While attempting to change a directory password I keep getting this message…

[root@xxx ~]# ldappasswd -x -ZZ -D "cn=directory manager" -w “mypass” uid=se253264,ou=people,dc=xxx,dc=cle=dc=us" -a "oldpass" -s "newpass"

ldap_start_tls: Connect error (-11)

        additional info: Start TLS request accepted.Server willing to negotiate SSL.

In researching this I found to add –d1 for additional debugging information and found this probably relevant

TLS: could not load client CA list (file:`',dir:`/etc/openldap/cacerts/cacert.asc').

TLS: error:0200A014:system library:opendir:Not a directory ssl_cert.c:816

TLS: error:140D7002:SSL routines:SSL_add_dir_cert_subjects_to_stack:system lib ssl_cert.c:818

ldap_perror

I do have the following in my /etc/ldap.conf file

ssl yes

tls_cacertdir /etc/openldap/cacerts

TLS_REQCERT allow

pam_password exop

And the cacert.asc does exist in that directory.  This is the cacert.asc that was created during setup of this machine using the setupssl.sh script and I copied it to the requested directory.  I am not seeing anything additional on the HowtoSSL page and realize that TLS is necessary for the password change function.

Thanks for any help you may have.  I am also under the impression I am supposed to copy the cacert.asc to each client machine so they can authenticate against the cert. is this true also?

David Hoskinson | DATATRAK International
Systems Engineer
Mayfield Heights, Ohio, USA 
+1.440.443.0082 x 124 (p) | +1.216.280.5457 (m)
david.hoskinson@datatrak.net | www.datatrak.net