Hello,
I have a central repository of users/groups based on OpenLDAP which is working on a remote LAN (servers share users' credentials and mount their home directories via NFS). They use non-encrypted ldap restricted to the local network.
Now, I have a few servers in our local office and I would like them to authenticate against the remote LDAP server using encryption via ldaps://. (at this stage, without using a client-side certificate)
I have run a command similar to the one I ran on the remote servers, replacing ldap://localldapserver with ldaps://ldap.mycompany.com: authconfig --enableldap --enableldapauth --enablecache --enablemkhomedir --ldapserver=ldaps://ldap.mycompany.com --enableldaptls --ldapbasedn=dc=mycompany,dc=com --passalgo=sha256 --updateall
and I put the CA certificate in the right place. (either by pointing TLS_CACERT at it explicitly, or by downloading it to /etc/openldap/cacerts via system-config-authentication)
In all my various tests, ldapsearch -x returns the content of the remote LDAP, so I guess that at least openldap clients are properly configured.
But when I try: getent passwd, the command hangs.
Same when I try: su - myuser
(I also tried configuring with the system-config-authentication UI from a box with GNOME, and also tried authconfig without --enableldaptls)
So is there anything specific to authentication over ldaps:// that I should have done? (as I said, this approach systematically works with plain ldap on this same LDAP server)
Thanks in advance for your help!
Mathieu
Note: all systems involved are running up to date CentOS 5.5
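An added check for this kind of situation, not part of the original post: a small POSIX shell linter for the nss_ldap-style /etc/ldap.conf that authconfig writes on CentOS 5. It reports the settings that matter once the URI changes from ldap:// to ldaps://: whether the URI is actually ldaps://, whether "ssl start_tls" (what --enableldaptls asks for, i.e. RFC 2830 STARTTLS on a plain connection) is combined with an ldaps:// URI (TLS from the first byte), whether the CA trust anchor (tls_cacertfile or a hashed tls_cacertdir) is actually present, and whether bind_policy/bind_timelimit are set so that a failed connection times out instead of hanging. The option names follow nss_ldap's ldap.conf; the sample configuration, hostnames and paths are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): lint an nss_ldap-style
# /etc/ldap.conf for the settings that matter when moving to ldaps://.

# Print the value of one option (case-insensitive key, comments ignored,
# first occurrence wins). Usage: ldap_opt <key> <file>
ldap_opt() {
    sed -e 's/#.*//' "$2" | awk -v k="$1" 'tolower($1)==k {print $2; exit}'
}

# Lint one ldap.conf. Prints one WARN/INFO line per finding and returns the
# number of WARN findings, so exit status 0 means "nothing obviously wrong".
check_ldap_conf() {
    conf="$1"; warns=0
    uri=$(ldap_opt uri "$conf")
    ssl=$(ldap_opt ssl "$conf")
    cafile=$(ldap_opt tls_cacertfile "$conf")
    cadir=$(ldap_opt tls_cacertdir "$conf")

    # 1. Transport: the point of the exercise is to stop sending credentials
    #    over the WAN in the clear.
    case "$uri" in
        ldaps://*) ;;
        ldap://*)  echo "WARN: uri is plain ldap:// ($uri)"; warns=$((warns+1)) ;;
        *)         echo "WARN: no uri line found"; warns=$((warns+1)) ;;
    esac

    # 2. ldaps:// and 'ssl start_tls' are two different mechanisms (TLS from
    #    the first byte vs. upgrading a plain connection); configure only one.
    if [ "${uri#ldaps://}" != "$uri" ]; then
        case "$ssl" in
            on)        ;;
            start_tls) echo "WARN: ldaps:// uri combined with 'ssl start_tls'; use 'ssl on' for ldaps://"
                       warns=$((warns+1)) ;;
            *)         echo "INFO: ldaps:// uri without an explicit 'ssl on'" ;;
        esac
    fi

    # 3. Trust anchor: without a readable CA the server certificate cannot be
    #    verified. A cert *directory* must contain OpenSSL hash links
    #    (<hash>.0), which cacertdir_rehash creates; a bare PEM file in the
    #    directory is not found.
    if [ -n "$cafile" ]; then
        [ -r "$cafile" ] || { echo "WARN: tls_cacertfile $cafile is not readable"; warns=$((warns+1)); }
    elif [ -n "$cadir" ]; then
        if [ ! -d "$cadir" ]; then
            echo "WARN: tls_cacertdir $cadir does not exist"; warns=$((warns+1))
        elif ! ls "$cadir"/*.[0-9] >/dev/null 2>&1; then
            echo "WARN: $cadir has no <hash>.0 links; run: cacertdir_rehash $cadir"; warns=$((warns+1))
        fi
    else
        echo "WARN: neither tls_cacertfile nor tls_cacertdir is set; server cert cannot be verified"
        warns=$((warns+1))
    fi

    # 4. Timeouts: with the default 'hard' bind policy nss_ldap keeps retrying,
    #    so an unreachable or mis-negotiated server makes getent/su hang rather
    #    than fail.
    [ -n "$(ldap_opt bind_policy "$conf")" ] || \
        echo "INFO: no bind_policy; consider 'bind_policy soft' so lookups fail instead of hanging"
    [ -n "$(ldap_opt bind_timelimit "$conf")" ] || \
        echo "INFO: no bind_timelimit; set one (seconds) so failed connects time out"

    return "$warns"
}

# Constructed sample: an ldaps:// URI together with the start_tls setting
# that --enableldaptls requests, pointing at a cert directory that has not
# been rehashed. Hostname and paths are illustrative.
sample=$(mktemp)
cat > "$sample" <<'EOF'
uri ldaps://ldap.example.test/
base dc=example,dc=test
ssl start_tls
tls_cacertdir /etc/openldap/cacerts.example
EOF
if check_ldap_conf "$sample"; then
    echo "sample: OK"
else
    echo "sample: $? WARN finding(s)"
fi
rm -f "$sample"
```

Run it as root against the live file with `check_ldap_conf /etc/ldap.conf` after sourcing the script; the hash-link check in step 3 is the one worth doing by hand too (`ls /etc/openldap/cacerts`), since ldapsearch -x with TLS_CACERT in /etc/openldap/ldap.conf can succeed while nss_ldap, reading /etc/ldap.conf, has no usable trust anchor at all.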