Re: [389-users] Start TLS request accepted. Server willing to negotiate SSL

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

I knew I should have mentioned that.  The /etc/openldap/ldap.conf has the same entry

 

TLS_CACERTDIR /etc/openldap/cacerts/cacert.asc

TLS_REQCERT allow

 

However I did notice that I was using CACERTDIR instead of CACERT to point at the file…

Now I have

TLS_CACERT /etc/openldap/cacerts/cacert.asc

 

I now get this message which seems to be progress but still failing. That the hostname did not match the cert name and was giving ip as hostname.  Changed host line in /etc/ldap.conf and /etc/openldap/ldap.conf to read fqdn instead of ip addresses and now no more problems.

 

Thanks for making me look at it again so I noticed my error

 

 

 

From: 389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx [mailto:389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Angel Bosch Mora
Sent: Tuesday, October 04, 2011 10:12 AM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Start TLS request accepted. Server willing to negotiate SSL

 

is not the same

    /etc/ldap.conf

than

    /etc/openldap/ldap.conf

seems that you're missing second one.

While attempting to change a directory password I keep getting this message…

 

[root@xxx ~]# ldappasswd -x -ZZ -D "cn=directory manager" -w “mypass” uid=se253264,ou=people,dc=xxx,dc=cle=dc=us" -a "oldpass" -s "newpass"

ldap_start_tls: Connect error (-11)

        additional info: Start TLS request accepted.Server willing to negotiate SSL.

 

In researching this I found to add –d1 for additional debugging information and found this probably relevant

 

TLS: could not load client CA list (file:`',dir:`/etc/openldap/cacerts/cacert.asc').

TLS: error:0200A014:system library:opendir:Not a directory ssl_cert.c:816

TLS: error:140D7002:SSL routines:SSL_add_dir_cert_subjects_to_stack:system lib ssl_cert.c:818

ldap_perror

 

I do have the following in my /etc/ldap.conf file

ssl yes

tls_cacertdir /etc/openldap/cacerts

TLS_REQCERT allow

pam_password exop

 

And the cacert.asc does exist in that directory.  This is the cacert.asc that was created during setup of this machine using the setupssl.sh script and I copied it to the requested directory.  I am not seeing anything additional on the HowtoSSL page and realize that TLS is necessary for the password change function.

 

Thanks for any help you may have.  I am also under the impression I am supposed to copy the cacert.asc to each client machine so they can authenticate against the cert. is this true also?

David Hoskinson | DATATRAK International
Systems Engineer
Mayfield Heights, Ohio, USA 
+1.440.443.0082 x 124 (p) | +1.216.280.5457 (m)
david.hoskinson@xxxxxxxxxxxx | www.datatrak.net

 


--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users

 

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux