
RE: SSL/TLS Ughh



> -----Original Message-----
> From: Lee Hoffman [mailto:lee_hoffman@brown.edu]

> That was it! I added the line to /export/openldap/etc/ldap.conf and now
> ldapsearch works!

Yes, it always helps to make sure you're editing the correct config file.
Which means you have to pay attention to how you configured the build, and
where you told it to put the config files in the first place.

> I'm still having a problem on clients on other servers though. I have
> another server with pam_ldap (compiled against openldap 2.0.23-4) that
> authenticates fine against this directory when "ssl starttls" is not
> enabled in ldap.conf. When I enable "ssl starttls" in pam_ldap's
> ldap.conf though it stops working. I ran slapd with -d -1 and no real
> errors popped up (see attached debug info). Do I have to copy the
> CA certificate from the ldap server to the pam_ldap server? I haven't
> created CA certs or anything like that on the pam_ldap server. Do I
> have to?

You also have to pay attention to the distinctions between separate software
packages. pam_ldap may make use of OpenLDAP but it is a separate, distinct
software package with its own rules and behaviors. It also has its own
distinct, separate support resources. I suggest you try the pamldap@padl.com
mailing list.

> I don't know if this has anything to do with it, but ldapsearch -Z -p
> 636 doesn't work (ssl not working?)

You also need to pay attention to the difference between ldaps and StartTLS.
They are two separate, incompatible mechanisms for establishing an SSL/TLS
session. After session establishment is completed, they are handled pretty
much identically, but you cannot mix the two.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
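As an added example, not part of Howard Chu's reply or of OpenLDAP itself, the following Python shows at the byte level why ldaps and StartTLS cannot be mixed. An ldaps client speaks TLS from the first byte, so the listener sees a TLS record (ClientHello). A StartTLS client first sends a plaintext LDAP ExtendedRequest carrying OID 1.3.6.1.4.1.1466.20037 and only then switches to TLS. The BER encoder, the in-memory TLS handshake used to produce a real ClientHello without a network, the hostname ldap.example.com, and the function names are all assumptions of this example; the OID and tag values are the standard ones. The "ldaps"/"ldap" port modes stand for a slapd listening on ldaps:// (636) and ldap:// (389) respectively.

```python
import ssl

# StartTLS extended operation OID (RFC 4511, originally RFC 2830).
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"


def ber_length(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, content: bytes) -> bytes:
    """Tag + length + value, the building block of every LDAP PDU."""
    return bytes([tag]) + ber_length(len(content)) + content


def starttls_request(message_id: int = 1) -> bytes:
    """The plaintext LDAPMessage a StartTLS client (ldapsearch -Z) sends first."""
    msg_id = ber_tlv(0x02, bytes([message_id]))       # INTEGER messageID
    req_name = ber_tlv(0x80, STARTTLS_OID.encode())   # [0] requestName (context-specific)
    ext_req = ber_tlv(0x77, req_name)                 # [APPLICATION 23] ExtendedRequest
    return ber_tlv(0x30, msg_id + ext_req)            # SEQUENCE LDAPMessage


def tls_client_hello(server_hostname: str = "ldap.example.com") -> bytes:
    """The first bytes an ldaps:// client sends: a real ClientHello built via memory BIOs.

    The hostname is a constructed example value; no connection is made.
    """
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False,
                       server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello written, now waiting for a ServerHello
    return outgoing.read()


def classify_first_bytes(data: bytes) -> str:
    """What a listener can tell from the first bytes of a connection."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"      # ContentType handshake(22), version 3.x: an ldaps client
    if data and data[0] == 0x30:
        return "ldap"     # universal SEQUENCE: a plaintext LDAP PDU
    return "unknown"


def listener_outcome(port_mode: str, first_bytes: bytes) -> str:
    """Result of a client's first bytes hitting a given kind of listener.

    port_mode "ldaps": TLS from byte one (slapd on ldaps://, port 636).
    port_mode "ldap":  plaintext LDAP, StartTLS optional (slapd on ldap://, port 389).
    """
    seen = classify_first_bytes(first_bytes)
    if port_mode == "ldaps":
        if seen == "tls":
            return "handshake"
        return "tls-error: expected ClientHello, got %s" % seen
    if port_mode == "ldap":
        if seen == "ldap":
            if STARTTLS_OID.encode() in first_bytes:
                return "starttls-then-tls"
            return "plaintext-ldap"
        return "protocol-error: expected LDAP PDU, got %s" % seen
    raise ValueError("unknown port mode: %r" % port_mode)


if __name__ == "__main__":
    # The failing case from the thread: StartTLS request sent to an ldaps port.
    print("-Z against 636:", listener_outcome("ldaps", starttls_request()))
    # The two matching combinations.
    print("-Z against 389:", listener_outcome("ldap", starttls_request()))
    print("ldaps:// against 636:", listener_outcome("ldaps", tls_client_hello()))
    # The other mismatch: ldaps client talking to a plain ldap port.
    print("ldaps:// against 389:", listener_outcome("ldap", tls_client_hello()))
```

The "-Z against 636" line is the `ldapsearch -Z -p 636` case from the thread: the server receives a BER SEQUENCE where the TLS stack expects a handshake record and the connection fails before any LDAP operation is processed. In practice you pick one or the other: `ldapsearch -ZZ -H ldap://host/` for StartTLS on the plain port, or `ldapsearch -H ldaps://host/` for TLS from the first byte, never `-Z` together with the ldaps port.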