On 01/31/2014 04:13 PM, Todd Maugh wrote:

asked: Can you provide your /etc/openldap/ldap.conf?


#File modified by ipa-client-install

URI ldaps://se-idm-01.boingo.com
BASE dc=boingo,dc=com
TLS_CACERT /etc/ipa/ca.crt
TLS_CACERTDIR /etc/openldap/cacerts/

This will allow errors where the hostname in the cert subject DN does not match the IP address or vice versa.

What happens if you set it to TLS_REQCERT demand?

Or, if you don't want to touch this file (because it will probably break other things), try this:

LDAPTLS_REQCERT=demand LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -d 1 -LLLx -ZZ -H ldap://qatestdc2.boingoqa.local -b "cn=idm admin,cn=users,dc=boingoqa,dc=local" -D "cn=idm admin,cn=users,dc=boingoqa,dc=local" -W 'objectclass=*' dn

If that works, then please provide the output of

rpm -q 389-ds-base openldap nss


TLS: certificate [CN=QATESTDC2.boingoqa.local] is not valid - error -8179:Peer's Certificate issuer is not recognized..

This is saying QATESTDC2.boingoqa.local cannot be resolved - or the IP address does not match.

This is usually a problem, but perhaps you have set your ldap.conf to continue despite this problem?
PING qatestdc2.boingoqa.local ( 56(84) bytes of data.
64 bytes from qatestdc2.boingoqa.local ( icmp_seq=1 ttl=124 time=0.559 ms
64 bytes from qatestdc2.boingoqa.local ( icmp_seq=2 ttl=124 time=0.660 ms
--- qatestdc2.boingoqa.local ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1070ms
rtt min/avg/max/mdev = 0.559/0.609/0.660/0.056 ms

Ok. Does resolve to qatestdc2.boingoqa.local?

TLS certificate verification: subject: CN=QATESTDC2.boingoqa.local, issuer: CN=SKYWARPCA,DC=boingoqa,DC=local, cipher: AES-128, security level: high, secret key bits: 128, total key bits: 128, cache hits: 0, cache misses: 0, cache not reusable: 0
Enter LDAP Password:
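An added example (not code from this thread, FreeIPA or 389-ds): the same StartTLS chain check that TLS_REQCERT demand performs, done independently with openssl s_client so that an unrecognized issuer (the NSS -8179 above) can be told apart from a hostname mismatch without editing ldap.conf. It assumes openssl is installed; the host, port and CA file in the usage comment are placeholders.

```shell
# classify_verify OUTPUT: map the last "Verify return code" line that
# openssl s_client prints to a short verdict. Echoes one of
#   ok | unknown-issuer | hostname-mismatch | no-result | other: <line>
# and returns 0 only for ok. Codes 19/20/21 mean a self-signed or untrusted
# issuer somewhere in the chain (the openssl counterpart of NSS -8179
# "issuer is not recognized"); 62 means the chain is trusted but no SAN/CN
# matches the name we connected to; no line at all means the handshake
# never completed (e.g. the server refused StartTLS).
classify_verify() {
    line=$(printf '%s\n' "$1" | grep 'Verify return code' | tail -n 1)
    case "$line" in
        "")              echo no-result;         return 1 ;;
        *"code: 0 "*)    echo ok;                return 0 ;;
        *"code: 19 "*|*"code: 20 "*|*"code: 21 "*)
                         echo unknown-issuer;    return 1 ;;
        *"code: 62 "*)   echo hostname-mismatch; return 1 ;;
        *)               echo "other: $line";    return 1 ;;
    esac
}

# check_ldap_tls HOST CAFILE [PORT]: StartTLS on the LDAP port, trust only
# CAFILE, and require the certificate name to match HOST, which is what
# TLS_REQCERT demand enforces. Needs OpenSSL >= 1.1.0 for "-starttls ldap".
check_ldap_tls() {
    host="$1"; cafile="$2"; port="${3:-389}"
    out=$(openssl s_client -starttls ldap -connect "$host:$port" \
              -servername "$host" -verify_hostname "$host" \
              -CAfile "$cafile" </dev/null 2>&1)
    classify_verify "$out"
}

# Usage (placeholder host and CA path):
#   check_ldap_tls ldap.example.test /etc/ipa/ca.crt
```

Run it once against the IPA CA file and once against the AD CA file to see which trust store actually signs the certificate the server presents.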

Freeipa-users mailing list