlugin $ olcPluginLogFile $ olcReferral $ olcReplica $ olcReplicaArgsFile $ olcReplicaPidFile $ olcReplogFile $ olcRequires $ olcRestrict $ olcRootDSE $ olcRootPW $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ olcSecurity $ olcSizeLimit $ olcSrvtab $ olcSubordinate $ olcSyncrepl $ olcTimeLimit $ olcTLSCACertificateFile $ olcTLSCACertificatePath $ olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcUpdateRef $ olcDbDirectory $ olcDbCheckpoint $ olcDbConfig $ olcDbIndex $ olcDbLockDetect $ olcDbURI $ olcDbStartTLS $ olcDbACLPasswd $ olcDbACLBind $ olcDbIDAssertPasswd $ olcDbIDAssertBind $ olcDbIDAssertMode $ olcDbIDAssertAuthzFrom $ olcDbTFSupport $ olcDbTimeout $ olcDbIdleTimeout $ olcDbConnTtl $ olcDbNetworkTimeout $ olcProxyCache $ olcProxyAttrset $ olcProxyTemplate $ olcProxyResponseCB $ olcSpCheckpoint $ knowledgeInformation $ sn $ serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $ postalCode $ postOfficeBox $ physicalDeliveryOfficeName $ destinationIndicator $ givenName $ initials $ generationQualifier $ dnQualifier $ houseIdentifier $ dmdName $ pseudonym $ textEncodedORAddress $ info $ drink $ roomNumber $ userClass $ host $ documentIdentifier $ documentTitle $ documentVersion $ documentLocation $ personalTitle $ co $ 
uniqueIdentifier $ organizationalStatus $ buildingName $

Oct  9 18:51:31 localhost documentPublisher $ carLicense $ departmentNumber $ displayName $ employeeNumber $ employeeType $ preferredLanguage $ ipServiceProtocol $ nisMapName ) )

Oct  9 18:51:31 localhost slapd[7729]:     2.5.13.4 (caseIgnoreSubstringsMatch): 

Oct  9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.4 NAME 'caseIgnoreSubstringsMatch' APPLIES ( serialNumber $ destinationIndicator $ dnQualifier ) )

Oct  9 18:51:31 localhost slapd[7729]:     2.5.13.3 (caseIgnoreOrderingMatch): 

Oct  9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.3 NAME 'caseIgnoreOrderingMatch' APPLIES ( serialNumber $ destinationIndicator $ dnQualifier ) )

Oct  9 18:51:31 localhost slapd[7729]:     2.5.13.2 (caseIgnoreMatch): 

Oct  9 18:51:31 localhost syslog-ng[3817]: Message length overflow, line is split, log_msg_size=2048

Oct  9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.2 NAME 'caseIgnoreMatch' APPLIES ( supportedSASLMechanisms $ vendorName $ vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $ olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $ olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $ olcAuthzPolicy $ olcAuthzRegexp $ olcBackend $ olcDatabase $ olcDisallows $ olcDitContentRules $ olcInclude $ olcLimits $ olcLogFile $ olcLogLevel $ olcModuleLoad $ olcModulePath $ olcObjectClasses $ olcObjectIdentifier $ olcOverlay $ olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPlugin $ olcPluginLogFile $ olcReferral $ olcReplica $ olcReplicaArgsFile $ olcReplicaPidFile $ olcReplogFile $ olcRequires $ olcRestrict $ olcRootDSE $ olcRootPW $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ olcSecurity $ olcSizeLimit $ olcSrvtab $ olcSubordinate $ olcSyncrepl $ olcTimeLimit $ olcTLSCACertificateFile $ olcTLSCACertificatePath $ olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcUpdateRef $ olcDbDirectory $ olcDbCheckpoint $ olcDbConfig $ olcDbIndex $ olcDbLockDetect $ olcDbURI $ olcDbStartTLS $ olcDbACLPasswd $ olcDbACLBind $ olcDbIDAssertPasswd $ olcDbIDAssertBind $ olcDbIDAssertMode $ olcDbIDAssertAuthzFrom $ olcDbTFSupport $ olcDbTimeout $ olcDbIdleTimeout $ olcDbConnTtl $ olcDbNetworkTimeout $ olcProxyCache $ olcProxyAttrset $ olcProxyTemplate $ olcProxyResponseCB $ olcSpCheckpoint $ knowledgeInformation $ sn $ serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $ postalCode $ postOfficeBox $ physicalDeliveryOfficeName $ destinationIndicator $ givenName $ initials $ generationQualifier $ dnQualifier $ houseIdentifier $ dmdName $ pseudonym $ textEncodedORAddress $ info $ drink $ roomNumber $ userClass $ host $ documentIdentifier $ documentTitle $ documentVersion $ documentLocation $ personalTitle $ co $ 
uniqueIdentifier $ organizationalStatus $ buildingName 

Oct  9 18:51:31 localhost $ documentPublisher $ carLicense $ departmentNumber $ displayName $ employeeNumber $ employeeType $ preferredLanguage $ ipServiceProtocol $ nisMapName ) )

Oct  9 18:51:31 localhost slapd[7729]:     1.2.36.79672281.1.13.3 (rdnMatch): 

Oct  9 18:51:31 localhost slapd[7729]:     2.5.13.1 (distinguishedNameMatch): 

Oct  9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.1 NAME 'distinguishedNameMatch' APPLIES ( creatorsName $ modifiersName $ subschemaSubentry $ namingContexts $ aliasedObjectName $ distinguishedName $ seeAlso $ olcDefaultSearchBase $ olcRootDN $ olcSchemaDN $ olcSuffix $ olcUpdateDN $ olcDbACLAuthcDn $ olcDbIDAssertAuthcDn $ member $ owner $ roleOccupant $ manager $ documentAuthor $ secretary $ associatedName $ dITRedirect ) )

Oct  9 18:51:31 localhost slapd[7729]:     2.5.13.0 (objectIdentifierMatch): 

Oct  9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.0 NAME 'objectIdentifierMatch' APPLIES ( supportedControl $ supportedExtension $ supportedFeatures $ supportedApplicationContext ) )

Oct  9 18:51:31 localhost slapd[7729]: main: TLS init def ctx failed: -1

Oct  9 18:51:31 localhost slapd[7729]: slapd destroy: freeing system resources.

