I knew I should have mentioned that. The /etc/openldap/ldap.conf has the same entry:

    TLS_CACERTDIR /etc/openldap/cacerts/cacert.asc
    TLS_REQCERT allow

However, I did notice that I was using CACERTDIR instead of CACERT to point at the file. Now I have:

    TLS_CACERT /etc/openldap/cacerts/cacert.asc

I now get a message which seems to be progress but is still failing: that the hostname did not match the cert name, and I was giving the IP as the hostname. I changed the host line in /etc/ldap.conf and /etc/openldap/ldap.conf to read the FQDN instead of IP addresses, and now no more problems.

Thanks for making me look at it again so I noticed my error.

From: 389-users-boun...@lists.fedoraproject.org [mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Angel Bosch Mora
Sent: Tuesday, October 04, 2011 10:12 AM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Start TLS request accepted. Server willing to negotiate SSL

/etc/ldap.conf is not the same as /etc/openldap/ldap.conf; it seems that you're missing the second one.

________________________________

While attempting to change a directory password I keep getting this message:

    [root@xxx ~]# ldappasswd -x -ZZ -D "cn=directory manager" -w "mypass" "uid=se253264,ou=people,dc=xxx,dc=cle,dc=us" -a "oldpass" -s "newpass"
    ldap_start_tls: Connect error (-11)
            additional info: Start TLS request accepted. Server willing to negotiate SSL.

In researching this I found to add -d 1 for additional debugging information and found this, which is probably relevant:

    TLS: could not load client CA list (file:`',dir:`/etc/openldap/cacerts/cacert.asc').
    TLS: error:0200A014:system library:opendir:Not a directory ssl_cert.c:816
    TLS: error:140D7002:SSL routines:SSL_add_dir_cert_subjects_to_stack:system lib ssl_cert.c:818
    ldap_perror

I do have the following in my /etc/ldap.conf file:

    ssl yes
    tls_cacertdir /etc/openldap/cacerts
    TLS_REQCERT allow
    pam_password exop

And the cacert.asc does exist in that directory.

This is the cacert.asc that was created during setup of this machine using the setupssl.sh script, and I copied it to the requested directory. I am not seeing anything additional on the HowtoSSL page and realize that TLS is necessary for the password change function. Thanks for any help you may have. I am also under the impression I am supposed to copy the cacert.asc to each client machine so they can authenticate against the cert. Is this true also?

David Hoskinson | DATATRAK International
Systems Engineer
Mayfield Heights, Ohio, USA
+1.440.443.0082 x 124 (p) | +1.216.280.5457 (m)
david.hoskin...@datatrak.net | www.datatrak.net

--
389 users mailing list
389-us...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
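A small check, added here as an example and not taken from the thread or from the 389/OpenLDAP projects, for the two mistakes diagnosed above: a TLS_CACERTDIR that points at a file rather than a directory (TLS_CACERT is the keyword for a single file), and a host or URI entry given as an IP address, which cannot match the name in the server certificate. The config files and certificate placeholder it creates are constructed samples, and the paths under $tmp are assumptions for the demo only.

```shell
# Report two ldap.conf mistakes from the thread: TLS_CACERTDIR pointing at a file
# (TLS_CACERT is the single-file keyword) and a host/URI given as an IPv4 address,
# which cannot match the FQDN in the server certificate. Returns the number of findings.
check_ldap_tls_conf() {
    conf="$1"
    findings=0
    while read -r key val _; do
        case "$key" in ''|'#'*) continue ;; esac
        ukey=$(printf '%s' "$key" | tr '[:lower:]' '[:upper:]')   # keywords are case-insensitive
        case "$ukey" in
            TLS_CACERTDIR)
                if [ ! -d "$val" ]; then
                    echo "TLS_CACERTDIR '$val' is not a directory; use TLS_CACERT for a single file"
                    findings=$((findings + 1))
                fi ;;
            TLS_CACERT)
                if [ ! -f "$val" ]; then
                    echo "TLS_CACERT '$val' is not a file"
                    findings=$((findings + 1))
                fi ;;
            HOST|URI)
                h=${val#*://}; h=${h%%[/:]*}       # strip ldap:// scheme, port and path
                case "$h" in
                    *[!0-9.]*) ;;                   # contains letters: treat as a hostname
                    *) echo "host '$h' is an IP address; use the FQDN named in the server cert"
                       findings=$((findings + 1)) ;;
                esac ;;
        esac
    done < "$conf"
    return "$findings"
}

# Constructed samples (not the poster's real files): the thread's broken config and a
# corrected one. $tmp is an assumption for this demo only.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
mkdir -p "$tmp/cacerts"
printf 'constructed placeholder, not a real certificate\n' > "$tmp/cacerts/cacert.asc"
cat > "$tmp/ldap.conf.broken" <<EOF
host 192.0.2.10
TLS_CACERTDIR $tmp/cacerts/cacert.asc
TLS_REQCERT allow
EOF
cat > "$tmp/ldap.conf.fixed" <<EOF
host ldap.example.test
TLS_CACERT $tmp/cacerts/cacert.asc
TLS_REQCERT demand
EOF
n=0; check_ldap_tls_conf "$tmp/ldap.conf.broken" || n=$?; echo "broken config: $n finding(s)"
n=0; check_ldap_tls_conf "$tmp/ldap.conf.fixed" || n=$?; echo "fixed config: $n finding(s)"
```

The corrected sample uses TLS_REQCERT demand rather than the thread's allow, so the client refuses a server certificate it cannot verify; that choice is mine, not the poster's.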