Hi Susan,

I was using capital Z in the ldapsearch, I've uncommented "ssl on" in
/etc/ldap.conf
Still the same problem.

# ldapsearch -x -ZZ -h ldapserver -b 'dc=example,dc=com' '(uid=someuser)'
ldap_start_tls: Connect error (-11)
additional info: Start TLS request accepted.Server willing to negotiate SSL.

Any other thought?

Thanks again,
Jo
Is your client a Red Hat-based machine? If so, you can run system-config-authentication (or redhat-) and just fill in the fields. That'll modify all the necessary files for you, real easy. Then you can leave off the -h and -b flags and just run ldapsearch -x -ZZ, that should return everything.

--- Jo De Troy <jo.de.troy@gmail.com> wrote:
> Hi Susan,
>
> I was using capital Z in the ldapsearch, I've uncommented "ssl on" in
> /etc/ldap.conf
> Still the same problem.
> # ldapsearch -x -ZZ -h ldapserver -b 'dc=example,dc=com' '(uid=someuser)'
> ldap_start_tls: Connect error (-11)
> additional info: Start TLS request accepted.Server willing to
> negotiate SSL.
>
> Any other thought?
>
> Thanks again,
> Jo
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
Mark McLoughlin
2006-Jan-09 15:46 UTC
Re: [Fedora-directory-users] password history question
On Mon, 2006-01-09 at 15:53 +0100, Jo De Troy wrote:
> Hi Susan,
>
> I was using capital Z in the ldapsearch, I've uncommented "ssl on"
> in /etc/ldap.conf
> Still the same problem.
> # ldapsearch -x -ZZ -h ldapserver -b 'dc=example,dc=com'
> '(uid=someuser)'
> ldap_start_tls: Connect error (-11)
> additional info: Start TLS request accepted.Server willing to
> negotiate SSL.
>
> Any other thought?

A quick way to check whether TLS support is enabled in the server is to do something like:

  $> openssl s_client -showcerts -connect ldapserver:636

Once you've verified that much, then work on getting ldapsearch to work.

If it's the OpenLDAP utils you're using, then you want to modify /etc/openldap/ldap.conf - /etc/ldap.conf is used by nss-ldap and pam-ldap.

Also, use something like "ldapsearch -d 10" to get better error messages. You may find a problem like the server's certificate can't be verified because you haven't configured the utilities to trust the CA which issued it. You might need something like:

  TLS_CACERT /etc/pki/tls/cacert.pem

Cheers,
Mark.
Is this set: TLS_REQCERT allow in /etc/openldap/ldap.conf?

--- Jo De Troy <jo.de.troy@gmail.com> wrote:
> Hi Susan,
>
> I was using capital Z in the ldapsearch, I've uncommented "ssl on" in
> /etc/ldap.conf
> Still the same problem.
> # ldapsearch -x -ZZ -h ldapserver -b 'dc=example,dc=com' '(uid=someuser)'
> ldap_start_tls: Connect error (-11)
> additional info: Start TLS request accepted.Server willing to
> negotiate SSL.
>
> Any other thought?
>
> Thanks again,
> Jo
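The two client-side settings the replies above point at, TLS_CACERT (Mark) and TLS_REQCERT (Susan), decide what an OpenLDAP client does when it cannot verify the directory server's certificate. The script below is an added example, not code from the thread or from the Fedora Directory Server project: it builds a throwaway CA and server certificate offline with openssl(1), reproduces the "certificate can't be verified" case Mark describes (the client trusts the wrong CA), and models how each TLS_REQCERT value reacts to it, per ldap.conf(5). The CA and server names, the $WORK paths and the write_ldap_conf/client_accepts helpers are assumptions made for the example; only openssl(1) on the PATH is required.

```shell
#!/bin/sh
# Added example (not from the thread). Reproduces offline the failure Mark
# describes: the client does not trust the CA that issued the server's
# certificate. Assumes openssl(1) is installed; the CA/server names and the
# $WORK paths are made up for the example.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# make_pki: a throwaway CA, a server certificate signed by it, and an
# unrelated CA to stand in for "the CA the client happens to trust".
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Unrelated CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=ldapserver.example.com" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/server.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.pem" >/dev/null 2>&1
}

# verify_chain CAFILE CERT: exit 0 only if CERT chains to a CA in CAFILE.
# This is the check the OpenLDAP utilities make against TLS_CACERT.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# client_accepts REQCERT CAFILE CERT: model of ldap.conf(5) TLS_REQCERT
# when the server does present a certificate:
#   demand | hard | try : an unverifiable certificate aborts the session
#   allow  | never      : the session proceeds anyway, so anyone on the
#                         network path can present any certificate at all
client_accepts() {
  case "$1" in
    demand|hard|try) verify_chain "$2" "$3" ;;
    allow|never)     return 0 ;;
    *) echo "unknown TLS_REQCERT value: $1" >&2; return 2 ;;
  esac
}

# write_ldap_conf CAFILE REQCERT OUT: the client config Mark's advice leads
# to. /etc/openldap/ldap.conf is read by the OpenLDAP utilities;
# /etc/ldap.conf is nss_ldap/pam_ldap and does not affect ldapsearch.
write_ldap_conf() {
  cat >"$3" <<EOF
BASE        dc=example,dc=com
URI         ldap://ldapserver
TLS_CACERT  $1
TLS_REQCERT $2
EOF
}

# demo: show both outcomes with the wrong CA trusted. Run: sh this.sh demo
demo() {
  make_pki
  for policy in demand allow; do
    write_ldap_conf "$WORK/other.pem" "$policy" "$WORK/ldap.conf.$policy"
    if client_accepts "$policy" "$WORK/other.pem" "$WORK/server.pem"; then
      echo "TLS_REQCERT $policy: session proceeds although the CA is untrusted"
    else
      echo "TLS_REQCERT $policy: session aborted; point TLS_CACERT at $WORK/ca.pem"
    fi
  done
}
if [ "${1:-}" = demo ]; then demo; fi
```

With `demand` (the default) the fix is the one Mark gives, TLS_CACERT naming the issuing CA's certificate; `allow` makes the error disappear only by accepting any certificate. One further check: `openssl s_client -connect ldapserver:636` exercises LDAPS on its own port, while `ldapsearch -ZZ` negotiates STARTTLS on the plain LDAP port, which `openssl s_client -starttls ldap -connect ldapserver:389` tests directly on OpenSSL 1.1.1 and later.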