[389-users] Start TLS request accepted. Server willing to negotiate SSL

David Hoskinson david.hoskinson at datatrak.net
Tue Oct 4 13:16:23 UTC 2011


While attempting to change a directory password I keep getting this message...

[root at xxx ~]# ldappasswd -x -ZZ -D "cn=directory manager" -w "mypass" "uid=se253264,ou=people,dc=xxx,dc=cle,dc=us" -a "oldpass" -s "newpass"
ldap_start_tls: Connect error (-11)
        additional info: Start TLS request accepted.Server willing to negotiate SSL.

In researching this I found that adding -d1 gives additional debugging information, and found this, which is probably relevant:

TLS: could not load client CA list (file:`',dir:`/etc/openldap/cacerts/cacert.asc').
TLS: error:0200A014:system library:opendir:Not a directory ssl_cert.c:816
TLS: error:140D7002:SSL routines:SSL_add_dir_cert_subjects_to_stack:system lib ssl_cert.c:818
ldap_perror

I do have the following in my /etc/ldap.conf file
ssl yes
tls_cacertdir /etc/openldap/cacerts
TLS_REQCERT allow
pam_password exop

And the cacert.asc does exist in that directory.  This is the cacert.asc that was created during setup of this machine using the setupssl.sh script and I copied it to the requested directory.  I am not seeing anything additional on the HowtoSSL page and realize that TLS is necessary for the password change function.

Thanks for any help you may have.  I am also under the impression I am supposed to copy the cacert.asc to each client machine so they can authenticate against the cert.  Is this true also?
David Hoskinson | DATATRAK International
Systems Engineer
Mayfield Heights, Ohio, USA
+1.440.443.0082 x 124 (p) | +1.216.280.5457 (m)
david.hoskinson at datatrak.net | www.datatrak.net
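An added example (not code from the original post or from 389-ds) for checking the client-side TLS settings behind the debug output above. Two things are worth knowing: the OpenLDAP command-line tools (ldappasswd, ldapsearch) take their TLS settings from /etc/openldap/ldap.conf, ~/.ldaprc or LDAPTLS_* environment variables, not from the nss/pam /etc/ldap.conf quoted in the post; and the debug line reports dir:`/etc/openldap/cacerts/cacert.asc`, i.e. the client was handed a file where a directory keyword (TLS_CACERTDIR) was expected, which is exactly what produces "opendir: Not a directory". The script below reads an ldap.conf-style file, fails if TLS_CACERTDIR is not a directory, if a CA directory has no OpenSSL hash links (without them nothing is loaded), or if TLS_REQCERT is never/allow/try, which lets the client continue when the server certificate cannot be verified. All paths, file names and certificate contents it creates are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post or from the 389-ds project.
# Sanity-checks the TLS keywords an OpenLDAP client reads from an
# ldap.conf-style file.  Fixture paths and certificate bytes are constructed.

# check_ldap_tls_conf CONFFILE
# Prints one line per finding; returns 0 if the CA settings are usable and
# the server certificate is enforced, 1 otherwise.
check_ldap_tls_conf() {
    conf=$1
    rc=0
    # ldap.conf keywords are case-insensitive; '#' starts a comment line
    cacert=$(awk '$1 !~ /^#/ && toupper($1)=="TLS_CACERT" {print $2}' "$conf")
    cacertdir=$(awk '$1 !~ /^#/ && toupper($1)=="TLS_CACERTDIR" {print $2}' "$conf")
    reqcert=$(awk '$1 !~ /^#/ && toupper($1)=="TLS_REQCERT" {print tolower($2)}' "$conf")

    if [ -n "$cacert" ] && [ ! -f "$cacert" ]; then
        echo "BAD  TLS_CACERT $cacert is not a regular file"
        rc=1
    fi
    if [ -n "$cacertdir" ]; then
        if [ ! -d "$cacertdir" ]; then
            # the failure mode in the post: a file given to the directory keyword
            echo "BAD  TLS_CACERTDIR $cacertdir is not a directory (a single CA file belongs in TLS_CACERT)"
            rc=1
        elif ! ls "$cacertdir" | grep -q '^[0-9a-f]\{8\}\.[0-9]$'; then
            # OpenSSL only loads <subject-hash>.N entries from a CA directory
            echo "BAD  TLS_CACERTDIR $cacertdir has no hash links; run: openssl rehash $cacertdir"
            rc=1
        fi
    fi
    if [ -z "$cacert" ] && [ -z "$cacertdir" ]; then
        echo "BAD  neither TLS_CACERT nor TLS_CACERTDIR is set; the server certificate cannot be verified"
        rc=1
    fi
    # demand (alias hard) is the only value that fails the connection on a bad cert
    case "${reqcert:-demand}" in
        demand|hard) ;;
        *) echo "BAD  TLS_REQCERT $reqcert does not enforce the server certificate (use demand)"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK   $conf"
    return "$rc"
}

# make_fixtures DIR
# Writes a fake CA file, a hashed CA directory, a broken client config that
# mirrors the post (directory keyword pointed at the file, TLS_REQCERT allow)
# and a fixed one.  Everything here is constructed demo data.
make_fixtures() {
    base=$1
    mkdir -p "$base/cacerts"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBconstructedfakecertificatebody' \
        '-----END CERTIFICATE-----' > "$base/cacerts/cacert.asc"
    # what "openssl rehash" would create: <subject-hash>.0 -> cacert.asc
    ln -sf cacert.asc "$base/cacerts/a1b2c3d4.0"
    cat > "$base/ldap.conf.broken" <<EOF
TLS_CACERTDIR $base/cacerts/cacert.asc
TLS_REQCERT allow
EOF
    cat > "$base/ldap.conf.fixed" <<EOF
TLS_CACERT $base/cacerts/cacert.asc
TLS_REQCERT demand
EOF
}

# Demo: run the check against both constructed configs.
tmp=$(mktemp -d)
make_fixtures "$tmp"
check_ldap_tls_conf "$tmp/ldap.conf.broken" || true
check_ldap_tls_conf "$tmp/ldap.conf.fixed"
rm -rf "$tmp"
```

To use it on a real host, run `check_ldap_tls_conf /etc/openldap/ldap.conf` (and any ~/.ldaprc), and remember that `LDAPTLS_CACERT`/`LDAPTLS_CACERTDIR` in the environment override the file. Copying the CA certificate to each client is indeed what lets a client verify the server, but only if TLS_REQCERT is left at demand; with allow the copy is decorative.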


