Paul R. Ganci wrote:
Note that ldap 'client' applications like ldapsearch use /etc/openldap/ldap.conf so I would suspect that the 'certificates' used by the 2 machines are different.
This might be the missing piece.
The certificates were generated from a signing request to CAcert. However, while the certificate is installed on the server machine it is not installed on the remote machine. I didn't think that was necessary especially given that the certificate was generated explicitly for example.mydomain.com. I can try this.
I do know that the CAcert root certificate is not accepted by LDAP as coming from a valid certificate root authority. I managed to get around this by explicitly adding CAcert's root certificate to /etc/pki/tls/certs/ca-bundle.crt and adding that path to the /etc/openldap/ldap.conf config. I will try installing the certificate and then adding the path in /etc/openldap/ldap.conf. I probably should have shown the /etc/openldap/ldap.conf file. For the record here it is:

    HOST example.mydomain.com
    BASE dc=mydomain,dc=com
    URI ldaps://example.mydomain.com:636/
    tls_cacertfile /etc/pki/tls/certs/ca-bundle.crt
    TLS_CACERTDIR /etc/openldap/cacerts
Have to go to work now so will try later. Thanks.
Add -d 256 (or an even higher debug level) to the ldapsearch command for debugging - I'm not going to hazard any actual guesses.
Thanks for this suggestion ... should have thought of it myself.
It occurs to me that you can turn off certificate validation by setting the TLS_REQCERT entry in either /etc/openldap/ldap.conf or ${HOME}/.ldaprc. Here's part of my .ldaprc:
    TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
    TLS_REQCERT never

If you run ldapsearch with "-d 1" you will see that it is indeed using the server's certificate but is not checking it for validity. I usually use this for testing purposes.
Also, you generally don't want to use both HOST and URI at the same time. It can sometimes confuse issues.
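A small config check for the settings discussed in this thread (an added example, not code from any of the posters): it parses an ldap.conf/.ldaprc fragment, flags TLS_REQCERT never/allow, HOST together with URI, a missing trust anchor for an ldaps:// URI, and keywords that are not OpenLDAP's spelling (the CA bundle directive is TLS_CACERT, as in the .ldaprc above). The sample config is constructed from the thread, and the keyword list is assumed from ldap.conf(5).

```python
"""Lint an OpenLDAP client config (ldap.conf / .ldaprc) for the pitfalls in this thread."""
import os

# Assumed set of OpenLDAP ldap.conf(5) client keywords relevant here; other spellings
# such as tls_cacertfile (the pam_ldap/nss_ldap ldap.conf name) are not OpenLDAP's.
KNOWN = {"HOST", "BASE", "URI", "TLS_CACERT", "TLS_CACERTDIR", "TLS_REQCERT",
         "TLS_CERT", "TLS_KEY", "TLS_CIPHER_SUITE", "TLS_CRLCHECK", "TLS_CRLFILE"}

# Constructed sample: the poster's /etc/openldap/ldap.conf as shown in the thread.
SAMPLE = """\
HOST example.mydomain.com
BASE dc=mydomain,dc=com
URI ldaps://example.mydomain.com:636/
tls_cacertfile /etc/pki/tls/certs/ca-bundle.crt
TLS_CACERTDIR /etc/openldap/cacerts
"""

def parse(text):
    """Return [(KEYWORD, args)]; keywords are upper-cased, '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        entries.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
    return entries

def lint(text, check_files=False):
    """Return a list of findings (strings); an empty list means nothing suspicious."""
    entries = parse(text)
    keys = {k for k, _ in entries}
    findings = []
    for k, _ in entries:
        if k not in KNOWN:
            findings.append(f"unrecognized keyword {k!r}: not an OpenLDAP ldap.conf(5) directive "
                            f"(the CA bundle directive is TLS_CACERT)")
    if "HOST" in keys and "URI" in keys:
        findings.append("both HOST and URI set; use URI only")
    # OpenLDAP's default for TLS_REQCERT is 'demand'; 'never' and 'allow' skip verification.
    reqcert = next((v.lower() for k, v in entries if k == "TLS_REQCERT"), "demand")
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: server certificate is not verified; fine for testing only")
    uses_ldaps = any(k == "URI" and "ldaps://" in v.lower() for k, v in entries)
    if uses_ldaps and reqcert not in ("never", "allow") and not (keys & {"TLS_CACERT", "TLS_CACERTDIR"}):
        findings.append("ldaps:// with verification but no TLS_CACERT/TLS_CACERTDIR: no trust anchors configured")
    if check_files:  # optional: confirm the trust-anchor paths exist on this machine
        for k, v in entries:
            if k in ("TLS_CACERT", "TLS_CACERTDIR") and not os.path.exists(v):
                findings.append(f"{k} path does not exist: {v}")
    return findings
```

Run `lint(SAMPLE)` to see the two findings for the thread's config: the HOST/URI overlap and the non-OpenLDAP tls_cacertfile spelling, which means the CA bundle the poster added is never consulted by libldap.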