Hi Dan,
Thanks for your input! I just noticed this interesting tidbit in the output of that command.
TLS: hostname (ldap.summitnjhome.com) does not match common name in certificate (bsd2.summitnjhome.com).
ldap_perror
ldap_start_tls: Connect error (-11)
additional info: TLS: hostname does not match CN in peer certificate
Which is interesting, because I caught that earlier, and generated a new CSR and downloaded the cert once more. When I regenerated the CSR I made sure to copy-paste the output into the common name field of the generation process.
I'm enclosing the full output of that command as an attachment but I think my next step is to call godaddy... heh :)
On Sun, Nov 21, 2010 at 6:16 PM, Dan White dwhite@olp.net wrote:
On 21/11/10 17:24 -0500, bluethundr wrote:
I am attempting to set up SSL/TLS support on my OpenLDAP 2.4 server on FreeBSD.
LBSD2# pkg_info | grep openldap
openldap-sasl-client-2.4.23 Open source LDAP client implementation with SASL2 support
openldap-sasl-server-2.4.23 Open source LDAP server implementation
LBSD2# cat slapd.conf | grep -i tls
## TLS options for slapd
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /usr/local/etc/openldap/cacerts/bsd2.summitnjhome.com.crt
TLSCertificateKeyFile /usr/local/etc/openldap/cacerts/slapd.pem
TLSCACertificateFile /usr/local/etc/openldap/cacerts/sf_issuing.crt
Connection closed by 127.0.0.1
[root@VIRTCENT08:/etc/openldap/cacerts]#getent passwd | grep ldapAccount [same interminable wait as above]
This is what my /etc/ldap.conf file looks like on the client:
[root@VIRTCENT08:/etc/openldap/cacerts]#cat /etc/ldap.conf
base dc=summitnjhome,dc=com
timelimit 120
bind_timelimit 120
idle_timelimit 3600
uri ldap://ldap.summitnjhome.com/
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
pam_password crypt
<commented out lines removed>
Does an ldapsearch -d -1 -ZZ successfully connect?
If so, then that should rule out a problem with your slapd configuration and ldap client library configuration (the options within your ldap.conf used by the OpenLDAP client library). In that case, you might focus on your ldap nss configuration.
-- Dan White
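The error in the ldapsearch -d -1 output above is the client comparing the host in the URI (ldap.summitnjhome.com) with the names in the server certificate (CN bsd2.summitnjhome.com). The following is an added example, not code from the thread or from OpenLDAP: it approximates that client-side name check using the usual RFC 6125 / RFC 2818 rules (subjectAltName dNSName entries are authoritative when present, the subject CN is consulted only when there are none, and a wildcard covers exactly one leftmost label). Certificates are represented as already-parsed name sets built from the thread's hostnames (constructed sample data), so it runs offline; the function and class names are the example's own.

```python
"""Certificate name check of the kind an LDAP client performs on StartTLS.

Added example, not code from the thread or from OpenLDAP itself. It
approximates the client-side test behind the message
"TLS: hostname (...) does not match common name in certificate (...)"
using RFC 6125 / RFC 2818 rules: subjectAltName dNSName entries are
authoritative when present, the subject CN is consulted only when there are
none, and a wildcard may stand only for the whole leftmost label.
Certificates are represented as already-parsed name sets (constructed sample
data), so this runs offline.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class CertNames:
    """Names extracted from a server certificate (constructed, not parsed here)."""
    common_name: str
    dns_sans: List[str] = field(default_factory=list)


def _name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name, possibly a wildcard, against a hostname."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[2:]
    # Refuse wildcards that would cover a whole TLD such as "*.com".
    if "." not in suffix:
        return False
    head, sep, rest = host.partition(".")
    # The wildcard covers exactly one non-empty label; the rest must match.
    return bool(sep) and head != "" and rest == suffix


def cert_matches_host(cert: CertNames, host: str) -> bool:
    """True if the certificate is valid for the hostname the client connected to."""
    if cert.dns_sans:
        # dNSName SANs present: the CN is ignored entirely.
        return any(_name_matches(n, host) for n in cert.dns_sans)
    return _name_matches(cert.common_name, host)


def check_start_tls_name(cert: CertNames, host: str) -> str:
    """Return 'ok' or a diagnostic in the spirit of the ldapsearch -d -1 output."""
    if cert_matches_host(cert, host):
        return "ok"
    names = cert.dns_sans or [cert.common_name]
    source = "subjectAltName" if cert.dns_sans else "common name"
    return (f"TLS: hostname ({host}) does not match {source} in certificate "
            f"({', '.join(names)}); reissue with a SAN for {host} or point the "
            f"URI at one of the certificate's names")


# Constructed sample data modelled on the hostnames in the thread.
CERT_FROM_THREAD = CertNames(common_name="bsd2.summitnjhome.com")
REISSUED_WITH_SAN = CertNames(
    common_name="bsd2.summitnjhome.com",
    dns_sans=["bsd2.summitnjhome.com", "ldap.summitnjhome.com"],
)
WILDCARD_CERT = CertNames(common_name="*.summitnjhome.com")

if __name__ == "__main__":
    for cert, host in [
        (CERT_FROM_THREAD, "ldap.summitnjhome.com"),   # the thread's failure
        (CERT_FROM_THREAD, "bsd2.summitnjhome.com"),   # URI matches the CN
        (REISSUED_WITH_SAN, "ldap.summitnjhome.com"),  # SAN covers the alias
        (WILDCARD_CERT, "a.b.summitnjhome.com"),       # wildcard is one label only
    ]:
        print(f"{host:28} -> {check_start_tls_name(cert, host)}")
```

The practical consequence for the configuration in the thread: with `uri ldap://ldap.summitnjhome.com/` in /etc/ldap.conf, the certificate must carry ldap.summitnjhome.com either as the CN (when it has no dNSName SANs) or as a SAN; a certificate that only names bsd2.summitnjhome.com will fail this check no matter how many times it is reissued with that CN. Either request the certificate with a SAN for the alias, or change the URI to the name the certificate actually carries.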