I have an OpenLDAP server running which I am trying to get to use SSL/TLS. It works without it, but it does not work when I switch on ssl/tls.
returns nothing from the ldap server, and the logs show:
Code:
Jun 12 13:23:22 myhost getent: nss_ldap: failed to bind to LDAP server ldaps://ldap.mydomain.com/: Can't contact LDAP server
Jun 12 13:23:22 myhost getent: nss_ldap: could not search LDAP server - Server is unavailable
Jun 12 13:23:22 myhost slapd[31771]: conn=9 fd=15 ACCEPT from IP=x.x.x.x:59963 (IP=0.0.0.0:636)
Jun 12 13:23:22 myhost slapd[31771]: conn=9 fd=15 closed (TLS negotiation failure)
I have set these options in ldap.conf for the nss/pam ldap modules
Code:
tls_checkpeer yes
tls_ciphers HIGH
ssl yes
tls_cacert /etc/openldap/cacerts/slapd.cert
and I have the following options in slapd.conf:
Code:
TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.cert
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
I don't think that increasing debugging in slapd will help as it looks like it's the client nss and pam ldap modules that are failing to verify the certificate. Setting
allows the getent to work, but of course this is insecure...
The cert file and pem file are there with the right permissions, and I am testing this from the same server that slapd is running from right now, so the cacert mentioned in the ldap.conf file is there on the local filesystem too and I copied it to the right path...
So my question is, how do I go about debugging this? I cannot see any more logging information or options to increase logging for the pam/nss modules... and I don't know much about openssl in general (I know I should but I've always hated it)
