RE: client can StartTLS from ldapsearch but not getent/pam_ldap
>>>
-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Fran Fabrizio
Now, if I comment out everything TLS-related from slapd.conf and ldap.conf on
the server and client, I see the accounts just fine, so the pam_filter and
such is all working just fine. But I can't get the client to negotiate a TLS
connection when using getent, whereas it negotiates one fine when I run
ldapsearch. Thoughts of things to look at? nsswitch is set "passwd files
ldap" and as mentioned works fine when I comment out TLS-related settings in
ldap.conf and slapd.conf.
My client ldap.conf contains (relevant to TLS):
ssl start_tls
TLS_CACERT /tmp/demoCA/cacert.pem
TLS_REQCERT demand
<<<
"ssl start_tls" is not a valid directive in the OpenLDAP ldap.conf file. It
may be valid in PADL's ldap.conf file. "TLS_CACERT" is an OpenLDAP directive,
and probably not a PADL directive. As is often the case, you have confused
the two packages. Your problem is most likely due to your PADL nss/pam
configuration, and this question belongs on the nssldap@padl.com or
pamldap@padl.com mailing list, not here.
We (Symas) always recommend that when building PADL's pam and nss modules,
you configure them to use (e.g.) "/etc/nsspam.conf" for their configuration,
instead of the default name "ldap.conf", to help reduce some of this
confusion.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
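The split Howard describes, written out as an added example (not from the original thread, and not from OpenLDAP's or PADL's own documentation). The file name /etc/nsspam.conf follows his suggestion; the hostname, base DN, certificate path and user name are assumptions. PADL's nss_ldap and pam_ldap take, as I recall their configure scripts, a `--with-ldap-conf-file=PATH` option that sets the file they read, so the PADL directives (`ssl`, `tls_checkpeer`, `tls_cacertfile`) live in their own file and OpenLDAP's libldap keeps its own ldap.conf with `TLS_CACERT` / `TLS_REQCERT`; each file only uses the syntax its reader understands:

```conf
# /etc/openldap/ldap.conf -- read by OpenLDAP's libldap (ldapsearch and any
# program linked against it). Added example; host, base and paths assumed.
URI         ldap://ldap.example.com
BASE        dc=example,dc=com
TLS_CACERT  /etc/openldap/cacerts/cacert.pem
TLS_REQCERT demand

# /etc/nsspam.conf -- read by PADL nss_ldap and pam_ldap, built with
#   ./configure --with-ldap-conf-file=/etc/nsspam.conf
# PADL syntax only: "ssl start_tls" means something here, TLS_CACERT does not.
uri             ldap://ldap.example.com
base            dc=example,dc=com
ssl             start_tls
tls_checkpeer   yes
tls_cacertfile  /etc/openldap/cacerts/cacert.pem
pam_filter      objectclass=posixAccount
```

To check which file the NSS module actually reads, trace the opens of a lookup, e.g. `strace -f -e trace=open,openat getent passwd someuser 2>&1 | grep -E 'ldap.conf|nsspam.conf'` (someuser being any account expected from LDAP); if only ldap.conf shows up, the modules were built with the default name and are parsing OpenLDAP's file. One further caveat on the quoted setup: a CA certificate under /tmp sits in a world-writable directory, so any local user can replace the trust anchor that `TLS_REQCERT demand` is supposed to enforce; keep it in a root-owned location such as the /etc/openldap/cacerts path assumed above.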