On 11-10-27 2:05 PM, Braden McDaniel wrote:
On Thu, 2011-10-27 at 08:44 -0600, Rich Megginson wrote:
[snip]
What is your /etc/openldap/ldap.conf?
That question led me to a bogus setting for TLS_CACERTDIR. First, I tried simply commenting the line out, figuring the value of olcTLSCACertificatePath in cn=config.ldif would be used. That produced this:
# ldapsearch -H ldaps://rail -b dc=endoframe,dc=net -x -d1
ldap_url_parse_ext(ldaps://rail)
ldap_create
ldap_url_parse_ext(ldaps://rail:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP rail:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying ::1 636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: error: tlsm_PR_Recv returned 0 - error 21:Is a directory
TLS: error: connect - force handshake failure: errno 21 - moznss error -5938
TLS: can't connect: TLS error -5938:Encountered end of file.
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
So, instead, I set the value of TLS_CACERTDIR to match that of olcTLSCACertificatePath. ldap.conf now looks like this:
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

URI ldap://rail.endoframe.net/
BASE dc=endoframe,dc=net
TLS_CACERTDIR /etc/pki/nssdb
That still doesn't do the trick; but it did change the error message:
# ldapsearch -H ldaps://rail -b dc=endoframe,dc=net -x -d1
ldap_url_parse_ext(ldaps://rail)
ldap_create
ldap_url_parse_ext(ldaps://rail:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP rail:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying ::1 636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: using moznss security dir /etc/pki/nssdb prefix .
TLS: error: tlsm_PR_Recv returned 0 - error 17:File exists
TLS: error: connect - force handshake failure: errno 17 - moznss error -5938
TLS: can't connect: TLS error -5938:Encountered end of file.
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Why don't you simply try
TLS_CACERT /etc/pki/nssdb/<filename>
instead of
TLS_CACERTDIR /etc/pki/nssdb
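An added example, not code from the thread: a small POSIX shell check that reads TLS_CACERT / TLS_CACERTDIR from a client ldap.conf and reports whether each points at something the client can actually use (a PEM file, an NSS database directory as the "moznss security dir" output above expects, or a hashed-PEM directory for OpenSSL builds). The hostnames and paths in the fixture are constructed; nothing here touches a real directory server.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the TLS trust directives in an
# OpenLDAP client ldap.conf before resorting to ldapsearch -d1.
#   TLS_CACERT    should be a readable PEM file holding at least one certificate
#   TLS_CACERTDIR should be a directory; a MozNSS-built client expects an NSS
#                 database there (cert8.db or cert9.db), an OpenSSL-built client
#                 expects hashed PEM files (e.g. 1a2b3c4d.0)
# Prints one line per directive; returns 0 only when every directive is usable.
check_ldap_tls_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }
    # drop comments and blank lines, then inspect each remaining directive
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf" | {
        rc=0
        while read -r key value; do
            key=$(printf '%s' "$key" | tr '[:lower:]' '[:upper:]')  # names are case-insensitive
            case "$key" in
            TLS_CACERT)
                if [ -f "$value" ] && grep -q 'BEGIN CERTIFICATE' "$value"; then
                    echo "ok   TLS_CACERT $value (PEM certificate file)"
                else
                    echo "BAD  TLS_CACERT $value (not a readable PEM certificate file)"; rc=1
                fi ;;
            TLS_CACERTDIR)
                if [ ! -d "$value" ]; then
                    echo "BAD  TLS_CACERTDIR $value (not a directory)"; rc=1
                elif [ -f "$value/cert8.db" ] || [ -f "$value/cert9.db" ]; then
                    echo "ok   TLS_CACERTDIR $value (NSS certificate database)"
                elif ls "$value"/*.[0-9] >/dev/null 2>&1; then
                    echo "ok   TLS_CACERTDIR $value (hashed PEM directory)"
                else
                    echo "BAD  TLS_CACERTDIR $value (neither NSS database nor hashed PEM files)"; rc=1
                fi ;;
            esac
        done
        exit $rc   # the group runs in a subshell; its exit status becomes the function's
    }
}

# Constructed fixture (no real hosts or files): two configs modelled on the thread's
# ldap.conf, one whose TLS_CACERTDIR holds an NSS database, one pointing at an empty dir.
make_fixture() {
    d=$(mktemp -d)
    mkdir "$d/nssdb" "$d/empty"
    : > "$d/nssdb/cert8.db"
    printf 'URI ldap://ldap.example.test/\nBASE dc=example,dc=test\nTLS_CACERTDIR %s\n' "$d/nssdb" > "$d/good.conf"
    printf 'URI ldap://ldap.example.test/\nBASE dc=example,dc=test\nTLS_CACERTDIR %s\n' "$d/empty" > "$d/bad.conf"
    echo "$d"
}
```

On a real client run `check_ldap_tls_conf /etc/openldap/ldap.conf`; a "BAD" line for TLS_CACERTDIR is the configuration-side counterpart of the "Is a directory" / "File exists" errors in the debug output above.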