[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Setting up syncrepl, replicated LDAP doesn't work
Hi,
John Oliver a Ãcrit :
> [root@localhost ~]# ldapsearch -H
> ldaps://ldap2.mydomain.com -b
> "dc=mydomain,dc=com" uid=joliver sn givenName cn
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
> additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
This is a SSL error message: your LDAP client can not identify the
certificate authority that emitted the certificate presented by your
server. Configure your ldap.conf file to include appropriate files
(TLS_CACERT or TLS_CACERTDIR, etc).
> [root@localhost ~]# ldapsearch -H
> ldap://ldap2.mydomain.com -b
> "dc=mydomain,dc=com" uid=joliver sn givenName cn
> SASL/DIGEST-MD5 authentication started
> Please enter your password:
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
> additional info: SASL(-13): user not found: no secret in
> database
>
>
> When using just ldap:// with ldapsearch, I don't know what password it's
> asking for. My LDAP password doesn't work, the LDAP admin password
> doesn't work, the local root password doesn't work...
This is because ldapsearch is trying to authenticate using SASL
authentication layer. Add the "-x" option to your ldapsearch command,
and you can use your LDAP password.
> Here's the odd thing. When I started setting this up, the machine
> that's the primary (and working) LDAP server now was running fedora-ds.
> I set up OpenLDAP on what is now the slave server, and it worked
> perfectly. I slapcat'ed it, installed OpenLDAP on the primary server,
> and slapadded the db. I never generated any certificates on it at all,
> and it works perfectly. I just regenerated the cert on the slave
> server, but no joy.
I believe OpenSSL defaults have become more strict in certificate
checking, over some recent (maybe up to 6 months ago) upgrade.
Jonathan
--
Jonathan Clarke
Open Source Software Assurance (OSSA) - Groupe LINAGORA
27 rue de Berri, 75008 Paris
TÃl: 01 58 18 68 28, fax: 01 58 18 68 29
http://www.linagora.com - http://www.08000linux.com