Oct  9 18:51:31 localhost slapd[7729]: slapd stopped.

```

Is there any way to configure OpenLDAP to have its own log file?

Thk

----------

## marens

From your slapd.conf

```
TLSCertificateFile /etc/openldap/ssl/newcert.pem
```

but it's missing in your /etc/openldap/ssl folder, according to

*Quote:*

> localhost johnny # ls -l /etc/openldap/ssl/
>
> total 12
> ...

That causes the error

*Quote:*

> Oct  9 18:51:31 localhost slapd[7729]: main: TLS init def ctx failed: -1

----------

## marens

I think it's much more convenient to store the CA cert, client cert and client key in one place.

```
[19:26:10] marenz /etc/openldap/ssl $ ll
total 20
-rw-r--r-- 1 ldap ldap 1212 2005-12-19 01:34 cacert.pem
-rwxr-xr-x 1 root root 3505 2006-10-06 00:42 gencert.sh
-rw-r----- 1 root ldap 1709 2006-05-24 14:12 ldap.pem
-rw-r--r-- 1 ldap ldap 3559 2005-12-19 01:31 servercrt.pem
-rw-r--r-- 1 ldap ldap 1591 2005-12-19 01:29 serverkey.pem
[19:26:25] marenz /etc/openldap/ssl $
```

----------

## johnny_martins00

OK, the certs phase is passed. I think it looks fine; at least it doesn't give me any error. How can I test if the certs are OK?

Another thing is that the howto I'm following says to check my config,

```
slaptest
```

and this is the result,

```
WARNING: No dynamic config support for database ldbm.
config file testing succeeded
```

I think it's all right, but when I try

`ldapsearch -x -D "cn=root,dc=mydomain,dc=org" -W`

it shows me no results, and the howto page says he has 77 entries!?!? I think it's because my db is empty, but I don't know how to import into the db...

Thk 

Regards

----------

## marens

*johnny_martins00 wrote:*

> OK, the certs phase is passed. I think it looks fine; at least it doesn't give me any error. How can I test if the certs are OK?

Why do I paste useful links regarding exactly this point if you don't follow/read them at all?

Again http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.0

*Quote:*

> Another thing is that the howto I'm following says to check my config,
> ...

And Mr. www.google.com told me "It's harmless, as soon as you do not intend to run-time modify the configuration of slapd."

Perhaps you should consider using a Berkeley DB as backend (bdb instead of ldbm) anyway.

*Quote:*

> I think it's all right, but when I try
>
> ldapsearch -x -D "cn=root,dc=mydomain,dc=org" -W it shows me no results, and the howto page says he has 77 entries!?!? I think it's because my db is empty
> ...

Have a look at man ldapsearch ... or use slapcat for first steps; that's way easier.

If you don't know how to import something into the db, the db must still be empty. slapcat (as root) would show the content of the LDAP server / underlying DB.

We told you several times how to build a minimal LDAP server with the command line ...

But again: have a look at http://www.openldap.org/doc/admin23/quickstart.html

and there are many graphical tools that make it even easier for you

```
* net-nds/directoryadministrator
     Available versions:  1.4 1.5.1 1.7.1
     Installed:           none
     Homepage:            http://diradmin.open-it.org
     Description:         GUI to manage users and groups in a LDAP directory

* net-nds/jxplorer
     Available versions:  3.1_rc4 3.1
     Installed:           none
     Homepage:            http://jxplorer.org/
     Description:         A fully functional ldap browser written in java.

* net-nds/ldapvi
     Available versions:  1.5
     Installed:           none
     Homepage:            http://www.lichteblau.com/src.html
     Description:         Manage LDAP entries with a text editor

* net-nds/led
     Available versions:  ~1.79.4
     Installed:           none
     Homepage:            http://led.sourceforge.net/
     Description:         led is a general purpose LDAP editor

* net-nds/luma
     Available versions:  2.1.3 ~2.2.1 ~2.3
     Installed:           none
     Homepage:            http://luma.sourceforge.net/
     Description:         Luma is a graphical utility for accessing and managing data stored on LDAP servers.

* net-nds/phpldapadmin
     Available versions:  0.9.8.2:0.9.8.2 0.9.8.3:0.9.8.3 1.0.1:1.0.1
     Installed:           1.0.1
     Homepage:            http://phpldapadmin.sourceforge.net
     Description:         phpLDAPadmin is a web-based tool for managing all aspects of your LDAP server.
```

----------

## johnny_martins00

Sorry man, but I'm no expert in Linux, and English is not the language I speak best. I think I already migrated to the db; I followed the official Gentoo OpenLDAP howto. It worked, no errors were found, but can you tell me what the best software to use is? The ones you mentioned?

Thk

----------

