Hello Aaron, I already changed the parameter in pam_ldap.conf and in nslcd.conf to "ssl on" instead of "ssl start_tls".
Anywhere else? Thanks for the advice, I thought I had fixed it... and in fact ldapsearch -x -H ldaps://server does work; the problem is within pam, it seems to be stuck using start_tls...
On 04/14/2011 07:08 PM, Aaron Richton wrote:
On Thu, 14 Apr 2011, Judith Flo Gaya wrote:
Apr 14 18:54:34 curri0 slapd[2010]: conn=1019 fd=12 ACCEPT from IP=[::1]:36208 (IP=[::]:636)
Apr 14 18:54:34 curri0 slapd[2010]: conn=1019 fd=12 TLS established tls_ssf=256 ssf=256
Apr 14 18:54:34 curri0 slapd[2010]: conn=1019 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Apr 14 18:54:34 curri0 slapd[2010]: conn=1019 op=0 STARTTLS
Apr 14 18:54:34 curri0 slapd[2010]: conn=1019 op=0 RESULT oid= err=1 text=TLS already started
Apr 14 18:54:34 curri0 slapd[2010]: conn=1019 op=1 UNBIND
Apr 14 18:54:34 curri0 slapd[2010]: conn=1019 fd=12 closed
So you're trying to issue a StartTLS operation over an implicit SSL connection? There's no point to starting encryption on a connection that's already encrypted (hence the error). Either combine:
a cleartext port (i.e. 389) with the StartTLS operation
or
an SSL port (i.e. 636) with NO StartTLS operation.
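As an added example (not part of this thread or of OpenLDAP), a small Python check over the slapd log lines quoted above: it groups entries by connection and flags a StartTLS extended operation arriving on a connection where slapd already reported "TLS established", which is exactly the misconfiguration Aaron describes. The log text is the one quoted in the thread; the function name is my own.

```python
import re
from collections import defaultdict

# Sample input: the slapd log lines quoted in the thread, one entry per line.
SLAPD_LOG = """\
Apr 14 18:54:34 curri0 slapd[2010]: conn=1019 fd=12 ACCEPT from IP=[::1]:36208 (IP=[::]:636)
Apr 14 18:54:34 curri0 slapd[2010]: conn=1019 fd=12 TLS established tls_ssf=256 ssf=256
Apr 14 18:54:34 curri0 slapd[2010]: conn=1019 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Apr 14 18:54:34 curri0 slapd[2010]: conn=1019 op=0 STARTTLS
Apr 14 18:54:34 curri0 slapd[2010]: conn=1019 op=0 RESULT oid= err=1 text=TLS already started
Apr 14 18:54:34 curri0 slapd[2010]: conn=1019 op=1 UNBIND
Apr 14 18:54:34 curri0 slapd[2010]: conn=1019 fd=12 closed
"""

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # LDAP StartTLS extended operation (RFC 4511)
CONN_RE = re.compile(r"slapd\[\d+\]: conn=(\d+) (.*)$")
ACCEPT_RE = re.compile(r"ACCEPT from IP=(\S+) \(IP=(.*):(\d+)\)")


def find_redundant_starttls(log_text):
    """Return [(conn_id, client, listener_port)] for every connection that sent
    StartTLS after the transport was already TLS (i.e. on the ldaps listener).
    Such a client is configured for start_tls while pointing at ldaps://."""
    conns = defaultdict(lambda: {"client": None, "port": None,
                                 "tls": False, "redundant": False})
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue  # not a per-connection slapd entry
        conn_id, rest = m.group(1), m.group(2)
        st = conns[conn_id]
        a = ACCEPT_RE.search(rest)
        if a:
            st["client"], st["port"] = a.group(1), int(a.group(3))
        elif "TLS established" in rest:
            st["tls"] = True  # implicit SSL handshake done on accept
        elif f"EXT oid={STARTTLS_OID}" in rest and st["tls"]:
            st["redundant"] = True  # StartTLS on an already-encrypted session
    return [(cid, s["client"], s["port"])
            for cid, s in conns.items() if s["redundant"]]


if __name__ == "__main__":
    for cid, client, port in find_redundant_starttls(SLAPD_LOG):
        print(f"conn={cid} from {client}: StartTLS over already-encrypted port {port}; "
              "use 'ssl on' with ldaps:// (636) or 'ssl start_tls' with ldap:// (389)")
```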