
RE: client can StartTLS from ldapsearch but not getent/pam_ldap



>>>
-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Fran Fabrizio

Now, if I comment out everything TLS-related from slapd.conf and ldap.conf on
the server and client, I see the accounts just fine, so the pam_filter and
such is all working just fine.  But I can't get the client to negotiate a TLS
connection when using getent, whereas it negotiates one fine when I run
ldapsearch.  Thoughts of things to look at?  nsswitch is set "passwd files
ldap" and as mentioned works fine when I comment out TLS-related settings in
ldap.conf and slapd.conf.

My client ldap.conf contains (relevant to TLS):

ssl start_tls
TLS_CACERT /tmp/demoCA/cacert.pem
TLS_REQCERT demand
<<<

"ssl start_tls" is not a valid directive in the OpenLDAP ldap.conf file. It
may be valid in PADL's ldap.conf file. "TLS_CACERT" is an OpenLDAP directive,
and probably not a PADL directive. As is often the case, you have confused
the two packages. Your problem is most likely due to your PADL nss/pam
configuration, and this question belongs on the nssldap@padl.com or
pamldap@padl.com mailing list, not here.

We (Symas) always recommend that when building PADL's pam and nss modules,
you configure them to use (e.g.) "/etc/nsspam.conf" for their configuration,
instead of the default name "ldap.conf", to help reduce some of this
confusion.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
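A concrete layout of the two separately named configuration files Howard describes, added here as an illustration; it is not taken from the thread or from either project's documentation. The hostname and base DN are assumptions, the CA path is the one from the original message, and /etc/nsspam.conf is only consulted by nss_ldap and pam_ldap if they were built with configure --with-ldap-conf-file pointing at it.

```conf
# /etc/openldap/ldap.conf
# Read by the OpenLDAP client library (libldap), i.e. by ldapsearch and by
# anything that links against it.  Keywords are OpenLDAP's upper-case TLS_*
# directives; a PADL "ssl start_tls" line placed here is silently ignored.
URI          ldap://ldap.example.com        # assumed hostname
BASE         dc=example,dc=com              # assumed base DN
TLS_CACERT   /tmp/demoCA/cacert.pem         # CA file from the original post
TLS_REQCERT  demand                         # refuse a server without a verifiable cert

# /etc/nsspam.conf
# Read by PADL's nss_ldap and pam_ldap (path chosen at build time with
# --with-ldap-conf-file=/etc/nsspam.conf).  Keywords are PADL's lower-case
# ones; an OpenLDAP "TLS_CACERT" line placed here is silently ignored, and
# without "ssl start_tls" in THIS file getent/pam never issue StartTLS at all.
uri             ldap://ldap.example.com     # assumed hostname
base            dc=example,dc=com           # assumed base DN
ldap_version    3
ssl             start_tls                   # PADL directive: negotiate StartTLS on the plain port
tls_checkpeer   yes                         # PADL directive: verify the server certificate
tls_cacertfile  /tmp/demoCA/cacert.pem      # PADL spelling of the CA-file setting
pam_filter      objectclass=posixAccount
```

Two checks keep the packages apart when debugging: `ldapsearch -ZZ` exercises only libldap and its ldap.conf, while `getent passwd <user>` watched alongside slapd's log exercises the PADL file. Since nss_ldap is loaded into every process that resolves a user, the CA file has to be readable by unprivileged users, and a trust anchor under /tmp (as in the original post) is writable by anyone on the box; a root-owned location under /etc is the usual home for it.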