On 11-10-27 10:37 AM, Braden McDaniel wrote:
On Wed, 2011-10-26 at 22:28 -0500, Dan White wrote:
On 26/10/11 22:53 -0400, Braden McDaniel wrote:
I am trying to get OpenLDAP (2.4.24) working with NSS on Fedora 15.  In
cn=config.ldif I have:

       olcTLSCACertificatePath: /etc/pki/nssdb
       olcTLSCertificateFile: endoframe
[snip]

Any ideas of what I might be doing wrong, or where I should be looking
to debug this?
slapd was not started with the proper options to listen on ldaps:/// (port
636).
Thank you.  That got me this far:

        # ldapsearch -H ldaps://rail -b dc=endoframe,dc=net -x -d1
        ldap_url_parse_ext(ldaps://rail)
        ldap_create
        ldap_url_parse_ext(ldaps://rail:636/??base)
        ldap_sasl_bind
        ldap_send_initial_request
        ldap_new_connection 1 1 0
        ldap_int_open_connection
        ldap_connect_to_host: TCP rail:636
        ldap_new_socket: 3
        ldap_prepare_socket: 3
        ldap_connect_to_host: Trying ::1 636
        ldap_pvt_connect: fd: 3 tm: -1 async: 0
        TLS: file endoframe.pem does not end in [.0] - does not appear to be a CA certificate directory file with a properly hashed file name - skipping.
        TLS: error: connect - force handshake failure: errno 0 - moznss error -5938
        TLS: can't connect: TLS error -5938:Encountered end of file.
        ldap_err2string
        ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I don't understand why it's looking for a file here.  My impression from
reading <http://www.openldap.org/faq/data/cache/1514.html> is that the
cert would be pulled from the database.


I think that error message is from your client side missing CA cert settings. try run 'authconfig-tui' command to see if that fixes it.