
Re: backend-meta usage



I'm going to try these things shortly.

Quick question on how back-meta works: does it use the configuration in ldap.conf to do the backend proxying to the external LDAP server? My slapd.conf has a self-signed CA/cert and so on, but I have no visibility into the configuration of the external LDAP server that I have configured in the meta stanza in my slapd.conf. Do I need their cacert.pem file? Does the one I use in slapd.conf need to match the one on the external server? Does the one in my ldap.conf need to match theirs? Do I need to configure something in the "meta" stanza in my slapd.conf to tell it not to verify the external server's certificate?

The thing that confuses me the most is the fact that ldapwhoami works over ldaps:// to that external server, but the meta piece in my slapd.conf won't work over ldaps, only over straight ldap.

--stephen

On 1/24/07, Aaron Richton <richton@nbcs.rutgers.edu> wrote:
OK, a couple long shots (I don't really believe these, but they should be
quick to try and since you're not working anyway they shouldn't hurt)...

Do TLSCACertificateFile and/or TLSCACertificatePath match TLS_CACERT
and/or TLS_CACERTDIR? Can you make them that way?

Can you verify somehow that the ldap.conf you expect to be read is indeed
being read? That there's no ~/.ldaprc in the way?

"TLS_REQCERT never" should set the library to its most liberal; it's
somewhat surprising that it's still complaining about CA in that case.

On Wed, 24 Jan 2007, Stephen Agar wrote:

> I appreciate everyone's advice. I have verified that as the same uid "user
> ldap", I CAN connect to the external LDAP server via "ldapwhoami over
> ldaps://", but when connecting to localhost and attempting to use the "meta"
> definition, it doesn't work.
>
> I don't have a copy of the cacert on the external server; I just have a self-
> signed setup on my own OpenLDAP box. Do I need to get a copy of their
> cacert.pem and configure that in my ldap.conf?
>
> I haven't had a chance to look at the strace/truss output yet, but will post
> when I do.
>
> --stephen
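The checklist Aaron gives above (do TLSCACertificateFile / TLSCACertificatePath in slapd.conf match TLS_CACERT / TLS_CACERTDIR on the client side, is there a ~/.ldaprc in the way, what does TLS_REQCERT actually end up as) can be mechanised. The script below is an added example written for this thread, not code from either poster or from the OpenLDAP project. The three config files are constructed samples; the hostname ldap.partner.example, the file paths and the user .ldaprc contents are assumptions. It parses the files the way libldap treats them (directive names case-insensitive, a later file overriding an earlier one, TLS_REQCERT defaulting to demand) and reports the mismatches that would make an ldaps:// meta URI fail, or succeed only because verification has been turned off.

```python
"""Compare slapd.conf's TLS settings with the libldap client configuration
that back-meta's outbound ldaps:// connections actually use.

Added example for this thread; every file below is a constructed sample,
not the poster's real configuration.
"""

# Constructed sample: local slapd.conf with its own self-signed CA and a meta
# stanza pointing at an external server over ldaps://.
SLAPD_CONF = """\
# global TLS directives
TLSCACertificateFile  /etc/openldap/cacert.pem
TLSCertificateFile    /etc/openldap/server.pem
TLSCertificateKeyFile /etc/openldap/server.key

database meta
suffix "dc=example,dc=com"
uri "ldaps://ldap.partner.example/dc=example,dc=com"
"""

# Constructed sample: the system-wide ldap.conf that every libldap client
# (including slapd's own back-meta connections) reads first.
SYSTEM_LDAP_CONF = """\
TLS_CACERT  /etc/openldap/cacert.pem
TLS_REQCERT demand
"""

# Constructed sample: a ~/.ldaprc in the home directory of the user slapd runs
# as. libldap reads it after the system file, so its directives win.
USER_LDAPRC = """\
TLS_CACERT  /var/lib/ldap/partner-ca.pem
TLS_REQCERT never
"""


def parse_conf(text):
    """Parse 'Directive value' lines (slapd.conf / ldap.conf / .ldaprc).

    Directive names are case-insensitive. A directive may repeat (several uri
    lines in one meta stanza), so every key maps to a list in file order.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        val = parts[1].strip().strip('"') if len(parts) > 1 else ""
        conf.setdefault(key, []).append(val)
    return conf


def last(conf, key):
    """Last occurrence wins, as a later directive overrides an earlier one."""
    vals = conf.get(key)
    return vals[-1] if vals else None


# Client-side (ldap.conf) directive -> server-side (slapd.conf) directive.
# Same kind of file, different names, and nothing keeps them in sync.
CLIENT_TO_SLAPD = {
    "tls_cacert": "tlscacertificatefile",
    "tls_cacertdir": "tlscacertificatepath",
}


def effective_client_conf(system_conf, user_rc=None):
    """Merge the system ldap.conf with a per-user .ldaprc the way libldap
    does: the user file is read afterwards and overrides. Returns the merged
    config and the set of directives the user file overrode."""
    merged = {k: list(v) for k, v in system_conf.items()}
    overridden = set()
    for key, vals in (user_rc or {}).items():
        if key in merged:
            overridden.add(key)
        merged[key] = list(vals)
    return merged, overridden


def check_meta_tls(slapd_conf, client_conf, overridden=frozenset()):
    """Return human-readable findings on why back-meta's ldaps:// connections
    could fail, or succeed only because certificate verification is off."""
    findings = []
    for ckey, skey in CLIENT_TO_SLAPD.items():
        cval, sval = last(client_conf, ckey), last(slapd_conf, skey)
        if cval != sval:
            findings.append(f"{ckey.upper()}={cval!r} (client side) differs from "
                            f"{skey}={sval!r} (slapd.conf)")
    for key in sorted(overridden):
        findings.append(f"{key.upper()} is overridden by a ~/.ldaprc of the slapd user")
    ldaps_uris = [u for u in slapd_conf.get("uri", []) if u.lower().startswith("ldaps://")]
    reqcert = (last(client_conf, "tls_reqcert") or "demand").lower()  # ldap.conf(5) default
    has_ca = last(client_conf, "tls_cacert") or last(client_conf, "tls_cacertdir")
    if ldaps_uris and reqcert != "never" and not has_ca:
        findings.append("meta uri uses ldaps:// but no TLS_CACERT/TLS_CACERTDIR is set "
                        "and TLS_REQCERT is not 'never': the remote cert cannot be verified")
    if ldaps_uris and reqcert == "never":
        findings.append("TLS_REQCERT never: the remote server's certificate is not verified "
                        "at all; fine for diagnosis, not for production")
    return findings


def run_check():
    """Run the comparison over the constructed samples."""
    slapd = parse_conf(SLAPD_CONF)
    client, overridden = effective_client_conf(parse_conf(SYSTEM_LDAP_CONF),
                                               parse_conf(USER_LDAPRC))
    return check_meta_tls(slapd, client, overridden)


if __name__ == "__main__":
    for finding in run_check():
        print("-", finding)
```

Two caveats the script cannot cover. First, the CA file the client side needs is the one that issued the external server's certificate, not the local slapd's self-signed CA; matching paths on both sides proves nothing if that file holds the wrong CA. That can only be checked against the remote certificate, for example with `openssl s_client -connect host:636 -CAfile /path/to/cacert.pem` run as the slapd user. Second, `TLS_REQCERT never` makes the connection succeed by not verifying the peer at all, which is useful to confirm the problem is the trust chain, and nothing more.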