[CentOS] LDAP Server Access Problem
Paul R. Ganci
ganci at nurdog.com
Mon Feb 22 15:44:34 UTC 2010
> >
> > Note that ldap 'client' applications like ldapsearch
> > use /etc/openldap/ldap.conf so I would suspect that the 'certificates'
> > used by the 2 machines are different.
>>
This might be the missing piece.
The certificates were generated from a signing request to CAcert.
However, while the certificate is installed on the server machine it is
not installed on the remote machine. I didn't think that was necessary
especially given that the certificate was generated explicitly for
example.mydomain.com. I can try this.
I do know that the CAcert root certificate is not accepted by LDAP as
coming from a valid certificate root authority. I manage to get around
this by explicitly adding CAcert's root certificate
to /etc/pki/tls/certs/ca-bundle.crt and adding that path to
the /etc/openldap/ldap.conf config. I will try installing the
certificate and then adding the path in /etc/openldap/ldap.conf. I
probably should have shown the /etc/openldap/ldap.conf file. For the
record here it is:
HOST example.mydomain.com
BASE dc=mydomain,dc=com
URI ldaps://example.mydomain.com:636/
tls_cacertfile /etc/pki/tls/certs/ca-bundle.crt
TLS_CACERTDIR /etc/openldap/cacerts
Have to go to work now so will try later. Thanks.
> >
> > add -d 256 (or even higher debug level) to the ldapsearch command for
> > debugging - I'm not going to hazard any actual guesses.
Thanks for this suggestion ... should have thought of it myself.
--
Paul (ganci at nurdog.com)
More information about the CentOS
mailing list