Thank you Johannes, > Can you try again without ignoring the certificate, but specify the server'sFQDN > instead of localhost? I have done as you suggest (see dsrc contents below), restarted the instance, then (note: ldaps://ent-a.aeho.lan): LDAPTLS_CACERT=/etc/dirsrv/slapd-localhost/ca.crt ldapwhoami -v -H ldaps://ent-a.aeho.lan -D uid=huncl01,ou=people,dc=aeho,dc=lan -W -x and the results remains: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) If that worked, I would be very concerned as the whole idea is not *not* be tied to a specific hostname (unless running multiple LDAP servers, no?) I've put everything back the way it should (?!) be... but here's my .dsrc file to test your theory: [localhost] uri = ldapi://%%2fvar%%2frun%%2fslapd-localhost.socket basedn = dc=aeho,dc=lan binddn = cn=Directory Manager [localhost-ldaps] #uri = ldaps://localhost uri = ldaps://ent-a.aeho.lan basedn = dc=aeho,dc=lan binddn = cn=Directory Manager tls_cacertdir = /389 _______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
