[Techtalk] problems setting up TLS with openldap

Wim De Smet kromagg at gmail.com
Tue Jan 15 20:03:07 UTC 2008


FWIW the problem was that the certificate file wasn't readable by the
user. Woops. :-)

On Nov 6, 2007 10:18 PM, Wim De Smet <kromagg at gmail.com> wrote:
> Hi,
>
> I've been playing around with openldap and some debian/ubuntu clients,
> trying to get it to do TLS authentication. On the server I seem to
> have everything set up correctly. I've created some self-signed
> certificates, set them in the config file, set permissions etc.
> However, on the client I'm running into some problems when logging.
>
> I've got it configured to use TLS as follows:
> ssl start_tls
> tls_checkpeer yes
> tls_cacertfile [...]
>
> This "works" as it allows me to login, however libnss-ldap seems to be
> having trouble with it. It doesn't really need to be using TLS as I'm
> only requiring this for authentication, but since the config file is
> shared (on ubuntu) I don't have much choice, though I could try
> splitting it by specifying it somewhere. In any case, once logged in
> home dir information etc is not available and simple commands like
> "whoami" fail. Output in /var/log/auth.log goes like:
> Nov  6 21:54:30 timmy -bash: nss_ldap: reconnecting to LDAP server...
> Nov  6 21:54:31 timmy -bash: nss_ldap: reconnecting to LDAP server
> (sleeping 1 seconds)...
> Nov  6 21:54:32 timmy -bash: nss_ldap: could not search LDAP server -
> Server is unavailable
> Nov  6 21:54:32 timmy id: nss_ldap: reconnecting to LDAP server...
> Nov  6 21:54:32 timmy id: nss_ldap: reconnecting to LDAP server
> (sleeping 1 seconds)...
> Nov  6 21:54:33 timmy id: nss_ldap: could not search LDAP server -
> Server is unavailable
>
> And so on and so on. Anyone have any experience with this? Any ideas?
>
> greets,
> Wim
>
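The root cause Wim reports, a CA certificate file that root can read but the logged-in user cannot, is easy to miss because nss_ldap runs inside every user's own processes (bash, id, whoami), so the file named by `tls_cacertfile` has to be readable by unprivileged users, not just by the daemon. The script below is an added example, not code from the thread: `cert_world_readable` checks the "other" read bit on a certificate path, and `nss_ldap_failing_procs` pulls the names of the processes that logged "could not search LDAP server" out of syslog-style lines, so an admin can see at a glance which user processes are hitting the TLS failure. The sample log lines are constructed from the ones quoted above, rejoined onto single lines; the function names are my own.

```bash
#!/bin/sh
# Added example (not from the original thread). Two checks for the symptom
# "nss_ldap: could not search LDAP server" after enabling start_tls.

# 1. Is the CA certificate readable by everyone? nss_ldap loads it from
#    inside each user's process, so a 0600 root-owned file breaks lookups
#    for every non-root login even though root's own tests succeed.
#    Returns 0 if world-readable, 1 if not, 2 if the file is missing.
cert_world_readable() {
    file="$1"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    # GNU stat prints the octal mode with -c '%a'; the fallback is BSD stat.
    mode=$(stat -c '%a' "$file" 2>/dev/null) || mode=$(stat -f '%OLp' "$file")
    other=$(printf '%s' "$mode" | tail -c 1)   # permission digit for "other"
    case "$other" in
        4|5|6|7) return 0 ;;                    # read bit set for other
        *)       return 1 ;;
    esac
}

# 2. From syslog-style lines on stdin, print the distinct process names
#    (5th field, trailing colon stripped) that reported the search failure.
#    Seeing -bash, id, whoami, ... here is the signature of an NSS-level
#    failure rather than a single broken tool.
nss_ldap_failing_procs() {
    awk '/nss_ldap: could not search LDAP server/ { sub(/:$/, "", $5); print $5 }' \
        | LC_ALL=C sort -u
}

# Constructed sample, based on the auth.log excerpt quoted in the thread.
sample_log() {
    cat <<'EOF'
Nov  6 21:54:30 timmy -bash: nss_ldap: reconnecting to LDAP server...
Nov  6 21:54:31 timmy -bash: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
Nov  6 21:54:32 timmy -bash: nss_ldap: could not search LDAP server - Server is unavailable
Nov  6 21:54:32 timmy id: nss_ldap: reconnecting to LDAP server...
Nov  6 21:54:32 timmy id: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
Nov  6 21:54:33 timmy id: nss_ldap: could not search LDAP server - Server is unavailable
EOF
}

# Demo: check a hypothetical CA path (placeholder) and summarise the sample log.
demo() {
    ca="${1:-/etc/ssl/certs/ldap-ca.crt}"   # placeholder path, not from the thread
    if cert_world_readable "$ca"; then
        echo "$ca: readable by all users"
    else
        echo "$ca: NOT world-readable (rc=$?); nss_ldap in user shells will fail TLS"
    fi
    echo "processes that failed LDAP lookups:"
    sample_log | nss_ldap_failing_procs
}
```

Run `demo /path/to/your/ca.crt` to test a real file. Where root access is available, the definitive check is to run `test -r` as the affected account itself (for example with `su -s /bin/sh someuser -c 'test -r /path/to/ca.crt'`), since ACLs or a restrictive parent directory can deny access even when the mode bits look fine.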

