On 11-10-27 10:37 AM, Braden McDaniel wrote:
On Wed, 2011-10-26 at 22:28 -0500, Dan White wrote:
On 26/10/11 22:53 -0400, Braden McDaniel wrote:
I am trying to get OpenLDAP (2.4.24) working with NSS on Fedora 15. In cn=config.ldif I have:
olcTLSCACertificatePath: /etc/pki/nssdb olcTLSCertificateFile: endoframe
[snip]
Any ideas of what I might be doing wrong, or where I should be looking to debug this?
slapd was not started with the proper options to listen on ldaps:/// (port 636).
Thank you. That got me this far:
# ldapsearch -H ldaps://rail -b dc=endoframe,dc=net -x -d1 ldap_url_parse_ext(ldaps://rail) ldap_create ldap_url_parse_ext(ldaps://rail:636/??base) ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP rail:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying ::1 636 ldap_pvt_connect: fd: 3 tm: -1 async: 0 TLS: file endoframe.pem does not end in [.0] - does not appear to be a CA certificate directory file with a properly hashed file name - skipping. TLS: error: connect - force handshake failure: errno 0 - moznss error -5938 TLS: can't connect: TLS error -5938:Encountered end of file. ldap_err2string ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
I don't understand why it's looking for a file here. My impression from readinghttp://www.openldap.org/faq/data/cache/1514.html is that the cert would be pulled from the database.
I think that error message is from your client side missing CA cert settings. try run 'authconfig-tui' command to see if that fixes it.