Re: fedora and openldap

[Judith Flo Gaya <jflo@imppc.org>]

Hello Aaron,
I already changed the parameter in the pam_ldap.conf and in the nslcd.conf
ssl on
instead of
ssl start_tls

Anywhere else?
Thanks for the advice, I thought I had fixed it... and in fact 
ldapsearch -x -H ldaps://server does work, the problem is within pam, it 
seems to be stucked using start_tls...



On 04/14/2011 07:08 PM, Aaron Richton wrote:
> On Thu, 14 Apr 2011, Judith Flo Gaya wrote:
>
> > Apr 14 18:54:34 curri0 slapd[2010]: conn=1019 fd=12 ACCEPT from
> > IP=[::1]:36208 (IP=[::]:636)
> > Apr 14 18:54:34 curri0 slapd[2010]: conn=1019 fd=12 TLS established
> > tls_ssf=256 ssf=256
> > Apr 14 18:54:34 curri0 slapd[2010]: conn=1019 op=0 EXT
> > oid=1.3.6.1.4.1.1466.20037
> > Apr 14 18:54:34 curri0 slapd[2010]: conn=1019 op=0 STARTTLS
> > Apr 14 18:54:34 curri0 slapd[2010]: conn=1019 op=0 RESULT oid= err=1 text=TLS
> > already started
> > Apr 14 18:54:34 curri0 slapd[2010]: conn=1019 op=1 UNBIND
> > Apr 14 18:54:34 curri0 slapd[2010]: conn=1019 fd=12 closed
>
> So you're trying to issue a StartTLS operation over an implicit SSL
> connection? There's no point to starting encryption on a connection that's
> already encrypted (hence the error). Either combine:
>
> a cleartext port (i.e. 389) with the StartTLS operation
>
> or
>
> an SSL port (i.e. 636) with NO StartTLS operation.