
ldapsearch ignoring ldap.conf?


I am just arriving at this list and I am messing for the first time with LDAP/OpenLDAP.

I am testing my server and I have configured it to use SSL all the time. My problem is that ldapsearch seems to be ignoring my /usr/local/etc/openldap/ldap.conf file. Why do I say that?

If I create a .ldaprc file with the following content:

TLS_CACERT /etc/ssl/certs/cr_aa.pem
TLS_CERT /etc/ssl/certs/fellini.cert
TLS_KEY /etc/ssl/private/fellini.key
ldapsearch works fine. If I remove it ldapsearch gives me the following error:

TLS trace: SSL_connect:SSLv3 flush data
tls_read: want=5, got=5
0000: 15 03 01 00 02 .....
tls_read: want=2, got=2
0000: 02 28 .(
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_bind: Can't contact LDAP server (81)
additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

The point is: my /usr/local/etc/openldap/ldap.conf file already has exactly this same info in it:

# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
# LDAP Defaults

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example, dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

URI ldaps://fellini.fabricadeideias.com
base dc=fabricadeideias,dc=com
rootbinddn cn=root,dc=fabricadeideias,dc=com
scope one
pam_filter objectclass=posixaccount
pam_login_attribute uid
pam_member_attribute gid
pam_password md5
nss_base_passwd         ou=People,dc=fabricadeideias,dc=com?one
nss_base_shadow         ou=People,dc=fabricadeideias,dc=com?one
nss_base_group          ou=Group,dc=fabricadeideias,dc=com?one
nss_base_hosts          ou=Hosts,dc=fabricadeideias,dc=com?one
SSL on

#TLS_CACERTDIR  /etc/ssl/certs
TLS_CACERT      /etc/ssl/certs/cr_aa.pem
TLS_CERT        /etc/ssl/certs/fellini.cert
TLS_KEY /etc/ssl/private/fellini.key

BTW, I am using openldap 2.1.22 over Conectiva Linux 9.

One more thing, I already straced ldapsearch. It does read my /usr/local/etc/openldap/ldap.conf file ok. It just ignores its contents AFAICT.


Rodrigo Severo
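As an added illustration (not code from the post or from OpenLDAP itself): a small model of how libldap layers the system-wide ldap.conf under the per-user .ldaprc, applying the rule documented in ldap.conf(5) that TLS_CERT and TLS_KEY are user-only options, honoured in .ldaprc (or $LDAPRC) but skipped when they appear in ldap.conf. Run on an abridged copy of the two files above, it shows why the same three lines take effect in one place and not the other; the KNOWN table is a hand-picked subset of directives, not libldap's full list.

```python
# Added illustration, not OpenLDAP code: models libldap's layering of the
# system ldap.conf under the per-user .ldaprc, including the rule from
# ldap.conf(5) that TLS_CERT and TLS_KEY are user-only options.

# Directives libldap understands (subset); True marks a user-only option.
KNOWN = {
    "URI": False, "BASE": False, "BINDDN": False, "SIZELIMIT": False,
    "TIMELIMIT": False, "DEREF": False, "TLS_CACERT": False,
    "TLS_CACERTDIR": False, "TLS_REQCERT": False,
    "TLS_CERT": True, "TLS_KEY": True,
}

def parse_conf(text, user_conf):
    """Directives libldap would apply from one file, as {KEYWORD: value}.
    Comments, blank lines and unknown keywords (pam_*, nss_*, SSL) are
    skipped; user-only options are kept only when user_conf is True."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        kw = parts[0].upper()              # keywords are case-insensitive
        if kw not in KNOWN or (KNOWN[kw] and not user_conf):
            continue
        opts[kw] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def effective_options(system_conf, user_rc=None):
    """System ldap.conf first; a per-user file overrides what it sets."""
    opts = parse_conf(system_conf, user_conf=False)
    if user_rc is not None:
        opts.update(parse_conf(user_rc, user_conf=True))
    return opts

def client_cert_configured(opts):
    """True when a client cert and key would be offered in the handshake."""
    return "TLS_CERT" in opts and "TLS_KEY" in opts

# Constructed sample input, abridged from the post's two files.
LDAP_CONF = """\
URI ldaps://fellini.fabricadeideias.com
base dc=fabricadeideias,dc=com
pam_password md5
SSL on
TLS_CACERT      /etc/ssl/certs/cr_aa.pem
TLS_CERT        /etc/ssl/certs/fellini.cert
TLS_KEY /etc/ssl/private/fellini.key
"""
LDAPRC = "TLS_CERT /etc/ssl/certs/fellini.cert\nTLS_KEY /etc/ssl/private/fellini.key\n"
```

`effective_options(LDAP_CONF)` carries the URI, base and TLS_CACERT but no client cert or key, so `client_cert_configured` is False; with LDAPRC layered on top it becomes True, which matches a server that requires a client certificate succeeding only when .ldaprc is present.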