Re: I don't want to use GSSAPI !?
On 22/10/2015 19:44, Olivier wrote:
Hi Clément,
yep, I know that and it works. But the problem is that this is the
only client where I get this behaviour with ldapsearch and I'd like to
understand why.
The real problem behind this is that I saw that, to have user
authentication over ldap working, I had to DEACTIVATE TLS for ldap
queries: even
for a very internal machine, I really don't want to leave the
configuration like that.
Here is what makes it work :
nsswitch.conf :
passwd: files ldap
/etc/ldap.conf
...
#ssl start_tls
#tls_cacertdir /etc/openldap/cacerts
...
I can't leave things like this.
There should be no link between your GSSAPI problem and the StartTLS
option. You can indeed try to use StartTLS in ldapsearch to see if your
SSL configuration is correct; in this case, use -x to bypass the SASL
authentication.
Then you need to import the CA which signed your LDAP server certificate
on your clients to let them verify the certificate when requesting the
LDAP with StartTLS.
--
Clément OUDOT
Free software consultant, infrastructure and security expert
Savoir-faire Linux
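As an added example (not code posted in the thread), the checks Clément describes, written out as a small POSIX shell script: a simple bind (-x) with mandatory StartTLS (-ZZ) so GSSAPI is out of the picture, a certificate check against the imported CA, and an audit of the nss_ldap-style /etc/ldap.conf fragment Olivier posted, with the weak (commented-out) form beside a corrected one. The hostname ldap.example.com, the base DN dc=example,dc=com, the CA file path and the script name are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks the StartTLS setup the way
# Clément suggests: bind simply (-x) so GSSAPI is out of the picture, and
# require StartTLS (-ZZ) so a failed TLS negotiation is a hard error.
# Host, base DN and CA file below are assumptions; adjust to your site.

LDAP_HOST="${LDAP_HOST:-ldap.example.com}"            # assumed hostname
LDAP_BASE="${LDAP_BASE:-dc=example,dc=com}"           # assumed base DN
CA_FILE="${CA_FILE:-/etc/openldap/cacerts/ca.crt}"    # assumed CA file path

# 1. Verify the server's certificate chain against our CA without any LDAP
#    client library involved (needs OpenSSL 1.1.1+, which knows the LDAP
#    StartTLS dialogue). Succeeds only if openssl reports verify code 0.
check_server_cert() {
    openssl s_client -starttls ldap -connect "$LDAP_HOST:389" \
        -CAfile "$CA_FILE" </dev/null 2>/dev/null |
        grep -q 'Verify return code: 0 (ok)'
}

# 2. Same check through the OpenLDAP client library: -x is a simple
#    (here anonymous) bind, -ZZ issues StartTLS and aborts if it fails,
#    LDAPTLS_CACERT points the library at the CA (same effect as TLS_CACERT
#    in /etc/openldap/ldap.conf). The "1.1" selector asks for no attributes.
check_ldapsearch_starttls() {
    LDAPTLS_CACERT="$CA_FILE" ldapsearch -x -ZZ -H "ldap://$LDAP_HOST" \
        -b "$LDAP_BASE" -s base '(objectClass=*)' 1.1 >/dev/null
}

# 3. The configuration Olivier had to fall back to (constructed from the
#    fragment in the thread): StartTLS and the CA directory commented out,
#    so nss_ldap talks plaintext LDAP.
weak_ldap_conf() {
    cat <<'EOF'
uri ldap://ldap.example.com
base dc=example,dc=com
#ssl start_tls
#tls_cacertdir /etc/openldap/cacerts
EOF
}

# 4. The same nss_ldap/pam_ldap /etc/ldap.conf with TLS back on. These
#    lowercase keys are nss_ldap's; ldapsearch itself reads the uppercase
#    TLS_CACERT / TLS_REQCERT keys from /etc/openldap/ldap.conf instead.
hardened_ldap_conf() {
    cat <<'EOF'
uri ldap://ldap.example.com
base dc=example,dc=com
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer yes
EOF
}

# 5. Audit an nss_ldap-style ldap.conf: return 0 only if "ssl start_tls" is
#    active (not commented out), a CA location is configured, and peer
#    certificate checking has not been switched off.
ldap_conf_tls_enabled() {
    conf="$1"
    grep -Eq '^[[:space:]]*ssl[[:space:]]+start_tls' "$conf" &&
    grep -Eq '^[[:space:]]*tls_cacert(dir|file)[[:space:]]+[^[:space:]]' "$conf" &&
    ! grep -Eiq '^[[:space:]]*tls_checkpeer[[:space:]]+no' "$conf"
}

# Live checks run only when asked for explicitly, so the file can be
# sourced or audited offline:   sh ldap-tls-check.sh live
case "${1:-}" in
    live)
        check_server_cert         && echo "certificate chain verifies against $CA_FILE"
        check_ldapsearch_starttls && echo "ldapsearch -x -ZZ over StartTLS succeeded"
        ;;
esac
```

If ldapsearch -x -ZZ fails while openssl verifies the chain, the problem is on the client-library side (wrong or missing TLS_CACERT, or TLS_REQCERT weakened), not the server. When using tls_cacertdir rather than tls_cacertfile, the directory must hold the CA certificate under its OpenSSL hash name (c_rehash or openssl rehash), otherwise verification fails even though the CA file is present.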