
Re: Client says Can't contact LDAP server, but it can!
On Friday 25 July 2008 17:16:12 John Oliver wrote:
> On Fri, Jul 25, 2008 at 10:20:55AM +0200, Buchan Milne wrote:
> > On Friday 25 July 2008 01:13:37 John Oliver wrote:
> > > On Thu, Jul 24, 2008 at 04:04:10PM -0700, Quanah Gibson-Mount wrote:
> > > > Any client will need to know about the CA that signed your
> > > > self-signed cert.
> > >
> > > I created my certificate with:
> > >
> > > openssl req -new -x509 -nodes -out /etc/ssl/ldap.pem -keyout
> > > /etc/openldap/ssl/ldap.pem -days 3650
> > >
> > > In slapd.conf I have:
> > >
> > > TLSCertificateFile /etc/ssl/ldap.pem
> > > TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem
> > > TLSCACertificateFile /etc/ssl/ldap.pem
> > >
> > > What do I need to do differently?
> >
> > Configure the *client* ???
>
> The clients work perfectly with the working server.  Why would they have
> to have a different configuration to talk to the backup LDAP server?

They don't necessarily need a different configuration, but it being valid for 
one server doesn't guarantee it will be valid for another server, especially 
when it comes to ssl, certificate validation etc.

>  At the moment, I'm far more interested in getting the
> second LDAP server working than I am in having perfect security. 

Then it's easy, turn off SSL.

If you don't want to do that, turn off certificate validation. It's better than 
exposing keys.

Or, ensure that the "CA certificate" that the clients use contains the 
certificates of the issuer of both of the server certificates, and that the 
value of the subject CN on both certificates matches the name you use to 
connect to the servers.

Regards,
Buchan
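
A check for the two conditions in the last paragraph of the reply, as an added example that is not part of the thread: it assumes the openssl CLI is installed, constructs two self-signed server certificates the way the quoted `openssl req -new -x509 -nodes` command does (constructed test data, names ldap1/ldap2.example.com are made up), and then tests each one against a client-side CA file for both issuer trust and CN/SAN agreement with the hostname used to connect.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the openssl CLI is available.
# check_ldap_cert BUNDLE CERT HOSTNAME
#   Succeeds only if CERT verifies against the client's CA file BUNDLE *and*
#   its subject CN (or a DNS subjectAltName) equals HOSTNAME: the two
#   conditions a client must find true for *every* server it connects to.
check_ldap_cert() {
    bundle=$1; cert=$2; host=$3
    # 1. Issuer check. With self-signed server certs the "issuer" is the
    #    server cert itself, so the client's CA file must contain it.
    openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1 || return 1
    # 2. Name check: subject CN first ...
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$host" ] && return 0
    # ... then any DNS entry in subjectAltName (what modern clients prefer).
    openssl x509 -in "$cert" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tr ',' '\n' \
        | sed 's/^[[:space:]]*//' | grep -qx "DNS:$host"
}

# make_self_signed OUTFILE CN: same recipe as the quoted "openssl req" line,
# but with the key in a separate file and a fixed CN. Constructed test data.
make_self_signed() {
    openssl req -new -x509 -nodes -days 3650 -newkey rsa:2048 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1" 2>/dev/null
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
make_self_signed "$workdir/ldap1.pem" ldap1.example.com   # primary server
make_self_signed "$workdir/ldap2.pem" ldap2.example.com   # backup server
# The client-side CA file must hold BOTH issuers (here: both server certs).
cat "$workdir/ldap1.pem" "$workdir/ldap2.pem" > "$workdir/ca-bundle.pem"

report() {   # report LABEL BUNDLE CERT HOSTNAME
    if check_ldap_cert "$2" "$3" "$4"; then echo "$1: OK"; else echo "$1: FAIL"; fi
}
# A client that trusts only the primary's cert cannot verify the backup
# (the situation described in the thread):
report "backup cert vs primary-only CA file" "$workdir/ldap1.pem" "$workdir/ldap2.pem" ldap2.example.com
# With both certs in the CA file and a matching name it succeeds:
report "backup cert vs combined CA file" "$workdir/ca-bundle.pem" "$workdir/ldap2.pem" ldap2.example.com
# Trust alone is not enough if the name used to connect differs from the CN:
report "backup cert, wrong hostname" "$workdir/ca-bundle.pem" "$workdir/ldap2.pem" backup.example.com
```

Point the clients' TLS_CACERT (ldap.conf) at a file like ca-bundle.pem and connect using the name that appears in each server's CN, and the check mirrors what the client library will decide.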