I had tried that as well. You seem to be going down the line of thought
I had last night. :-) Not sure why, but I can't get it to work at all
with LDAPNOINIT=true whether the ~/.ldaprc file exists or not.
Regardless of whatever other options I throw at it, I always get:
$ LDAPNOINIT=true LDAPTLS_REQCERT=allow ldapsearch -LLL -x -H
ldaps://server.domain.com -D "<SNIP>" -w <SNIP> -b dc=domain,dc=com uid=user
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
$ LDAPNOINIT=true LDAPRC=.ldaprc-server ldapsearch -LLL -x -H
ldaps://server.domain.com -D "<SNIP>" -w <SNIP> -b dc=domain,dc=com uid=user
but, LDAPNOINIT prevents the custom file from being sourced as well
(which, in this case, is probably to be expected).
--
Jared
On 10/09/2013 02:01 PM, Chad Scott wrote:
> Try:
>
> LDAPNOINIT=true LDAPTLS_REQCERT=allow ldapsearch ...
>
>
> On Wed, Oct 9, 2013 at 11:52 AM, Jared <list-389@legroom.net
>
mailto:list-389@legroom.net> wrote:
>
> Hi, Chad. Thanks for the suggestions.
>
> I actually did try your LDAPTLS_REQCERT=allow suggestion, but when the
> existing ~/.ldaprc is in place (with the TLS_REQCERT=demand line), that
> option seems to be ignored for some reason. I don't know why.
>
> To illustrate:
>
> $ cat ~/.ldaprc
> TLS_CERT /home/ldap/certs/admin.crt
> TLS_KEY /home/ldap/certs/admin.key
> TLS_REQCERT demand
> SASL_MECH external
>
> $ LDAPTLS_REQCERT=allow ldapsearch -LLL -x -H
> ldaps://server.autozone.com
http://server.autozone.com -D "<SNIP>"
> -w <SNIP> -b dc=domain,dc=com
> uid=user
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
> $ mv ~/.ldaprc ~/.ldaprc-old
>
> $ LDAPTLS_REQCERT=allow ldapsearch -LLL -x -H
> ldaps://server.autozone.com
http://server.autozone.com -D "<SNIP>"
> -w <SNIP> -b dc=domain,dc=com
> uid=user
> dn: uid=user,ou=people,dc=domain,dc=com
> uid: user
> <SNIP>
>
> It seems like the ~/.ldaprc file is overriding what I specify on the
> command line, but as I mentioned before, I *have* to have that global
> configuration there for all of the other LDAP server this account
> interacts with.
>
> Likewise, I did try messing with the LDAPRC variable. I actually
> mentioned that in my original post:
>
> * Creating a separate ~/.ldaprc-server file and exporting
> LDAPRC=.ldaprc-server - in this case, both ~/.ldaprc AND
> ~/.ldaprc-server are sourced (found using strace), so again my
> host-specific settings are ignored.
>
> I'd consider that a bug in ldapsearch - if I'm explicitly defining
> LDAPRC, I'd expect it to ready that file *instead* of ~/.ldaprc, but it
> actually reads it *in addition* to ~/.ldaprc, which I discovered by
> examining strace output. There may be some cases where this behavior is
> desired, but in this case, it causes my global configuration to
> (apparently) again take precedence, overriding the TLS_REQCERT=allow
> setting.
>
> Any other suggestions?
>
> --
> Jared
>
> On 10/09/2013 01:26 PM, Chad Scott wrote:
> > Set environment variables.
> >
> > export LDAPTLS_REQCERT=allow
> >
> > or
> >
> > LDAPTLS_REQCERT=allow ldapsearch ...
> >
> > If neither of those work, specify a specific LDAPRC with:
> >
> > export LDAPRC=somefile.conf
> >
> > or
> >
> > LDAPRC=somefile.conf ldapsearch ...
> >
> >
> > On Wed, Oct 9, 2013 at 11:12 AM, Jared <list-389@legroom.net
>
mailto:list-389@legroom.net
> > <mailto:list-389@legroom.net
mailto:list-389@legroom.net>> wrote:
> >
> > but I can. As I mentioned in my original post, adding this to
> ~/.ldaprc
> > or /etc/openldap/ldap.conf makes ldapsearch work perfectly fine:
> >
> > HOST server.domain.com
http://server.domain.com
>
http://server.domain.com
> > PORT 636
> > TLS_REQCERT allow
> >
> > The problem is with applying this configuration to the one
> host while
> > still setting my default configuration for SASL certificate-based
> > authentication to everything else. How do I do that?
> >
> > or, to ask the question differently, forget the fact that I'm
> dealing
> > with an invalid cert. There's no need to to get hung up on
> that detail.
> > I have one ldaprc configuration that I need to define for a
> host, and a
> > default ldaprc configuration I need to define for all other
> hosts. How
> > do I make them work together?
> >
> > --
> > Jared
> >
> > On 10/09/2013 01:06 PM, Michael Ströder wrote:
> > > Jared wrote:
> > >> expired and self-signed.
> > >
> > > You cannot work around expired certs. But in case of self-signed
> > certs you can
> > > put them into trusted CA certs file.
> > >
> > > Ciao, Michael.
> > >
> >
> >
>
>