On Fri, 31 Oct 2008, Filipe Brandenburger wrote:
Hi Filipe; many thanks for your reply.
# grep ^updateref /etc/openldap/slapd.conf
updateref ldaps://ldap1.cbe.cornell.edu
# openssl x509 -text -in $(grep -i ^tlscertificatefile /etc/openldap/slapd.conf | awk '{print$2}') | grep Subject:
master (line continuations added):
Subject: C=US, ST=New York, O=Cornell School of Chemical and \
    Biomolecular Engineering/emailAddress=certs@cbe.cornell.edu, \
    CN=ldap1.cbe.cornell.edu
slave:
Subject: C=US, ST=New York, O=Cornell School of Chemical and \
    Biomolecular Engineering/emailAddress=certs@cbe.cornell.edu, \
    CN=asimov.cbe.cornell.edu
What is the issuer of each certificate?
Same on master and all slaves:
Issuer: O=Cornell School of Chemical and Biomolecular Engineering, L=Ithaca, ST=New York, C=US, CN=cbe.cornell.edu/emailAddress=certs@cbe.cornell.edu
Could you also send the /etc/ldap.conf of the client where you are trying to change the password?
host asimov.cbe.cornell.edu
referrals yes
base dc=cbe,dc=cornell,dc=edu
ldap_version 3
binddn cn=kelvin.cbe.cornell.edu,ou=Binddn,dc=cbe,dc=cornell,dc=edu
bindpw XXXXXXXXX
timelimit 120
bind_timelimit 5
bind_policy soft
idle_timelimit 3600
pam_password exop
nss_base_passwd ou=People,dc=cbe,dc=cornell,dc=edu?one
nss_base_shadow ou=People,dc=cbe,dc=cornell,dc=edu?one
nss_base_group ou=Group,dc=cbe,dc=cornell,dc=edu?one
nss_base_hosts ou=Hosts,dc=cbe,dc=cornell,dc=edu?one
nss_base_services ou=Services,dc=cbe,dc=cornell,dc=edu?one
nss_base_networks ou=Networks,dc=cbe,dc=cornell,dc=edu?one
nss_base_protocols ou=Protocols,dc=cbe,dc=cornell,dc=edu?one
nss_base_rpc ou=Rpc,dc=cbe,dc=cornell,dc=edu?one
nss_base_ethers ou=Ethers,dc=cbe,dc=cornell,dc=edu?one
nss_base_netmasks ou=Networks,dc=cbe,dc=cornell,dc=edu?ne
nss_base_bootparams ou=Ethers,dc=cbe,dc=cornell,dc=edu?one
nss_base_aliases ou=Aliases,dc=cbe,dc=cornell,dc=edu?one
nss_base_netgroup ou=Netgroup,dc=cbe,dc=cornell,dc=edu?one
ssl start_tls
tls_checkpeer yes
tls_cacertdir /etc/openldap/cacerts
tls_ciphers TLSv1
-Steve