
Re: ldaps and Active Directory

(or "allow" or "never") in your ldap.conf. The default is "demand" (or "hard"), so you are trying to verify the server certificate. See ldap.conf(5).

Grant Sturgis wrote:

Greetings List,

I am attempting to get ldap authentication to Active Directory working from our RHEL 4 systems. I have read the several articles and howto documents out there and am very close to getting everything working.

pam_ldap and nss_ldap are working well with unencrypted ldap, as are ldapsearch queries. The next step is getting ldaps to work, and I am hoping for some suggestions from the list to get me over the hump.

RHEL ES 4 fully patched (up2date)

This works fine:

ldapsearch -x -H ldap://server.domain.com/ -D cn=ldap,ou=Users-OU,dc=domain,dc=com -W ""

but changing ldap to ldaps results in this error:

ldap_bind: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I have installed Certificate Services on the W2K domain controller and exported the CA Cert and copied the file to the Linux box: /etc/openldap/cacerts. In /etc/openldap/ldap.conf I have tried:

TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT /etc/openldap/cacerts/cacert.pem

Any suggestions would be greatly appreciated.


Ing. Marco D'Ettorre

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
Office:   +39.0382.573859 (102)
Mobile:   +39.348.1510674
Email:    marco.dettorre@sys-net.it
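The reply's point is that "certificate verify failed" means the client is doing what TLS_REQCERT demand asks of it: it cannot chain the domain controller's certificate to the CA file it was given. Two things commonly break that chain in exactly the setup described above: Windows Certificate Services exports the CA certificate as DER (.cer) while OpenLDAP needs PEM for TLS_CACERT, and TLS_CACERTDIR only works when the directory contains hash-named links (what c_rehash creates). The script below is an added example, not code from the thread or from the OpenLDAP project; it assumes only the openssl command line tool, builds a throwaway "enterprise CA" and a server certificate for server.domain.com (the hostname from the post) as constructed test data, emulates the DER export, converts it to PEM, installs it into a rehashed TLS_CACERTDIR, and shows with openssl verify both the working chain and the failure you get when the CA file does not match the issuer.

```shell
#!/bin/sh
# Added example (not from the original thread). Everything here is generated
# locally as constructed test data; no domain controller is contacted.
set -e

WORK=$(mktemp -d)

# Stand-in for the Windows enterprise CA that issued the DC's certificate.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Test Enterprise CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    # Certificate Services exports DER (.cer) by default; emulate that export.
    openssl x509 -in "$WORK/ca.pem" -outform DER -out "$WORK/ca.cer"
}

# A second, unrelated CA: the "wrong CA file" case.
make_other_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Some Other CA" \
        -keyout "$WORK/other.key" -out "$WORK/other-ca.pem" >/dev/null 2>&1
}

# Server certificate for the hostname from the post, issued by the test CA.
make_server_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=server.domain.com" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
        -out "$WORK/server.pem" >/dev/null 2>&1
}

# Report whether a certificate file is PEM or DER (OpenLDAP's TLS_CACERT
# expects PEM; a DER .cer copied straight from Windows is silently unusable).
cert_format() {
    if grep -q 'BEGIN CERTIFICATE' "$1"; then echo PEM; else echo DER; fi
}

# Convert a DER export to the PEM form OpenLDAP wants.  $1 = in, $2 = out
der_to_pem() {
    openssl x509 -inform DER -in "$1" -outform PEM -out "$2"
}

# Populate a TLS_CACERTDIR: OpenSSL-based OpenLDAP looks up CAs there by
# subject-hash filename (<hash>.0), which is what c_rehash would create.
install_cacertdir() {   # $1 = CA pem, $2 = directory
    mkdir -p "$2"
    cp "$1" "$2/cacert.pem"
    h=$(openssl x509 -hash -noout -in "$1")
    ln -sf cacert.pem "$2/$h.0"
    echo "$2/$h.0"
}

# Does the server certificate chain to this CA file?  Exit status 0 = yes.
verify_against() {     # $1 = CA pem, $2 = server cert
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_test_ca
make_other_ca
make_server_cert

echo "exported CA file format: $(cert_format "$WORK/ca.cer")"
der_to_pem "$WORK/ca.cer" "$WORK/cacert.pem"
echo "converted CA file format: $(cert_format "$WORK/cacert.pem")"
echo "hash link for TLS_CACERTDIR: $(install_cacertdir "$WORK/cacert.pem" "$WORK/cacerts")"

if verify_against "$WORK/cacert.pem" "$WORK/server.pem"; then
    echo "server cert chains to the exported CA: TLS_CACERT $WORK/cacert.pem would work"
fi
if ! verify_against "$WORK/other-ca.pem" "$WORK/server.pem"; then
    echo "wrong CA file: this is the 'certificate verify failed' case"
fi
```

On the real system, run cert_format against the file copied from the domain controller first; if it reports DER, convert it and point TLS_CACERT at the PEM result (or TLS_CACERTDIR at a directory prepared as install_cacertdir does). Keep TLS_REQCERT at its default of demand so the verification stays in place; "allow" or "never" makes the bind succeed but drops the check that protects the credentials sent in the bind.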