
RE: LDAPS: ldapsearch working, back-ldap failing?
Okay. Egg on my face.

Thank you for the recommendation to build a newer release. Although it
didn't end up fixing the issue per se, it forced me to dig further, to
conclude that it wasn't related to the OpenLDAP version (I built a newer
one) or NSS (I built it against OpenLDAP as well). As it turns out, it ended
up being an SELinux issue where the process couldn't read the CA cert.

So, it turns out it was my fault, but thank you very much for the driver to
look further.

-----Original Message-----
From: openldap-technical-bounces@OpenLDAP.org
[mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Michael
Stroder
Sent: Wednesday, April 02, 2014 12:03 AM
To: Mitchell Im; openldap-technical@openldap.org
Subject: Re: LDAPS: ldapsearch working, back-ldap failing?

Mitchell Im wrote:
> The OpenLDAP proxy works if it
> connects to the backend LDAP server via ldap://. The OpenLDAP proxy does
> *not* work if it connects to the backend LDAP server via ldaps://, though.
> What am I missing?
> 
> This is on CentOS 6.5, packages openldap-servers-2.4.23-34.el6_5.1.x86_64,
> nss-3.15.3-6.el6_5.x86_64 (Red Hat's decision).

I vaguely remember a bug in this old version regarding TLS CA cert
configuration.

Try to set the LDAPTLS_CACERT env var when starting slapd or better use a
newer release which has a fix for this.

Ciao, Michael.
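An added diagnostic for the SELinux cause named in the reply above (not code from the thread or from the OpenLDAP project): it shows the CA file's current and expected SELinux label and searches the audit log for slapd denials on that file. The CA path passed as the first argument, the use of ausearch/matchpathcon on the host, and the embedded sample AVC line are assumptions/constructed.

```shell
#!/bin/sh
# Added diagnostic, not code from the thread: check whether SELinux is what
# stops slapd (e.g. back-ldap talking ldaps://) from reading its CA cert.
# Assumed: the CA file path is passed as $1; on a real host ausearch,
# ls -Z and matchpathcon come from the audit and libselinux-utils packages.

# Constructed sample AVC line (not a real log) so the helpers can be
# exercised offline; the real check reads the audit log via ausearch.
SAMPLE_AVC='type=AVC msg=audit(1396400000.123:456): avc:  denied  { read } for  pid=1234 comm="slapd" name="ca.pem" dev=dm-0 ino=12345 scontext=system_u:system_r:slapd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# Print only AVC denials where process $1 was refused access to file name $2.
# Reads raw audit lines on stdin.
avc_denials_for() {
    grep 'avc:  denied' | grep -F "comm=\"$1\"" | grep -F "name=\"$2\""
}

# Extract the SELinux type of the target file (third field of tcontext=).
tcontext_type() {
    sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p'
}

# Real-host check: label on the CA file, label SELinux expects there,
# and any slapd denials naming it.
check_cacert() {
    ca="$1"
    echo "Current label:"; ls -Z "$ca"
    if command -v matchpathcon >/dev/null 2>&1; then
        echo "Expected label:"; matchpathcon "$ca"
    fi
    if command -v ausearch >/dev/null 2>&1; then
        denials=$(ausearch -m AVC -c slapd 2>/dev/null \
                  | avc_denials_for slapd "$(basename "$ca")") || true
        if [ -n "$denials" ]; then
            echo "slapd denied on $ca; file type: $(printf '%s\n' "$denials" | tcontext_type | sort -u)"
            echo "Fix the label (restorecon -v \"$ca\" if the path is standard," \
                 "or semanage fcontext + restorecon), then retry the proxy."
        else
            echo "No SELinux denial for slapd on $ca; look elsewhere."
        fi
    fi
}

# Only run the host check when a CA path is given; the helpers above can be
# sourced and tested on their own.
if [ "$#" -gt 0 ]; then
    check_cacert "$1"
fi
```

Run as `sh check_cacert.sh /path/to/ca.pem` on the proxy host; a denial whose file type is not one slapd_t may read (such as user_home_t in the sample) points at the label, not at OpenLDAP or NSS.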