Le 22/10/2015 19:44, Olivier a écrit :
Hi Clément,
yep, I know that and it works. But the problem is that this is the only client where I get this behaviour with ldapsearch and I'd like to uderstand why.
The real problem I have behind, is that I saw that to have user authentication over ldap working, I have DESACTIVATE TLS for ldap queries : even for a very internal machine, I really don't want to leave the configuration like that.
Here is what makes it work :
nsswitch.conf : passwd: files ldap
/etc/ldap.conf ... #ssl start_tls #tls_cacertdir /etc/openldap/cacerts ...
I can't leave things like this.
There should be no link between you GSSAPI problem and the StartTLS option. You can indeed try to use StartTLS in ldapsearch to see if your SSL configuration is correct, in this case, use -x to bypass the SASL authentication.
Then you need to import the CA which signed your LDAP server certificate on your clients to let them verify the certificate when requesting the LDAP with StartTLS.