There is something wrong with how we handle the SSL certificate of the LDAP server in Debian Edu. I'm not sure what is wrong, nor how to fix it. This is bug #1211 in bugzilla.
It started when I decided I wanted to make sure the public part of the SSL certificate for the LDAP server was distributed to the clients, to make it possible for them to verify that they connect to the correct LDAP server. I modified mkslapdcert to extract what I thought was the public part of the SSL key and store it in /var/www/ldap-server-pubkey.pem. Next, I wrote an init.d script executed when the clients boot, copying the file from http://www/ldap-server-pubkey.pem to /etc/ldap/ssl/ldap-server-pubkey.pem. I believed this would make sure every client had the public key info it needed to verify that it connected to the correct server. It proved to not work when I removed the 'TLS_REQCERT never' setting in /etc/ldap/ldap.conf. There were several problems. - The file I extracted as ldap-server-pubkey.pem was not the file the client needed. I was told that it really was the CERTIFICATE block in slapd.pem, so the file we distributed did not work. This is now fixed. - I was also explained how I could extract the certificate from the LDAP server directly, and rewrote the init.d script to connect to port 636 and extract the certificate that way instead of using http. This need some tuning to make the file prettier, but is working. - Next, I discovered that it was not enough to store the certificate in /etc/ldap/ssl/, I had to mention it explicitly in /etc/ldap/ldap.conf as well. This is now done. So these bugs are fixed, and with those in place I was able to get 'ldapwhoami -ZZ -x -h ldap' working on the client. I am told this command only work if the client have the valid server certificate available. But, the problem did not solve the initial problem, that lwap web serveice was unable to log in the admin user. Also, there seem to be something wrong with samba. At least the self test at the end of the installation report that samba isn't working as it should. I have no idea what is wrong here. As the ldapwhoami command is working, I suspect something else than LDAP is involved. Perhaps apache/lwat and samba are using a different ldap configuration file, and need to be told where the certificate is? This do not make sense, as it do helt p add 'TLS_REQCERT never' in /etc/ldap/ldap.conf to get it working. Anyone got any clues? A quickfix is to drop the certificate checking, but this make the clients prone to man-in-the-middle attacks. I would rather fix the certificate checking. At the moment the lwat and samba is broken. pam and nss seem to work as they should, so the ldap server seem to be working. :/ Happy hacking, -- Petter Reinholdtsen -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

