Re: Client says Can't contact LDAP server, but it can!

On Mon, Jul 28, 2008 at 12:02:44PM -0700, Howard Chu wrote:
> John Oliver wrote:
> >On my test client, ldap.conf has:
> >
> >host
> >base dc=mydomain,dc=com
> >url ldaps://unix-services2.mydomain.com:636
> >timelimit 120
> >bind_timelimit 120
> >idle_timelimit 3600
> >ssl yes
> >tls_cacertdir /etc/openldap/cacerts
> >tls_checkpeer no
> >pam_password md5
> The above is not valid for an OpenLDAP ldap.conf. (See the ldap.conf(5) 
> manpage for what's valid.) It appears to be a PADL nss_ldap config file, 
> but it's still invalid for that purpose. Make sure you're actually looking 
> at the correct config file...
> >If I change the "host" and "url" to the other LDAP server, it works
> >perfectly.

I'm looking at that page now.  But if that config "isn't valid", why
does it work perfectly if I change it to:

base dc=mydomain,dc=com
url ldaps://unix-services.mydomain.com:636
timelimit 120
bind_timelimit 120
idle_timelimit 3600
ssl yes
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer no
pam_password md5

That results in perfectly working authentication.  Yes, I understand
that that may mean that my working server is borken, and my borken
ldap.conf just happens to be borken in just the right way to work.

I do appreciate all of the help, and apologize if I seem dense.  I know
that the root cause is my lack of knowledge here.  I'm reading as fast
as I can, but an awful lot of this documentation assumes a lot of
things.  I've never worked with SSL before, and my eyes are rolling back
in my head :-)  On top of that, I have people breathing down the back of
my neck to make this work on a short deadline.  Very frustrating :-(
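As an added example (not from this thread, and not OpenLDAP or PADL code): a small checker that classifies each keyword of an ldap.conf-style file against OpenLDAP's ldap.conf(5) vocabulary and against nss_ldap's, so a file like the one quoted above can be told apart from a real OpenLDAP client config. The keyword sets are an assumed subset taken from the two manpages; `url` is in neither (nss_ldap spells it `uri`, OpenLDAP `URI`), and `tls_checkpeer no` is flagged because it turns off server certificate verification.

```python
# Keyword subsets assumed from ldap.conf(5) (case-insensitive) and nss_ldap(5).
OPENLDAP_KEYS = {
    "BASE", "BINDDN", "DEREF", "HOST", "PORT", "REFERRALS", "SIZELIMIT",
    "TIMELIMIT", "TIMEOUT", "URI", "TLS_CACERT", "TLS_CACERTDIR", "TLS_CERT",
    "TLS_KEY", "TLS_REQCERT", "TLS_CIPHER_SUITE",
}
NSS_LDAP_KEYS = {
    "host", "base", "uri", "ldap_version", "binddn", "bindpw", "rootbinddn",
    "scope", "timelimit", "bind_timelimit", "bind_policy", "idle_timelimit",
    "ssl", "tls_checkpeer", "tls_cacertfile", "tls_cacertdir", "pam_password",
}
# Settings that disable verification of the LDAP server's certificate.
CERT_CHECK_OFF = {("tls_checkpeer", "no"), ("tls_reqcert", "never")}


def check_ldap_conf(text):
    """Return (lineno, keyword, finding) for each line that needs attention.

    Findings: 'unknown' (in neither dialect), 'empty' (keyword without a
    value), 'cert-check-disabled', and 'nss_ldap-only' (valid for
    nss_ldap/pam_ldap but not a ldap.conf(5) keyword).
    """
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        in_openldap = key.upper() in OPENLDAP_KEYS
        in_nss = key.lower() in NSS_LDAP_KEYS
        if not in_openldap and not in_nss:
            findings.append((n, key, "unknown"))
        elif not value:
            findings.append((n, key, "empty"))
        elif (key.lower(), value.lower()) in CERT_CHECK_OFF:
            findings.append((n, key, "cert-check-disabled"))
        elif in_nss and not in_openldap:
            findings.append((n, key, "nss_ldap-only"))
    return findings


# Constructed copy of the config quoted in the thread.
THREAD_CONF = "\n".join([
    "host", "base dc=mydomain,dc=com",
    "url ldaps://unix-services2.mydomain.com:636", "timelimit 120",
    "bind_timelimit 120", "idle_timelimit 3600", "ssl yes",
    "tls_cacertdir /etc/openldap/cacerts", "tls_checkpeer no", "pam_password md5",
])

if __name__ == "__main__":
    for lineno, key, finding in check_ldap_conf(THREAD_CONF):
        print(f"line {lineno}: {key}: {finding}")
```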

