Hi again,
man, I mixed up a lot of things ...
Hope, I finally understand what I did wrong:
Ubuntu 8.04 creates a huge /etc/ldap.conf as a substitute for libnss_ldap.conf and libpam_ldap.conf. I misunderstood this file to be the LDAP client configuration, which it is obviously not. Instead, it's the configuration for libnss-ldap and libpam-ldap.
In some wiki article, I read that it would be o.k. to softlink /etc/ldap/ldap.conf to /etc/ldap.conf to have a fewer number of configuration files. I did that and forgot to mention in my first mail.
That's why I used keywords like tls_cacertfile and others, because that's just the way those parameters are called in that file.
I hope to be smarter next time ;-)
So, what I did now: I created a new /etc/ldap/ldap.conf with only a few entries:
===== /etc/ldap/ldap.conf =====
BASE dc=... URI ldaps://<fqdn>/ TLS_REQCERT yes TLS_CACERT /usr/lib/ssl/cacerts/<ca>.chain.crt
=== END /etc/ldap/ldap.conf ===
after that, ldapsearch -x was successful.
Then I re-installed libnss/libpam-ldap and set the neccessary nss/pam values in the auto-generated /etc/ldap.conf. Finally, I adapted common-* in /etc/pam.d/ and getent passwd, id <user> and su worked the way I wanted them to.
I still have a problem with TLSVerifyClient demand, but that's something for another thread and only after some more reading and testing ;-)
Thanks again for your help, I learned a lot :-)
Best regards,
Hauke
----- Ursprüngliche Mail ----- Von: "Buchan Milne" bgmilne@staff.telkomsa.net An: openldap-technical@openldap.org CC: hyc@symas.com, "Hauke Coltzau" hauke.coltzau@FernUni-Hagen.de Gesendet: Donnerstag, 28. August 2008 13:31:58 GMT +01:00 Amsterdam/Berlin/Bern/Rom/Stockholm/Wien Betreff: Re: [SOLVED] Re: SLAPD 2.4.9 and OpenSSL 0.9.8g on Ubuntu 8.04 server - client certificate not read
On Thursday 28 August 2008 12:28:25 Hauke Coltzau wrote:
Hi everybody,
thank you all for your immediate replies.
As you correctly pointed out, the options I used were wrong. With following ldap.conf, everything works out fine.
base dc=... URI ldaps://<fqdn of ldap server>/ ldap_version 3 rootbinddn cn=... bind_policy soft pam_password md5
TLS_REQCERT yes TLS_CACERT /usr/lib/ssl/certs/<ca>.chain.crt
The ldap.conf I used before has been created by dpkg-reconfigure and I simply changed the default values there. That was a mistake ;-) Creating a new ldap.conf from scratch with a man-page at hand obviously did the trick.
You still seem to be confused between different ldap.conf files, bind_policy, pam_password etc. are not valid in the OpenLDAP ldap.conf file, most likely one belongs in /etc/libnss_ldap.conf and the the other in /etc/libpam_ldap.conf (on Debian-based systems, or /etc/ldap.conf on distros that use the default config file location for nss_ldap/pam_ldap as shipped upstream).
While you may have a working configuration, it may be more by luck than good judgement.
Regards, Buchan