Sorry for not replying sooner.

On Sat, 2009-03-28 at 16:57 -0700, Jamie Heilman wrote:
> With 0.6.7 if I have "tls_reqcert never" in /etc/ldap/ldap.conf then
> nslcd can connect to my ldap servers (which unfortunately have
> certificate problems and are outside of my administrative control) and
> things work quite happily. The switch to 0.6.8 broke this capability
> (almost surely the "clean the environment and set LDAPNOINIT" change
> is responsible), even when I put "tls_reqcert never" in my
> /etc/nss-ldapd.conf, which notably hasn't been well tested according
> to the warning messages.

Could you give me a summary of /etc/ldap/ldap.conf and /etc/nss-ldapd.conf? That would make it easier to track this down.

> Without "tls_reqcert never" in /etc/nss-ldapd.conf I just got this:
>
> Mar 28 03:39:41 deadhour nslcd[11653]: [6c6125] failed to bind to LDAP server
> ldaps://id.sea/: Can't contact LDAP server: Operation now in progress
> [...]
> While I'm not surprised it couldn't establish the connection due to
> not being able to verify the certs, the error message could stand to be
> more informative.

The problem is that I've no idea how to get better error messages out of the OpenLDAP library. "Can't contact LDAP server" is what I get from OpenLDAP and "Operation now in progress" is what I get from errno (which may or may not be useful). Running nslcd in debug mode (nslcd -d) could give more details in some situations.

> After adding "tls_reqcert never" to /etc/nss-ldapd.conf the messages
> changed slightly to:
>
> Mar 28 03:41:02 deadhour nslcd[7158]: [8b4567] failed to bind to LDAP server
> ldaps://id.sea/: Can't contact LDAP server: No such file or directory
> [...]

Could you include the output of nslcd -d here? Can you also give some more details on what kind of certificate is used (self-signed, etc).

Thanks for your bug report.

-- 
-- arthur - [email protected] - http://people.debian.org/~adejong --
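The precedence problem described in this thread (nslcd 0.6.8 cleans its environment and sets LDAPNOINIT, so libldap no longer reads /etc/ldap/ldap.conf and only /etc/nss-ldapd.conf counts) can be checked mechanically. The following script is an added example, not code from the nss-ldapd project or from either correspondent. It assumes nss-ldapd.conf accepts the same `tls_reqcert` keywords as OpenLDAP's `TLS_REQCERT` (never, allow, try, demand, hard), that libldap defaults to `demand` when nothing is set, and that `tls_cacertfile` / `tls_cacertdir` are the nss-ldapd.conf spellings of the CA-store options; the configuration snippets embedded in it are constructed, not taken from the reporter's system.

```python
"""Audit which tls_reqcert setting nslcd will actually apply.

Added example (not part of nss-ldapd). Models the precedence discussed in
the thread: a value in /etc/nss-ldapd.conf always wins; a value in
/etc/ldap/ldap.conf only counts while LDAPNOINIT is *not* set (nslcd < 0.6.8);
otherwise libldap's own default applies.
"""

# Assumption: same keyword set as OpenLDAP's TLS_REQCERT; "demand" is the
# libldap default when no file sets anything.
VALID_REQCERT = {"never", "allow", "try", "demand", "hard"}
LIBLDAP_DEFAULT = "demand"

NSLCD_CONF_PATH = "/etc/nss-ldapd.conf"
LDAP_CONF_PATH = "/etc/ldap/ldap.conf"


def parse_setting(conf_text, key):
    """Return the last value given for `key` in an ldap.conf-style file.

    Keys are matched case-insensitively (ldap.conf uses TLS_REQCERT,
    nss-ldapd.conf uses tls_reqcert); '#' lines are comments. None if unset.
    """
    value = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == key.lower():
            value = parts[1].strip().lower()
    return value


def effective_tls_reqcert(nslcd_conf, ldap_conf, ldapnoinit):
    """Return (value, source_file_or_'libldap default') that nslcd ends up with."""
    value = parse_setting(nslcd_conf, "tls_reqcert")
    if value is not None:
        return value, NSLCD_CONF_PATH
    if not ldapnoinit:
        value = parse_setting(ldap_conf, "tls_reqcert")
        if value is not None:
            return value, LDAP_CONF_PATH
    return LIBLDAP_DEFAULT, "libldap default"


def audit(nslcd_conf, ldap_conf, ldapnoinit):
    """Return a list of findings a defender would want to see; [] means clean."""
    findings = []
    value, source = effective_tls_reqcert(nslcd_conf, ldap_conf, ldapnoinit)
    if value not in VALID_REQCERT:
        findings.append(f"unknown tls_reqcert value '{value}' in {source}")
    elif value in ("never", "allow"):
        findings.append(f"tls_reqcert {value} ({source}): the server certificate is "
                        "not verified, so the ldaps:// connection can be impersonated")
    elif parse_setting(nslcd_conf, "tls_cacertfile") is None \
            and parse_setting(nslcd_conf, "tls_cacertdir") is None:
        findings.append("tls_reqcert demand/hard but no tls_cacertfile/tls_cacertdir "
                        f"in {NSLCD_CONF_PATH}: verification relies on the system CA store")
    # The exact regression from the thread: relying on ldap.conf alone.
    if parse_setting(nslcd_conf, "tls_reqcert") is None \
            and parse_setting(ldap_conf, "tls_reqcert") is not None:
        findings.append(f"tls_reqcert only in {LDAP_CONF_PATH}; nslcd 0.6.8+ sets "
                        "LDAPNOINIT and ignores that file, so put it in "
                        f"{NSLCD_CONF_PATH}")
    return findings


# Constructed sample configurations (not the reporter's real files).
LDAP_CONF = "# /etc/ldap/ldap.conf\nBASE dc=example,dc=org\nTLS_REQCERT never\n"
NSLCD_CONF_RELYING_ON_LDAP_CONF = "uri ldaps://ldap.example.org/\nbase dc=example,dc=org\n"
NSLCD_CONF_NEVER = NSLCD_CONF_RELYING_ON_LDAP_CONF + "tls_reqcert never\n"
NSLCD_CONF_HARDENED = (NSLCD_CONF_RELYING_ON_LDAP_CONF
                       + "tls_reqcert demand\n"
                       + "tls_cacertfile /etc/ssl/certs/ldap-ca.pem\n")

if __name__ == "__main__":
    for label, conf, noinit in [("0.6.7 style", NSLCD_CONF_RELYING_ON_LDAP_CONF, False),
                                ("0.6.8, ldap.conf only", NSLCD_CONF_RELYING_ON_LDAP_CONF, True),
                                ("0.6.8, never in nslcd conf", NSLCD_CONF_NEVER, True),
                                ("0.6.8, hardened", NSLCD_CONF_HARDENED, True)]:
        print(label, effective_tls_reqcert(conf, LDAP_CONF, noinit), audit(conf, LDAP_CONF, noinit))
```

The "0.6.8, ldap.conf only" case reproduces the regression in the report: with LDAPNOINIT set the `TLS_REQCERT never` line is silently ignored, libldap falls back to `demand`, and a server with a bad certificate is refused. The hardened case shows the setting that keeps verification on while still connecting: `demand` plus an explicit CA file in nss-ldapd.conf.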