Openldap服务器配置错误解决。

实验环境。virtualbox虚拟机。rhel5.5的系统。

 

[root@mail ~]# yum -y install openldap*

[root@mail ~]# chkconfig ldap on

[root@mail ~]# slappasswd -h {md5} > kl
New password:
Re-enter new password:
[root@mail ~]# cat kl
{MD5}4nmK8Sp6D09wtNae+8JfTQ==
[root@mail ~]# vim /etc/openldap/slapd.conf
[root@mail ~]# cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

[root@mail ~]# chown ldap.ldap /var/lib/ldap/DB_CONFIG

[root@mail ~]# chown -R ldap.ldap /var/lib/ldap/  后来针对目录改变所有者和所属组解决了签署证书报错的问题

[root@mail ~]# cd /usr/share/openldap/migration/
[root@mail migration]# vim migrate_common.ph

[root@mail migration]# ./migrate_base.pl > base.ldif
[root@mail migration]# ldapadd -x -D "cn=root,dc=rhel5,dc=com" -W -f base.ldif

[root@mail migration]# ./migrate_passwd.pl /etc/passwd passwd.ldif
[root@mail migration]# ldapadd -x -D "cn=root,dc=rhel5,dc=com" -W -f passwd.ldif

[root@mail migration]# ./migrate_group.pl /etc/group group.ldif
[root@mail migration]# ldapadd -x -D "cn=root,dc=rhel5,dc=com" -W -f group.ldif
 

[root@mail migration]# openssl req -new -nodes -subj '/CN=mail.rhel5.com/O=hd/C=CN/ST=sh/L=yp'
Generating a 1024 bit RSA private key
.............++++++
....................++++++
writing new private key to 'privkey.pem'
-----
-----BEGIN CERTIFICATE REQUEST-----
MIIBjDCB9gIBADBNMRcwFQYDVQQDEw5tYWlsLnJoZWw1LmNvbTEL

MAkGA1UEChMC
aGQxCzAJBgNVBAYTAkNOMQswCQYDVQQIEwJzaDELMAkGA1UEBx

MCeXAwgZ8wDQYJ
KoZIhvcNAQEBBQADgY0AMIGJAoGBAJfCZ

+x44gnNVvdkl30zLWSO2yG7lGR9IKE7
xrwm/PERSyaT+Qod669VsKNrJ0AKXPajfmdwFFdkOov/TL3Kb0+eQn

+FYrHesz/N
GSeNOfhW/IiyHJw7JdKsCrClU4Kofj

+8gQHJhVEjy8WM58hmZgp6p5G1tUXPv14i
+0xljVhTAgMBAAGgADANBgkqhkiG9w0BAQUFAAOBgQBuP4/

+Hz4WLceNpGK5bDEG
goRHvIq

+zvUe5M29/ER21G3pQSVOiSDUyOlulSYlXTP4/fYS8FWv0fnR54phiaX0
yBXmZlRTS2ftW2r4a

+bhvtqGUd0QYQZusILnxrYQwOuTWNnQBhKmnwgNaIB46gwJ
SE3DBaKnhAxOeU6oPiOJRg==

[root@mail migration]# openssl ca -out newcert.pem -infiles

privkey.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
Error reading certificate request in privkey.pem
3598:error:0906D06C:PEM routines:PEM_read_bio:no start

line:pem_lib.c:647:Expecting: CERTIFICATE REQUEST
-----END CERTIFICATE REQUEST-----

问题出现了。解决办法:

[root@mail ~]# chown ldap.ldap /var/lib/ldap/DB_CONFIG

[root@mail ~]# chown -R ldap.ldap /var/lib/ldap/ 针对目录改变所有者和所属组解决了签署证书报错的问题。

上面建立user和group数据库的步骤一样不变。

还有目录要切换到/etc/pki来创建新证书。

[root@mail pki]# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
....++++++
.................++++++
writing new private key to '../../CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:sh
Locality Name (eg, city) [Newbury]:yp
Organization Name (eg, company) [My Company Ltd]:hd
Organizational Unit Name (eg, section) []:500
Common Name (eg, your name or your server's hostname) []:mail.rhel5.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:redhat
An optional company name []:redhat
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Apr 19 05:18:05 2012 GMT
            Not After : Apr 19 05:18:06 2015 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = sh
            organizationName          = hd
            organizationalUnitName    = 500
            commonName                = mail.rhel5.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                91:CD:B8:9B:E6:A4:82:59:5B:EC:49:9E:98:A2:E3:20:CF:B6:E2:D6
            X509v3 Authority Key Identifier:
                keyid:91:CD:B8:9B:E6:A4:82:59:5B:EC:49:9E:98:A2:E3:20:CF:B6:E2:D6

Certificate is to be certified until Apr 19 05:18:06 2015 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
[root@mail pki]# openssl req -new -nodes -subj '/CN=mail.rhel5.com/O=hd/C=CN/ST=sh/L=yp' -keyout newreq.pem -out newreq.pem -days 365
Generating a 1024 bit RSA private key
..............++++++
.........++++++
writing new private key to 'newreq.pem'
-----
[root@mail pki]#
[root@mail pki]# openssl ca -out newcert.pem -infiles newreq.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Apr 19 05:20:21 2012 GMT
            Not After : Apr 19 05:20:21 2013 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = sh
            organizationName          = hd
            commonName                = mail.rhel5.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                FF:C7:37:39:29:CD:B8:93:C8:7C:C2:88:76:7E:C4:5B:BA:31:D1:1C
            X509v3 Authority Key Identifier:
                keyid:91:CD:B8:9B:E6:A4:82:59:5B:EC:49:9E:98:A2:E3:20:CF:B6:E2:D6

Certificate is to be certified until Apr 19 05:20:21 2013 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

 

你可能感兴趣的:(系统,star,pem,No,openldap服务器,3598:error,routines)