
Re: Trying to get TLS Working



On Sep 27, 2004, at 4:59 PM, David Wheeler wrote:

Also, you didn't mention whether you've configured your ldap.conf properly. I will assume since you didn't mention it that you haven't configured it, and this obviously must be done first.

Quite so. I hadn't even noticed it. I only saw instructions for editing an ldap.conf used by pam and nis, neither of which I'm using at this point. I'll take a look at its man page and see what it says.

This did the trick. I added a pointer to my CA cert to ldap.conf, and then it said:


additional info: TLS: hostname does not match CN in peer certificate

Well, I'm used to that from creating self-signed certs for Apache. So I created a new server cert with the CN set to the hostname of my LDAP server, and now ldapsearch -ZZ works beautifully!

I did notice that it tends to have this complaint:

ldap_start_tls: Operations error (1)
        additional info: TLS already started

That happens when I specify "ldaps://ldap.ecample.com/" for the URL in ldap.conf. It seems rather odd, but it goes away when I change it to "ldap://".

Oh, and mod_auth_ldap seems to be working over SSL now, though there I *do* specify ldaps://.

Anyway, thanks for the hint about ldap.conf. That was exactly what I needed!

Regards,

David
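The two failures worked through in this message (a CA the client cannot verify, then a server certificate whose name does not match the host) and the ldaps:// versus -ZZ confusion can all be reproduced offline with openssl alone. The script below is an added example, not code from this thread or from the OpenLDAP project: it builds a private CA, issues one server certificate with the wrong name and one with the right name, runs the chain check that TLS_CACERT enables and the hostname check that produced "hostname does not match CN", and writes an ldap.conf that uses a plain ldap:// URI so that ldapsearch -ZZ can negotiate StartTLS instead of failing with "TLS already started". The hostname ldap.example.com, the base DN, and the scratch directory are assumptions. Note that a current libldap checks the subjectAltName dNSName first and only falls back to the CN, so the good certificate carries the hostname in both.

```shell
#!/bin/sh
# Added example, not from the original thread. Reproduces the OpenLDAP client
# TLS checks with openssl only, so it runs without an LDAP server.
# Assumptions: hostname ldap.example.com, base dc=example,dc=com, scratch dir.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
LDAP_HOST=ldap.example.com

# Private CA: this is the file TLS_CACERT must point to on the client.
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Private CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# $1 = basename, $2 = CN for the server cert, $3 = DNS SAN ("" for none).
# A cert with the wrong CN and no SAN is the "hostname does not match" case.
make_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  if [ -n "$3" ]; then
    printf 'subjectAltName=DNS:%s\n' "$3" > "$WORK/$1.ext"
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 365 -extfile "$WORK/$1.ext" \
      -out "$WORK/$1.pem" >/dev/null 2>&1
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 365 -out "$WORK/$1.pem" >/dev/null 2>&1
  fi
}

# Chain check: what TLS_CACERT enables. Exit 0 if $1.pem chains to our CA.
chain_ok() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# Hostname check: what produced "TLS: hostname does not match CN in peer
# certificate". Exit 0 only if $1.pem's SAN or CN matches hostname $2.
host_ok() {
  openssl x509 -noout -in "$WORK/$1.pem" -checkhost "$2" 2>&1 \
    | grep -q 'does match certificate'
}

# Client config. $1 is the URI scheme. With ldaps:// the session is TLS from
# the first byte, so a StartTLS request (-ZZ) is refused with "TLS already
# started"; use ldap:// with -ZZ, or ldaps:// without -ZZ, never both.
write_ldap_conf() {
  cat > "$WORK/ldap.conf" <<EOF
URI         $1://$LDAP_HOST/
BASE        dc=example,dc=com
TLS_CACERT  $WORK/ca.pem
TLS_REQCERT demand
EOF
}

make_ca
make_server_cert bad  "ldap-old.example.com" ""
make_server_cert good "$LDAP_HOST" "$LDAP_HOST"
write_ldap_conf ldap

# Summary of what the client would see with each certificate.
for c in bad good; do
  chain_ok "$c" && chain=verified || chain=UNVERIFIED
  host_ok "$c" "$LDAP_HOST" && host=matches || host=MISMATCH
  echo "$c.pem: chain $chain, hostname $host"
done
echo "ldap.conf written with: $(grep '^URI' "$WORK/ldap.conf")"
```

With the generated files in place, the equivalent real-world commands are `LDAPCONF=$WORK/ldap.conf ldapsearch -ZZ -x` against a server that presents good.pem, and the same command against bad.pem reproduces the hostname error from the message above.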