
RE: Last attempt at TLS/SSL

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Lawrence, Mike

> Hi Kent - doesn't look like a permissions issue to me
> as the CA cert (and all the directories above it, in my
> case /var/tmp/certs) are all world readable.
>
> Here is some extra info, all the lines I have turned on
> in my slapd.conf file and also ldap.conf:
>
> ldap.conf:
>
> host wp-app-3.webtech.com
> base dc=webtech,dc=com
> uri ldaps://wp-app-3.webtech.com
> binddn cn=Authenticator,dc=webtech,dc=com
> bindpw admin123
> port 636
> scope sub
> pam_password crypt
> nss_base_passwd         ou=People,dc=webtech,dc=com?one
> nss_base_shadow         ou=People,dc=webtech,dc=com?one
> ssl yes
> TLS_CACERT /var/tmp/certs/demoCA/cacert.pem

You have PADL directives and OpenLDAP directives mixed together in the same
file. This sometimes works, but I recommend keeping them separate, to
eliminate ambiguities.

Don't use "host" and "port" directives with "uri" - just use one or the
other. It's preferable to only use the "uri" directive. That also removes the
need for the "ssl" directive, since all of this information is present in the
LDAPURL.

> And I actually have a copy of your how-to printed out sitting
> on my desk right now that I have been using as a reference,
> and am wondering why openldap hates me so much because this
> seems like it should be fairly easy to make work.

It's not OpenLDAP's fault that you're mixing config info for two separate
packages together and getting poor results.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
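An added checker (not from the thread, nor part of OpenLDAP or PADL nss_ldap) that applies the two points of the reply above to a client config: it flags PADL-only and OpenLDAP-only directives in the same file, and host/port/ssl used beside a uri. The directive sets are an assumed, illustrative subset of the two ldap.conf manuals, and the sample files are constructed from the quoted config with the password replaced.

```python
# Assumed subsets of the nss_ldap/pam_ldap and OpenLDAP ldap.conf(5) keywords.
# host, port, base, uri and binddn are accepted by both, so they are not listed.
PADL_ONLY = {"scope", "ssl", "pam_password", "bindpw", "rootbinddn",
             "nss_base_passwd", "nss_base_shadow", "nss_base_group",
             "tls_cacertfile", "tls_checkpeer"}
OPENLDAP_ONLY = {"tls_cacert", "tls_cacertdir", "tls_reqcert", "tls_cert",
                 "tls_key", "sizelimit", "timelimit", "deref", "sasl_mech"}

def parse(text):
    """Return [(keyword, value)] with keywords lowercased; skip blanks and comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        entries.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return entries

def audit(text):
    """List the problems found: mixed directive families, host/port or ssl beside uri."""
    entries = parse(text)
    keys = {k for k, _ in entries}
    findings = []
    padl, openldap = sorted(keys & PADL_ONLY), sorted(keys & OPENLDAP_ONLY)
    if padl and openldap:
        findings.append(f"mixed: PADL-only {padl} with OpenLDAP-only {openldap}")
    if "uri" in keys:
        dup = sorted(keys & {"host", "port"})
        if dup:
            findings.append(f"redundant with uri: {dup}")
        uris = [v for k, v in entries if k == "uri"]
        if "ssl" in keys and any(u.lower().startswith("ldaps://") for u in uris):
            findings.append("ssl directive redundant: uri already uses ldaps://")
    return findings

# Constructed sample mirroring the quoted file (bind password replaced).
MIXED = """\
host wp-app-3.webtech.com
base dc=webtech,dc=com
uri ldaps://wp-app-3.webtech.com
binddn cn=Authenticator,dc=webtech,dc=com
bindpw PLACEHOLDER
port 636
scope sub
pam_password crypt
nss_base_passwd ou=People,dc=webtech,dc=com?one
ssl yes
TLS_CACERT /var/tmp/certs/demoCA/cacert.pem
"""
# Constructed: the same client settings kept in an OpenLDAP-only file.
OPENLDAP_CLEAN = """\
URI ldaps://wp-app-3.webtech.com
BASE dc=webtech,dc=com
TLS_CACERT /var/tmp/certs/demoCA/cacert.pem
"""

if __name__ == "__main__":
    for name, conf in (("mixed", MIXED), ("openldap", OPENLDAP_CLEAN)):
        print(name, audit(conf) or ["ok"])
```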