Chris Jacobs wrote:
/etc/ldap.conf is used by nss tools and the ilk.
/etc/openldap/ldap.conf would be used by openldap tools - like ldapsearch.
Actually it's used by libldap, which means everything that uses libldap (including nss_ldap). But of course the converse is not true, /etc/ldap.conf only affects nss_ldap and pam_ldap, not anything else.
I have the same setting there for tls_checkpeer - but in the latter ldap.conf (under openldap).
tls_checkpeer is not a valid OpenLDAP ldap.conf keyword.
FWIW: there's apparently no real different format for the two files; while one would only be setup on ldap servers, mine are identical and things work with a
If they are identical and things work, it's by sheer luck. Read the ldap.conf(5) manpage. Relying on anything not documented there would be a mistake.
To the original poster: use the ldapsearch debug flag. OpenSSL s_client is not a reliable indicator of anything.
mirror master, both setup behind a VIP (fail over, not load balanced) and a plethora of slaves in different subdomains.
- chris
PS: I'd forgotten to 'reply-to-all' earlier. :)
Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661 email: chris.jacobs@apollogrp.edu
*From*: Lynn York *To*: Chris Jacobs *Sent*: Mon Apr 12 10:29:19 2010 *Subject*: RE: Problem with SSL/TLS
Here is my /etc/ldap.conf:
#host 127.0.0.1
base cn=users,dc=testing,dc=com
uri ldap://localhost:636
binddn cn=manager,dc=testing,dc=com
bindpw password
scope sub
timelimit 120
bind_policy soft
bind_timelimit 120
idle_timelimit 3600
ssl on
tls_cacert /etc/openldap/cacerts/servercrt.pem
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer no
nss_base_group cn=groups,dc=testing,dc=com?sub
pam_password md5
I have tried it with and without "tls_checkpeer". I am sort of at a loss as to what it can be. I also tested it using openssl client, and here is the output:
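The reply above draws a line between keywords libldap reads (those documented in ldap.conf(5)) and nss_ldap/pam_ldap-only keywords such as tls_checkpeer, which ldapsearch never sees. The script below applies that distinction to the /etc/ldap.conf posted here. It is an added example, not code from the thread or from the OpenLDAP project; the keyword lists are the documented ones the editor is sure of and are not exhaustive, the sample file is the poster's own configuration reproduced as constructed input, and the libldap equivalents printed as hints (TLS_REQCERT for tls_checkpeer, an ldaps:// URI or -Z for ssl) are the editor's mapping.

```shell
#!/bin/sh
# Added example, not part of the thread. Sorts the directives of an ldap.conf-style
# file into three classes: keywords libldap reads per ldap.conf(5), keywords only
# nss_ldap/pam_ldap understand (libldap silently ignores them), and unknown ones.
# The keyword lists are the documented ones the editor is sure of; not exhaustive.

# libldap keywords from ldap.conf(5); the manpage treats them case-insensitively.
OPENLDAP_KEYWORDS="URI BASE BINDDN HOST PORT DEREF SIZELIMIT TIMELIMIT NETWORK_TIMEOUT \
REFERRALS TIMEOUT SASL_MECH SASL_REALM SASL_AUTHCID SASL_AUTHZID SASL_SECPROPS \
TLS_CACERT TLS_CACERTDIR TLS_CERT TLS_KEY TLS_CIPHER_SUITE TLS_RANDFILE TLS_REQCERT \
TLS_CRLCHECK TLS_CRLFILE"

# nss_ldap / pam_ldap keywords seen in the thread's /etc/ldap.conf plus a few
# common neighbours; libldap does not read any of these.
NSS_LDAP_KEYWORDS="bindpw rootbinddn scope bind_policy bind_timelimit idle_timelimit \
ssl tls_checkpeer nss_base_passwd nss_base_shadow nss_base_group pam_password"

# classify_keyword KEYWORD -> prints openldap | nss_ldap | unknown
classify_keyword() {
    upper=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    lower=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    for k in $OPENLDAP_KEYWORDS; do
        if [ "$k" = "$upper" ]; then echo openldap; return 0; fi
    done
    for k in $NSS_LDAP_KEYWORDS; do
        if [ "$k" = "$lower" ]; then echo nss_ldap; return 0; fi
    done
    echo unknown
}

# lint_ldap_conf FILE -> one "class keyword" line per directive, with a hint where
# an nss_ldap-only TLS knob has a libldap equivalent (editor's mapping).
lint_ldap_conf() {
    while IFS= read -r line || [ -n "$line" ]; do
        kw=$(printf '%s\n' "$line" | awk '{print $1}')   # first field is the keyword
        case "$kw" in ''|\#*) continue ;; esac            # skip blanks and comments
        class=$(classify_keyword "$kw")
        hint=''
        case "$(printf '%s' "$kw" | tr '[:upper:]' '[:lower:]')" in
            tls_checkpeer) hint='  (libldap: TLS_REQCERT never|allow|try|demand)' ;;
            ssl)           hint='  (libldap: ldaps:// URI, or ldapsearch -Z for StartTLS)' ;;
        esac
        printf '%-9s %s%s\n' "$class" "$kw" "$hint"
    done < "$1"
}

# count_ignored_directives FILE -> number of directives libldap would not honour
count_ignored_directives() {
    lint_ldap_conf "$1" | awk '$1 != "openldap" { n++ } END { print n + 0 }'
}

# write_sample_conf FILE: the /etc/ldap.conf posted in the thread, reproduced here
# as constructed sample input (password and hostnames are the poster's placeholders).
write_sample_conf() {
    cat > "$1" <<'EOF'
#host 127.0.0.1
base cn=users,dc=testing,dc=com
uri ldap://localhost:636
binddn cn=manager,dc=testing,dc=com
bindpw password
scope sub
timelimit 120
bind_policy soft
bind_timelimit 120
idle_timelimit 3600
ssl on
tls_cacert /etc/openldap/cacerts/servercrt.pem
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer no
nss_base_group cn=groups,dc=testing,dc=com?sub
pam_password md5
EOF
}

# Demo: lint the sample and report how much of it libldap (hence ldapsearch) sees.
sample=$(mktemp)
write_sample_conf "$sample"
lint_ldap_conf "$sample"
echo "directives libldap ignores: $(count_ignored_directives "$sample")"
rm -f "$sample"
```

On the posted file, 9 of the 15 directives are nss_ldap-only; in particular tls_checkpeer does nothing for libldap, whose peer-verification setting is TLS_REQCERT in /etc/openldap/ldap.conf. Whatever the file says, the reply's advice stands: run ldapsearch with the debug flag (-d 1) and read the TLS: lines it prints during the handshake, since they report which CA file libldap loaded and why verification of the server certificate failed.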
*From*: openldap-technical-bounces+chris.jacobs=apollogrp.edu@OpenLDAP.org *To*: openldap-technical@openldap.org *Sent*: Mon Apr 12 08:13:39 2010 *Subject*: Problem with SSL/TLS
I have created a cert. on the server and openldap starts without any issues, however when I attempt to connect via ldaps I keep getting the following error:
ldapsearch -x -H ldaps://localhost:636 -D "cn=Manager,dc=testing,dc=com" -W -b "dc=testing,dc=com" "(objectClass=top)"
Enter LDAP Password:
ldap_bind: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I can't quite pinpoint what the problem might be.