[Date Prev][Date Next]
Re: Problem with ldapsearch and TLS
Vsevolod (Simon) Ilyushchenko wrote:
I am trying to get ldapseach to work over TLS. I tried to use
in /etc/ldap.conf to circumvent the problem of self-signed certificate,
but then I get this (ldapsearch -d 9 -Z):
ber_scanf fmt ([v]) ber:
ldap_interactive_sasl_bind_s: server supports: GSSAPI PLAIN LOGIN
ldap_int_sasl_bind: GSSAPI PLAIN LOGIN DIGEST-MD5 CRAM-MD5
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (82)
additional info: SASL(-1): generic failure: GSSAPI Error:
Miscellaneous failure (No credentials cache found)
It looks like it's trying to use Kerberos authentication, which is not
available. Is there a way to force ldapsearch to use TLS authentication?
P.S. I know that the right way to do it is to sign certificates
properly, but I'd like to figure out what happens with TLS_REQCERT never.
Use the -x option with ldapsearch - no SASL
Use the -ZZ option to force TLS.
This should all work with self-signed certs.
Note the gotcha: ldapsearch (and other openldap *clients*) make use of
/etc/openldap/ldap.conf by default. /etc/ldap.conf is used by the PADL
Principal Systems Programmer, IT Services
University of Sussex, Brighton BN1 9QJ. Tel: 01273 678354 Fax: 01273 271956