From: mkes@ra.rockwell.com
To: freebsd-questions@FreeBSD.org
Date: Tue, 8 Jun 2004 13:26:58 +0200
Subject: problems with LDAP TLS and nss_ldap on 5.2.1

I have upgraded our LDAP server to 5.2.1-RELEASE running openldap-2.1.30 server/client + pam_ldap-1.6.9 + nss_ldap-1.204_5. The previous configuration (openldap20-2.0.25_4 + nss_ldap-1.204_1 + pam_ldap-1.6.1) was running OK on FreeBSD 5.1R. After the upgrade I have 2 major problems.

1) I'm not able to make the ldap server work with TLS.

The previous installation worked fine, but I hadn't properly backed up the TLS certificates and I had to generate them again using the approach described at http://www.openldap.org/faq/data/cache/185.html

As soon as I add these TLS options to the slapd.conf:

    # TLS options for slapd
    TLSCipherSuite HIGH:MEDIUM:+SSLv2
    TLSCACertificateFile /usr/local/etc/openldap/cacert.pem
    TLSCertificateFile /usr/local/etc/openldap/servercrt.pem
    TLSCertificateKeyFile /usr/local/etc/openldap/servercrt.pem
    ...

running "/etc/rc.d/slapd start" doesn't even start the server, but it doesn't complain either. So I have no clue what's going wrong, and right now I have to run the server without TLS.

2) The second problem is with nss_ldap. I have installed the server first, loaded data into the directory, tried some searches etc. Everything worked OK (except for the TLS). Normally, the startup of the server takes about 1 second. As soon as I install nss_ldap (at the very moment I run make install on that port) the startup time of the ldap server slows down to 30+ seconds, and I have also experienced cases when it didn't start at all. If I deinstall nss_ldap the server startup is quick again.

Any ideas about what can be wrong in either case would be really welcome.

Thanks
Mira
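An added pre-flight check for the slapd.conf TLS directives quoted in the post (example code written for this page, not part of the original message or of OpenLDAP): it parses the TLS* lines, confirms each referenced file exists, is readable and holds the PEM block type slapd needs there (the key directive must find a private key even when it names the same combined file as the certificate directive), and flags a TLSCipherSuite that still keeps SSLv2 suites. The paths and PEM contents built in demo() are constructed; the check does not verify that key and certificate actually match, which is a job for openssl.

```python
import os, re, tempfile

# PEM block type slapd needs in each file directive (TLSCertificateFile and
# TLSCertificateKeyFile may name the same file, which must then hold both).
TLS_FILE_DIRECTIVES = {
    "TLSCACertificateFile": "CERTIFICATE",
    "TLSCertificateFile": "CERTIFICATE",
    "TLSCertificateKeyFile": "PRIVATE KEY",
}

def parse_tls_directives(conf_text):
    """Return {directive: value} for every TLS* line; comments and blanks are skipped."""
    result = {}
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].startswith("TLS"):
            result[parts[0]] = parts[1].strip()
    return result

def pem_has_block(path, block_type):
    """True if the file holds a '-----BEGIN [RSA ]<block_type>-----' PEM block."""
    with open(path) as f:
        return re.search(r"-----BEGIN [A-Z ]*%s-----" % block_type, f.read()) is not None

def check_tls_config(conf_text):
    """Return a list of problems; an empty list means the directives look usable."""
    problems, tls = [], parse_tls_directives(conf_text)
    for directive, block_type in TLS_FILE_DIRECTIVES.items():
        path = tls.get(directive)
        if path is None:
            problems.append("%s is not set" % directive)
        elif not os.path.isfile(path):
            problems.append("%s: %s does not exist" % (directive, path))
        elif not os.access(path, os.R_OK):
            problems.append("%s: %s is not readable by this user" % (directive, path))
        elif not pem_has_block(path, block_type):
            problems.append("%s: %s has no %s block" % (directive, path, block_type))
    suite = tls.get("TLSCipherSuite", "")
    # In OpenSSL cipher strings only '!' removes a group; '+SSLv2' just reorders it.
    if "SSLv2" in suite and "!SSLv2" not in suite:
        problems.append("TLSCipherSuite keeps SSLv2 suites: %s" % suite)
    return problems

def demo():
    """Constructed sample: the cert and key directives name one file that lacks a key block."""
    d = tempfile.mkdtemp()
    for name in ("cacert.pem", "servercrt.pem"):
        with open(os.path.join(d, name), "w") as f:
            f.write("-----BEGIN CERTIFICATE-----\nMIIB.constructed.\n-----END CERTIFICATE-----\n")
    conf = ("TLSCipherSuite HIGH:MEDIUM:+SSLv2\nTLSCACertificateFile %s/cacert.pem\n"
            "TLSCertificateFile %s/servercrt.pem\nTLSCertificateKeyFile %s/servercrt.pem\n") % (d, d, d)
    return check_tls_config(conf)
```

Run it as the user slapd starts as, so the readability check reflects the permissions the daemon will actually see.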