[CentOS] LDAP Server Access Problem

Mon Feb 22 15:44:34 UTC 2010
Paul R. Ganci <ganci at nurdog.com>

> > 
> > Note that ldap 'client' applications like ldapsearch
> > use /etc/openldap/ldap.conf so I would suspect that the 'certificates'
> > used by the 2 machines are different.
> >
This might be the missing piece. 

The certificates were generated from a signing request to CAcert.
However, while the certificate is installed on the server machine it is
not installed on the remote machine. I didn't think that was necessary
especially given that the certificate was generated explicitly for
example.mydomain.com. I can try this.

I do know that the CAcert root certificate is not accepted by LDAP as
coming from a valid certificate root authority. I manage to get around
this by explicitly adding CAcert's root certificate
to /etc/pki/tls/certs/ca-bundle.crt and adding that path to
the /etc/openldap/ldap.conf config. I will try installing the
certificate and then adding the path in /etc/openldap/ldap.conf. I
probably should have shown the /etc/openldap/ldap.conf file. For the
record here it is:

HOST example.mydomain.com
BASE dc=mydomain,dc=com
URI ldaps://example.mydomain.com:636/
# OpenLDAP's ldap.conf keyword for the CA bundle is TLS_CACERT;
# "tls_cacertfile" is the nss_ldap/pam_ldap spelling and is ignored here
TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
TLS_CACERTDIR /etc/openldap/cacerts

Have to go to work now so will try later. Thanks.

> > 
> > add -d 256 (or even higher debug level) to the ldapsearch command for
> > debugging - I'm not going to hazard any actual guesses.

Thanks for this suggestion ... should have thought of it myself.

-- 
Paul (ganci at nurdog.com)
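As an added illustration of the trust-store point discussed in this thread (not code from the thread or from CentOS), the constructed shell demo below issues a server certificate for example.mydomain.com from a throwaway root and verifies it against a client bundle that lacks the root and one that has it appended; it also shows that the hostname check only matters once the chain verifies. The working directory, file names and CA names are assumptions.

```shell
#!/bin/sh
# Constructed demo (not from the original thread): a throwaway CA issues a
# server certificate for example.mydomain.com, then the same certificate is
# verified against two client-side bundles, one lacking the issuing root and
# one with it appended, which is the situation the post describes.
# WORK, the file names and the CA names are assumptions for this demo.
set -e
WORK="$(mktemp -d)"

new_ca() {  # new_ca NAME OUTFILE_PREFIX : self-signed root (stands in for a CAcert root)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$2.key" -out "$2.crt" 2>/dev/null
}

make_pki() {
  new_ca "Demo Root CA" "$WORK/issuer"        # the CA that signed the server cert
  new_ca "Unrelated Root CA" "$WORK/other"    # a CA already present in the system bundle
  # Server key and CSR for the LDAP host, signed by the issuing CA
  openssl req -newkey rsa:2048 -nodes -subj "/CN=example.mydomain.com" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/issuer.crt" \
    -CAkey "$WORK/issuer.key" -CAcreateserial -out "$WORK/server.crt" 2>/dev/null
  # Bundle as shipped (issuer missing) versus bundle with the root appended
  cat "$WORK/other.crt" > "$WORK/bundle-without-root.crt"
  cat "$WORK/other.crt" "$WORK/issuer.crt" > "$WORK/bundle-with-root.crt"
}

# verify_chain BUNDLE : prints ok when the server cert chains to a root in BUNDLE
verify_chain() {
  if openssl verify -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# verify_host BUNDLE HOSTNAME : chain check plus the name the client connects to
verify_host() {
  if openssl verify -CAfile "$1" -verify_hostname "$2" "$WORK/server.crt" \
       >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

make_pki
echo "without root:     $(verify_chain "$WORK/bundle-without-root.crt")"  # fail
echo "with root:        $(verify_chain "$WORK/bundle-with-root.crt")"     # ok
echo "with root, host:  $(verify_host "$WORK/bundle-with-root.crt" example.mydomain.com)"  # ok
echo "with root, wrong: $(verify_host "$WORK/bundle-with-root.crt" other.mydomain.com)"    # fail
```

The server certificate itself never has to be copied to the client; only the root that issued it must be in the bundle that TLS_CACERT points to.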