[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: RE : SSL + openldap

Broussard Philippe wrote:


I made the modifications in ldap.conf :
I have deleted the host line I have used the second line of uri

I can contact now the ldap server but the pam_ldap always don't work,
I'm always the same error andd I don't know why


PS : thanks for the answer

AUTH.LOG ******** Aug 19 12:01:30 squid login[907]: pam_ldap: ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT): Unknown error Aug 19 12:01:30 squid login[907]: pam_ldap: _set_ssl_default_options failed

conn=0 fd=13 ACCEPT from IP= (IP=
conn=0 op=0 BIND dn="cn=Root,dc=e-qual,dc=fr" method=128

The dash could be a problem.  Perhaps you need to escape it?
Try removeing it as a test.

conn=0 op=0 BIND dn="cn=Root,dc=e-qual,dc=fr" mech=simple ssf=0
conn=0 op=0 RESULT tag=97 err=0 text=
conn=0 op=1 SRCH base="ou=People,dc=e-qual,dc=fr" scope=2
<= bdb_equality_candidates: (uid) index_param failed (18)
conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=0 op=2 BIND anonymous mech=implicit ssf=0conn=0 op=2 BIND
dn="uid=root,ou=People,dc=e-qual,dc=fr" method=128
conn=0 op=2 BIND dn="uid=root,ou=People,dc=e-qual,dc=fr" mech=simple
conn=0 op=2 RESULT tag=97 err=0 text=
conn=0 op=3 BIND anonymous mech=implicit ssf=0conn=0 op=3 BIND
dn="cn=Root,dc=e-qual,dc=fr" method=128
conn=0 op=3 BIND dn="cn=Root,dc=e-qual,dc=fr" mech=simple ssf=0
conn=0 op=3 RESULT tag=97 err=0 text=
conn=0 fd=13 closed

-----Message d'origine----- De : owner-openldap-software@OpenLDAP.org [mailto:owner-openldap-software@OpenLDAP.org] De la part de Bernard Massot Envoyé : mardi 19 août 2003 10:59 À : openldap-software@OpenLDAP.org Objet : Re: SSL + openldap

On Mon, Aug 18, 2003 at 11:03:14AM +0200, Broussard Philippe wrote:

I use pam_ldap (tarball) for unix authentification and SSL for secure

Have you an idea about why it don't work ???

PS : the ldap server log gave nothing and I start slapd with tis


line : slapd -d 256 -h "ldap:// ldaps://"

uri ldap://
uri ldaps://

I think the problem is here. First I think you can't use both "host" and
"uri". You should use only "uri" ("host" is deprecated). Then I don't
know if you can use 2 "uri" statements (maybe only the 2nd one is used),
the normal "uri" usage is "uri ldap://foo/ ldaps://bar/ ...".
When using LDAPS, the hostname part of the uri must match the CN of the
certificate, which must be the FQDN of the host. So be sure to have a
right certificate and correct your URIs.