Date: | Thu, 22 Jan 2009 19:59:28 +0000 |
Content-Type: | TEXT/PLAIN |
On Thu, 22 Jan 2009, Olf Epler wrote:
> Dear colleagues,
>
> for a couple of days I have been trying to switch on the ssl connection
> for an ldap client on SL-5.2 x86_64.
> I cleaned this installation so that only x86_64 packets are
> installed and also ran yum upgrade.
> My server works without any problems with SL-4.2 i386/x86_64,
> SL-5.1 i386 and also on port 389 with SL-5.2 x86_64.
> openssl097a and openssl-0.9.8b are installed.
> As soon as I change to "ldaps://<server>" in ldap.conf nothing
> happens.
> "ssl on" in ldap.conf allows "getent passwd" or ldapsearch
> but disables console logins. A further login is only possible
> as root with ssh.
> "ssl tls_start" also doesn't work.
> I've recompiled nss_ldap and also pam_ldap - no result.
> Because pam works well if I use port 389 I believe something
> else must be wrong. Can anybody help?

At least two types of problems were reported with ldap use at about the
time that the updates for sl52 came out.

One was related to dbus not being listed as an ignoregroups option and so
systems would hang during dbus startup.

Another was related to changes in nss_ldap which changed how the
ldap.conf was being parsed - so previously working configs stopped - and
most of the reported problems were with people using ssl. That may have
been related to the port option in the config (or might not).

Using "ldap://<server>" and "ssl tls_start" may work depending on whether
your ldap server allows starttls.

If you include a copy of your /etc/ldap.conf (and perhaps the ldap server
config) it may all be obvious to those who had the problems last year...

--
/--------------------------------------------------------------------\
| "Computers are different from telephones. Computers do not ring." |
| -- A. Tanenbaum, "Computer Networks", p. 32 |
---------------------------------------------------------------------|
| Jon Peatfield, _Computer_ Officer, DAMTP, University of Cambridge |
| Mail: [log in to unmask] Web: http://www.damtp.cam.ac.uk/ |
\--------------------------------------------------------------------/
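
An added example, not from either poster: a small Python lint for the transport settings this thread discusses (URI scheme, `ssl` value, `port`). It assumes the PADL nss_ldap/pam_ldap `ldap.conf` syntax, where the documented `ssl` values are `on`, `off` and `start_tls`; the finding codes, function names and sample config are constructed for illustration.

```python
import re

SSL_VALUES = {"on", "off", "start_tls"}  # values documented for the "ssl" directive

def parse(text):
    """Map each directive (lower-cased) to its last value; '#' lines are comments."""
    conf = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            conf[parts[0].lower()] = parts[1].strip()
    return conf

def lint(text):
    """Return sorted finding codes for transport settings that disagree."""
    conf, found = parse(text), set()
    ssl = conf.get("ssl", "off").lower()
    if ssl not in SSL_VALUES:
        found.add("ssl-unknown-value")        # e.g. a transposed keyword
    schemes = set()
    for uri in conf.get("uri", "").split():
        m = re.match(r"(ldap[si]?)://(?:\[[^\]]+\]|[^:/\s]+)(?::(\d+))?", uri, re.I)
        if not m:
            found.add("uri-unparsed")
            continue
        scheme, port = m.group(1).lower(), m.group(2)
        schemes.add(scheme)
        if (scheme, port) in {("ldaps", "389"), ("ldap", "636")}:
            found.add("uri-port-mismatch")
    if "ldaps" in schemes and ssl == "start_tls":
        found.add("starttls-over-ldaps")      # StartTLS belongs on ldap://
    if "ldap" in schemes and ssl == "on":
        found.add("ssl-on-with-ldap-uri")
    port = conf.get("port")
    wrapped = ssl == "on" or "ldaps" in schemes
    if (wrapped and port == "389") or (ssl == "start_tls" and port == "636"):
        found.add("port-directive-mismatch")
    encrypted = wrapped or ssl == "start_tls"
    if encrypted and conf.get("tls_checkpeer", "").lower() == "no":
        found.add("peer-check-disabled")      # server certificate not verified
    return sorted(found)

# Constructed sample config, not taken from the thread.
SAMPLE = """\
# constructed sample
uri ldaps://ldap.example.org
port 389
ssl tls_start
base dc=example,dc=org
"""

if __name__ == "__main__":
    for code in lint(SAMPLE):
        print(code)
```
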