On Fri, 23 Jan 2009, Olf Epler wrote:

Hello,

following the related parts of slapd.conf:

TLSCACertificateFile    /usr/etc/openldap/CA/cacert.pem
TLSCertificateFile      /usr/etc/openldap/CA/sacert.pem
TLSCertificateKeyFile   /usr/etc/openldap/CA/sackey.pem

The server runs as follows:

/usr/libexec/slapd -u ldap -h ldap:/// ldaps:///

Normally the port 389 (ldap:///) is closed.

and ldap.conf:

base            dc=organization,dc=com
uri             ldaps://ldap_server.organizatiom.com
sizelimit       0
bind_policy     soft
tls_cacert      /usr/etc/openldap/CA/cacert.pem
tls_checkpeer   yes

-> new
ssl             yes

The file cacert.pem is a self signed certificate I created
together with sacert.pem and the key file sakey.pem.

As I already wrote, exactly the same configuration works without
any problems on different installations, including SL-5.1.
Therefore it's not clear to me why I now have to set the port option,
since I use uri!

Regards, Olf Epler

The case I was thinking of was that the changelog of nss_ldap mentioned that 'port' in ldap.conf was previously being ignored, so a config mentioning it might work and then stop after the upgrade (from 5.1 to 5.2, say).

If you don't have port mentioned then it seems unlikely that is the issue.

Can you tell if the client is actually trying to connect to the ldap server - and if so check that it is doing so on the right address/port?

 -- Jon
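The check Jon asks for, written out as an added example that is not part of this thread: a small POSIX sh script that reads the uri line of an nss_ldap/OpenLDAP-style ldap.conf, works out which host and port the client will actually connect to, reports any separate port line, and can then probe that endpoint with openssl s_client using the configured CA file (the same validation tls_checkpeer yes enforces). The sample ldap.conf files, the hostname ldap.example.com and the LDAP_PROBE_CONF variable are constructed here for illustration; the precedence rule (an explicit port in the URI wins, otherwise the scheme default of 636 for ldaps and 389 for ldap) is an assumption of this script, and a separate port line is only reported, not applied, because whether it overrides the uri on a given nss_ldap version is exactly what the thread is unsure about.

```shell
#!/bin/sh
# Added diagnostic (not from the original thread): derive the LDAP endpoint
# from ldap.conf, then optionally verify the TLS endpoint against the CA.

# conf_value CONF KEY: print the first value of KEY (case-insensitive) in CONF.
conf_value() {
    awk -v k="$2" 'tolower($1)==k {print $2; exit}' "$1"
}

# ldap_target CONF: print "<host> <port> <scheme>" derived from the uri line.
# Assumption: explicit port in the URI wins, otherwise the scheme default.
# A separate 'port' line is deliberately not applied here (see lead-in).
# Bracketed IPv6 literals are not handled by this simple split.
ldap_target() {
    uri=$(conf_value "$1" uri)
    [ -n "$uri" ] || { echo "no uri line in $1" >&2; return 1; }
    scheme=${uri%%://*}
    hostport=${uri#*://}
    hostport=${hostport%%/*}
    case "$hostport" in
        *:*) host=${hostport%:*}; port=${hostport##*:} ;;
        *)   host=$hostport
             case "$scheme" in
                 ldaps) port=636 ;;
                 ldap)  port=389 ;;
                 *) echo "unknown scheme $scheme" >&2; return 1 ;;
             esac ;;
    esac
    echo "$host $port $scheme"
}

# tls_probe HOST PORT CAFILE: connect with openssl s_client and validate the
# server chain against CAFILE. -verify_return_error makes s_client fail on
# a chain that does not validate, which is what tls_checkpeer yes enforces.
# A "connect:" line in the output means nothing is listening on that port.
tls_probe() {
    openssl s_client -connect "$1:$2" -CAfile "$3" -verify_return_error \
        </dev/null 2>&1 | grep -E 'Verify return code|subject=|issuer=|connect:'
}

# Constructed sample configs (not real hosts), mirroring the thread's layout.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
base            dc=example,dc=com
uri             ldaps://ldap.example.com
tls_cacert      /usr/etc/openldap/CA/cacert.pem
tls_checkpeer   yes
ssl             yes
EOF
SAMPLE_CONF_PORT=$(mktemp)
cat >"$SAMPLE_CONF_PORT" <<'EOF'
uri             ldap://ldap.example.com:1389/
port            389
EOF
trap 'rm -f "$SAMPLE_CONF" "$SAMPLE_CONF_PORT"' EXIT

# Offline demonstration: report what each sample config resolves to.
for c in "$SAMPLE_CONF" "$SAMPLE_CONF_PORT"; do
    echo "target from $c: $(ldap_target "$c")"
    p=$(conf_value "$c" port)
    [ -n "$p" ] && echo "  note: separate port line present: $p"
done

# Live probe only when the caller points LDAP_PROBE_CONF at a real ldap.conf
# (hypothetical variable name; the probe needs network access to the server).
if [ -n "${LDAP_PROBE_CONF:-}" ]; then
    set -- $(ldap_target "$LDAP_PROBE_CONF")
    tls_probe "$1" "$2" "$(conf_value "$LDAP_PROBE_CONF" tls_cacert)"
fi
```

Run it with LDAP_PROBE_CONF=/etc/ldap.conf on the failing client: a "Verify return code: 0 (ok)" line means the CA file validates the server certificate on the port the uri resolves to, while a "connect:" error means the client is aiming at a port nothing listens on (for example 389 when slapd only serves ldaps:///), which is the symptom a stray port line would produce.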
