Anyone with pam_ldap/nss_ldap against ldaps working?

Albert Chin freebsd-ports at mlists.thewrittenword.com
Fri Apr 13 20:12:43 UTC 2007


On Fri, Apr 13, 2007 at 02:23:26PM -0500, Albert Chin wrote:
> I have configured the latest pam_ldap/nss_ldap on FreeBSD 6-STABLE.
> I have /usr/local/etc/nss_ldap.conf and /usr/local/etc/ldap.conf
> hard linked. Everything works fine with:
>   uri ldap://ldap.il.thewrittenword.com
>   base ou=users,dc=thewrittenword,dc=com
>   ldap_version 3
>   rootbinddn cn=Manager,dc=thewrittenword,dc=com
>   pam_filter objectclass=posixAccount
>   pam_login_attribute uid
>   pam_member_attribute uniquemember
>   pam_min_uid 1000
>   pam_password exop
>   nss_base_passwd ou=users,dc=thewrittenword,dc=com?one
>   nss_base_shadow ou=users,dc=thewrittenword,dc=com?one
>   nss_base_group ou=groups,dc=thewrittenword,dc=com?one
>   timelimit 10
>   bind_timelimit 10
> and:
>   uri ldap://ldap.il.thewrittenword.com
>   base ou=users,dc=thewrittenword,dc=com
>   ldap_version 3
>   rootbinddn cn=Manager,dc=thewrittenword,dc=com
>   pam_filter objectclass=posixAccount
>   pam_login_attribute uid
>   pam_member_attribute uniquemember
>   pam_min_uid 1000
>   pam_password exop
>   nss_base_passwd ou=users,dc=thewrittenword,dc=com?one
>   nss_base_shadow ou=users,dc=thewrittenword,dc=com?one
>   nss_base_group ou=groups,dc=thewrittenword,dc=com?one
>   ssl start_tls
>   tls_checkpeer yes
>   tls_cacertfile <path to crt>
>   timelimit 10
>   bind_timelimit 10
> 
> But this doesn't work:
>   uri ldaps://ldap.il.thewrittenword.com
>   base ou=users,dc=thewrittenword,dc=com
>   ldap_version 3
>   rootbinddn cn=Manager,dc=thewrittenword,dc=com
>   pam_filter objectclass=posixAccount
>   pam_login_attribute uid
>   pam_member_attribute uniquemember
>   pam_min_uid 1000
>   pam_password exop
>   nss_base_passwd ou=users,dc=thewrittenword,dc=com?one
>   nss_base_shadow ou=users,dc=thewrittenword,dc=com?one
>   nss_base_group ou=groups,dc=thewrittenword,dc=com?one
>   tls_checkpeer yes
>   tls_cacertfile <path to crt>
>   timelimit 10
>   bind_timelimit 10

Ok, found the problem. "ssl on" was required.

-- 
albert chin (china at thewrittenword.com)
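A small configuration linter for the mismatch this thread resolves, added here as an example (it is not code from the post or from the nss_ldap/pam_ldap projects). It parses the `key value` format of `ldap.conf`/`nss_ldap.conf` and flags a `ldaps://` URI that lacks `ssl on`, a `ssl start_tls` directive paired with `ldaps://`, and TLS use without `tls_checkpeer yes` or a trust anchor. The four sample configurations are constructed from the three in the post plus the corrected `ldaps://` variant; the certificate path is the post's own placeholder.

```python
"""Lint nss_ldap/pam_ldap-style configuration for TLS/ldaps consistency.

Added example, not code from the mailing-list post or the nss_ldap project.
Sample configurations below are constructed from the post; '<path to crt>'
is a placeholder, not a real file.
"""
from __future__ import annotations


def parse_ldap_conf(text: str) -> dict[str, list[str]]:
    """Parse 'key value' lines. Keys are case-insensitive, '#' starts a
    comment, and a repeated key keeps every value (e.g. several 'uri' lines)."""
    conf: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


def lint_tls(conf: dict[str, list[str]]) -> list[str]:
    """Return findings about the TLS settings; an empty list means consistent."""
    findings: list[str] = []
    # 'uri' may carry several space-separated URIs on one line or across lines.
    uris = " ".join(conf.get("uri", [])).split()
    schemes = {u.split("://", 1)[0].lower() for u in uris if "://" in u}
    # nss_ldap's 'ssl' takes on / off / start_tls; the last occurrence wins.
    ssl = conf.get("ssl", ["off"])[-1].lower()
    uses_tls = ssl in ("on", "start_tls") or "ldaps" in schemes

    if "ldaps" in schemes and ssl != "on":
        findings.append("ldaps:// URI without 'ssl on' (the fix found in the thread)")
    if ssl == "start_tls" and "ldaps" in schemes:
        findings.append("'ssl start_tls' with a ldaps:// URI: StartTLS belongs with ldap://")
    if ssl == "on" and schemes and "ldaps" not in schemes:
        findings.append("'ssl on' with a ldap:// URI: scheme and ssl setting disagree")
    if uses_tls:
        if conf.get("tls_checkpeer", ["no"])[-1].lower() != "yes":
            findings.append("TLS in use but tls_checkpeer is not 'yes': server cert unverified")
        if not conf.get("tls_cacertfile") and not conf.get("tls_cacertdir"):
            findings.append("TLS in use but no tls_cacertfile/tls_cacertdir trust anchor")
    elif schemes:
        findings.append("no TLS: bind credentials and directory data travel in clear text")
    return findings


_COMMON = """
base ou=users,dc=thewrittenword,dc=com
ldap_version 3
rootbinddn cn=Manager,dc=thewrittenword,dc=com
pam_filter objectclass=posixAccount
pam_login_attribute uid
nss_base_passwd ou=users,dc=thewrittenword,dc=com?one
timelimit 10
bind_timelimit 10
"""

# Constructed from the post: plain, StartTLS, the failing ldaps, and the fix.
SAMPLE_CONFIGS = {
    "plain": "uri ldap://ldap.il.thewrittenword.com\n" + _COMMON,
    "start_tls": ("uri ldap://ldap.il.thewrittenword.com\nssl start_tls\n"
                  "tls_checkpeer yes\ntls_cacertfile <path to crt>\n" + _COMMON),
    "ldaps_broken": ("uri ldaps://ldap.il.thewrittenword.com\n"
                     "tls_checkpeer yes\ntls_cacertfile <path to crt>\n" + _COMMON),
    "ldaps_fixed": ("uri ldaps://ldap.il.thewrittenword.com\nssl on\n"
                    "tls_checkpeer yes\ntls_cacertfile <path to crt>\n" + _COMMON),
}


def lint_all(configs: dict[str, str] = SAMPLE_CONFIGS) -> dict[str, list[str]]:
    """Lint every named configuration and return findings per name."""
    return {name: lint_tls(parse_ldap_conf(text)) for name, text in configs.items()}


if __name__ == "__main__":
    for name, findings in lint_all().items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Run it as a script to see each sample judged; the `plain` configuration is reported only for sending credentials in the clear, `ldaps_broken` reproduces the post's failing case, and the two TLS-complete variants pass.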
