Re: LDAP Server Access Problem




Paul R. Ganci wrote:
Note that ldap 'client' applications like ldapsearch
use /etc/openldap/ldap.conf so I would suspect that the 'certificates'
used by the 2 machines are different.

This might be the missing piece.
The certificates were generated from a signing request to CAcert.
However, while the certificate is installed on the server machine it is
not installed on the remote machine. I didn't think that was necessary
especially given that the certificate was generated explicitly for
example.mydomain.com. I can try this.

I do know that the CAcert root certificate is not accepted by LDAP as
coming from a valid certificate root authority. I managed to get around
this by explicitly adding CAcert's root certificate
to /etc/pki/tls/certs/ca-bundle.crt and adding that path to
the /etc/openldap/ldap.conf config. I will try installing the
certificate and then adding the path in /etc/openldap/ldap.conf. I
probably should have shown the /etc/openldap/ldap.conf file. For the
record here it is:

HOST example.mydomain.com
BASE dc=mydomain,dc=com
URI ldaps://example.mydomain.com:636/
tls_cacertfile /etc/pki/tls/certs/ca-bundle.crt
TLS_CACERTDIR /etc/openldap/cacerts

Have to go to work now so will try later. Thanks.

add -d 256 (or even higher debug level) to the ldapsearch command for
debugging - I'm not going to hazard any actual guesses.

Thanks for this suggestion ... should have thought of it myself.


It occurs to me that you can turn off certificate validation by setting the TLS_REQCERT entry in either /etc/openldap/ldap.conf or ${HOME}/.ldaprc. Here's part of my .ldaprc:

TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
TLS_REQCERT     never

If you run ldapsearch with "-d 1" you will see that it is indeed using the server's certificate but is not checking it for validity. I usually use this for testing purposes.

Also, you generally don't want to use both HOST and URI at the same time. It can sometimes confuse issues.
--
Jay Leafey - Memphis, TN
jay.leafey@xxxxxxxxxxxx
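The two client configs quoted in this thread illustrate the settings worth auditing before trusting an ldaps:// connection: TLS_REQCERT never (validation off), HOST and URI set together, and a trust-anchor line libldap does not actually read. The following audit script is an added example, not code from the thread or from OpenLDAP; it assumes libldap's documented defaults (TLS_REQCERT defaults to demand, keywords are case-insensitive, unknown keywords are skipped) and its KNOWN_KEYS list is a subset of ldap.conf(5).

```python
"""Audit an OpenLDAP client config (ldap.conf or ~/.ldaprc) for weak TLS settings."""

# Subset of ldap.conf(5) keywords this audit recognises (keywords are case-insensitive).
# tls_cacertfile is an nss_ldap/pam_ldap keyword, not a libldap one, so the
# OpenLDAP client library (ldapsearch) silently ignores that line.
KNOWN_KEYS = {
    "BASE", "URI", "HOST", "PORT", "BINDDN", "DEREF", "SIZELIMIT", "TIMELIMIT",
    "NETWORK_TIMEOUT", "TIMEOUT", "REFERRALS", "SASL_MECH", "SASL_REALM",
    "SASL_AUTHCID", "SASL_AUTHZID", "SASL_SECPROPS", "TLS_CACERT", "TLS_CACERTDIR",
    "TLS_CERT", "TLS_KEY", "TLS_CIPHER_SUITE", "TLS_RANDFILE", "TLS_REQCERT",
    "TLS_CRLCHECK", "TLS_CRLFILE", "TLS_PROTOCOL_MIN",
}

def parse_ldap_conf(text):
    """Return {KEYWORD: value}; blank lines and '#' comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def audit_ldap_conf(text):
    """Return a list of findings; an empty list means nothing looked wrong."""
    conf = parse_ldap_conf(text)
    findings = []
    # libldap's default for TLS_REQCERT is 'demand': validate, fail on a bad cert.
    reqcert = conf.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: server certificate is not validated")
    if "HOST" in conf and "URI" in conf:
        findings.append("HOST and URI both set: drop HOST and keep URI")
    if "TLS_CACERT" not in conf and "TLS_CACERTDIR" not in conf:
        findings.append("no TLS_CACERT or TLS_CACERTDIR: no trust anchor for TLS")
    for key in conf:
        if key not in KNOWN_KEYS:
            findings.append(f"{key}: not an ldap.conf(5) keyword, libldap ignores it")
    return findings

# Constructed samples: the ldap.conf posted in the thread and the .ldaprc above.
THREAD_LDAP_CONF = """\
HOST example.mydomain.com
BASE dc=mydomain,dc=com
URI ldaps://example.mydomain.com:636/
tls_cacertfile /etc/pki/tls/certs/ca-bundle.crt
TLS_CACERTDIR /etc/openldap/cacerts
"""
TEST_LDAPRC = "TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt\nTLS_REQCERT     never\n"
```

Run `audit_ldap_conf()` over each file ldapsearch consults (/etc/openldap/ldap.conf, then ~/.ldaprc); the thread's ldap.conf yields two findings, and the .ldaprc fragment yields the TLS_REQCERT one.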


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
