[Date Prev][Date Next]
Re: ldaps and Active Directory
Marco D'Ettorre wrote:
AddNO. That simply allows the certificate errors to be ignored. They've
gone to the trouble of exporting the CA cert, the correct thing to do
here is to tell them how to use the CA cert properly.
(or "allow" or "never") in your ldap.conf. The default is "demand" (or
"hard"), then you are trying to verify server certificate. See
Please re-read the Admin Guide
http://www.openldap.org/doc/admin23/tls.html sections 220.127.116.11,
18.104.22.168, 22.214.171.124, and 126.96.36.199. Note that you are not supposed to use
both the TLS_CACERTDIR and TLS_CACERT options, just use one or the other.
Run ldapsearch with "-d7" and see what the actual TLS error messages
are. Also run slapd with "-d7" and see the TLS messages on the server
side. Don't go changing options at random, find out what the real
Grant Sturgis wrote:
I am attempting to get ldap authentication to Active Directory
working from our RHEL 4 systems. I have read the several articles
and howto documents out there and am very close to getting everything
pam_ldap and nss_ldap is working well with unencrypted ldap, as is
ldapsearch queries. The next step is getting ldaps to work, and I am
hoping for some suggestions from the list to get me over the hump.
RHEL ES 4 fully patched (up2date)
This works fine:
ldapsearch -x -H ldap://server.domain.com/ -D
cn=ldap,ou=Users-OU,dc=domain,dc=com -W ""
but changing ldap to ldaps results in this error:
ldap_bind: Can't contact LDAP server (-1)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I have installed Certificate Services on the W2K domain controller
and exported the CA Cert and copied the file to the linux
box:/etc/openldap/cacerts. In /etc/openldap/ldap.conf I have tried:
Any suggestions would be greatly appreciated.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/