[sudo-users] odd problems with ldap + ssl

Russell Van Tassell russell+sudo-users at loosenut.com
Tue Nov 22 20:18:05 EST 2005

On Tue, Nov 22, 2005 at 03:18:08PM -0800, Jeff wrote:
> > > URI ldaps://barium
> > 
> > ...you might want to fully qualify the URI.  Some resolvers 
> > can be a bit of a pain with their search path or whatever...  
> > it would also be helpful to note if you have any other LDAP 
> > clients working on the same machine.
> In my real config file it is fully resolved.
> Note that I forgot to mention that if I set my LDAP server
> to allow non-encrypted connections and change the above URI
> to: 
> ldap://barium
> it works!

Sounds like it might be a SSL problem, perhaps as simple as not having
the trust relationship with your CA (for the self-signed certificate);
basically the equivalent of always needing the intermediary cert for any
of the "well-known" certificate authorities (eg. Verisign).  You might
try establishing an SSL connection to it to see if there are any obvious
errors.  Something like:

	openssl s_client -connect your.machine.domain.tld:636 -crlf

Of course, compare that with a "known working" one, if you can...


Russell M. Van Tassell
russell at loosenut.com

"If you don't have a PhD in rocket science, then you probably won't
 understand this.."

More information about the sudo-users mailing list