On 01/31/2014 04:13 PM, Todd Maugh wrote:


asked:   Can you provide your /etc/openldap/ldap.conf?


answer:

/etc/openldap/ldap.con
#File modified by ipa-client-install

URI ldaps://se-idm-01.boingo.com
BASE dc=boingo,dc=com
TLS_CACERT /etc/ipa/ca.crt
TLS_CACERTDIR /etc/openldap/cacerts/
TLS_REQCERT allow

This will allow errors where the hostname in the cert subject DN does not match the IP address or vice versa.

What happens if you set it to TLS_REQCERT demand?

Or, if you don't want to touch this file (because it will probably break other things), try this:

LDAPTLS_REQCERT=demand LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -d 1 -LLLx -ZZ -H ldap://qatestdc2.boingoqa.local -b "cn=idm admin,cn=users,dc=boingoqa,dc=local" -D "cn=idm admin,cn=users,dc=boingoqa,dc=local" -W 'objectclass=*' dn

If that works, then please provide the output of

rpm -q 389-ds-base openldap nss

ping

TLS: certificate [CN=QATESTDC2.boingoqa.local] is not valid - error -8179:Peer's Certificate issuer is not recognized..

This is saying QATESTDC2.boingoqa.local cannot be resolved - or the IP address does not match.

This is usually a problem, but perhaps you have set your ldap.conf to continue despite this problem?
PING qatestdc2.boingoqa.local (10.194.55.48) 56(84) bytes of data.
64 bytes from qatestdc2.boingoqa.local (10.194.55.48): icmp_seq=1 ttl=124 time=0.559 ms 64 bytes from qatestdc2.boingoqa.local (10.194.55.48): icmp_seq=2 ttl=124 time=0.660 ms
^C
--- qatestdc2.boingoqa.local ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1070ms
rtt min/avg/max/mdev = 0.559/0.609/0.660/0.056 ms

Ok.  Does 10.194.55.48 resolve to qatestdc2.boingoqa.local?





TLS certificate verification: subject: CN=QATESTDC2.boingoqa.local, issuer: CN=SKYWARPCA,DC=boingoqa,DC=local, cipher: AES-128, security level: high, secret key bits: 128, total key bits: 128, cache hits: 0, cache misses: 0, cache not reusable: 0
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to