Thanks Jan! It appears that nss_ldap-253-12 breaks the ldaps://ldap.server mechanism on port 636, which was in my /etc/ldap.conf file (used by nss_ldap).

After I modified /etc/ldap.conf with

    uri ldap://ldap.server

along with

    ssl start_tls
    tls_checkpeer yes

nss_ldap-253-12 is happy and it gets data from the LDAP server with TLS.

On the other hand, I still kept my /etc/openldap/ldap.conf the way it was, that is

    URI ldaps://ldap.server

rather than ldap://ldap.server, with

    TLS_REQCERT demand

Otherwise, ldapsearch seems to happily ignore the TLS_REQCERT demand and sends/gets data on port 389 in the clear unless you specify the -ZZ argument.

This thread is directly related to Faye Gibbins's "Openssl breaks ldap on SL5.0" thread! It is nss_ldap rather than openssl's fault.

Jan Kundrát wrote:
> Zhi-Wei Lu wrote:
>> 2. Turn on ssl and add the nss_initgroups_ignoreusers line, the message
>> bus was fine and system rebooted, but ldap query is still not working
>> via ldaps, therefore, the latest nss_ldap-253-12 breaks something.
>
> Instead of "ldaps" (as in LDAP over SSL), we use starttls (plaintext
> connection that is converted to SSL after a while) -- our LDAP servers
> are configured in such a way that they won't talk to you unless you
> access them over a secure channel. I've tried changing the settings to
> ldaps (and indeed the machines talked to slapd at port 636), but saw no
> difference.
>
> Anyway, dump of configuration that *works* for me with recent nss_ldap
> on 32bit SL5 box is at http://dev.gentoo.org/~jkt/ldap/sl5/ , perhaps
> you can spot a difference against your setup.
>
> These are the packages I use (and whose version might matter here):
>
> openldap-clients-2.3.27-8.el5_1.3.i386
> openssl-0.9.8b-8.3.el5_0.2.i686
> compat-openldap-2.3.27_2.2.29-8.el5_1.3.i386
> nss_db-2.2-35.3.i386
> openssh-4.3p2-42.sl5.i386
> nss-3.11.7-1.3.el5.i386
> openldap-2.3.27-8.el5_1.3.i386
> pam-0.99.6.2-3.26.el5.i386
> openssh-server-4.3p2-42.sl5.i386
> nss-tools-3.11.7-1.3.el5.i386
> nss_ldap-253-12.el5.i386
>
> Cheers,
> -jkt

-- 
Zhi-Wei Lu
Institute for Data Analysis and Visualization
University of California, Davis
(530) 752-0494
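The two client files the post contrasts, as an added shell example that is not from the thread and not part of nss_ldap or OpenLDAP: it writes constructed sample copies of nss_ldap's /etc/ldap.conf and OpenLDAP's /etc/openldap/ldap.conf into a temporary directory and audits them for the settings discussed above. The function names, the base DN and the CA file path are assumptions made for the demo; ldap.server is the hostname from the post. The checker flags the ldaps:// layout that nss_ldap-253-12 broke on, a missing "ssl start_tls" / "tls_checkpeer yes" pair, and an OpenLDAP client file that sets TLS_REQCERT demand but keeps a plain ldap:// URI, because TLS_REQCERT only governs certificate checking once TLS has been negotiated and does nothing to force TLS on.

```shell
#!/bin/sh
# Added example, not part of the original thread.  Sample file contents
# below are constructed for the demo; the check functions take any path.

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# Reduce a config file to "keyword value" lines: drop comments and blank
# lines, fold to lower case so URI/uri and TLS_REQCERT/tls_reqcert match.
normalize_conf() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | tr '[:upper:]' '[:lower:]'
}

# nss_ldap's /etc/ldap.conf.  The layout the post reports as working with
# nss_ldap-253-12: ldap:// URI plus "ssl start_tls" and "tls_checkpeer yes".
check_nss_ldap_conf() {
    conf=$(normalize_conf "$1")
    if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*uri[[:space:]]+ldaps://'; then
        echo "$1: ldaps:// URI (port 636); broken with nss_ldap-253-12, use ldap:// plus start_tls" >&2
        return 1
    fi
    if ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*ssl[[:space:]]+start_tls([[:space:]]|$)'; then
        echo "$1: no 'ssl start_tls'; NSS lookups go to port 389 in the clear" >&2
        return 1
    fi
    if ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*tls_checkpeer[[:space:]]+yes([[:space:]]|$)'; then
        echo "$1: no 'tls_checkpeer yes'; the server certificate is not verified" >&2
        return 1
    fi
    return 0
}

# OpenLDAP client /etc/openldap/ldap.conf (used by ldapsearch).
# TLS_REQCERT decides what happens to a bad server certificate once TLS is
# negotiated; it never forces TLS.  Only an ldaps:// URI encrypts every
# ldapsearch by default; with ldap:// the caller has to pass -ZZ.
check_openldap_conf() {
    conf=$(normalize_conf "$1")
    if ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*tls_reqcert[[:space:]]+demand([[:space:]]|$)'; then
        echo "$1: TLS_REQCERT is not 'demand'; a bad or missing server cert is tolerated" >&2
        return 1
    fi
    if ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*uri[[:space:]]+ldaps://'; then
        echo "$1: URI is not ldaps://; ldapsearch talks plaintext on 389 unless run with -ZZ" >&2
        return 2
    fi
    return 0
}

# Constructed nss_ldap config in the layout the post says works.
GOOD_NSS=$TMP/ldap.conf.good
cat > "$GOOD_NSS" <<'EOF'
# /etc/ldap.conf (nss_ldap), constructed sample
uri ldap://ldap.server
base dc=example,dc=com
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/ca.pem
nss_initgroups_ignoreusers root,ldap
EOF

# Constructed nss_ldap config in the layout that nss_ldap-253-12 broke on.
BAD_NSS=$TMP/ldap.conf.bad
cat > "$BAD_NSS" <<'EOF'
uri ldaps://ldap.server
base dc=example,dc=com
tls_checkpeer yes
EOF

# Constructed OpenLDAP client configs: ldaps:// URI versus plain ldap://,
# both with TLS_REQCERT demand as in the post.
OL_LDAPS=$TMP/openldap-ldap.conf.ldaps
cat > "$OL_LDAPS" <<'EOF'
URI ldaps://ldap.server
BASE dc=example,dc=com
TLS_REQCERT demand
TLS_CACERT /etc/openldap/cacerts/ca.pem
EOF

OL_PLAIN=$TMP/openldap-ldap.conf.plain
cat > "$OL_PLAIN" <<'EOF'
URI ldap://ldap.server
BASE dc=example,dc=com
TLS_REQCERT demand
EOF

# Demo run: a non-zero status (and a line on stderr) means the file needs fixing.
for f in "$GOOD_NSS" "$BAD_NSS"; do
    if check_nss_ldap_conf "$f"; then echo "OK: $f"; fi
done
for f in "$OL_LDAPS" "$OL_PLAIN"; do
    if check_openldap_conf "$f"; then echo "OK: $f"; fi
done
```

To audit a real box, source the script and point the functions at the live files (check_nss_ldap_conf /etc/ldap.conf; check_openldap_conf /etc/openldap/ldap.conf). For the ldap:// case the safe habit is ldapsearch -ZZ: -Z merely tries StartTLS, while -ZZ aborts the search if StartTLS cannot be negotiated, which is what keeps the query off port 389 in the clear.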
