joe wrote:
The OP's issue is possibly due to not having the CA's cert on the machine.
Yes, indeed I didn't have it on the client. I've done that now. So I'm
making progress... but I'm not quite there. See below.
Michael Ströder wrote:
If you get a TLS handshake leading to the error message above the server is
likely correctly configured.
Provided you have OpenSSL installed I'd play with
openssl s_client -connect adserver:636 -CAfile rootca.pem
to first test the TLS connection.
OK so, I've exported the CA cert from the server with:
*certutil -ca.cert ca_name.cer*
and converted it with openssl to "PEM" format. Then specified the file
in .ldaprc with TLS_CACERT.
I got a different response now using debug level 7. There is a lot of
data. At the end I get:
-----
ldap_sasl_interactive_bind_s: server supports: GSSAPI GSS-SPNEGO EXTERNAL DIGEST-MD5
ldap_int_sasl_bind: GSSAPI GSS-SPNEGO EXTERNAL DIGEST-MD5
ldap_int_sasl_open: host=adserver.domain.com
SASL/GSSAPI authentication started
ldap_err2string
ldap_sasl_interactive_bind_s: Local error (-2)
-----
(will send the full message if it is necessary - it's just very long)
I did a bit of a search and found some things on this list's archives.
However, I'm not trying to connect an ldap server to an ldap server. So
I only have ldap-utils installed and not the server. Is there some SASL
configuration necessary?
Any ideas? Many thanks!
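As an added example (not code from the thread or from the OpenLDAP project), here is the client-side procedure the thread describes, pulled together into one script: convert the certutil DER export to PEM, write the .ldaprc lines for a client-only ldap-utils install, test the TLS layer on its own with openssl s_client as Michael suggests, check the prerequisites a SASL/GSSAPI bind needs on the client (a Kerberos ticket and the Cyrus SASL GSSAPI plugin), and finally run ldapsearch with -Y GSSAPI at debug level 7. The host name, file names and base DN are placeholders; the mapping of "Local error (-2)" to "no ticket or no GSSAPI plugin" reflects the usual causes of that code, not something diagnosed from the OP's log; and the plugin-listing command name (pluginviewer vs. saslpluginviewer) varies by distribution, so both are tried.

```shell
#!/bin/sh
# Added example, not from the thread. All names below are placeholders (assumptions).
AD_HOST="${AD_HOST:-adserver.domain.com}"   # host name as it appears in the thread
CA_DER="${CA_DER:-ca_name.cer}"             # DER file written by: certutil -ca.cert ca_name.cer
CA_PEM="${CA_PEM:-$HOME/rootca.pem}"        # PEM copy that TLS_CACERT will point at
BASE_DN="${BASE_DN:-dc=example,dc=com}"     # placeholder search base

# 1. Convert the DER export to PEM (TLS_CACERT expects PEM) and show the result.
convert_ca_to_pem() {
    openssl x509 -inform DER -in "$1" -out "$2" &&
    openssl x509 -in "$2" -noout -subject -dates
}

# 2. Client-only .ldaprc: URI, trusted CA, and require a valid server cert.
ldaprc_contents() {
    printf 'URI ldaps://%s:636\nTLS_CACERT %s\nTLS_REQCERT demand\n' "$1" "$2"
}

# 3. Test the TLS layer by itself, independent of SASL (Michael's suggestion).
test_tls() {
    openssl s_client -connect "$1:636" -CAfile "$2" </dev/null 2>&1 |
        grep -E 'Verify return code|subject=|issuer='
}

# 4. Map the result codes ldapsearch prints at the end of its debug output
#    to the layer that failed, so the next check is the right one.
classify_bind_error() {
    case "$1" in
        *"Local error (-2)"*)
            echo "local-sasl-failure: check for a Kerberos ticket (klist) and for the SASL GSSAPI client plugin" ;;
        *"Can't contact LDAP server (-1)"*)
            echo "transport-failure: TLS handshake or CA trust, retest with openssl s_client" ;;
        *"Invalid credentials (49)"*)
            echo "server-rejected-credentials: wrong principal or password" ;;
        *)
            echo "unknown" ;;
    esac
}

# 5. Prerequisites for a GSSAPI bind from a machine that only has ldap-utils.
#    Assumption: klist -s (MIT and Heimdal) and the Cyrus SASL plugin viewer exist.
check_gssapi_prereqs() {
    klist -s 2>/dev/null || echo "no Kerberos ticket: run kinit user@REALM first"
    { pluginviewer -c 2>/dev/null || saslpluginviewer -c 2>/dev/null; } | grep -qi gssapi ||
        echo "SASL GSSAPI client plugin not found: install the cyrus-sasl GSSAPI module"
}

main() {
    convert_ca_to_pem "$CA_DER" "$CA_PEM"
    ldaprc_contents "$AD_HOST" "$CA_PEM" > "$HOME/.ldaprc"
    test_tls "$AD_HOST" "$CA_PEM"
    check_gssapi_prereqs
    # -Y GSSAPI selects the mechanism; -d 7 is the debug level used in the thread.
    out=$(ldapsearch -H "ldaps://$AD_HOST:636" -Y GSSAPI -d 7 -b "$BASE_DN" '(objectClass=user)' 2>&1)
    echo "$out" | tail -n 20
    classify_bind_error "$(echo "$out" | grep -m1 'ldap_sasl_interactive_bind_s:.*error')"
}

# Run the full procedure only when asked, so the functions can be sourced for checks.
if [ "${RUN_LDAP_CHECK:-0}" = "1" ]; then main; fi
```

Run it as RUN_LDAP_CHECK=1 AD_HOST=adserver.domain.com sh ldaps-gssapi-check.sh; without RUN_LDAP_CHECK it only defines the functions. The point of separating test_tls from the ldapsearch call is the one the thread reaches: once openssl s_client verifies the chain, a "Local error (-2)" is no longer a TLS problem but a SASL one on the client side.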