Hi,
On Fri, Oct 31, 2008 at 18:32, Steve Thompson <smt@vgersoft.com> wrote:
>> Does the common name in the certificate or the x509 v3 extensions match the hostname used in the referral in your slapd.conf? Is the certificate issued by the ldap server you are being referred to signed by a trusted CA?
> Yes to both.
Are you sure?
What is the output of this command on your slave LDAP server?
# grep ^updateref /etc/openldap/slapd.conf
What is the output of this command on both of them, master and slave?
# openssl x509 -text -in $(grep -i ^tlscertificatefile /etc/openldap/slapd.conf | awk '{print$2}') | grep Subject:
What is the issuer of each certificate?
# openssl x509 -text -in $(grep -i ^tlscertificatefile /etc/openldap/slapd.conf | awk '{print$2}') | grep Issuer:
Could you also send the /etc/ldap.conf of the client where you are trying to change the password? You can strip the commented and blank lines:
# grep -v -e ^# -e ^$ /etc/ldap.conf
Using SSL on OpenLDAP is really tricky; I've been through it recently and the configuration is not easy at all... If you send that info it might be easier to track down the problem.
Filipe
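
The comparison the questions above lead to, as an added example that is not part of the original message: it takes the host from the updateref line and checks it against the subject CN and DNS subjectAltName entries of a certificate. The function names are hypothetical, and the certificate is assumed to have been dumped to a text file first with "openssl x509 -noout -text -in CERT > cert.txt".

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of OpenLDAP.

# Print the lowercased host of the first "updateref" URI in a slapd.conf.
updateref_host() {
    awk 'tolower($1) == "updateref" { print $2; exit }' "$1" |
        sed -e 's/"//g' -e 's|^[a-zA-Z]*://||' -e 's|[:/].*$||' | tr 'A-Z' 'a-z'
}

# Read "openssl x509 -noout -text" output on stdin; print the subject CN and
# every DNS subjectAltName, one per line, lowercased.
cert_names() {
    awk '/^ *Subject:/ && match($0, "CN *= *[^,/]+") {
             cn = substr($0, RSTART, RLENGTH)
             sub(/^CN *= */, "", cn); sub(/ +$/, "", cn); print cn
         }
         { n = split($0, f, /[ ,]+/)
           for (i = 1; i <= n; i++) if (f[i] ~ /^DNS:/) print substr(f[i], 5)
         }' | tr 'A-Z' 'a-z'
}

# Succeed if certificate name $1 covers host $2; a leading "*." stands for
# exactly one label.
name_matches() {
    case "$1" in
        \*.*) rest=${2#*.}; [ "$rest" != "$2" ] && [ "*.$rest" = "$1" ] ;;
        *)    [ "$1" = "$2" ] ;;
    esac
}

# check_referral SLAPD_CONF CERT_TEXT: 0 = match, 1 = mismatch, 2 = no updateref.
check_referral() {
    host=$(updateref_host "$1")
    [ -n "$host" ] || { echo "no updateref line in $1"; return 2; }
    names=$(cert_names < "$2")
    while IFS= read -r name; do
        if name_matches "$name" "$host"; then
            echo "OK: $host is covered by certificate name $name"; return 0
        fi
    done <<EOF
$names
EOF
    echo "MISMATCH: $host is not among: $(echo "$names" | tr '\n' ' ')"
    return 1
}

# Usage: sh check.sh /etc/openldap/slapd.conf cert.txt
if [ "$#" -eq 2 ]; then check_referral "$1" "$2"; fi
```

Run it on the slave with the master's certificate dump; a MISMATCH means the referral host is not among the names the certificate carries.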