8><--------
> > So what did I do wrong?
> ---- probably should only use uri and not host in /etc/openldap/ldap.conf

yep, I can take that out....

> And it's clear that ldap.vuw.ac.nz != cn=vuwunicvfdsm001.vuw.ac.nz (certificate)

Sorry, I fail to see it as that clear (until now you explain it anyway!) ....Working through the FDS/RDS documentation I seem to have failed to notice that it clearly (if at all???) explains what cn= should equal, or indeed that the setting in ldap.conf needs to be the same....in terms of DNS they do equal, as ldap is a CNAME of vuwunicvfdsm001.... The advantage of using a CNAME is I can upgrade the system and do a simple CNAME change to replace the servers....

Thanks, I have changed,

#uri ldap://ldap.vuw.ac.nz/

To,

uri ldap://vuwunicvfdsm001.vuw.ac.nz/

So I now have for /etc/openldap/ldap.conf,

==========
# http://www.padl.com
#URI ldap://ldap.vuw.ac.nz
base dc=vuw,dc=ac,dc=nz
pam_password md5
BASE dc=vuw,dc=ac,dc=nz
#tls_cacertfile /etc/openldap/cacerts/ca.crt
#TLS_REQCERT allow
TLS_REQCERT never
#host ldap.vuw.ac.nz
#host vuwunicvfdsm001.vuw.ac.nz
#ssl start_tls
#nss_base_passwd ou=People,dc=vuw,dc=ac,dc=nz
#nss_base_shadow ou=People,dc=vuw,dc=ac,dc=nz
uri ldap://vuwunicvfdsm001.vuw.ac.nz/
#uri ldap://ldap.vuw.ac.nz/
ssl no
tls_cacertdir /etc/openldap/cacerts
=========

and a working ldapsearch,

ldapsearch -x -ZZ '(uid=jonesst1)'

Gives me the correct answer....

Regards

Steven

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
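The two client-side issues the thread turns on (the URI host not matching the certificate's cn=, and TLS_REQCERT never, which makes the client skip certificate verification altogether) can be checked mechanically. Below is an added example, not code from the post or from Fedora Directory Server, that parses a client ldap.conf and reports both; the sample config and certificate names are constructed to mirror the thread, and "later line wins" is an assumption of this lint, not a statement about libldap.

```python
from urllib.parse import urlsplit

# Constructed sample mirroring the active lines of the posted ldap.conf.
SAMPLE_CONF = """\
# http://www.padl.com
base dc=vuw,dc=ac,dc=nz
TLS_REQCERT never
uri ldap://vuwunicvfdsm001.vuw.ac.nz/
tls_cacertdir /etc/openldap/cacerts
"""

def parse_ldap_conf(text):
    """Return {OPTION: value} for active (non-comment) lines.
    Option names are case-insensitive in ldap.conf; this lint lets a
    later duplicate override an earlier one (assumption)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def hostname_matches(host, cert_names):
    """Match the URI host against the certificate's CN/SAN names,
    allowing a single left-most wildcard label (*.example) as TLS
    clients do.  A CNAME alias does not help here: only the names
    inside the certificate count."""
    host = host.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False

def audit(conf, cert_names):
    """Return findings for a parsed client config against the server's
    certificate names; an empty list means nothing was flagged."""
    findings = []
    reqcert = conf.get("TLS_REQCERT", "demand").lower()  # demand is libldap's default
    if reqcert in ("never", "allow"):
        findings.append("TLS_REQCERT %s: server certificate is not verified, so "
                        "StartTLS does not protect against an impersonating server" % reqcert)
    if "HOST" in conf and "URI" in conf:
        findings.append("both host and uri are set; use uri only")
    for uri in conf.get("URI", "").split():
        host = urlsplit(uri).hostname or ""
        if not hostname_matches(host, cert_names):
            findings.append("uri host %s does not match certificate names %s" % (host, cert_names))
    return findings
```

Running audit on the posted config flags only TLS_REQCERT never; running it on the original uri ldap://ldap.vuw.ac.nz/ line with TLS_REQCERT demand reproduces the hostname mismatch that caused the failure.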