Monday, April 22, 2013

Things I Wish I'd Known Before Installed slapd on Ubuntu 12.04

slapd is OpenLDAP server.

This post is my experiences from install slapd on Ubuntu 12.04

0. x86 and x64
Please do use x86 instead of x64 machine for openldap. As I experiment with Ubuntu 12.04 x64 version, I got some annoying bugs relate to TLS. At least, I can sure that for package from Ubuntu repo, use x86 will save you from many headache.

1. Logging / Debug
olcLogFile is not easy to use (I don't know how to use it), if you want logging to a separate file, change rsyslog config (/etc/rsyslog.d/50-....).
Let local4.* outputs to a dedicated file.

Debug server:
Change your config :  olcLogLevel : none
to 256, 16383 to get more verbose output
or run :
slapd --debug

Debug client:
add -d 1 -d 2 ... or -d 5 after your command


2. GNUTLS vs openssl
On Ubuntu 12.04, slapd / ldap-utils is compiled with GNUTLS. You should know this and use certificates/key created by gnutls-bin (certtool) when add SSL/TLS to it.

Or if you use openssl cert/key, do compile your own a slapd / ldap-utils with openssl.

Use mix slapd (built with gnutls) with openssl cert wil cause endless headache to you. DON'T DO THAT!

3. Certificate/ Key
Certificate MUST be created which cn = your hostname FQDN.

To check that, use:
hostname --fqdn

If you wan to change it to example.com, add example.com into /etc/hosts, before the result you've got.

No comments: