[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS/SSL failover problem



Hi,

Doug Wilson <dwilson@virtc.com> writes:

> Thanks for the response.  The slapd args are:
[...]
>
> With no failover in place SSL/TLS work just fine ... I can confirm that
> by connecting to the ldap server over SSL with LDAP Browser/Editor and
> by connecting with TLS using GQ.
>
> It's only after switching to the failover server, and trying to switch
> back to the primary ldap server that I run into a problem.

I don't know anything about caching behaviour of pam_ldap, but it
seems that the pam module caches the server certificate. But you
should ask on the pam_ldap mailinglist.

> Maybe I need to use an explicit TLS_CACERT or TLS_CACERTDIR (I'm using
> more than 1 CA since each ldap server uses a self-signed certificate)
> entry?

That might help

> How would I set logging in /etc/openldap/slapd.conf so that I could see
> if it was a certificate problem?

loglevel 2

-Dieter

-- 
Dieter Kluenter  | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
mailto: dkluenter(at)dkluenter.de
http://www.avci.de