You shouldn't symlink /etc/ldap.conf to /etc/ldap/ldap.conf (/etc/openldap/ldap.conf); /etc/ldap.conf is for nss_ldap configuration and the other for openldap. You should add the appropriate ssl and tls_* configuration to each file.

Adjust to taste:

/etc/ldap.conf
tls_cacertdir /etc/ssl/certs
tls_cacertfile /etc/ssl/certs/cacert.pem

/etc/openldap/ldap.conf
TLS_CACERTDIR /etc/ssl/certs
TLS_CACERT /etc/ssl/certs/cacert.pem

On 10/12/2012 01:48 PM, Roland Gruber wrote:
> Hi Anil,
>
> please try to symlink /etc/ldap.conf to /etc/ldap/ldap.conf. Sometimes
> the LDAP commandline tools use a different location than the web server.
>
> The file must include something like this:
>
> TLS_CACERT /etc/ldap/ca/myCA/cacert.pem
>
>
> Best regards
>
> Roland
>
>
> On 12.10.2012 12:07, Anil Kumar 10 wrote:
>> Hi
>>
>> We have installed openldap 2.4.2 with a self-signed certificate and
>> LAM 3.9 on the same server with apache2.2.15.
>>
>> If we do ldapsearch -ZZ or ldapsearch -H ldaps://hostname it works
>> fine.
>>
>> The CN in the certificate is the same as the hostname.
>>
>> We are able to connect on 389 from LAM.
>>
>> But it's not working when we use either TLS or ldaps.
>>
>> Logs from LAM
>>
>> 2012-10-12 05:51:18: LDAP Account Manager (bcnt18dq2stm7ceakpfnptkc70 - 172.25.18.67) - DEBUG: Display login page
>> 2012-10-12 05:51:18: LDAP Account Manager (bcnt18dq2stm7ceakpfnptkc70 - 172.25.18.67) - DEBUG: LAM 3.9
>> 2012-10-12 05:51:23: LDAP Account Manager (dim73luup4blkp10u3mbi795v1 - 172.25.18.67) - ERROR: User cn=Manager,dc=idm,dc=com (172.25.18.67) failed to log in (LDAP error: Can't contact LDAP server).
>> 2012-10-12 05:51:23: LDAP Account Manager (dim73luup4blkp10u3mbi795v1 - 172.25.18.67) - DEBUG: Display login page
>> 2012-10-12 05:51:23: LDAP Account Manager (dim73luup4blkp10u3mbi795v1 - 172.25.18.67) - DEBUG: LAM 3.9
>> 2012-10-12 05:53:41: LDAP Account Manager (hhighd48ms1fggv518msemp1h6 - 172.25.18.67) - DEBUG: Display login page
>> 2012-10-12 05:53:41: LDAP Account Manager (hhighd48ms1fggv518msemp1h6 - 172.25.18.67) - DEBUG: LAM 3.9
>> 2012-10-12 05:53:45: LDAP Account Manager (eo7imttp8g193vo9k6bsqhffu1 - 172.25.18.67) - NOTICE: User cn=Manager,dc=idm,dc=com (172.25.18.67) successfully logged in.
>> 2012-10-12 05:54:06: LDAP Account Manager (eo7imttp8g193vo9k6bsqhffu1 - 172.25.18.67) - NOTICE: User cn=Manager,dc=idm,dc=com logged off.
>> 2012-10-12 05:54:06: LDAP Account Manager (oungeu5vkcuvb0hfs33q9v9li0 - 172.25.18.67) - DEBUG: Display login page
>> 2012-10-12 05:54:06: LDAP Account Manager (oungeu5vkcuvb0hfs33q9v9li0 - 172.25.18.67) - DEBUG: LAM 3.9
>> 2012-10-12 05:54:55: LDAP Account Manager (r8eqv0kvr7mqncn8523u4q57u4 - 172.25.18.67) - DEBUG: Display login page
>> 2012-10-12 05:54:55: LDAP Account Manager (r8eqv0kvr7mqncn8523u4q57u4 - 172.25.18.67) - DEBUG: LAM 3.9
>> 2012-10-12 05:55:02: LDAP Account Manager (n858ttle2iiov00lhvnqfa1c40 - 172.25.18.67) - NOTICE: User cn=Manager,dc=idm,dc=com (172.25.18.67) successfully logged in.
>> 2012-10-12 05:55:07: LDAP Account Manager (n858ttle2iiov00lhvnqfa1c40 - 172.25.18.67) - NOTICE: User cn=Manager,dc=idm,dc=com logged off.
>> 2012-10-12 05:55:08: LDAP Account Manager (qs9o5ka8602i7mjkdarhp8k0b0 - 172.25.18.67) - DEBUG: Display login page
>> 2012-10-12 05:55:08: LDAP Account Manager (qs9o5ka8602i7mjkdarhp8k0b0 - 172.25.18.67) - DEBUG: LAM 3.9
>> 2012-10-12 05:55:54: LDAP Account Manager (q6cnro2po2h34jadk3t2g48l47 - 172.25.18.67) - DEBUG: Display login page
>> 2012-10-12 05:55:54: LDAP Account Manager (q6cnro2po2h34jadk3t2g48l47 - 172.25.18.67) - DEBUG: LAM 3.9
>> 2012-10-12 05:55:58: LDAP Account Manager (6u3f8g6msnpmovq7jnt27i9r82 - 172.25.18.67) - ERROR: User cn=Manager,dc=idm,dc=com (172.25.18.67) failed to log in (LDAP error: Can't contact LDAP server).
>> 2012-10-12 05:55:58: LDAP Account Manager (6u3f8g6msnpmovq7jnt27i9r82 - 172.25.18.67) - DEBUG: Display login page
>> 2012-10-12 05:55:58: LDAP Account Manager (6u3f8g6msnpmovq7jnt27i9r82 - 172.25.18.67) - DEBUG: LAM 3.9
>>
>>
>> Debug logs from ldap
>>
>>
>> slap_listener_activate(10):
>> daemon: epoll: listen=7 active_threads=0 tvp=zero
>> daemon: epoll: listen=8 active_threads=0 tvp=zero
>> daemon: epoll: listen=9 active_threads=0 tvp=zero
>> daemon: epoll: listen=10 busy
>> >>> slap_listener(ldaps:///)
>> daemon: listen=10, new connection on 17
>> daemon: added 17r (active) listener=(nil)
>> daemon: activity on 1 descriptor
>> daemon: activity on:
>> daemon: epoll: listen=7 active_threads=0 tvp=zero
>> daemon: epoll: listen=8 active_threads=0 tvp=zero
>> daemon: epoll: listen=9 active_threads=0 tvp=zero
>> daemon: epoll: listen=10 active_threads=0 tvp=zero
>> daemon: activity on 1 descriptor
>> daemon: activity on: 17r
>> daemon: read active on 17
>> daemon: epoll: listen=7 active_threads=0 tvp=zero
>> daemon: epoll: listen=8 active_threads=0 tvp=zero
>> daemon: epoll: listen=9 active_threads=0 tvp=zero
>> daemon: epoll: listen=10 active_threads=0 tvp=zero
>> connection_get(17)
>> connection_get(17): got connid=1027
>> connection_read(17): checking for input on id=1027
>> TLS trace: SSL_accept:before/accept initialization
>> tls_read: want=11, got=0
>>
>> TLS: can't accept: (unknown).
>> connection_read(17): TLS accept failure error=-1 id=1027, closing
>> connection_closing: readying conn=1027 sd=17 for close
>> connection_close: conn=1027 sd=17
>> daemon: removing 17
>> daemon: activity on 1 descriptor
>> daemon: activity on:
>> daemon: epoll: listen=7 active_threads=0 tvp=zero
>> daemon: epoll: listen=8 active_threads=0 tvp=zero
>> daemon: epoll: listen=9 active_threads=0 tvp=zero
>> daemon: epoll: listen=10 active_threads=0 tvp=zero
>> daemon: activity on 1 descriptor
>> daemon: activity on:
>> slap_listener_activate(10):
>> daemon: epoll: listen=7 active_threads=0 tvp=zero
>> daemon: epoll: listen=8 active_threads=0 tvp=zero
>> daemon: epoll: listen=9 active_threads=0 tvp=zero
>> daemon: epoll: listen=10 busy
>> >>> slap_listener(ldaps:///)
>> daemon: listen=10, new connection on 17
>> daemon: added 17r (active) listener=(nil)
>> daemon: activity on 1 descriptor
>> daemon: activity on:
>> daemon: epoll: listen=7 active_threads=0 tvp=zero
>> daemon: epoll: listen=8 active_threads=0 tvp=zero
>> daemon: epoll: listen=9 active_threads=0 tvp=zero
>> daemon: epoll: listen=10 active_threads=0 tvp=zero
>> daemon: activity on 1 descriptor
>> daemon: activity on: 17r
>> daemon: read active on 17
>> daemon: epoll: listen=7 active_threads=0 tvp=zero
>> daemon: epoll: listen=8 active_threads=0 tvp=zero
>> daemon: epoll: listen=9 active_threads=0 tvp=zero
>> daemon: epoll: listen=10 active_threads=0 tvp=zero
>> connection_get(17)
>> connection_get(17): got connid=1028
>> connection_read(17): checking for input on id=1028
>> TLS trace: SSL_accept:before/accept initialization
>> tls_read: want=11, got=0
>>
>> TLS: can't accept: (unknown).
>> connection_read(17): TLS accept failure error=-1 id=1028, closing
>> connection_closing: readying conn=1028 sd=17 for close
>> connection_close: conn=1028 sd=17
>> daemon: removing 17
>> daemon: activity on 1 descriptor
>> daemon: activity on:
>>
>>
>>
>> Regards
>> Anil
>>
>>
>> _______________________________________________
>> Lam-public mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/lam-public
>
> --
> Kind regards
>
> Roland Gruber

--
Darin Perusich
Email: [email protected]
Office: 716-888-3690
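The reply above rests on two facts: nss_ldap reads /etc/ldap.conf (lowercase keys such as `tls_cacertfile`), while libldap, the client library behind ldapsearch and PHP's ldap extension, reads /etc/openldap/ldap.conf (or /etc/ldap/ldap.conf) with case-insensitive keys such as `TLS_CACERT`. The slapd trace quoted in the thread shows `tls_read: want=11, got=0` right after `SSL_accept:before/accept initialization`, i.e. the server read end-of-file where it expected the first handshake bytes: the client hung up before sending a ClientHello, which points at the client's own TLS setup rather than at the server certificate. The following is an added example, not code from the thread or from the LAM or OpenLDAP projects. It parses both config files with one parser, reports CA settings that are missing, inconsistent or point at non-existent paths, and classifies TLS accept failures in a slapd trace by that `got=0` signature. All sample config text, the hostname and base DN, the fake filesystem and the trace excerpt are constructed for the example; the deliberately misspelled `TLS_CACERTDIR /etc/ss/certs` shows the kind of slip the check catches.

```python
import re

# Constructed sample configs for the two files the reply distinguishes
# (hypothetical hostname and base DN; not the poster's actual files).
NSS_LDAP_CONF = """\
# /etc/ldap.conf: read by nss_ldap / pam_ldap, lowercase keys
host ldap.example.com
base dc=idm,dc=com
ssl start_tls
tls_cacertdir /etc/ssl/certs
tls_cacertfile /etc/ssl/certs/cacert.pem
"""

OPENLDAP_CONF = """\
# /etc/openldap/ldap.conf: read by libldap (ldapsearch, PHP ldap ext), keys case-insensitive
URI ldaps://ldap.example.com
BASE dc=idm,dc=com
TLS_CACERTDIR /etc/ss/certs
TLS_CACERT /etc/ssl/certs/cacert.pem
"""

# Constructed stand-in for the filesystem so the check runs offline; /etc/ss/certs is absent.
FAKE_FS = {"/etc/ssl/certs", "/etc/ssl/certs/cacert.pem"}


def parse_ldap_conf(text):
    """Parse 'KEY value' lines from either file format into a dict.

    Keys are folded to lowercase: OpenLDAP's ldap.conf treats them case-insensitively
    and nss_ldap's are lowercase already, so one parser serves both files."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip()
    return settings


def check_tls_trust(nss_text, openldap_text, exists):
    """Return a list of findings about CA trust settings in the two files.

    An empty list means both files name a CA file, the two agree, and every
    referenced path exists. `exists` is a callable path -> bool, so the caller
    can pass os.path.exists for a real system or a set lookup for a test."""
    nss = parse_ldap_conf(nss_text)
    ol = parse_ldap_conf(openldap_text)
    findings = []
    nss_ca = nss.get("tls_cacertfile")
    ol_ca = ol.get("tls_cacert")
    if nss_ca is None:
        findings.append("nss_ldap: tls_cacertfile is not set")
    if ol_ca is None:
        findings.append("openldap: TLS_CACERT is not set")
    if nss_ca and ol_ca and nss_ca != ol_ca:
        findings.append(f"CA file differs: nss_ldap={nss_ca} openldap={ol_ca}")
    for label, path in (
        ("nss_ldap tls_cacertdir", nss.get("tls_cacertdir")),
        ("nss_ldap tls_cacertfile", nss_ca),
        ("openldap TLS_CACERTDIR", ol.get("tls_cacertdir")),
        ("openldap TLS_CACERT", ol_ca),
    ):
        if path is not None and not exists(path):
            findings.append(f"{label} points at a missing path: {path}")
    return findings


# Constructed excerpt in the shape of the slapd debug trace quoted in the thread.
SLAPD_TRACE = """\
connection_read(17): checking for input on id=1027
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=0
TLS: can't accept: (unknown).
connection_read(17): TLS accept failure error=-1 id=1027, closing
"""

CLIENT_HUNG_UP = "client closed before sending the ClientHello (client-side TLS setup failed)"
HANDSHAKE_FAILED = "handshake failed after bytes were exchanged (check server certificate and client trust)"

_TLS_READ = re.compile(r"tls_read: want=(\d+), got=(\d+)")
_ACCEPT_FAIL = re.compile(r"TLS accept failure error=(-?\d+) id=(\d+)")


def classify_tls_accept_failures(trace):
    """Map each connection id with a failed TLS accept to a one-line diagnosis.

    got=0 on the first tls_read means read() returned EOF: the peer closed the
    socket before the handshake started, so the fault lies on the client side."""
    results = {}
    last_read = None
    for line in trace.splitlines():
        if "checking for input on id=" in line:
            last_read = None          # new read attempt on this connection
            continue
        m = _TLS_READ.search(line)
        if m:
            last_read = (int(m.group(1)), int(m.group(2)))
            continue
        m = _ACCEPT_FAIL.search(line)
        if m:
            conn_id = m.group(2)
            results[conn_id] = CLIENT_HUNG_UP if last_read and last_read[1] == 0 else HANDSHAKE_FAILED
    return results


if __name__ == "__main__":
    for finding in check_tls_trust(NSS_LDAP_CONF, OPENLDAP_CONF, FAKE_FS.__contains__):
        print("config:", finding)
    for conn_id, diagnosis in classify_tls_accept_failures(SLAPD_TRACE).items():
        print(f"conn {conn_id}: {diagnosis}")
```

Against a real host, call `check_tls_trust(open("/etc/ldap.conf").read(), open("/etc/openldap/ldap.conf").read(), os.path.exists)`; the CA file must be readable by the web server's user as well as by root, which this check does not verify.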
