[389-users] Stumped - SSL works for auth, sudo, etc, but fails for ldap user cronjobs
Carsten Grzemba
grzemba at contac-dt.de
Thu Jul 19 13:34:17 UTC 2012
Hi,
what kind of certificate do you use, selfsigned? Are the certificates signed by the same CA?
Am 18.07.12, schrieb David Nguyen <d_k_nguyen at yahoo.com>:
> Hi all,
>
> I have a strange one. My current setup is working perfectly. client1
> is able to connect to ldap-server1 via SSL and everything is working
> correctly. I then had a need to add another ldap server (ldap-server2)
> as a multi-master replica and everything is working (user auth, sudo
> via ldap users, ldapsearch, openssl, etc) except cronjobs for users
> served out of ldap fail to run.
>
> I can see this in the error log on ldap-server2:
>
> [18/Jul/2012:11:18:00 -0700] - PR_Recv for connection 467 returns
> -12195 (Peer does not recognize and trust the CA that issued your
> certificate.)
>
> If I set /etc/ldap.conf to not use SSL (URI ldap://fqdn vs URI
> ldaps://fqdn:636), the cronjobs fire just fine.
>
> So it appears as though there is an SSL cert issue, but I'm stumped
> because all of the other services that use ldap on client1 work except
> cron jobs (root cron fires fine as expected since nsswitch is set to
> files then ldap).
>
> If I replace the URI string in /etc/ldap.conf to point at
> ldap-server1, cron starts working.
>
> Both ldap-server1 and ldap-server2 are using running the same OS and
> kernel version (RHEL5) as well as the same version of 389 DS
> (389-ds-1.2.1-1.el5).
>
> Any ideas as to what could be causing this problem? Here is the
> /etc/ldap.conf on client1 if it matters:
>
> ====== begin /etc/ldap.conf =======
> URI ldaps://ops-ldap006.svale.netledger.com:636
> base dc=netsuite,dc=com
>
> timelimit 10
> bind_policy soft
> nss_reconnect_tries 3
> bind_timelimit 6
> idle_timelimit 30
> sudoers_base ou=SUDOers,dc=netsuite,dc=com
> sudoers_debug 0
>
> ##ssl start_tls
> TLS_CACERT /etc/openldap/cacerts/ca.crt
> TLS_CACERTFILE /etc/openldap/cacerts/ca.crt
> TLS_REQCERT demand
> pam_lookup_policy yes
> pam_password exop
>
> nss_initgroups_ignoreusers root,named,avahi,haldaemon,dbus,gdm,postfix,puppet
>
> ====== end /etc/ldap.conf =======
>
>
>
>
> Thanks in advance,
> David
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
--
Carsten Grzemba
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20120719/4761b8b2/attachment.html>
More information about the 389-users
mailing list