Sandor Szalina sszalina@yahoo.com writes:
--- On Wed, 8/9/10, Marc Patermann hans.moser@ofd-z.niedersachsen.de wrote:
From: Marc Patermann hans.moser@ofd-z.niedersachsen.de
[...]
Sandor Szalina wrote on 08.09.2010 12:16:
I have installed openldap 2.2.13 with rpm on Red Hat Enterprise Linux ES release 4 (Nahant Update 8). I have set the TLS settings too.

Man, 2.2.13 is ancient: http://www.openldap.org/lists/openldap-announce/200406/msg00002.html
You really should try a /newer/ release.
With the user root I can start ldapsearch and I receive the result successfully; the ldap client can connect to the ldap server. However, if I log in with another user I receive the following message:

ldap_bind: Can't contact LDAP server (-1)

What can be the problem? Thanks for the help in advance,

You did not provide any details
- on how you use ldapsearch and
- about the server and client side config
Thanks for your mail. Here is the information:
The running slapd process is:

ldap 21697 1 0 07:14 ? 00:00:00 /usr/sbin/slapd -u ldap -h ldaps://*:8108 -f /etc/openldap/slapd.conf
The slapd.conf is:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/local.schema

allow bind_v2

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/servercrt.pem
TLSCertificateKeyFile /etc/openldap/serverkey.pem

database bdb
suffix "dc=test"
rootdn "cn=Admin,dc=test"
rootpw mypasswd
directory /var/lib/ldap

index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
The port 8108 is opened in the firewall.
On the client side there is .ldaprc in the home directory with the following content:
TLS_REQCERT allow
The client needs to know the certificate authority in order to verify the server certificate, so either specify TLS_CACERT or let the client skip verifying the server certificate altogether, which is not advisable.
-Dieter
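As an added illustration of the point in the reply above (this script is not from the thread and not part of OpenLDAP), here is a small POSIX shell audit of an OpenLDAP client configuration file (~/.ldaprc or /etc/openldap/ldap.conf) for the two options involved, TLS_REQCERT and TLS_CACERT. It also checks that the CA file is readable by the user running it, since a .ldaprc or CA file that only root can read would explain ldapsearch working as root and failing as another user; that is an assumption, not something the thread establishes. The two sample configs it writes are constructed: one mirrors the .ldaprc posted in the thread, the other the corrected form pointing TLS_CACERT at a CA file (in a real setup, the cacert.pem the slapd.conf above names) and leaving TLS_REQCERT at its ldap.conf(5) default of demand. All path names are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenLDAP: audit an OpenLDAP
# client config (.ldaprc / ldap.conf) for server-certificate verification.
# Run it as the user whose ldapsearch fails, because both the config file
# and the CA file must be readable by that user, not only by root.

# conf_value FILE KEYWORD: last value of KEYWORD in FILE.
# Keywords are case-insensitive; lines starting with '#' are comments.
conf_value() {
    awk -v k="$2" 'substr($1,1,1)!="#" && toupper($1)==k {v=$2} END{print v}' "$1"
}

# check_ldap_tls_conf FILE
# Returns 0 when FILE makes the client verify the server certificate against
# a trust anchor it can actually read; otherwise prints why and returns 1.
check_ldap_tls_conf() {
    conf="$1"
    rc=0
    if [ ! -r "$conf" ]; then
        echo "$conf: not readable by $(id -un)"
        return 1
    fi
    reqcert=$(conf_value "$conf" TLS_REQCERT | tr '[:upper:]' '[:lower:]')
    cacert=$(conf_value "$conf" TLS_CACERT)
    cacertdir=$(conf_value "$conf" TLS_CACERTDIR)

    # ldap.conf(5): never/allow do not verify, try accepts a server that sends
    # no certificate, demand (alias hard) is the default and verifies.
    case "$reqcert" in
        ""|demand|hard) echo "TLS_REQCERT ${reqcert:-unset (default: demand)}: server certificate is verified" ;;
        never|allow)    echo "TLS_REQCERT $reqcert: server certificate is NOT verified"; rc=1 ;;
        try)            echo "TLS_REQCERT try: a server that sends no certificate is accepted"; rc=1 ;;
        *)              echo "TLS_REQCERT $reqcert: unknown value"; rc=1 ;;
    esac

    # Verification needs a trust anchor: a CA bundle file or a hashed CA directory.
    if [ -n "$cacert" ]; then
        if [ -r "$cacert" ]; then
            echo "TLS_CACERT $cacert: readable by $(id -un)"
        else
            echo "TLS_CACERT $cacert: not readable by $(id -un)"; rc=1
        fi
    elif [ -n "$cacertdir" ]; then
        if [ -d "$cacertdir" ] && [ -r "$cacertdir" ]; then
            echo "TLS_CACERTDIR $cacertdir: readable by $(id -un)"
        else
            echo "TLS_CACERTDIR $cacertdir: not a readable directory"; rc=1
        fi
    else
        echo "neither TLS_CACERT nor TLS_CACERTDIR is set: no CA to verify the server against"
        rc=1
    fi
    return $rc
}

# Constructed sample configs (placeholders, not from the thread) so the
# script runs offline: WEAK_CONF mirrors the posted .ldaprc, GOOD_CONF the
# corrected form with a CA file and the default TLS_REQCERT demand.
DEMO_DIR=$(mktemp -d)
WEAK_CONF="$DEMO_DIR/ldaprc.weak"
GOOD_CONF="$DEMO_DIR/ldaprc.good"
printf 'TLS_REQCERT allow\n' > "$WEAK_CONF"
printf '# constructed placeholder, not a real CA certificate\n' > "$DEMO_DIR/cacert.pem"
printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$DEMO_DIR/cacert.pem" > "$GOOD_CONF"

echo "--- $WEAK_CONF"
check_ldap_tls_conf "$WEAK_CONF" || echo "=> $WEAK_CONF does not verify the server"
echo "--- $GOOD_CONF"
check_ldap_tls_conf "$GOOD_CONF" && echo "=> $GOOD_CONF verifies the server"
```

To audit a real client, call check_ldap_tls_conf on ~/.ldaprc (and on /etc/openldap/ldap.conf, since both are read) while logged in as the failing user. For the handshake itself, ldapsearch -d 1 prints the TLS error the library saw instead of the bare "Can't contact LDAP server (-1)", and openssl s_client -connect host:8108 -CAfile /path/to/cacert.pem shows whether the server's chain verifies against that CA at all.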