Hi,
don't forget either to
* add on the client workstation the CA certificate that signed the LDAP
server certificate to /etc/openldap/ldap.conf (TLS_CACERT parameter)
* or to disable the certificate check: ("TLS_REQCERT never")
You can easily test from the client whether it worked or not:
ldapsearch -x -H ldaps://your.ldap.server.example.com -b "" -s base
if the result of this command is the following error then you have not
configured the CA on the workstation correctly:
ldap_bind: Can't contact LDAP server (-1)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Otherwise you will have the DSE base attributes...
@+
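Added example (not from the thread): a small POSIX sh helper that reads an ldap.conf-style text and reports how the OpenLDAP client will treat the server certificate, so you can tell the "no CA configured" case (the verify-failed error above) apart from a config that has silently turned verification off. Config samples are constructed; the CA path in them is a placeholder.

```shell
#!/bin/sh
# Classify the client-side TLS verification policy of an OpenLDAP ldap.conf.
# Keys are case-insensitive, one "KEY value" per line, '#' starts a comment.
# TLS_REQCERT defaults to "demand" when absent.
# Output:
#   verify:<cafile>  cert is validated against TLS_CACERT (the fix from the mail)
#   fail:no-ca       validation required but no CA given -> ldapsearch fails
#                    with "certificate verify failed"
#   insecure:<mode>  never/allow: bad or missing certs are accepted (MITM risk)
ldap_tls_mode() {
    conf="$1"
    reqcert=$(printf '%s\n' "$conf" |
        awk 'toupper($1)=="TLS_REQCERT"{v=tolower($2)} END{print (v=="" ? "demand" : v)}')
    cacert=$(printf '%s\n' "$conf" |
        awk 'toupper($1)=="TLS_CACERT"||toupper($1)=="TLS_CACERTDIR"{v=$2} END{print v}')
    case "$reqcert" in
        never|allow) printf 'insecure:%s\n' "$reqcert" ;;
        # "try" still aborts on a bad cert, and a server always presents one,
        # so without a CA it fails just like demand/hard.
        try|demand|hard)
            if [ -n "$cacert" ]; then printf 'verify:%s\n' "$cacert"
            else printf 'fail:no-ca\n'; fi ;;
        *) printf 'unknown:%s\n' "$reqcert" ;;
    esac
}

# Live check from the client, same command as in the mail (not run here).
probe_ldaps() {
    ldapsearch -x -H "ldaps://$1" -b "" -s base
    echo "ldapsearch exit status: $?"
}

# Constructed sample configs (placeholder paths and host names).
CONF_NO_CA='BASE dc=example,dc=com
URI ldaps://your.ldap.server.example.com'
CONF_WITH_CA="$CONF_NO_CA
TLS_CACERT /etc/openldap/cacerts/ca.crt"
CONF_NEVER="$CONF_NO_CA
TLS_REQCERT never"
```

Running `ldap_tls_mode "$CONF_NO_CA"` prints `fail:no-ca`, the state that produces the error in the mail; `ldap_tls_mode "$CONF_NEVER"` prints `insecure:never`, which makes the error go away but also accepts any certificate.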
2012/7/25 Chaudhari, Rohit K. <[email protected]>
> Hello everyone,
>
> The setup is as follows. We have set up a server with 389 DS without DNS
> (hardcoded IP addresses in /etc/hosts) and created a CA certificate for
> distribution on servers and clients. The 389 client has been set up to
> allow users created on the server to authenticate against LDAP when logging
> in for the first time. However, this is failing.
>
> The server has 389 and a CA certificate.
> The client is given the CA certificate as certificate.asc. Then, we used
> authconfig-tui to configure the client to use LDAP authentication against
> the server using TLS/SSL.
>
> In regards to a previous thread, one had brought up that there might be
> issues using LDAP authentication with TLS if the server is set up without
> DNS and has IP addresses hard-coded in /etc/hosts. Does anyone have any
> suggestions as to why I am unable to log in against the server from my
> client machine. The user created in LDAP is given POSIX attributes so that
> if it's a user attempting to log in for the first time, it is able to do so
> (since POSIX attributes includes Group ID, UID, etc.)
>
> Thanks.
--
389-devel mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/389-devel