Re: Stumped - SSL works for auth, sudo, etc, but fails for ldap user cronjobs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi,

what kind of certificate do you use, selfsigned? Are the certificates signed by the same CA?



Am 18.07.12, schrieb David Nguyen <d_k_nguyen@xxxxxxxxx>:
Hi all,

I have a strange one.  My current setup is working perfectly.  client1
is able to connect to ldap-server1 via SSL and everything is working
correctly. I then had a need to add another ldap server (ldap-server2)
as a multi-master replica and everything is working (user auth, sudo
via ldap users, ldapsearch, openssl, etc) except cronjobs for users
served out of ldap fail to run.

I can see this in the error log on ldap-server2:

[18/Jul/2012:11:18:00 -0700] - PR_Recv for connection 467 returns
-12195 (Peer does not recognize and trust the CA that issued your
certificate.)

If I set /etc/ldap.conf to not use SSL (URI ldap://fqdn vs URI
ldaps://fqdn:636), the cronjobs fire just fine.

So it appears as though there is an SSL cert issue, but I'm stumped
because all of the other services that use ldap on client1 work except
cron jobs (root cron fires fine as expected since nsswitch is set to
files then ldap).

If I replace the URI string in /etc/ldap.conf to point at
ldap-server1, cron starts working.

Both ldap-server1 and ldap-server2 are using running the same OS and
kernel version (RHEL5) as well as the same version of 389 DS
(389-ds-1.2.1-1.el5).

Any ideas as to what could be causing this problem?   Here is the
/etc/ldap.conf on client1 if it matters:

====== begin /etc/ldap.conf =======
URI ldaps://ops-ldap006.svale.netledger.com:636
base dc=netsuite,dc=com

timelimit 10
bind_policy soft
nss_reconnect_tries 3
bind_timelimit 6
idle_timelimit 30
sudoers_base   ou=SUDOers,dc=netsuite,dc=com
sudoers_debug 0

##ssl start_tls
TLS_CACERT      /etc/openldap/cacerts/ca.crt
TLS_CACERTFILE  /etc/openldap/cacerts/ca.crt
TLS_REQCERT     demand
pam_lookup_policy yes
pam_password exop

nss_initgroups_ignoreusers root,named,avahi,haldaemon,dbus,gdm,postfix,puppet

====== end /etc/ldap.conf =======




Thanks in advance,
David
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
--
Carsten Grzemba
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux