[CentOS] LDAP and expired passwords

Fri Oct 31 22:23:04 UTC 2008
Scott McClanahan <smcclanahan at forterrainc.com>

On Fri, 2008-10-31 at 16:32 -0400, Steve Thompson wrote:
> CentOS 5.2 with OpenLDAP 2.3.27, nss_ldap_253.13, using TLS, i686 and 
> x86_64.
> 
>  	LDAP password information update failed: Referral
> 
> If I comment out "ssl start_tls", the referral to the master is followed 
> and the password change operation succeeds. I've found references to 
> problems with earlier releases of pam_ldap when referrals were not 
> properly followed when using TLS, and these are supposed to be fixed; 
> apparently not in my case. Can anyone hit me with the clue stick?

Does the common name in the certificate or the x509 v3 extensions match
the hostname used in the referral in your slapd.conf?  Is the
certificate issued by the ldap server you are being referred to signed
by a trusted CA?  Following referrals using start_tls works just fine
for me.