[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Client says Can't contact LDAP server, but it can!

To: openldap-technical@openldap.org
Subject: Re: Client says Can't contact LDAP server, but it can!
From: John Oliver <joliver@john-oliver.net>
Date: Mon, 28 Jul 2008 12:44:26 -0700
Content-disposition: inline
In-reply-to: <488E17D4.1080001@symas.com>
References: <20080721153002.GA12884@ns.sdsitehosting.net> <200807251021.05245.bgmilne@staff.telkomsa.net> <20080725151612.GC29344@ns.sdsitehosting.net> <200807280920.33142.bgmilne@staff.telkomsa.net> <20080728183054.GA23107@ns.sdsitehosting.net> <488E17D4.1080001@symas.com>
User-agent: Mutt/1.4.2.2i

On Mon, Jul 28, 2008 at 12:02:44PM -0700, Howard Chu wrote:
> John Oliver wrote:
> 
> >On my test client, ldap.conf has:
> >
> >host 10.99.16.7
> >base dc=mydomain,dc=com
> >url ldaps://unix-services2.mydomain.com:636
> >timelimit 120
> >bind_timelimit 120
> >idle_timelimit 3600
> >ssl yes
> >tls_cacertdir /etc/openldap/cacerts
> >tls_checkpeer no
> >pam_password md5
> 
> The above is not valid for an OpenLDAP ldap.conf. (See the ldap.conf(5) 
> manpage for what's valid.) It appears to be a PADL nss_ldap config file, 
> but it's still invalid for that purpose. Make sure you're actually looking 
> at the correct config file...
> 
> >If I change the "host" and "url" to the other LDAP server, it works
> >perfectly.

I'm looking at that page now.  But if that config "isn't valid", why
does it work perfectly if I change it to:

host 10.99.16.5
base dc=mydomain,dc=com
url ldaps://unix-services.mydomain.com:636
timelimit 120
bind_timelimit 120
idle_timelimit 3600
ssl yes
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer no
pam_password md5

That results in perfectly working authentication.  Yes, I understand
that that may mean that my working server is borken, and my borken
ldap.conf just happens to be borken in just the right way to work.

I do appreciate all of the help, and apologize if I seem dense.  I know
that the root cause is my lack of knowledge here.  I'm reading as fast
as I can, but an awful lot of this documentation assumes a lot of
things.  I've never worked with SSL before, and my eyes are rolling back
in my head :-)  On top of that, I have people breathing down the back of
my neck to make this work on a short deadline.  Very frustrating :-(

-- 
***********************************************************************
* John Oliver                             http://www.john-oliver.net/ *
*                                                                     *
***********************************************************************

Follow-Ups:
- Re: Client says Can't contact LDAP server, but it can!
  - From: Quanah Gibson-Mount <quanah@zimbra.com>

References:
- Client says Can't contact LDAP server, but it can!
  - From: John Oliver <joliver@john-oliver.net>
- Re: Client says Can't contact LDAP server, but it can!
  - From: Buchan Milne <bgmilne@staff.telkomsa.net>
- Re: Client says Can't contact LDAP server, but it can!
  - From: John Oliver <joliver@john-oliver.net>
- Re: Client says Can't contact LDAP server, but it can!
  - From: Buchan Milne <bgmilne@staff.telkomsa.net>
- Re: Client says Can't contact LDAP server, but it can!
  - From: John Oliver <joliver@john-oliver.net>
- Re: Client says Can't contact LDAP server, but it can!
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: Client says Can't contact LDAP server, but it can!
Next by Date: Re: ACL Help Please
Index(es):
- Chronological
- Thread