[Pkg-openldap-devel] Bug#462588: Bug#462588: Fails to start slapd ldaps:/// on upgrade
Niccolo Rigacci
niccolo at rigacci.org
Mon Feb 4 09:03:27 UTC 2008
> > However this is strange because LDAP.CONF(5) states that
> > TLS_REQCERT "allow" means:
>
> > The server certificate is requested. If no certificate is
> > provided, the session proceeds normally. If a bad certificate
> > is provided, it will be ignored and the session proceeds normally.
>
> What client are you using? If you use ldapsearch -ZZ, for instance, this
> overrides the TLS_REQCERT value in /etc/ldap/ldap.conf.
On the client (which is not the slapd server) I use the following
command line:
ldapsearch -x -H ldaps://cheope.mydomain.org/ \
-x -D "cn=admin,dc=mydomain,dc=org" -W \
-b "dc=mydomain,dc=org"
Doing it with the alias server name and "TLS_REQCERT allow"
results in the error:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
On the server the log reports:
slapd[29352]: conn=25 fd=16 ACCEPT from IP=192.168.200.244:37323 (IP=0.0.0.0:636)
slapd[29352]: conn=25 fd=16 TLS established tls_ssf=32 ssf=32
slapd[29352]: conn=25 fd=16 closed (connection lost)
I need "TLS_REQCERT never" on the client to succeed.
ldapsearch is version 2.4.7-3, slapd is version 2.4.7-3, no
TLSVerifyClient option is set in slapd.conf.
--
Niccolo Rigacci
Firenze - Italy
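A way to check whether the alias name used in the ldaps:// URI is one the server certificate is actually valid for, as an added diagnostic that is not part of the bug report or of OpenLDAP. It assumes the client holds the CA certificate that signed the server certificate (what TLS_CACERT would point at); the host name is the one from the message.

```python
"""Check whether the name in an ldaps:// URI matches the server certificate.

Added diagnostic, not code from the bug report. Assumes a CA file that
validates the server certificate, so the name check can be done separately.
"""
import socket
import ssl
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


def cert_names(cert: dict) -> List[str]:
    """DNS names a peer certificate (as returned by getpeercert()) is valid
    for: SAN dNSName entries, falling back to subject CN if there are none."""
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: case-insensitive, trailing dot ignored, and a
    wildcard only as the whole leftmost label (*.mydomain.org matches
    cheope.mydomain.org but not a.b.mydomain.org)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")


def hostname_ok(cert: dict, host: str) -> bool:
    """True if any name in the certificate covers the host we connected to."""
    return any(name_matches(n, host) for n in cert_names(cert))


def probe(uri: str, cafile: str) -> Tuple[bool, List[str]]:
    """Connect to the ldaps:// URI, validate the chain against cafile, but do
    the host-name check ourselves so a mismatch is reported, not fatal."""
    parts = urlsplit(uri)
    host, port = parts.hostname, parts.port or 636
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False          # we report the mismatch below instead
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain still has to be trusted
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return hostname_ok(cert, host), cert_names(cert)


if __name__ == "__main__":  # assumed CA path; host name taken from the report
    ok, names = probe("ldaps://cheope.mydomain.org/", "/etc/ssl/certs/ca.pem")
    print("name matches" if ok else "name mismatch", names)
```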