I had tried that as well. You seem to be going down the line of thought I had last night. :-) Not sure why, but I can't get it to work at all with LDAPNOINIT=true whether the ~/.ldaprc file exists or not. Regardless of whatever other options I throw at it, I always get:
$ LDAPNOINIT=true LDAPTLS_REQCERT=allow ldapsearch -LLL -x -H ldaps://server.domain.com -D "<SNIP>" -w <SNIP> -b dc=domain,dc=com uid=user ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) I also tried this variant, with TLS_REQCERT=allow defined in a custom rc file: $ LDAPNOINIT=true LDAPRC=.ldaprc-server ldapsearch -LLL -x -H ldaps://server.domain.com -D "<SNIP>" -w <SNIP> -b dc=domain,dc=com uid=user but, LDAPNOINIT prevents the custom file from being sourced as well (which, in this case, is probably to be expected). -- Jared On 10/09/2013 02:01 PM, Chad Scott wrote: > Try: > > LDAPNOINIT=true LDAPTLS_REQCERT=allow ldapsearch ... > > > On Wed, Oct 9, 2013 at 11:52 AM, Jared <[email protected] > <mailto:[email protected]>> wrote: > > Hi, Chad. Thanks for the suggestions. > > I actually did try your LDAPTLS_REQCERT=allow suggestion, but when the > existing ~/.ldaprc is in place (with the TLS_REQCERT=demand line), that > option seems to be ignored for some reason. I don't know why. > > To illustrate: > > $ cat ~/.ldaprc > TLS_CERT /home/ldap/certs/admin.crt > TLS_KEY /home/ldap/certs/admin.key > TLS_REQCERT demand > SASL_MECH external > > $ LDAPTLS_REQCERT=allow ldapsearch -LLL -x -H > ldaps://server.autozone.com <http://server.autozone.com> -D "<SNIP>" > -w <SNIP> -b dc=domain,dc=com > uid=user > ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) > > $ mv ~/.ldaprc ~/.ldaprc-old > > $ LDAPTLS_REQCERT=allow ldapsearch -LLL -x -H > ldaps://server.autozone.com <http://server.autozone.com> -D "<SNIP>" > -w <SNIP> -b dc=domain,dc=com > uid=user > dn: uid=user,ou=people,dc=domain,dc=com > uid: user > <SNIP> > > It seems like the ~/.ldaprc file is overriding what I specify on the > command line, but as I mentioned before, I *have* to have that global > configuration there for all of the other LDAP server this account > interacts with. > > Likewise, I did try messing with the LDAPRC variable. I actually > mentioned that in my original post: > > * Creating a separate ~/.ldaprc-server file and exporting > LDAPRC=.ldaprc-server - in this case, both ~/.ldaprc AND > ~/.ldaprc-server are sourced (found using strace), so again my > host-specific settings are ignored. > > I'd consider that a bug in ldapsearch - if I'm explicitly defining > LDAPRC, I'd expect it to ready that file *instead* of ~/.ldaprc, but it > actually reads it *in addition* to ~/.ldaprc, which I discovered by > examining strace output. There may be some cases where this behavior is > desired, but in this case, it causes my global configuration to > (apparently) again take precedence, overriding the TLS_REQCERT=allow > setting. > > Any other suggestions? > > -- > Jared > > On 10/09/2013 01:26 PM, Chad Scott wrote: > > Set environment variables. > > > > export LDAPTLS_REQCERT=allow > > > > or > > > > LDAPTLS_REQCERT=allow ldapsearch ... > > > > If neither of those work, specify a specific LDAPRC with: > > > > export LDAPRC=somefile.conf > > > > or > > > > LDAPRC=somefile.conf ldapsearch ... > > > > > > On Wed, Oct 9, 2013 at 11:12 AM, Jared <[email protected] > <mailto:[email protected]> > > <mailto:[email protected] <mailto:[email protected]>>> wrote: > > > > but I can. As I mentioned in my original post, adding this to > ~/.ldaprc > > or /etc/openldap/ldap.conf makes ldapsearch work perfectly fine: > > > > HOST server.domain.com <http://server.domain.com> > <http://server.domain.com> > > PORT 636 > > TLS_REQCERT allow > > > > The problem is with applying this configuration to the one > host while > > still setting my default configuration for SASL certificate-based > > authentication to everything else. How do I do that? > > > > or, to ask the question differently, forget the fact that I'm > dealing > > with an invalid cert. There's no need to to get hung up on > that detail. > > I have one ldaprc configuration that I need to define for a > host, and a > > default ldaprc configuration I need to define for all other > hosts. How > > do I make them work together? > > > > -- > > Jared > > > > On 10/09/2013 01:06 PM, Michael Ströder wrote: > > > Jared wrote: > > >> expired and self-signed. > > > > > > You cannot work around expired certs. But in case of self-signed > > certs you can > > > put them into trusted CA certs file. > > > > > > Ciao, Michael. > > > > > > > > >
