[CentOS] LDAP and expired passwords

Sat Nov 1 00:11:49 UTC 2008
Filipe Brandenburger <filbranden at gmail.com>

Hi,

On Fri, Oct 31, 2008 at 18:32, Steve Thompson <smt at vgersoft.com> wrote:
>> Does the common name in the certificate or the x509 v3 extensions match
>> the hostname used in the referral in your slapd.conf?  Is the
>> certificate issued by the ldap server you are being referred to signed
>> by a trusted CA?
>
> Yes to both.

Are you sure?

What is the output of this command on your slave LDAP server?
# grep ^updateref /etc/openldap/slapd.conf

What is the output of this command on both of them, master and slave?
# openssl x509 -text -in $(grep -i ^tlscertificatefile
/etc/openldap/slapd.conf | awk '{print$2}') | grep Subject:

What is the issuer of each certificate?
# openssl x509 -text -in $(grep -i ^tlscertificatefile
/etc/openldap/slapd.conf | awk '{print$2}') | grep Issuer:

Could you also send the /etc/ldap.conf of the client where you are
trying to change the password? You can strip the commented and blank
lines:
# grep -v -e ^# -e ^$ /etc/ldap.conf

Using SSL on OpenLDAP is really tricky, I've been through it recently
and the configuration is not easy at all... If you send that info it
might be easier to track down the problem.

Filipe