<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 01/31/2014 04:13 PM, Todd Maugh
      wrote:<br>
    </div>
    <blockquote
cite="mid:6FB698E172A95F49BE009B36D56F53E226AACD@EXCHMB1-ELS.BWINC.local"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=ISO-8859-1">
      <style id="owaParaStyle" type="text/css">P {margin-top:0;margin-bottom:0;}</style>
      <div style="direction: ltr;font-family: Tahoma;color:
        #000000;font-size: 10pt;"><br>
        <div style="font-family: Times New Roman; color: #000000;
          font-size: 16px">
          <div>asked:   Can you provide your /etc/openldap/ldap.conf?<br>
            <br>
            <br>
            answer:<br>
            <br>
            /etc/openldap/ldap.con<br>
            #File modified by ipa-client-install<br>
            <br>
            URI <a class="moz-txt-link-freetext" href="ldaps://se-idm-01.boingo.com">ldaps://se-idm-01.boingo.com</a><br>
            BASE dc=boingo,dc=com<br>
            TLS_CACERT /etc/ipa/ca.crt<br>
            TLS_CACERTDIR /etc/openldap/cacerts/<br>
            TLS_REQCERT allow<br>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    This will allow errors where the hostname in the cert subject DN
    does not match the IP address or vice versa.<br>
    <br>
    What happens if you set it to TLS_REQCERT demand?<br>
    <br>
    Or, if you don't want to touch this file (because it will probably
    break other things), try this:<br>
    <br>
    LDAPTLS_REQCERT=demand
    LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -d 1
    -LLLx -ZZ -H <a class="moz-txt-link-freetext" href="ldap://qatestdc2.boingoqa.local">ldap://qatestdc2.boingoqa.local</a> -b "cn=idm
    admin,cn=users,dc=boingoqa,dc=local" -D  "cn=idm
    admin,cn=users,dc=boingoqa,dc=local" -W 'objectclass=*' dn<br>
    <br>
    If that works, then please provide the output of<br>
    <br>
    rpm -q 389-ds-base openldap nss<br>
    <br>
    <blockquote
cite="mid:6FB698E172A95F49BE009B36D56F53E226AACD@EXCHMB1-ELS.BWINC.local"
      type="cite">
      <div style="direction: ltr;font-family: Tahoma;color:
        #000000;font-size: 10pt;">
        <div style="font-family: Times New Roman; color: #000000;
          font-size: 16px">
          <div>
            ping <br>
            <br>
            <blockquote type="cite">
              <div style="direction:ltr; font-family:Tahoma;
                color:#000000; font-size:10pt">TLS: certificate
                [CN=QATESTDC2.boingoqa.local] is not valid - error
                -8179:Peer's Certificate issuer is not recognized..<br>
              </div>
            </blockquote>
            <br>
            This is saying QATESTDC2.boingoqa.local cannot be resolved -
            or the IP address does not match.<br>
            <br>
            This is usually a problem, but perhaps you have set your
            ldap.conf to continue despite this problem?<br>
            PING qatestdc2.boingoqa.local (10.194.55.48) 56(84) bytes of
            data.<br>
            64 bytes from qatestdc2.boingoqa.local (10.194.55.48):
            icmp_seq=1 ttl=124 time=0.559 ms<br>
            64 bytes from qatestdc2.boingoqa.local (10.194.55.48):
            icmp_seq=2 ttl=124 time=0.660 ms<br>
            ^C<br>
            --- qatestdc2.boingoqa.local ping statistics ---<br>
            2 packets transmitted, 2 received, 0% packet loss, time
            1070ms<br>
            rtt min/avg/max/mdev = 0.559/0.609/0.660/0.056 ms<br>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    Ok.  Does 10.194.55.48 resolve to qatestdc2.boingoqa.local?<br>
    <br>
    <blockquote
cite="mid:6FB698E172A95F49BE009B36D56F53E226AACD@EXCHMB1-ELS.BWINC.local"
      type="cite">
      <div style="direction: ltr;font-family: Tahoma;color:
        #000000;font-size: 10pt;">
        <div style="font-family: Times New Roman; color: #000000;
          font-size: 16px">
          <div>
            <br>
            <br>
            <br>
            <br>
            <blockquote type="cite">
              <div style="direction:ltr; font-family:Tahoma;
                color:#000000; font-size:10pt">TLS certificate
                verification: subject: CN=QATESTDC2.boingoqa.local,
                issuer: CN=SKYWARPCA,DC=boingoqa,DC=local, cipher:
                AES-128, security level: high, secret key bits: 128,
                total key bits: 128, cache hits: 0, cache misses: 0,
                cache not reusable: 0<br>
                Enter LDAP Password: <br>
                ldap_sasl_bind<br>
                ldap_send_initial_request<br>
              </div>
            </blockquote>
            <br>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
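As an added illustration of the point made in the reply above (not code from the thread or from FreeIPA/OpenLDAP), the following script parses the ldap.conf keyword/value format and reports whether the configured TLS_REQCERT value fails closed, as demand does, or lets the bind proceed past an unrecognized issuer, as allow does. The sample configuration is constructed to mirror the one quoted in the thread; the value semantics follow ldap.conf(5).

```python
# Audit an OpenLDAP client ldap.conf for a TLS_REQCERT setting that fails open.
# Added example; the sample config below is constructed from the thread.

# TLS_REQCERT semantics per ldap.conf(5): demand/hard abort on a missing or
# bad server certificate; try aborts only on a bad one; never/allow proceed.
FAIL_CLOSED = {"demand", "hard"}
BAD_CERT_ONLY = {"try"}
FAIL_OPEN = {"never", "allow"}

SAMPLE_LDAP_CONF = """\
#File modified by ipa-client-install

URI ldaps://se-idm-01.boingo.com
BASE dc=boingo,dc=com
TLS_CACERT /etc/ipa/ca.crt
TLS_CACERTDIR /etc/openldap/cacerts/
TLS_REQCERT allow
"""

def parse_ldap_conf(text):
    """Return {KEYWORD: value}; keywords are case-insensitive, '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return settings

def audit_tls(settings):
    """Return (ok, message); ok is True only when verification fails closed."""
    reqcert = settings.get("TLS_REQCERT", "demand").lower()  # default is demand
    has_anchor = "TLS_CACERT" in settings or "TLS_CACERTDIR" in settings
    if reqcert in FAIL_CLOSED:
        if not has_anchor:
            return False, "TLS_REQCERT=%s but no TLS_CACERT/TLS_CACERTDIR: no cert can verify" % reqcert
        return True, "TLS_REQCERT=%s: an unverifiable server certificate aborts the bind" % reqcert
    if reqcert in BAD_CERT_ONLY:
        return False, "TLS_REQCERT=try: a bad certificate aborts, but a missing one is accepted"
    if reqcert in FAIL_OPEN:
        return False, ("TLS_REQCERT=%s: bind proceeds even when the issuer is not "
                       "recognized or the name does not match" % reqcert)
    return False, "TLS_REQCERT=%r is not a value documented in ldap.conf(5)" % reqcert

if __name__ == "__main__":
    ok, msg = audit_tls(parse_ldap_conf(SAMPLE_LDAP_CONF))
    print(("OK: " if ok else "WARN: ") + msg)
```

Running it against the sample prints a WARN line for TLS_REQCERT allow; pointing parse_ldap_conf at the real /etc/openldap/ldap.conf gives the same check for a live client.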
  </body>
</html>