Re: Client says Can't contact LDAP server, but it can!
On Mon, Jul 28, 2008 at 12:02:44PM -0700, Howard Chu wrote:
> John Oliver wrote:
>
> >On my test client, ldap.conf has:
> >
> >host 10.99.16.7
> >base dc=mydomain,dc=com
> >url ldaps://unix-services2.mydomain.com:636
> >timelimit 120
> >bind_timelimit 120
> >idle_timelimit 3600
> >ssl yes
> >tls_cacertdir /etc/openldap/cacerts
> >tls_checkpeer no
> >pam_password md5
>
> The above is not valid for an OpenLDAP ldap.conf. (See the ldap.conf(5)
> manpage for what's valid.) It appears to be a PADL nss_ldap config file,
> but it's still invalid for that purpose. Make sure you're actually looking
> at the correct config file...
>
> >If I change the "host" and "url" to the other LDAP server, it works
> >perfectly.
I'm looking at that page now. But if that config "isn't valid", why
does it work perfectly if I change it to:
host 10.99.16.5
base dc=mydomain,dc=com
url ldaps://unix-services.mydomain.com:636
timelimit 120
bind_timelimit 120
idle_timelimit 3600
ssl yes
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer no
pam_password md5
That results in perfectly working authentication. Yes, I understand
that that may mean that my working server is borken, and my borken
ldap.conf just happens to be borken in just the right way to work.
I do appreciate all of the help, and apologize if I seem dense. I know
that the root cause is my lack of knowledge here. I'm reading as fast
as I can, but an awful lot of this documentation assumes a lot of
things. I've never worked with SSL before, and my eyes are rolling back
in my head :-) On top of that, I have people breathing down the back of
my neck to make this work on a short deadline. Very frustrating :-(
--
***********************************************************************
* John Oliver http://www.john-oliver.net/ *
* *
***********************************************************************
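To make Howard's point concrete (which directives OpenLDAP's ldap.conf(5) understands, which belong to the PADL nss_ldap dialect, and which neither understands), here is a small checker. It is an added example, not code from the thread or from either project; the directive tables are recalled from the two man pages and the case-insensitive matching is an assumption, so compare them against your own documentation. It also flags settings that turn off server certificate verification, such as `tls_checkpeer no`, since an LDAPS client that skips that check cannot tell which server it is talking to.

```python
"""Sort ldap.conf directives by dialect and flag settings that disable peer verification."""
import re

# Directive tables are this example's assumption, recalled from ldap.conf(5)
# and the PADL nss_ldap ldap.conf; compare them with your own man pages.
OPENLDAP = {"uri", "base", "host", "port", "binddn", "timelimit", "sizelimit",
            "deref", "network_timeout", "timeout", "referrals", "tls_cacert",
            "tls_cacertdir", "tls_cert", "tls_key", "tls_reqcert",
            "tls_cipher_suite", "tls_crlcheck"}
NSS_LDAP = {"host", "base", "uri", "port", "binddn", "bindpw", "rootbinddn",
            "scope", "ldap_version", "timelimit", "bind_timelimit",
            "idle_timelimit", "bind_policy", "ssl", "tls_checkpeer",
            "tls_cacertfile", "tls_cacertdir", "tls_cert", "tls_key",
            "tls_ciphers", "pam_password"}
# Settings that stop the client from verifying the server's certificate.
WEAK = {("tls_checkpeer", "no"), ("tls_reqcert", "never"), ("tls_reqcert", "allow")}

def parse(text):
    """Yield (directive, value) pairs; names are lower-cased because the
    example assumes both libraries match directive names case-insensitively."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        yield parts[0].lower(), (parts[1] if len(parts) > 1 else "")

def dialect(key):
    """Name the dialect(s) that understand a directive, or 'unknown'."""
    hits = [n for n, t in (("openldap", OPENLDAP), ("nss_ldap", NSS_LDAP)) if key in t]
    return "+".join(hits) or "unknown"

def classify(text):
    """Map every directive in the file to its dialect."""
    return {k: dialect(k) for k, _ in parse(text)}

def weak_tls(text):
    """Return directives whose value disables server certificate checking."""
    return [(k, v) for k, v in parse(text) if (k, v.lower()) in WEAK]

# Constructed sample: the client config quoted in the thread.
SAMPLE = """host 10.99.16.7
base dc=mydomain,dc=com
url ldaps://unix-services2.mydomain.com:636
bind_timelimit 120
ssl yes
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer no
pam_password md5
"""
```

Running `classify(SAMPLE)` reports `url` as unknown to both dialects and `ssl`, `bind_timelimit`, `tls_checkpeer` and `pam_password` as nss_ldap-only, while `weak_tls(SAMPLE)` returns the `tls_checkpeer no` line.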