Re: LDAP clients fail to connect with SSL enabled

[Dan White <dwhite@olp.net>]

On 21/11/10 17:24 -0500, bluethundr wrote:
> I am attempting to setup SSL/TLS support on my openLDAP 2.4 server on FreeBSD.
>
> LBSD2# pkg_info | grep openldap
> openldap-sasl-client-2.4.23 Open source LDAP client implementation
> with SASL2 support
> openldap-sasl-server-2.4.23 Open source LDAP server implementation


> LBSD2# cat slapd.conf | grep -i tls
> ## TLS options for slapd
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCertificateFile  /usr/local/etc/openldap/cacerts/bsd2.summitnjhome.com.crt
> TLSCertificateKeyFile /usr/local/etc/openldap/cacerts/slapd.pem
> TLSCACertificateFile  /usr/local/etc/openldap/cacerts/sf_issuing.crt


> Connection closed by 127.0.0.1
>
> [root@VIRTCENT08:/etc/openldap/cacerts]#getent passwd | grep ldapAccount
> [same interminable wait as above]
>
>
> This is what my /etc/ldap.conf file looks like on the client:
>
> [root@VIRTCENT08:/etc/openldap/cacerts]#cat /etc/ldap.conf
> base dc=summitnjhome,dc=com
> timelimit 120
> bind_timelimit 120
> idle_timelimit 3600
> uri ldap://ldap.summitnjhome.com/
> ssl start_tls
> tls_cacertdir /etc/openldap/cacerts
> pam_password crypt
<commented out lines removed>

Does an ldapsearch -d -1 -ZZ successfully connect?

If so, then that should rule out a problem with your slapd configuration
and ldap client library configuration (the options within your ldap.conf
used by the OpenLDAP client library). In that case, you might focus on your
ldap nss configuration.

--
Dan White