On Mon, Jul 28, 2008 at 12:02:44PM -0700, Howard Chu wrote:
John Oliver wrote:
On my test client, ldap.conf has:
host 10.99.16.7
base dc=mydomain,dc=com
url ldaps://unix-services2.mydomain.com:636
timelimit 120
bind_timelimit 120
idle_timelimit 3600
ssl yes
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer no
pam_password md5
The above is not valid for an OpenLDAP ldap.conf. (See the ldap.conf(5) manpage for what's valid.) It appears to be a PADL nss_ldap config file, but it's still invalid for that purpose. Make sure you're actually looking at the correct config file...
If I change the "host" and "url" to the other LDAP server, it works perfectly.
I'm looking at that page now. But if that config "isn't valid", why does it work perfectly if I change it to:
host 10.99.16.5
base dc=mydomain,dc=com
url ldaps://unix-services.mydomain.com:636
timelimit 120
bind_timelimit 120
idle_timelimit 3600
ssl yes
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer no
pam_password md5
That results in perfectly working authentication. Yes, I understand that that may mean that my working server is borken, and my borken ldap.conf just happens to be borken in just the right way to work.
I do appreciate all of the help, and apologize if I seem dense. I know that the root cause is my lack of knowledge here. I'm reading as fast as I can, but an awful lot of this documentation assumes a lot of things. I've never worked with SSL before, and my eyes are rolling back in my head :-) On top of that, I have people breathing down the back of my neck to make this work on a short deadline. Very frustrating :-(
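An added check, not part of this thread or of either project, that makes the distinction Howard draws concrete: it lints a flat ldap.conf against the keyword sets of OpenLDAP ldap.conf(5) and PADL nss_ldap and flags directives that switch off server certificate verification, such as the tls_checkpeer no in the quoted config. Both keyword sets are my assumptions from the two manpages; extend them from the copies on your own system.

```python
# Added example (not from the thread): lint a flat ldap.conf against the keyword
# sets of OpenLDAP ldap.conf(5) and PADL nss_ldap, and flag settings that disable
# server certificate checking. Both keyword sets are assumptions from the manpages.

OPENLDAP_KEYS = {                                      # ldap.conf(5), lower-cased
    "uri", "base", "binddn", "host", "port", "deref", "sizelimit", "timelimit",
    "network_timeout", "referrals", "version", "tls_cacert", "tls_cacertdir",
    "tls_cert", "tls_key", "tls_cipher_suite", "tls_randfile", "tls_reqcert",
}
NSS_LDAP_KEYS = {                                      # PADL nss_ldap / pam_ldap
    "host", "base", "uri", "ldap_version", "binddn", "bindpw", "rootbinddn",
    "port", "scope", "timelimit", "bind_timelimit", "bind_policy",
    "idle_timelimit", "ssl", "sslpath", "tls_checkpeer", "tls_cacertfile",
    "tls_cacertdir", "tls_cert", "tls_key", "tls_ciphers", "pam_password",
    "pam_filter", "nss_base_passwd", "nss_base_group", "nss_base_shadow",
}

def parse(text):
    """Yield (key, value) with keys lower-cased; comments and blank lines skipped."""
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        yield parts[0].lower(), (parts[1] if len(parts) > 1 else "")

def lint(text):
    """Keys unknown to each dialect, plus directives that turn off peer
    certificate verification (tls_checkpeer no, TLS_REQCERT never/allow)."""
    pairs = list(parse(text))
    keys = {k for k, _ in pairs}
    weak = [f"{k} {v}" for k, v in pairs
            if (k == "tls_checkpeer" and v.lower() == "no")
            or (k == "tls_reqcert" and v.lower() in ("never", "allow"))]
    return {"not_openldap": sorted(keys - OPENLDAP_KEYS),
            "not_nss_ldap": sorted(keys - NSS_LDAP_KEYS),
            "weak_tls": weak}

# The client config quoted in the thread, one directive per line (constructed
# sample input; hostname and address as posted).
THREAD_CONF = """host 10.99.16.7
base dc=mydomain,dc=com
url ldaps://unix-services2.mydomain.com:636
timelimit 120
bind_timelimit 120
idle_timelimit 3600
ssl yes
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer no
pam_password md5
"""
```

Run `lint(THREAD_CONF)`: the only key neither dialect knows is `url` (nss_ldap spells it `uri`), and `tls_checkpeer no` is reported as disabling verification of the ldaps server's certificate.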