Hello, I'm trying to get secure authentication, addressbook, samba, and email integrated into one directory on FreeBSD. I'm using openldap server and client 2.4.8, pam_ldap 1.8.4, and nss_ldap 1.257. I've got TLS working with the openldap client /usr/local/etc/openldap/ldap.conf and slapd /usr/local/etc/openldap.conf. I know this because an ldapsearch -LxZZ returns my database, and from another host adding -h host to that ldapsearch also works. In slapd.conf I have:

    TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv3:+SSLv2
    TLSCACertificateFile /usr/local/etc/openldap/tls/ca-cert.pem
    TLSCertificateFile /usr/local/etc/openldap/tls/server.crt
    TLSCertificateKeyFile /usr/local/etc/openldap/tls/server.key
    TLSVerifyClient never

In my /usr/local/etc/openldap/ldap.conf I have:

    Base dc=example,dc=com
    URI ldap://dnsname.example.com/
    TLS_CACERT /usr/local/etc/openldap/tls/ca-cert.pem
    TLS_REQCERT demand

As I said, this works fine. The issue comes into play when I uncomment the "ssl start_tls" line in /usr/local/etc/ldap.conf, which is then copied over to /usr/local/etc/nss_ldap.conf after editing. With TLS uncommented I'm getting a "TLS negotiation failed" message when I attempt to log in via ssh, and on the same terminal window an id on an LDAP user will also return "TLS negotiation failed". In my /usr/local/etc/ldap.conf and /usr/local/etc/nss_ldap.conf I have:

    base dc=example,dc=com
    uri ldap://dnsname.example.com/
    ldap_version 3
    binddn cn=Manager,dc=example,dc=com
    bindpw SecretPassword
    rootbinddn cn=Manager,dc=example,dc=com
    port 389
    scope sub
    bind_timelimit 3
    bind_policy soft
    pam_filter objectclass=posixAccount
    pam_login_attribute uid
    pam_password exop
    nss_base_passwd ou=people,dc=example,dc=com?sub
    nss_base_shadow ou=people,dc=example,dc=com?sub
    nss_base_group ou=groups,dc=example,dc=com?sub
    ssl start_tls
    tls_ciphers TLSv1

I'm not sure if my scope line is right; I've tried others, and this configuration works without TLS. Turn it on and it fails. Any suggestions? Thanks. Dave.
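A small audit script, added here as an example and not part of Dave's post or of the nss_ldap project, that reads an nss_ldap/pam_ldap style ldap.conf and reports the TLS and credential-handling settings worth checking before enabling start_tls: whether a CA file is configured for the library itself (tls_cacertfile / tls_cacertdir), whether tls_checkpeer is set or verification is left to libldap's TLS_REQCERT, whether a bindpw sits in a file that NSS needs to be world-readable, and whether a rootbinddn has its companion ldap.secret next to the config. The directive names are those documented in PADL's nss_ldap; the sample configuration the script writes is constructed from the settings quoted in the post, with a placeholder hostname and password.

```sh
#!/bin/sh
# Added example (not from the original post): audit an nss_ldap/pam_ldap
# style ldap.conf for TLS and credential-handling settings.
# Usage: sh audit_ldap_conf.sh /usr/local/etc/nss_ldap.conf

# Print the value of a directive (case-insensitive key, first match, comments ignored).
conf_get() {
    # $1 = config file, $2 = directive name
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) {
        sub(/^[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# Report findings as "FINDING: ..." lines and a final "SUMMARY: N finding(s)".
# Always returns 0 so it can be used inside command substitutions under set -e.
audit_ldap_conf() {
    f="$1"
    findings=0
    ssl=$(conf_get "$f" ssl)
    uri=$(conf_get "$f" uri)
    cacert=$(conf_get "$f" tls_cacertfile)
    cacertdir=$(conf_get "$f" tls_cacertdir)
    checkpeer=$(conf_get "$f" tls_checkpeer)
    bindpw=$(conf_get "$f" bindpw)
    rootbinddn=$(conf_get "$f" rootbinddn)

    if [ "$ssl" = "start_tls" ]; then
        # start_tls upgrades a plain ldap:// connection; an ldaps:// URI is a different mode.
        case "$uri" in
            ldaps://*)
                echo "FINDING: ssl start_tls combined with an ldaps:// uri"
                findings=$((findings + 1)) ;;
        esac
        if [ -z "$cacert" ] && [ -z "$cacertdir" ]; then
            echo "FINDING: start_tls enabled without tls_cacertfile or tls_cacertdir in $f (trust comes only from libldap's own ldap.conf)"
            findings=$((findings + 1))
        elif [ -n "$cacert" ] && [ ! -r "$cacert" ]; then
            echo "FINDING: tls_cacertfile $cacert is not readable from this process"
            findings=$((findings + 1))
        fi
        if [ "$checkpeer" != "yes" ]; then
            echo "FINDING: tls_checkpeer is not 'yes'; server verification relies on libldap's TLS_REQCERT"
            findings=$((findings + 1))
        fi
    fi

    if [ -n "$bindpw" ]; then
        # Every process doing NSS lookups reads this file, so it cannot be made private.
        echo "FINDING: bindpw stored in $f, a file NSS requires to be world-readable"
        findings=$((findings + 1))
    fi
    if [ -n "$rootbinddn" ]; then
        secret="$(dirname "$f")/ldap.secret"
        if [ ! -f "$secret" ]; then
            echo "FINDING: rootbinddn set but $secret (root-only bind password file) is missing"
            findings=$((findings + 1))
        fi
    fi
    echo "SUMMARY: $findings finding(s)"
    return 0
}

# Write a constructed sample config (the post's settings, placeholder host/password) to $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
base dc=example,dc=com
uri ldap://ldap.example.invalid/
ldap_version 3
binddn cn=Manager,dc=example,dc=com
bindpw PLACEHOLDER_PASSWORD
rootbinddn cn=Manager,dc=example,dc=com
port 389
scope sub
bind_policy soft
ssl start_tls
tls_ciphers TLSv1
EOF
}

# Audit the file named on the command line, if any.
if [ $# -gt 0 ]; then
    audit_ldap_conf "$1"
fi
```

Run it against both /usr/local/etc/ldap.conf and /usr/local/etc/nss_ldap.conf, since pam_ldap and nss_ldap read their own copies; a finding about the missing CA file directive is the usual first thing to settle before reading the library's debug output.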
