I have followed the instructions of the SSL Howto, but I am still stick at the SSL activation.
From a clean installation, I try to launch the setupssl.sh script, but at the end, I have
ldapmodify: invalid format (line 11) entry: "cn=encryption,cn=config"
There is not specific configuration except that I use the port 9831 for my DS instead of 389 (I already use the standard LDAP port for OpenLDAP and I do not want to migrate (it is for testing)). I have modified the setupssl script to execute on this port.
If I just try the end of the script, you can see the error :
ldapmodify -x -h localhost -p 9831 -D "cn=Directory Manager" -W <<EOFdn: cn=encryption,cn=configchangetype: modifyreplace: nsSSL3nsSSL3: on-replace: nsSSLClientAuthnsSSLClientAuth: allowed-add: nsSSL3CiphersnsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_qshadn: cn=configchangetype: modifyadd: nsslapd-securitynsslapd-security: on-replace: nsslapd-ssl-check-hostnamensslapd-ssl-check-hostname: off-replace: nsslapd-secureportnsslapd-secureport: 636dn: cn=RSA,cn=encryption,cn=configchangetype: addobjectclass: topobjectclass: nsEncryptionModulecn: RSAnsSSLPersonalitySSL: Server-CertnsSSLToken: internal (software)nsSSLActivation: onEOFEnter LDAP Password:ldapmodify: invalid format (line 11) entry: "cn=encryption,cn=config"
I have checked every part of these ldif data. The error is here :
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_qsha
But if I do the modifications except this piece of code, ldaps can be started on the port 636, but the cert files could not be loaded from dirsrv, so I can not do any request in SSL... I also try to :
Â- edit dse.ldif file in the dirsrv DS configuration directory and delete the line corresponding to the cert files as Red Hat documentation tells (after stoping dirsrv service). We can see that dirsrv reload the cert files in the dse.ldif file, but it changed nothing.
Â- delete every *.db and *.txt files and cacert.csa. Then, if I reexecute setupssl.sh, it generates the cert files, but (again), there is no changes...
Obviously, if I open 389-console, I could see this string in the properties of "cn=encryption,cn=config".
I have checked my real hostname and other stuffs specified in the documentation... I know that I do not use the standard LDAP port but I do not see why this section could not work... Other ldap request on this port work.
Sorry for my bad english...
Any help would be gracefull !
Regards;
RÃmy
-- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users