
Question about /etc/openldap/ldap.conf



Hi there!

I have OpenLDAP 2.4.21. I configured it with SSL (ldaps) and
"TLSVerifyClient demand".

On the client side file /etc/openldap/ldap.conf contains the following:
TLS_CACERT /etc/ssl/servercert.ca.crt
TLS_CERT /etc/openldap/client.crt
TLS_KEY /etc/openldap/client.key

But Samba and the standard LDAP tools (e.g. ldapsearch) don't connect to
the LDAP server:
TLS trace: SSL3 alert read: fatal: handshake failure
TLS trace: SSL_connect: failed in SSLv3 read finished A
TLS: can't connect: error: 14094410: SSL routines: SSL3_READ_BYTES:
sslv3 alert handshake failure.
ldap_err2string
ldap_sasl_bind (SIMPLE): Can't contact LDAP server (-1)

If you save the content of /etc/openldap/ldap.conf in ~/.ldaprc or use the
variables $LDAP<uppercase option name>, then everything works fine.
I assume that the options TLS_CERT and TLS_KEY aren't read from
/etc/openldap/ldap.conf. Correspondingly, the server cannot verify the
client certificate.
But the manual says:
"Thus the following files and variables are read, in order:
variable $LDAPNOINIT, and if that is not set:
system file /etc/openldap/ldap.conf,
user files $HOME/ldaprc, $HOME/.ldaprc, ./ldaprc,
system file $LDAPCONF,
user files $HOME/$LDAPRC, $HOME/.$LDAPRC, ./$LDAPRC,
variables $LDAP<uppercase option name>.
Settings late in the list override earlier ones."

Could you explain to me what is wrong?
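Added example (not part of the post above, and not libldap's code): a small model of the lookup order quoted from ldap.conf(5), used to check which of the three TLS lines actually survive in each of the situations the poster describes. The one fact it adds beyond the quoted text is that ldap.conf(5) in OpenLDAP 2.4 marks TLS_CERT and TLS_KEY as "user-only" options, which the system-wide file (/etc/openldap/ldap.conf, and $LDAPCONF) does not honour; the USER_ONLY_OPTIONS set below encodes that rule. The SYSTEM_CONF text is a constructed copy of the poster's file; function and variable names are this example's own.

```python
"""Model of libldap's configuration lookup, to show why TLS_CERT/TLS_KEY
are honoured in ~/.ldaprc and in $LDAPTLS_* but not in the system-wide file.
Added example: a model of the order quoted from ldap.conf(5), not OpenLDAP code."""

# Options that ldap.conf(5) (OpenLDAP 2.4) marks "user-only": read from
# ~/.ldaprc, ./ldaprc, $HOME/$LDAPRC and the environment, but ignored in the
# system-wide file (/etc/openldap/ldap.conf and $LDAPCONF).
USER_ONLY_OPTIONS = frozenset({"TLS_CERT", "TLS_KEY"})

# Environment variables that steer the lookup itself rather than set an option.
CONTROL_VARS = frozenset({"LDAPNOINIT", "LDAPCONF", "LDAPRC"})


def parse_ldap_conf(text):
    """Parse 'OPTION value' lines. Blank and '#' lines are skipped; option
    names are matched case-insensitively, so they are upper-cased here."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            options[parts[0].upper()] = parts[1].strip()
    return options


def effective_options(sources, env=None):
    """Apply the read order quoted from ldap.conf(5).

    sources: list of (kind, text) in read order; kind is "system" for
             /etc/openldap/ldap.conf and $LDAPCONF, "user" for ~/.ldaprc,
             ./ldaprc and $HOME/$LDAPRC; text is None for a missing file.
    env:     mapping of environment variables ($LDAPNOINIT, $LDAPTLS_CERT, ...).
    Returns (effective options, list of (option, reason) that were ignored).
    """
    env = dict(env or {})
    if "LDAPNOINIT" in env:
        return {}, [("*", "LDAPNOINIT set: no files or variables are read")]

    effective, ignored = {}, []
    for kind, text in sources:
        if text is None:
            continue
        for name, value in parse_ldap_conf(text).items():
            if kind == "system" and name in USER_ONLY_OPTIONS:
                ignored.append((name, "user-only option in a system-wide file"))
            else:
                effective[name] = value  # later files override earlier ones

    # $LDAP<OPTION> variables are read last and override everything else.
    for var, value in env.items():
        if var.startswith("LDAP") and var not in CONTROL_VARS:
            effective[var[len("LDAP"):].upper()] = value
    return effective, ignored


# Constructed copy of the poster's /etc/openldap/ldap.conf.
SYSTEM_CONF = """\
TLS_CACERT /etc/ssl/servercert.ca.crt
TLS_CERT /etc/openldap/client.crt
TLS_KEY /etc/openldap/client.key
"""


def scenarios():
    """The three situations in the post: system file only (handshake fails),
    the same lines copied to ~/.ldaprc (works), and $LDAPTLS_* variables (works)."""
    return {
        "system_only": effective_options([("system", SYSTEM_CONF)]),
        "user_ldaprc": effective_options([("system", SYSTEM_CONF),
                                          ("user", SYSTEM_CONF)]),
        "env_vars": effective_options(
            [("system", SYSTEM_CONF)],
            env={"LDAPTLS_CERT": "/etc/openldap/client.crt",
                 "LDAPTLS_KEY": "/etc/openldap/client.key"}),
    }


if __name__ == "__main__":
    for name, (opts, dropped) in scenarios().items():
        print(f"{name}: effective={sorted(opts)} ignored={dropped}")
```

In the "system_only" case the model keeps TLS_CACERT but drops TLS_CERT and TLS_KEY, so the client presents no certificate and a server configured with "TLSVerifyClient demand" aborts the handshake, which matches the "sslv3 alert handshake failure" in the trace; the other two cases carry all three options through. To check a real host, read the actual files into the `sources` list in the order the man page quotes.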