[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OL2.3.11 ldapsearch can bind as root but not as user

> TLS_CERT    /etc/pki/tls/certs/slapd.pem
> TLS_CACERT  /etc/pki/tls/certs/slapd.pem
> However, trying the secure access as a normal user
> TLS: could not load verify locations (file:`/etc/pki/tls/certs/slapd.pem',dir:`').
> TLS: error:0200100D:system library:fopen:Permission denied bss_file.c:104
> -rw-rw----  1 root ldap 2316 Oct 28 16:01 /etc/pki/tls/certs/slapd.pem

Files related to a TLS client, such as the CA certificate and the
client's certificate, must be readable by the TLS client. I imagine that
your "normal user" does not have permission to the
"/etc/pki/tls/certs/slapd.pem" you have configured as the CA certificate
and client certificate. Use tools such as cat(1) to verify proper
permissioning and chmod as appropriate.

You might want to read up on TLS basics before proceeding. Typically, I
would not configure a client certificate (which should be used only by one
particular identity) and a CA certificate (which is likely to be used much
more widely) to read the same file. You also want to consider appropriate
protections for your slapd(8) server certificate (e.g. referenced by
TLSCertificateKeyFile) for your environment.