I knew I should have mentioned that. The /etc/openldap/ldap.conf has the same entry:
TLS_CACERTDIR /etc/openldap/cacerts/cacert.asc
TLS_REQCERT allow
However, I did notice that I was using CACERTDIR instead of CACERT to point at the file…
Now I have
TLS_CACERT /etc/openldap/cacerts/cacert.asc
I then got a message which seemed to be progress but was still failing: that the hostname did
not match the cert name, and it was giving the IP as the hostname. I changed the host line in
/etc/ldap.conf and /etc/openldap/ldap.conf to read the FQDN instead of IP addresses, and now
there are no more problems.
Thanks for making me look at it again so I noticed my error.
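Both mistakes in this thread (TLS_CACERTDIR pointing at a single file, and a host line carrying an IP address that can never match the name in the server certificate) are visible in the client config alone. The following lint script is an added example, not something from the thread or from the 389 project; it reads an ldap.conf-style file, assumes only POSIX sh, grep and tr, and returns the number of problems found as its exit status.

```shell
#!/bin/sh
# Lint an OpenLDAP client config (/etc/ldap.conf or /etc/openldap/ldap.conf) for:
#   - TLS_CACERTDIR that is not a directory (a single CA file belongs in TLS_CACERT)
#   - TLS_CACERT that is not a file
#   - host/uri entries given as an IP literal, which will not match the cert's name
#   - TLS_REQCERT allow/never, which turns off certificate verification
# Usage: lint_ldap_conf /etc/openldap/ldap.conf   (exit status = number of problems)

# True when $1 is a dotted-quad IPv4 literal (IPv6 literals are not handled here).
is_ip_literal() {
    echo "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
}

# Print a finding and bump the problem counter.
flag() { echo "PROBLEM: $1"; problems=$((problems + 1)); }

lint_ldap_conf() {
    problems=0
    while read -r key value; do
        case "$key" in ''|\#*) continue ;; esac        # skip blank lines and comments
        # Keywords in ldap.conf are case-insensitive, so compare them upper-cased.
        case "$(echo "$key" | tr '[:lower:]' '[:upper:]')" in
            TLS_CACERTDIR)
                [ -d "$value" ] || flag "TLS_CACERTDIR '$value' is not a directory (use TLS_CACERT for one file)" ;;
            TLS_CACERT)
                [ -f "$value" ] || flag "TLS_CACERT '$value' is not a file" ;;
            TLS_REQCERT)
                case "$value" in
                    allow|never) flag "TLS_REQCERT $value does not verify the server cert; use demand" ;;
                esac ;;
            HOST)
                for h in $value; do
                    if is_ip_literal "$h"; then flag "host '$h' is an IP literal; use the FQDN in the cert"; fi
                done ;;
            URI)
                for u in $value; do
                    h=${u#*://}; h=${h%%/*}; h=${h%%:*}   # strip scheme, path and port
                    if is_ip_literal "$h"; then flag "uri '$u' uses an IP literal; use the FQDN in the cert"; fi
                done ;;
        esac
    done < "$1"
    return "$problems"
}

if [ "$#" -eq 1 ]; then lint_ldap_conf "$1"; fi
```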
From: 389-users-bounces(a)lists.fedoraproject.org
[mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Angel Bosch Mora
Sent: Tuesday, October 04, 2011 10:12 AM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Start TLS request accepted. Server willing to negotiate SSL
/etc/ldap.conf is not the same as /etc/openldap/ldap.conf.
It seems that you're missing the second one.
________________________________
While attempting to change a directory password I keep getting this message…
[root@xxx ~]# ldappasswd -x -ZZ -D "cn=directory manager" -w "mypass" \
    "uid=se253264,ou=people,dc=xxx,dc=cle=dc=us" -a "oldpass" -s "newpass"
ldap_start_tls: Connect error (-11)
additional info: Start TLS request accepted. Server willing to negotiate SSL.
In researching this I found that adding -d1 gives additional debugging information, and found this,
which is probably relevant:
TLS: could not load client CA list
(file:`',dir:`/etc/openldap/cacerts/cacert.asc').
TLS: error:0200A014:system library:opendir:Not a directory ssl_cert.c:816
TLS: error:140D7002:SSL routines:SSL_add_dir_cert_subjects_to_stack:system lib ssl_cert.c:818
ldap_perror
I do have the following in my /etc/ldap.conf file
ssl yes
tls_cacertdir /etc/openldap/cacerts
TLS_REQCERT allow
pam_password exop
And the cacert.asc does exist in that directory. This is the cacert.asc that was created
during setup of this machine using the setupssl.sh script, and I copied it to the requested
directory. I am not seeing anything additional on the HowtoSSL page, and I realize that TLS
is necessary for the password change function.
Thanks for any help you may have. I am also under the impression I am supposed to copy
the cacert.asc to each client machine so they can authenticate against the cert. Is this
true also?
David Hoskinson | DATATRAK International
Systems Engineer
Mayfield Heights, Ohio, USA
+1.440.443.0082 x 124 (p) | +1.216.280.5457 (m)
david.hoskinson@datatrak.net | www.datatrak.net