[CentOS] LDAP Server Access Problem

Mon Feb 22 18:41:15 UTC 2010
Jay Leafey <jay.leafey at mindless.com>

Paul R. Ganci wrote:
>>> Note that ldap 'client' applications like ldapsearch
>>> use /etc/openldap/ldap.conf so I would suspect that the 'certificates'
>>> used by the 2 machines are different.
>>>
> This might be the missing piece. 
> 
> The certificates were generated from a signing request to CAcert.
> However, while the certificate is installed on the server machine it is
> not installed on the remote machine. I didn't think that was necessary
> especially given that the certificate was generated explicitly for
> example.mydomain.com. I can try this.
> 
> I do know that the CAcert root certificate is not accepted by LDAP as
> coming from a valid certificate root authority. I manage to get around
> this by explicitly adding CAcert's root certificate
> to /etc/pki/tls/certs/ca-bundle.crt and adding that path to
> the /etc/openldap/ldap.conf config. I will try installing the
> certificate and then adding the path in /etc/openldap/ldap.conf. I
> probably should have shown the /etc/openldap/ldap.conf file. For the
> record here it is:
> 
> HOST example.mydomain.com
> BASE dc=mydomain,dc=com
> URI ldaps://example.mydomain.com:636/
> tls_cacertfile /etc/pki/tls/certs/ca-bundle.crt
> TLS_CACERTDIR /etc/openldap/cacerts
> 
> Have to go to work now so will try later. Thanks.
> 
>>> add -d 256 (or even higher debug level) to the ldapsearch command for
>>> debugging - I'm not going to hazard any actual guesses.
> 
> Thanks for this suggestion ... should have thought of it myself.
> 

It occurs to me that you can turn off certificate validation by setting 
the TLS_REQCERT entry in either /etc/openldap/ldap.conf or 
${HOME}/.ldaprc.  Here's part of my .ldaprc:

> TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
> TLS_REQCERT     never

If you run ldapsearch with "-d 1" you will see that it is indeed 
using the server's certificate but is not checking it for validity.  I 
usually use this for testing purposes.

Also, you generally don't want to use both HOST and URI at the same 
time.  It can sometimes confuse issues.
-- 
Jay Leafey - Memphis, TN
jay.leafey at mindless.com
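As an added example (not part of Jay's or Paul's mail), here is a small POSIX shell audit for the two client-side settings discussed above: a TLS_REQCERT that disables validation, and HOST and URI set together. The sample configs are constructed from the thread's values; the function name is made up, and the TLS_REQCERT values never/allow/demand are OpenLDAP's own.

```shell
#!/bin/sh
# Audit an OpenLDAP client config (/etc/openldap/ldap.conf or ~/.ldaprc)
# for the two points raised in the thread. Keys are matched
# case-insensitively, as OpenLDAP does. Prints one finding per line;
# returns 0 when clean, 1 when there are findings.
ldap_conf_audit() {
    conf="$1"
    rc=0
    # The last TLS_REQCERT directive wins; comments are skipped.
    reqcert=$(awk '$1 !~ /^#/ && tolower($1) == "tls_reqcert" { v = tolower($2) } END { print v }' "$conf")
    hosts=$(awk '$1 !~ /^#/ && tolower($1) == "host" { n++ } END { print n + 0 }' "$conf")
    uris=$(awk '$1 !~ /^#/ && tolower($1) == "uri" { n++ } END { print n + 0 }' "$conf")
    case "$reqcert" in
        never|allow)
            # "never" skips the check entirely; "allow" ignores a bad certificate.
            echo "$conf: TLS_REQCERT $reqcert - server certificate is not validated"
            rc=1 ;;
    esac
    if [ "$hosts" -gt 0 ] && [ "$uris" -gt 0 ]; then
        echo "$conf: HOST and URI both set - keep only URI"
        rc=1
    fi
    return "$rc"
}

# Constructed sample: the thread's HOST+URI mix plus the testing-only
# TLS_REQCERT never from Jay's .ldaprc.
weak_conf() {
    cat <<'EOF'
HOST example.mydomain.com
BASE dc=mydomain,dc=com
URI ldaps://example.mydomain.com:636/
TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
TLS_REQCERT     never
EOF
}

# Constructed sample: URI only, CA bundle that carries the signing root,
# validation required ("demand" is also the OpenLDAP default).
hardened_conf() {
    cat <<'EOF'
BASE dc=mydomain,dc=com
URI ldaps://example.mydomain.com:636/
TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
TLS_REQCERT demand
EOF
}

# Demo: audit the weak sample from a temporary file.
tmp=$(mktemp)
weak_conf > "$tmp"
ldap_conf_audit "$tmp" || echo "findings, exit status $?"
rm -f "$tmp"
```

Point the function at your real /etc/openldap/ldap.conf or ~/.ldaprc once testing is finished to confirm TLS_REQCERT was switched back.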