LDAP auth
Patrick Nelson
pnelson at neatech.com
Thu Jan 8 06:57:35 UTC 2004
On Mon, 2004-01-05 at 10:02, Bevan C. Bennett wrote:
> >
> > and TLS stuff:
> >
> > ------snip-------
> > TLSCertificateFile /usr/share/ssl/certs/slapd.pem
> > TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
> > ------snip-------
> >
> > anything blatantly wrong here?
>
> Your ACLs look fine. Is that certificate your old cert, or the one
> that's created for you on the new system? If the latter, you should
> create a new certificate that contains the FQDN of the server (as
> referenced by the LDAP clients) instead of 'localhost.localdomain'. This
> is noted as a warning somewhere... but I can't find it at the moment.
>
> In any case, you should start by temporarily turning off SSL on the
> client side (put "ssl no" in the client /etc/ldap.conf file). That's not
> a 'safe' configuration, but it'll let you test the basic ldap
> functionality without worrying if SSL/TLS is the problem.
>
> Are you also using ldap in nsswitch? If so you'll want to restart the
> client's nscd (if running) after you switch ldap.conf.
>
> Note that ldapsearch uses /etc/openldap/ldap.conf, while PAM and NSS use
> /etc/ldap.conf, which are similar in format, but generally -not- identical.
>
> As another easy thing to check, is the new server's firewall configured
> to let ports 389 (and possibly 636) in? Again, temporarily turning off
> iptables entirely can quickly determine if that's the problem.
>
Thanks for the troubleshooting checklist. I turned off nscd and
voilà...
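The checks Bevan lists above (the two client config files that are similar but not identical, "ssl no" as a test-only setting, and a server certificate that must name the FQDN the clients use) can be collected into one offline diagnostic. The script below is an added example, not code from this thread or from OpenLDAP; the two config files and the certificate dictionary are constructed samples, and the certificate is given in the shape Python's `ssl.SSLSocket.getpeercert()` returns rather than read from the PEM on disk.

```python
"""Offline checks for the LDAP client/server troubleshooting steps above:
compare /etc/openldap/ldap.conf with /etc/ldap.conf, flag 'ssl no', and
confirm the server certificate names the FQDN the clients connect to."""

# Constructed sample of /etc/openldap/ldap.conf (used by ldapsearch).
OPENLDAP_CONF = """\
# /etc/openldap/ldap.conf
BASE       dc=example,dc=com
URI        ldaps://ldap.example.com
TLS_CACERT /usr/share/ssl/certs/slapd.pem
"""

# Constructed sample of /etc/ldap.conf (used by PAM and NSS), with the
# temporary "ssl no" from the thread still in place.
PAM_CONF = """\
# /etc/ldap.conf
host ldap.example.com
base dc=example,dc=com
ssl  no
"""

# Constructed stand-in for the default install certificate: CN is
# localhost.localdomain and there is no subjectAltName, in the dict
# layout returned by ssl.SSLSocket.getpeercert().
DEFAULT_CERT = {
    "subject": ((("commonName", "localhost.localdomain"),),),
}


def parse_ldap_conf(text):
    """Parse 'KEY value' lines; both files treat keys case-insensitively."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def config_differences(a_text, b_text):
    """Keys whose values differ between the two files, or exist in only one.
    Returns {key: (value_in_a, value_in_b)} with None for a missing key."""
    a, b = parse_ldap_conf(a_text), parse_ldap_conf(b_text)
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


def ssl_disabled(pam_conf_text):
    """True when /etc/ldap.conf carries 'ssl no', the debug-only setting."""
    return parse_ldap_conf(pam_conf_text).get("ssl", "").lower() == "no"


def cert_names(peercert):
    """Host names a client will accept for this certificate: the DNS
    subjectAltName entries if present, otherwise the subject commonName."""
    sans = [v for (t, v) in peercert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans
    return [v for rdn in peercert.get("subject", ()) for (k, v) in rdn if k == "commonName"]


def cert_matches_fqdn(peercert, fqdn):
    """Exact, case-insensitive match of the FQDN the clients reference."""
    return any(name.lower() == fqdn.lower() for name in cert_names(peercert))


def diagnose(openldap_conf, pam_conf, peercert, fqdn):
    """Return a list of human-readable findings; empty means nothing to fix."""
    findings = []
    if ssl_disabled(pam_conf):
        findings.append("ssl no in /etc/ldap.conf: test-only, re-enable once LDAP works")
    if not cert_matches_fqdn(peercert, fqdn):
        findings.append(f"server certificate names {cert_names(peercert)}, not {fqdn}")
    for key, (a, b) in config_differences(openldap_conf, pam_conf).items():
        findings.append(f"{key}: /etc/openldap/ldap.conf={a!r} /etc/ldap.conf={b!r}")
    return findings


if __name__ == "__main__":
    for line in diagnose(OPENLDAP_CONF, PAM_CONF, DEFAULT_CERT, "ldap.example.com"):
        print(line)
```

On a live client the certificate dictionary would come from `ssl.create_default_context().wrap_socket(...).getpeercert()` after connecting to port 636; the parser and the comparison are deliberately kept independent of the network so they can run on copies of the files.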