[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS/SSL failover problem

To: openldap-software@OpenLDAP.org
Subject: Re: TLS/SSL failover problem
From: Dieter Kluenter <dieter@dkluenter.de>
Date: Wed, 10 Mar 2004 19:41:46 +0100
In-reply-to: <1078931095.3704.21.camel@rocketeer> (Doug Wilson's message of "Wed, 10 Mar 2004 10:04:55 -0500")
References: <1078871786.3669.131.camel@rocketeer> <m3oer5kyrr.fsf@marin.l4b.de> <1078931095.3704.21.camel@rocketeer>
User-agent: Gnus/5.1001 (Gnus v5.10.1) XEmacs/21.4 (Portable Code, linux)

Hi,

Doug Wilson <dwilson@virtc.com> writes:

> Thanks for the response.  The slapd args are:
[...]
>
> With no failover in place SSL/TLS work just fine ... I can confirm that
> by connecting to the ldap server over SSL with LDAP Browser/Editor and
> by connecting with TLS using GQ.
>
> It's only after switching to the failover server, and trying to switch
> back to the primary ldap server that I run into a problem.

I don't know anything about caching behaviour of pam_ldap, but it
seems that the pam module caches the server certificate. But you
should ask on the pam_ldap mailinglist.

> Maybe I need to use an explicit TLS_CACERT or TLS_CACERTDIR (I'm using
> more than 1 CA since each ldap server uses a self-signed certificate)
> entry?

That might help

> How would I set logging in /etc/openldap/slapd.conf so that I could see
> if it was a certificate problem?

loglevel 2

-Dieter

-- 
Dieter Kluenter  | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
mailto: dkluenter(at)dkluenter.de
http://www.avci.de

References:
- TLS/SSL failover problem
  - From: Doug Wilson <dwilson@virtc.com>
- Re: TLS/SSL failover problem
  - From: Dieter Kluenter <dieter@dkluenter.de>
- Re: TLS/SSL failover problem
  - From: Doug Wilson <dwilson@virtc.com>

Prev by Date: Re: migrating passwd from NIS to LDAP
Next by Date: RE: ACL questions. Answered (long)
Index(es):
- Chronological
- Thread