... but TLS_REQCERT never in the client confs helps, but makes me wonder:

$ man ldap.conf

    TLS_REQCERT <level>
        never   The client will not request or check any server certificate.

This probably should not be the case. Previously <allow> has worked, which is still a bit dubious:

    allow   The server certificate is requested. If no certificate is
            provided, the session proceeds normally. If a bad certificate is
            provided, it will be ignored and the session proceeds normally.

Is there any way to make it work with <try>, for example?

This is not a major thing, and thanks for your help in pointing out the obvious problem. :) Shouldn't trust an old config, I guess. :)

For the sake of documentation, here are the client confs:

$ cat /etc/ldap/ldap.conf
    #
    # LDAP Defaults
    #
    # See ldap.conf(5) for details
    # This file should be world readable but not world writable.

    URI     ldaps://127.0.0.1/
    BASE    dc=nnn,dc=nnn
    TLS_REQCERT never

$ cat /etc/ldap.conf
    base dc=nnn,dc=nnn
    uri ldaps://127.0.0.1/
    timelimit 120
    bind_timelimit 120
    idle_timelimit 3600
    ssl on
    pam_password exop
    bind_policy soft
    TLS_CACERTFILE /etc/pki/tls/certs/ca.nnn.nnn.crt
    TLS_REQCERT never

Any comments on those? I've also dabbled with the nss_initgroups_ignoreusers parameter, but don't have any conclusive results on that.

--
slapd + gnutls fails
https://bugs.launchpad.net/bugs/217159
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openldap2.3 in ubuntu.

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
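The client configs quoted above set TLS_REQCERT to never, which is what makes the handshake "work": the client stops checking who it is talking to, so any host that answers on the socket is accepted. The following audit script is an added example, not part of the bug report or of OpenLDAP; it walks a client config in the "KEY value" style of both files shown (the OpenLDAP /etc/ldap/ldap.conf and the pam_ldap/nss_ldap /etc/ldap.conf), reports the effective certificate policy, and returns non-zero when the policy would accept a missing or bad server certificate or when demand is requested without any trust anchor. The function names, the sample hostname ldap.example.internal in the usage note, and the treatment of tls_checkpeer as the pam_ldap/nss_ldap spelling of the same knob are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report, not OpenLDAP code): audit an
# LDAP client config for TLS settings that disable server certificate
# verification. Handles "KEY value" lines with '#' comments, as used by
# /etc/ldap/ldap.conf (libldap) and /etc/ldap.conf (pam_ldap/nss_ldap).

# reqcert_is_safe LEVEL -> 0 when the level refuses to continue without a
# valid server certificate, 1 otherwise. Per ldap.conf(5), only demand
# (the libldap default) and its alias hard do that; never, allow and try
# all let a session proceed when the server offers no certificate.
reqcert_is_safe() {
    case $(printf '%s' "$1" | tr '[:upper:]' '[:lower:]') in
        demand|hard) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_ldap_conf FILE -> prints findings; exits 0 when the file verifies
# the server certificate, 1 when it does not. The body runs in a subshell
# so its variables stay local (POSIX sh has no 'local').
audit_ldap_conf() (
    set -f                      # no globbing while splitting config lines
    conf=$1
    reqcert=""
    trust=""
    uri=""
    rc=0

    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line            # split "KEY value", tolerating indentation
        if [ $# -eq 0 ]; then continue; fi
        case $1 in '#'*) continue ;; esac
        key=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
        val=$2
        case $key in
            TLS_REQCERT) reqcert=$val ;;
            # tls_checkpeer yes|no is assumed here to be the pam_ldap/nss_ldap
            # equivalent of TLS_REQCERT demand|never.
            TLS_CHECKPEER)
                case $(printf '%s' "$val" | tr '[:upper:]' '[:lower:]') in
                    yes|true|on) reqcert=demand ;;
                    *) reqcert=never ;;
                esac ;;
            TLS_CACERT|TLS_CACERTFILE|TLS_CACERTDIR) trust="$key $val" ;;
            URI) uri=$val ;;
        esac
    done < "$conf"

    if [ -z "$reqcert" ]; then
        printf '%s: TLS_REQCERT not set; libldap defaults to demand\n' "$conf"
        reqcert=demand
    fi

    if reqcert_is_safe "$reqcert"; then
        printf '%s: TLS_REQCERT %s verifies the server certificate\n' "$conf" "$reqcert"
        if [ -z "$trust" ]; then
            # demand with nothing to verify against fails every handshake,
            # which is the usual reason people retreat to allow/never.
            printf '%s: no TLS_CACERT/TLS_CACERTFILE/TLS_CACERTDIR; demand cannot build a chain and the handshake will fail\n' "$conf"
            rc=1
        fi
    else
        printf '%s: WEAK - TLS_REQCERT %s accepts a missing or bad server certificate (active MITM goes unnoticed)\n' "$conf" "$reqcert"
        rc=1
    fi

    case $uri in
        ldaps://127.0.0.1*|ldaps://localhost*)
            printf '%s: NOTE - with demand the name in "%s" must match the server certificate (CN or subjectAltName)\n' "$conf" "$uri" ;;
    esac
    exit $rc
)
```

Run it as `audit_ldap_conf /etc/ldap/ldap.conf; audit_ldap_conf /etc/ldap.conf`. Against the two files quoted above it flags both as WEAK. The fix is to restore TLS_REQCERT demand (or simply delete the line, since demand is the default), keep the TLS_CACERT line pointing at ca.nnn.nnn.crt in /etc/ldap/ldap.conf as well, and use a URI whose hostname matches the server certificate, for example ldaps://ldap.example.internal/ (hostname assumed), rather than 127.0.0.1, since demand also checks the name in the URI against the certificate. Switching to try, as asked above, is not a real improvement: it rejects a bad certificate but still proceeds when the server presents none at all, so an interposed endpoint that simply omits a certificate is accepted.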