/etc/ldap.conf
than
/etc/openldap/ldap.conf
seems that you're missing second one.
While attempting to change a directory password I keep getting this message…
[root@xxx ~]# ldappasswd -x -ZZ -D "cn=directory manager" -w “mypass” uid=se253264,ou=people,dc=xxx,dc=cle=dc=us" -a "oldpass" -s "newpass"
ldap_start_tls: Connect error (-11)
additional info: Start TLS request accepted.Server willing to negotiate SSL.
In researching this I found to add –d1 for additional debugging information and found this probably relevant
TLS: could not load client CA list (file:`',dir:`/etc/openldap/cacerts/cacert.asc').
TLS: error:0200A014:system library:opendir:Not a directory ssl_cert.c:816
TLS: error:140D7002:SSL routines:SSL_add_dir_cert_subjects_to_stack:system lib ssl_cert.c:818
ldap_perror
I do have the following in my /etc/ldap.conf file
ssl yes
tls_cacertdir /etc/openldap/cacerts
TLS_REQCERT allow
pam_password exop
And the cacert.asc does exist in that directory. This is the cacert.asc that was created during setup of this machine using the setupssl.sh script and I copied it to the requested directory. I am not seeing anything additional on the HowtoSSL page and realize that TLS is necessary for the password change function.
Thanks for any help you may have. I am also under the impression I am supposed to copy the cacert.asc to each client machine so they can authenticate against the cert. is this true also?
David Hoskinson | DATATRAK International
Systems Engineer
Mayfield Heights, Ohio, USA
+1.440.443.0082 x 124 (p) | +1.216.280.5457 (m)
david.hoskinson@xxxxxxxxxxxx | www.datatrak.net
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
-- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users
