
Re: Client says Can't contact LDAP server, but it can!



On Fri, Jul 25, 2008 at 10:20:55AM +0200, Buchan Milne wrote:
> On Friday 25 July 2008 01:13:37 John Oliver wrote:
> > On Thu, Jul 24, 2008 at 04:04:10PM -0700, Quanah Gibson-Mount wrote:
> > > Any client will need to know about the CA that signed your self-signed
> > > cert.
> >
> > I created my certificate with:
> >
> > openssl req -new -x509 -nodes -out /etc/ssl/ldap.pem \
> >     -keyout /etc/openldap/ssl/ldap.pem -days 3650
> >
> > In slapd.conf I have:
> >
> > TLSCertificateFile /etc/ssl/ldap.pem
> > TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem
> > TLSCACertificateFile /etc/ssl/ldap.pem
> >
> > What do I need to do differently?
> 
> Configure the *client* ???

The clients work perfectly with the working server.  Why would they have
to have a different configuration to talk to the backup LDAP server?
That would pretty much defeat the purpose of having multiple LDAP
servers ;-)

> Now, unless you've split the cert out separately, you're most likely going to 
> be exposing the private key as well, which means there's pretty much no point 
> to your encryption ....

To be honest, I have no idea about "splitting the cert".  I know nothing
about OpenSSL.  At the moment, I'm far more interested in getting the
second LDAP server working than I am in having perfect security.  None
of these systems are on a public network.

-- 
***********************************************************************
* John Oliver                             http://www.john-oliver.net/ *
*                                                                     *
***********************************************************************
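As an added example (not code from anyone in this thread), here is a small Python script for the two points the replies raise: the "splitting" Buchan mentions, and Quanah's point that a client must know the signer of every server cert it may see. It pulls the CERTIFICATE blocks out of each server's PEM file into one bundle for the clients, and refuses to build the bundle if any input file still carries a private key. The host labels, file names and PEM bodies are constructed for the example; the bodies are not real certificates or keys.

```python
"""Build a client-side CA bundle from per-server OpenLDAP PEM files.

Added example, not from the thread. Assumes each server's cert was made with
'openssl req -new -x509 -nodes ...' (a self-signed cert is its own CA) and
that clients will point TLS_CACERT in ldap.conf at the bundle written here.
"""
import re

# One PEM block: "-----BEGIN X-----", body, "-----END X-----" (same label X).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)

# Constructed sample files (fake bodies, not real DER). Each server made its
# own self-signed cert, so the client must trust both.
PRIMARY_CERT = """-----BEGIN CERTIFICATE-----
MIIBxTCCAW4CCQDconstructedNotARealCertPrimary
-----END CERTIFICATE-----
"""

BACKUP_CERT = """-----BEGIN CERTIFICATE-----
MIIBxTCCAW4CCQDconstructedNotARealCertBackup
-----END CERTIFICATE-----
"""

# The mistake to catch: cert and key left together in the file that gets
# handed out as the "CA cert".
BACKUP_CERT_AND_KEY = BACKUP_CERT + """-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAconstructedNotARealKey
-----END RSA PRIVATE KEY-----
"""


def pem_blocks(text):
    """Return [(label, full_block_text), ...] for every PEM block in text."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def is_private_key(label):
    """True for 'PRIVATE KEY', 'RSA PRIVATE KEY', 'EC PRIVATE KEY', ..."""
    return label.endswith("PRIVATE KEY")


def private_key_owners(server_pems):
    """Names of the servers whose PEM text still contains a private key."""
    return [
        name
        for name, text in server_pems.items()
        if any(is_private_key(label) for label, _ in pem_blocks(text))
    ]


def build_ca_bundle(server_pems):
    """Concatenate the CERTIFICATE blocks of every server into one bundle.

    Raises ValueError if any input carries a private key, so the file copied
    to every client can never leak a server's key, and if a server file has
    no certificate at all (the client would silently not trust that server).
    """
    leaking = private_key_owners(server_pems)
    if leaking:
        raise ValueError(
            "refusing to bundle: private key present in " + ", ".join(leaking)
        )
    certs = []
    for name, text in server_pems.items():
        found = [block for label, block in pem_blocks(text) if label == "CERTIFICATE"]
        if not found:
            raise ValueError(f"{name}: no CERTIFICATE block found")
        certs.extend(found)
    return "\n".join(certs) + "\n"


def write_bundle(path, server_pems):
    """Write the bundle to disk; returns the number of certs written."""
    bundle = build_ca_bundle(server_pems)
    with open(path, "w") as fh:
        fh.write(bundle)
    return bundle.count("-----BEGIN CERTIFICATE-----")


if __name__ == "__main__":
    # Hypothetical host names; in practice read the files from each server.
    servers = {"ldap1.example.com": PRIMARY_CERT, "ldap2.example.com": BACKUP_CERT}
    print(build_ca_bundle(servers))
    try:
        build_ca_bundle({"ldap2.example.com": BACKUP_CERT_AND_KEY})
    except ValueError as err:
        print("rejected:", err)
```

Once the bundle is written (for instance to /etc/openldap/cacerts/ldap-bundle.pem, a path chosen for the example), each client's ldap.conf points at it with `TLS_CACERT /etc/openldap/cacerts/ldap-bundle.pem`, and the same client configuration then works against either server. On each server, TLSCACertificateFile should point at a file that contains only the certificate, never the one produced with -keyout.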