RE: ldapsearch TLS error

You can avoid this problem by using an explicit hostname on your ldapsearch
command, e.g. "ldapsearch -H ldap://host.domain/"; ...

The error is not so strange; the TLS certificate verification code was
updated in release 2.0.13 to fully conform with the requirements in RFC
2830. Prior to then the client did very little validation of the server's
certificate, which is why your falling back to 2.0.11 works for you.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of John Green
> Sent: Monday, April 22, 2002 10:15 AM
> To: openldap-software (E-mail)
> Subject: RE: ldapsearch TLS error
>
>
> Sorry, I was not explaining myself well. I have the host and dn specified
> in my /etc/ldap.conf, although not the URI. That shouldn't matter, should
> it?
>
> The strange thing about the error is that the same install procedure and
> files work great with the earlier version of the rpms. I saved all the
> config files from a functional LDAP system on a separate partition
> (/data), reloaded RH, upgraded SASL and LDAP from rpm, restored files, no
> luck. Reloaded RH, upgraded SASL, restored files, works perfect.
>
> > > -----Original Message-----
> > > From: owner-openldap-software@OpenLDAP.org
> > > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of John Green
> >
> > > Thanks for the input, but I modified the /etc/ldap.conf file to match
> > > my dn before I first started ldap on the machine. When I first got the
> > > error, I tried adjusting the TLS settings in the same file and still no
> > > luck. I think this is an issue with upgrading the OpenLDAP version on
> > > RH72 and somehow breaking the dependencies with OpenSSL.
> >
> > I think you misunderstood my point. You need to set the default host, or
> > the default URI, to the fully qualified domain name of your server. I
> > wasn't talking about matching the DN, though obviously doing that makes
> > things more convenient.
> >
> > Use either
> > 	HOST	server.sub.domain
> > or
> > 	URI	ldap://server.sub.domain
> >
> > to set your default search host.
> >
> > > But, on a brighter note, I think I will just stick with the version of
> > > RH's OpenLDAP rpm that I know works (2.0.11), and eventually get around
> > > to testing a more recent version.
> >
> >   -- Howard Chu
> >   Chief Architect, Symas Corp.       Director, Highland Sun
> >   http://www.symas.com               http://highlandsun.com/hyc
> >   Symas: Premier OpenSource Development and Support
> > ldap_start_tls: Connect error
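The following script is an added example, not part of this thread and not OpenLDAP's own code. It shows why the HOST/URI advice above matters once the client verifies the server certificate: it reads the host an ldap.conf would make the client connect to (only the HOST and URI directives are parsed, first value of each, URI taking precedence, a simplification of ldap.conf(5)) and then applies the server identity check from RFC 2830 section 3.6 (the connection hostname is compared, case-insensitively, against the certificate's dNSName entries or else its subject CN, with "*" allowed as the left-most label). The certificate is a constructed dict shaped like Python's ssl.getpeercert() output; server.sub.domain and the conf fragments are constructed sample values.

```python
"""Reproduce the RFC 2830 server-identity check that OpenLDAP 2.0.13 began
enforcing, against the host an ldap.conf would make the client use.

Added example, not OpenLDAP's code.  Assumptions: only the HOST and URI
directives are parsed (first value of each; URI wins when both appear), and
the certificate is a dict shaped like Python's ssl.getpeercert() output.
"""
from urllib.parse import urlsplit


def client_hostname(ldap_conf_text):
    """Return the host the client will open the connection to.

    This is the value the TLS layer compares with the certificate, so a
    short name here (HOST server) fails against a cert for server.sub.domain.
    """
    host = uri = None
    for raw in ldap_conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].upper(), parts[1].split()[0]
        if key == "HOST":
            host = value
        elif key == "URI":
            uri = value
    if uri:
        return urlsplit(uri).hostname
    if host:
        return host.split(":")[0].lower()  # strip an optional :port
    return None


def cert_names(peercert):
    """Identities the server presents: dNSName SANs, else the subject CN."""
    names = [v for t, v in peercert.get("subjectAltName", ()) if t == "DNS"]
    if not names:
        for rdn in peercert.get("subject", ()):
            for attr, value in rdn:
                if attr == "commonName":
                    names.append(value)
    return names


def _name_matches(pattern, hostname):
    """RFC 2830 3.6 rules: case-insensitive; '*' allowed only as the
    whole left-most label and matches exactly one label."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return pattern == hostname


def server_identity_ok(hostname, peercert):
    """True when the connection hostname matches a certificate identity."""
    if not hostname:
        return False
    hostname = hostname.lower().rstrip(".")
    return any(_name_matches(n, hostname) for n in cert_names(peercert))


def diagnose(ldap_conf_text, peercert):
    """Return (hostname the client will use, whether TLS verification passes)."""
    host = client_hostname(ldap_conf_text)
    return host, server_identity_ok(host, peercert)


# Constructed sample certificate for a server named as in the thread's example.
SAMPLE_CERT = {
    "subject": ((("commonName", "server.sub.domain"),),),
    "subjectAltName": (("DNS", "server.sub.domain"),),
}

# Constructed ldap.conf fragments: short host name versus FQDN via URI.
CONF_SHORT = "# ldap.conf\nHOST\tserver\nBASE\tdc=sub,dc=domain\n"
CONF_FQDN = "HOST\tserver\nURI\tldap://server.sub.domain/\n"

if __name__ == "__main__":
    for label, conf in (("HOST server", CONF_SHORT), ("URI FQDN", CONF_FQDN)):
        host, ok = diagnose(conf, SAMPLE_CERT)
        print(f"{label:12} -> connects to {host!r}: "
              f"{'certificate matches' if ok else 'ldap_start_tls would fail'}")
```

Run it directly to see the two outcomes side by side: the short HOST value fails the identity check even though it resolves to the same machine, while the URI with the fully qualified name passes. The same mismatch explains why an ldapsearch that relies on a default host can fail where "ldapsearch -H ldap://host.domain/" succeeds.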