LDAP auth
Bevan C. Bennett
bevan at fulcrummicro.com
Mon Jan 5 18:02:25 UTC 2004
>
> and TLS stuff:
>
> ------snip-------
> TLSCertificateFile /usr/share/ssl/certs/slapd.pem
> TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
> ------snip-------
>
> anything blatantly wrong here?
Your ACLs look fine. Is that certificate your old cert, or the one
that's created for you on the new system? If the latter, you should
create a new certificate that contains the FQDN of the server (as
referenced by the LDAP clients) instead of 'localhost.localdomain'. This
is noted as a warning somewhere... but I can't find it at the moment.
In any case, you should start by temporarily turning off SSL on the
client side (put "ssl no" in the client /etc/ldap.conf file). That's not
a 'safe' configuration, but it'll let you test the basic ldap
functionality without worrying if SSL/TLS is the problem.
Are you also using ldap in nsswitch? If so you'll want to restart the
client's nscd (if running) after you switch ldap.conf.
Note that ldapsearch uses /etc/openldap/ldap.conf, while PAM and NSS use
/etc/ldap.conf, which are similar in format, but generally -not- identical.
As another easy thing to check, is the new server's firewall configured
to let ports 389 (and possibly 636) in? Again, temporarily turning off
iptables entirely can quickly determine if that's the problem.
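As an added illustration (not part of this thread), the following Python snippet applies two of the checks above to the two client files the reply distinguishes: it parses the pam_ldap/nss_ldap style /etc/ldap.conf and the OpenLDAP /etc/openldap/ldap.conf, reports when the server name in either is not the expected FQDN (for example a leftover 'localhost.localdomain'), and flags the temporary "ssl no" debugging setting so it is not forgotten. The file contents and the hostname ldap.example.com are constructed sample values.

```python
import re
from typing import Dict, List

# Constructed sample of the pam_ldap/nss_ldap client file (/etc/ldap.conf).
# "ssl no" is the temporary debugging setting from the reply, not a production value.
PAM_LDAP_CONF = """\
host ldap.example.com
base dc=example,dc=com
ssl no
"""

# Constructed sample of the OpenLDAP tools file (/etc/openldap/ldap.conf), read by ldapsearch.
OPENLDAP_CONF = """\
URI ldaps://localhost.localdomain
BASE dc=example,dc=com
TLS_CACERT /usr/share/ssl/certs/slapd.pem
"""


def parse_conf(text: str) -> Dict[str, str]:
    """Parse 'key value' lines shared by both formats; keys are case-insensitive."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def server_host(conf: Dict[str, str]) -> str:
    """pam_ldap uses 'host' or 'uri'; OpenLDAP tools use 'URI'. Return the bare hostname."""
    target = conf.get("uri") or conf.get("host", "")
    target = target.split()[0] if target else ""
    match = re.match(r"(?:ldaps?://)?([^/:]+)", target)
    return match.group(1) if match else ""


def check_client_configs(pam_text: str, openldap_text: str, expected_fqdn: str) -> List[str]:
    """Return findings for hostname mismatches and for the ssl-disabled debugging state."""
    findings: List[str] = []
    pam, openldap = parse_conf(pam_text), parse_conf(openldap_text)
    for name, conf in (("/etc/ldap.conf", pam), ("/etc/openldap/ldap.conf", openldap)):
        host = server_host(conf)
        if host != expected_fqdn:
            findings.append(f"{name}: server '{host}' is not the expected FQDN '{expected_fqdn}'")
    if pam.get("ssl", "no").lower() == "no":
        findings.append("/etc/ldap.conf: ssl is off (debugging only; re-enable once plain binds work)")
    return findings
```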
More information about the fedora-list mailing list