
Re: TLS config question



Thanks for your reply ...

I tried your suggestion, and now get:
$  ldapsearch -H "ldaps://localhost:636" -b "cn=Manager,dc=mydomain,dc=com"
ldap_sasl_interactive_bind_s: Can't contact LDAP server
and this in the log:
Jun 10 22:53:09 hotdog slapd[16865]: slapd starting 
Jun 10 22:53:41 hotdog slapd[16867]: daemon: conn=0 fd=9 connection from IP=127.0.0.1:33573 (IP=127.0.0.1:31746) accepted. 
Jun 10 22:53:41 hotdog slapd[16867]: conn=-1 fd=9 closed 

Couldn't locate TLS_CACERT in the ldap.conf man page. Can you point me
toward some doc?

-Mark

On 06/10/02, I received this from kervin@blueprint-tech.com:
> 
> Did you specify your cert CA in your ldap.conf on the client?  2.1 is 
> finicky { I love that word :) } about that.
> 
> eg.
> TLS_CACERT /ssl/slapdca.crt
> 
> You don't need to break up the PEM file ( I think ), but you do need 
> to have the CA cert on the client side, so that the client can test 
> the validity of the cert.
> 
> 
> --Kervin
> 
> Mark Johnson wrote:
> >I've installed cyrus-sasl-2.1.2 and openldap-2.0.23, set up a simple
> >slapd.conf and test database.
> >
> >When I run slapd with defaults,
> >$ ldapsearch -x -H "ldap://localhost:389" -b "cn=Manager,dc=mydomain,dc=com"
> >produces the expected result.
> >
> >Now I add these two lines to slapd.conf:
> >TLSCertificateFile /usr/local/etc/httpd/ssl.crt/snakeoil-rsa.crt
> >TLSCertificateKeyFile /usr/local/etc/httpd/ssl.key/snakeoil-rsa.key
> >and run:
> ># /usr/local/libexec/slapd -h ldaps://localhost:636
> >
> >But:
> >$ ldapsearch -x -H "ldaps://localhost:636" -b "cn=Manager,dc=mydomain,dc=com"
> >ldap_bind: Can't contact LDAP server
> >
> >The log shows this:
> >Jun 10 19:16:41 hotdog slapd[16217]: slapd starting 
> >Jun 10 19:17:05 hotdog slapd[16219]: daemon: conn=0 fd=9 connection from IP=127.0.0.1:33538 (IP=127.0.0.1:31746) accepted. 
> >Jun 10 19:17:05 hotdog slapd[16219]: conn=-1 fd=9 closed 
> >What does it mean?
> >
> >TIA,
> >
> 

-- 

Mark Johnson
markj@gilanet.com
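Added example, not part of the thread above and not OpenLDAP's own tooling: two small checks, in standard-library Python, for the two things discussed in the exchange. The first parses an ldap.conf-style client file the way Kervin describes it and reports whether TLS_CACERT actually points at a readable file containing at least one PEM certificate (a bundle with several certificates counts, matching his remark that the PEM file need not be split). The second scans slapd syslog lines for the pattern in both of Mark's logs: a connection is accepted on a file descriptor and then closed as conn=-1 on that same descriptor with no operation in between. Reading that pattern as a client that gave up before any LDAP session was established, which on an ldaps listener is what a failed TLS handshake looks like from the server side, is this example's interpretation, not something the thread states. The sample log lines are constructed; the first three copy the thread, the remaining three show a successful connection for contrast. The file path /ssl/slapdca.crt is Kervin's example value and is supplied through an in-memory lookup so the script runs offline.

```python
"""Client-side CA check and slapd log triage for ldaps handshake failures.

Added example; assumptions are marked in comments."""
import re

# One PEM certificate block; re.S lets '.' span the base64 lines.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# slapd syslog shapes taken from the thread (accept/close) plus the usual
# 'conn=N op=M' operation line (assumption: any op line means a session ran).
ACCEPT_RE = re.compile(r"conn=(-?\d+) fd=(\d+) connection from IP=(\S+) .*accepted")
CLOSE_RE = re.compile(r"conn=(-?\d+) fd=(\d+) closed")
OP_RE = re.compile(r"conn=(\d+) op=\d+")


def parse_ldap_conf(text):
    """Return {KEY: value} for 'KEY value' lines; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf[parts[0].upper()] = parts[1].strip()
    return conf


def check_client_ca(conf_text, read_file=None):
    """Return (ok, message) describing whether the client can verify a server cert.

    read_file(path) -> str or None; defaults to the real filesystem."""
    conf = parse_ldap_conf(conf_text)
    if read_file is None:
        def read_file(path):
            try:
                with open(path) as f:
                    return f.read()
            except OSError:
                return None
    if "TLS_CACERTDIR" in conf:
        return True, "TLS_CACERTDIR set to %s (hashed CA directory)" % conf["TLS_CACERTDIR"]
    path = conf.get("TLS_CACERT")
    if not path:
        return False, "no TLS_CACERT in client config: server cert cannot be verified"
    pem = read_file(path)
    if pem is None:
        return False, "TLS_CACERT %s is not readable" % path
    n = len(PEM_CERT_RE.findall(pem))
    if n == 0:
        return False, "TLS_CACERT %s holds no PEM CERTIFICATE block" % path
    return True, "TLS_CACERT %s holds %d certificate(s); a bundle is fine" % (path, n)


def find_failed_handshakes(log_lines):
    """Return [(fd, client)] for connections accepted then closed as conn=-1
    with no operation logged on that connection in between."""
    open_conns = {}   # fd -> (conn id at accept, client ip:port)
    active = set()    # conn ids that logged at least one operation
    failed = []
    for line in log_lines:
        m = ACCEPT_RE.search(line)
        if m:
            open_conns[m.group(2)] = (m.group(1), m.group(3))
            continue
        m = OP_RE.search(line)
        if m:
            active.add(m.group(1))
            continue
        m = CLOSE_RE.search(line)
        if m and m.group(2) in open_conns:
            conn_id, client = open_conns.pop(m.group(2))
            if m.group(1) == "-1" and conn_id not in active:
                failed.append((int(m.group(2)), client))
            active.discard(conn_id)
    return failed


# Constructed sample: lines 1-3 are the thread's log, 4-6 a normal session.
SAMPLE_LOG = [
    "Jun 10 22:53:09 hotdog slapd[16865]: slapd starting",
    "Jun 10 22:53:41 hotdog slapd[16867]: daemon: conn=0 fd=9 connection from IP=127.0.0.1:33573 (IP=127.0.0.1:31746) accepted.",
    "Jun 10 22:53:41 hotdog slapd[16867]: conn=-1 fd=9 closed",
    "Jun 10 22:55:02 hotdog slapd[16867]: daemon: conn=1 fd=10 connection from IP=127.0.0.1:33580 (IP=127.0.0.1:31746) accepted.",
    'Jun 10 22:55:02 hotdog slapd[16867]: conn=1 op=0 BIND dn="cn=Manager,dc=mydomain,dc=com" method=128',
    "Jun 10 22:55:02 hotdog slapd[16867]: conn=1 fd=10 closed",
]

# Constructed in-memory "filesystem" so the CA check runs offline.
SAMPLE_FILES = {
    "/ssl/slapdca.crt": "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n",
}

if __name__ == "__main__":
    for fd, client in find_failed_handshakes(SAMPLE_LOG):
        print("fd=%d from %s: closed as conn=-1 before any operation (handshake failure?)" % (fd, client))
    for conf in ("BASE dc=mydomain,dc=com\n", "TLS_CACERT /ssl/slapdca.crt\n"):
        print(check_client_ca(conf, read_file=SAMPLE_FILES.get))
```

Run against a real client, drop the read_file argument so the script reads the path from the actual ldap.conf, and feed it the slapd lines from syslog; a run that reports the conn=-1 pattern on the ldaps port while the CA check fails is the combination this thread describes.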