Quanah Gibson-Mount <[EMAIL PROTECTED]> writes:

> --On Wednesday, August 23, 2006 8:18 PM +0200 Karsten Römke
> <[EMAIL PROTECTED]> wrote:
>
>> ok, it would be nice if it is a configuration problem
>> I have tried the openssl -s_client.
>> openssl s_client -connect oracle.hhb.bonn.de:636 -showcerts
>> CONNECTED(00000003)
>> 8907:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
>> handshake failure:s23_clnt.c:465:
>>
>> and here is a part of slapd.conf
>> TLSCACertificateFile /etc/openldap/cacert.pem
>> TLSCertificateFile /etc/openldap/servercrt.pem
>> TLSCertificateKeyFile /etc/openldap/serverkey.pem
>>
>># loglevel 1
>>
>> and the ldap.conf
>> tls_cacert /etc/openldap/cacert.pem
>> nss_base_passwd ou=People,dc=hhb,dc=bonn,dc=de
>> nss_base_shadow ou=People,dc=hhb,dc=bonn,dc=de
>> nss_base_group ou=Groups,dc=hhb,dc=bonn,dc=de
>> host 10.100.0.202
>> base dc=hhb,dc=bonn,dc=de
>> ldap_version 3
>> ssl start_tls
>> pam_password crypt
>
> These do not look like valid parameters to ldap.conf(5) for OpenLDAP.
> I'm guessing these are the parameters for PAM's ldap.conf. You need
> to properly configure the appropriate ldap.conf for openldap and PAM
> separately. I'm guessing you currently have PAM configuration lines
> in the ldap.conf that would be used by ldapsearch, and nothing in the
> ldap.conf that would be used by PAM. But maybe not, you don't note
> the location of your ldap.conf file.

In addition to Quanah's comments I would like to see a condensed output
of 'openssl x509 -in servercert.pem -text'. The data of modules,
signature algorithm and certificate are not required.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
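
The split between OpenLDAP's ldap.conf and the PAM/NSS ldap.conf discussed in this thread, as an added example that is not part of the original messages: a small checker that sorts the directives of an ldap.conf by which consumer reads them. The directive sets are a partial list assumed from ldap.conf(5) and the pam_ldap/nss_ldap man pages, and the function names are hypothetical.

```python
# Added example. Directive sets are partial and assumed from the man pages
# (ldap.conf(5) for OpenLDAP clients, pam_ldap/nss_ldap for PAM and NSS).
OPENLDAP = {"uri", "base", "binddn", "deref", "host", "port", "referrals",
            "sizelimit", "timelimit", "network_timeout", "sasl_mech",
            "tls_cacert", "tls_cacertdir", "tls_cert", "tls_key",
            "tls_reqcert", "tls_cipher_suite"}
PAM_NSS = {"uri", "base", "binddn", "bindpw", "rootbinddn", "host", "port",
           "scope", "timelimit", "bind_timelimit", "ldap_version", "ssl",
           "tls_cacertfile", "tls_cacertdir", "tls_checkpeer", "tls_ciphers",
           "tls_cert", "tls_key"}
PAM_NSS_PREFIXES = ("pam_", "nss_")

# The ldap.conf lines as posted in the thread.
SAMPLE = """\
tls_cacert /etc/openldap/cacert.pem
nss_base_passwd ou=People,dc=hhb,dc=bonn,dc=de
nss_base_shadow ou=People,dc=hhb,dc=bonn,dc=de
nss_base_group ou=Groups,dc=hhb,dc=bonn,dc=de
host 10.100.0.202
base dc=hhb,dc=bonn,dc=de
ldap_version 3
ssl start_tls
pam_password crypt
"""

def classify(directive):
    """Return which consumer knows this directive (names are case-insensitive)."""
    key = directive.lower()
    in_openldap = key in OPENLDAP
    in_pam = key in PAM_NSS or key.startswith(PAM_NSS_PREFIXES)
    if in_openldap and in_pam:
        return "both"
    return "openldap" if in_openldap else "pam/nss" if in_pam else "unknown"

def audit(text):
    """Group the directives of one ldap.conf by consumer, skipping comments."""
    groups = {"both": [], "openldap": [], "pam/nss": [], "unknown": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            directive = line.split(None, 1)[0]
            groups[classify(directive)].append(directive)
    return groups

def is_mixed(text):
    """True when one file carries directives exclusive to each consumer."""
    groups = audit(text)
    return bool(groups["openldap"]) and bool(groups["pam/nss"])

if __name__ == "__main__":
    for consumer, names in audit(SAMPLE).items():
        print(f"{consumer:9} {', '.join(names) or '-'}")
```

Run against each ldap.conf on the host in turn; a file where `is_mixed` is true is a candidate for splitting into the two separate files.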
