
Re: ldaps and Active Directory



Add
TLS_REQCERT try
(or "allow" or "never") in your ldap.conf. The default is "demand" (or "hard"), in which case you are trying to verify the server certificate. See ldap.conf(5).


Grant Sturgis wrote:

Greetings List,

I am attempting to get ldap authentication to Active Directory working from our RHEL 4 systems. I have read several of the articles and howto documents out there and am very close to getting everything working.

pam_ldap and nss_ldap are working well with unencrypted ldap, as are ldapsearch queries. The next step is getting ldaps to work, and I am hoping for some suggestions from the list to get me over the hump.

RHEL ES 4 fully patched (up2date)
W2K SP4

This works fine:

ldapsearch -x -H ldap://server.domain.com/ -D cn=ldap,ou=Users-OU,dc=domain,dc=com -W ""

but changing ldap to ldaps results in this error:

ldap_bind: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed



I have installed Certificate Services on the W2K domain controller, exported the CA Cert and copied the file to the linux box in /etc/openldap/cacerts. In /etc/openldap/ldap.conf I have tried:


TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT /etc/openldap/cacerts/cacert.pem

Any suggestions would be greatly appreciated.

Grant
------------------




Ing. Marco D'Ettorre
Consultant


SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------
Office:   +39.0382.573859 (102)
Mobile:   +39.348.1510674
Email:    marco.dettorre@sys-net.it
------------------------------------
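An added example, not from either poster, that checks the client side of this exchange before TLS_REQCERT is lowered: it reports what the ldap.conf setting actually means for verification (per ldap.conf(5)), detects whether the CA file exported from Windows is PEM or DER (Certificate Services exports DER by default, which TLS_CACERT does not read), and verifies the domain controller's certificate against that CA with openssl. The host name and paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit how ldap.conf handles
# server-certificate checks and confirm the exported AD CA validates the DC.

# Print the effective TLS_REQCERT value from a given ldap.conf
# (last uncommented directive wins; absent means the default "demand").
ldap_reqcert() {
    v=$(awk 'toupper($1)=="TLS_REQCERT"{print tolower($2)}' "$1" | tail -n 1)
    echo "${v:-demand}"
}

# Map the value to its verification posture, per ldap.conf(5):
#   demand/hard -> a valid server certificate is required
#   try         -> certificate is verified only if the server sends one
#   allow/never -> a bad or missing certificate is ignored (no verification)
reqcert_posture() {
    case "$(ldap_reqcert "$1")" in
        demand|hard) echo "verify-required" ;;
        try)         echo "verify-if-present" ;;
        allow|never) echo "unverified" ;;
        *)           echo "unknown" ;;
    esac
}

# Heuristic: a PEM file carries a BEGIN CERTIFICATE marker; anything else
# (e.g. a binary .cer exported from Windows) is reported as DER.
# Convert with: openssl x509 -inform DER -in cacert.cer -out cacert.pem
cert_encoding() {
    [ -f "$1" ] || { echo MISSING; return 1; }
    if grep -q 'BEGIN CERTIFICATE' "$1"; then echo PEM; else echo DER; fi
}

# Fetch the DC's leaf certificate over ldaps (port 636) and verify it
# against the CA file. Needs network access and openssl.
# Usage: verify_dc_cert server.domain.com /etc/openldap/cacerts/cacert.pem
verify_dc_cert() {
    leaf=$(mktemp)
    openssl s_client -connect "$1:636" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$leaf" || { rm -f "$leaf"; return 1; }
    openssl verify -CAfile "$2" "$leaf"
    rc=$?
    rm -f "$leaf"
    return $rc
}
```

If verify_dc_cert reports "OK" while ldapsearch still fails, the issue is how ldap.conf points at the CA (file vs. directory) rather than the CA itself; if it fails, the exported CA does not sign the DC's certificate and lowering TLS_REQCERT only hides that.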