
Re: Can't get SSL working properly with openSUSE LDAP client (works with ldapsearch + SSL though)

by ian2


On Tuesday 13 November 2007 02:40:17 Tony Earnshaw wrote:
> ian2 skrev, on 12-11-2007 07:49:
>
> To cut out as much as possible of the chaff:
>  > nss_map_attribute       uniqueMember member
>
> [...]
>
> Don't do that, it slows down OL e^n degrees. Think of something else.
>

OK, either that was a default setting in the conf file or, when I tried to use
YaST to set up the LDAP client, it added it. I then hacked the conf file
because YaST doesn't provide a way to specify any SSL settings.
I've commented that line out.

>
> > On the server's messages log, I get:
> > Nov  9 20:22:59 daemon kernel: Connection attempt to TCP 192.168.0.5:389
>
> Whatever you think you're doing, you're still trying to connect to your
> server on its ldap port (389) instead of its ldaps port (636). But you
> killed off the ldap port when you reconfigured your server, not?
>
> Your "quoted" /etc/ldap.conf came through all screwed up (heh ... "all
> down under")
:-)

> so it's not good to see what relevant parts you changed.

You mean the original or the bit where I tried to show the changes I made?
Sorry, I should have explained what I was doing there (it was supposed to
look like a diff file).

Basically, the original was:

 bind_policy     soft
 pam_lookup_policy       yes
 pam_password    md5
 nss_initgroups_ignoreusers      root,ldap
 nss_schema      rfc2307bis
 ssl     start_tls
 ldap_version    3
 pam_filter      objectclass=posixAccount
 nss_base_passwd dc=daemon,dc=com
 nss_base_shadow dc=daemon,dc=com
 nss_base_group  dc=daemon,dc=com
 tls_checkpeer   no
 base            dc=daemon,dc=com
 uri             ldap://daemon.foo.lan
 tls_cacert      /etc/openldap/cacert.pem
 tls_reqcert never
 scope sub
 rootbinddn cn=admin,dc=daemon,dc=com

After the changes for SSL, it looks like:

 bind_policy     soft
 pam_lookup_policy       yes
 pam_password    md5
 nss_initgroups_ignoreusers      root,ldap
 nss_schema      rfc2307bis
 #ssl     start_tls
 ldap_version    3
 pam_filter      objectclass=posixAccount
 nss_base_passwd dc=daemon,dc=com
 nss_base_shadow dc=daemon,dc=com
 nss_base_group  dc=daemon,dc=com
 tls_checkpeer   no
 base            dc=daemon,dc=com
 uri             ldaps://daemon.foo.lan
 tls_cacert      /etc/openldap/cacert.pem
 tls_reqcert never
 scope sub
 rootbinddn cn=admin,dc=daemon,dc=com

I.e., I commented out the start_tls line and changed the uri from ldap: to
ldaps:.

Will try Wade's suggestions and see how I go.

Thanks,
--
Ian
gpg key: http://home.swiftdsl.com.au/~imoore/no-spam.asc


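The two /etc/ldap.conf files quoted in Ian's message differ only in `ssl start_tls` versus `uri ldaps://`, which is exactly the difference between opening port 389 and upgrading with StartTLS and opening port 636 with TLS from the first byte (Tony's point about the server logging a connection on 389). What both versions share is `tls_checkpeer no` and `tls_reqcert never`, which means the client encrypts the session but never verifies who it is talking to. The following checker, an added example that is not code from the thread, parses the nss_ldap/pam_ldap `key value` format, derives the port and TLS mode a client would use, and flags disabled peer verification; the two embedded configs are constructed from the ones posted above, trimmed to the transport-related keys, and the `findings` wording is my own.

```python
"""Inspect the transport-security settings of an nss_ldap / pam_ldap style
/etc/ldap.conf.  Added example, not code from the thread or from nss_ldap.
"""
from urllib.parse import urlsplit

# Constructed sample input: the "before" and "after" files from the post,
# reduced to the keys that affect transport security.
BEFORE_CONF = """\
 ssl     start_tls
 ldap_version    3
 tls_checkpeer   no
 base            dc=daemon,dc=com
 uri             ldap://daemon.foo.lan
 tls_cacert      /etc/openldap/cacert.pem
 tls_reqcert never
"""
AFTER_CONF = """\
 #ssl     start_tls
 ldap_version    3
 tls_checkpeer   no
 base            dc=daemon,dc=com
 uri             ldaps://daemon.foo.lan
 tls_cacert      /etc/openldap/cacert.pem
 tls_reqcert never
"""

DEFAULT_PORT = {"ldap": 389, "ldaps": 636}


def parse_ldap_conf(text):
    """Parse 'key   value' lines.  A leading '#' comments the line out and
    keys are case-insensitive; later duplicates overwrite earlier ones."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def assess(conf):
    """Work out which port the client opens, whether the session is
    encrypted, and whether the server certificate is actually verified."""
    # Only the first URI is considered; nss_ldap allows a space-separated list.
    uri = urlsplit(conf.get("uri", "ldap://localhost").split()[0])
    scheme = uri.scheme.lower()
    port = uri.port or DEFAULT_PORT.get(scheme, 389)
    ssl_mode = conf.get("ssl", "no").lower()
    starttls = ssl_mode == "start_tls"
    # ldaps:// is TLS from the start; 'ssl on' / 'ssl start_tls' wrap an
    # ldap:// connection (on the port given, 389 by default).
    encrypted = scheme == "ldaps" or ssl_mode in ("on", "yes", "start_tls")
    # tls_checkpeer no, or tls_reqcert never/allow, accepts any certificate,
    # so the CA file named in tls_cacert is never actually enforced.
    verify_peer = (
        conf.get("tls_checkpeer", "yes").lower() not in ("no", "false", "off")
        and conf.get("tls_reqcert", "demand").lower() not in ("never", "allow")
    )
    findings = []
    if not encrypted:
        findings.append(f"plaintext LDAP on port {port}: binds and lookups are unencrypted")
    if scheme == "ldaps" and starttls:
        findings.append("ssl start_tls combined with an ldaps:// URI: "
                        "StartTLS is issued on a session that is already TLS")
    if encrypted and not verify_peer:
        findings.append("TLS is used but the server certificate is not verified "
                        "(tls_checkpeer no / tls_reqcert never): any server "
                        "presenting a certificate is accepted")
    return {"scheme": scheme, "port": port, "starttls": starttls,
            "encrypted": encrypted, "verify_peer": verify_peer,
            "findings": findings}


if __name__ == "__main__":
    for label, text in (("before", BEFORE_CONF), ("after", AFTER_CONF)):
        report = assess(parse_ldap_conf(text))
        print(f"{label}: {report['scheme']}://... port {report['port']}, "
              f"starttls={report['starttls']}, verify_peer={report['verify_peer']}")
        for f in report["findings"]:
            print("   -", f)
```

Run against the two configs, the "before" file reports port 389 with StartTLS and the "after" file reports port 636 without it, which matches the server-side log line Tony quoted; both report that the certificate in `tls_cacert` is never checked because `tls_checkpeer no` and `tls_reqcert never` override it. The same parser works on a live `/etc/ldap.conf` read from disk.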
