I knew I should have mentioned that. The /etc/openldap/ldap.conf has the same entry
However I did notice that I was using CACERTDIR instead of CACERT to point at the file…
Now I have
I now got this message, which seemed to be progress but was still failing: that the hostname did
not match the cert name, and it was giving the IP as the hostname. Changed the host line in
/etc/ldap.conf and /etc/openldap/ldap.conf to read the FQDN instead of IP addresses and now no
Thanks for making me look at it again so I noticed my error.
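As an added example (not part of this thread or of 389 DS), a small POSIX shell check for the two misconfigurations worked through above: TLS_CACERTDIR pointing at a file rather than a directory, and HOST/URI naming an IP address that cannot match the certificate's hostname. It assumes the OpenLDAP spelling of the keys (TLS_CACERT, TLS_CACERTDIR, HOST, URI) and uses constructed sample configs written to a temporary directory.

```shell
# Added example, not from the thread: lint an OpenLDAP client ldap.conf for the two
# mistakes diagnosed above: TLS_CACERTDIR pointing at a file instead of a directory
# (the "opendir: Not a directory" error) and HOST/URI naming an IP address, which
# cannot match the hostname in the server certificate. Sample configs are constructed.
DEMO=$(mktemp -d)
printf 'placeholder CA certificate\n' > "$DEMO/cacert.asc"
# Constructed config reproducing the misconfiguration from the thread.
cat > "$DEMO/bad.conf" <<EOF
HOST 192.0.2.10
BASE dc=example,dc=com
TLS_CACERTDIR $DEMO/cacert.asc
EOF
# Constructed config with the fixes applied: an FQDN, and TLS_CACERT for a file.
cat > "$DEMO/good.conf" <<EOF
URI ldap://ldap.example.com:389/
BASE dc=example,dc=com
TLS_CACERT $DEMO/cacert.asc
EOF
# lint_ldap_conf FILE: print one line per problem; return 0 when clean, 1 otherwise.
lint_ldap_conf() {
    conf=$1
    status=0
    while read -r key value; do
        case "$key" in
            TLS_CACERTDIR)
                if [ ! -d "$value" ]; then
                    echo "TLS_CACERTDIR $value is not a directory; use TLS_CACERT for a file"
                    status=1
                fi ;;
            TLS_CACERT)
                if [ ! -f "$value" ]; then
                    echo "TLS_CACERT $value is not a readable file"
                    status=1
                fi ;;
            HOST|URI)
                # Strip an ldap:// or ldaps:// scheme, trailing path and port.
                host=${value#*://}; host=${host%%/*}; host=${host%%:*}
                case "$host" in
                    *[!0-9.]*) ;;  # contains a letter: treat as a hostname
                    *) echo "$key $value uses an IP address; use the FQDN in the certificate"
                       status=1 ;;
                esac ;;
        esac
    done < "$conf"
    return $status
}

lint_ldap_conf "$DEMO/bad.conf" || echo "bad.conf: problems found (expected)"
lint_ldap_conf "$DEMO/good.conf" && echo "good.conf: clean"
```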
[mailto:firstname.lastname@example.org] On Behalf Of Angel Bosch Mora
Sent: Tuesday, October 04, 2011 10:12 AM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Start TLS request accepted. Server willing to negotiate SSL
is not the same
seems that you're missing the second one.
While attempting to change a directory password I keep getting this message…
[root@xxx ~]# ldappasswd -x -ZZ -D "cn=directory manager" -w "mypass" "uid=se253264,ou=people,dc=xxx,dc=cle=dc=us" -a "oldpass" -s
ldap_start_tls: Connect error (-11)
additional info: Start TLS request accepted.Server willing to negotiate SSL.
In researching this I found that adding -d1 gives additional debugging information, and found this:
TLS: could not load client CA list
TLS: error:0200A014:system library:opendir:Not a directory ssl_cert.c:816
TLS: error:140D7002:SSL routines:SSL_add_dir_cert_subjects_to_stack:system lib
I do have the following in my /etc/ldap.conf file
And the cacert.asc does exist in that directory. This is the cacert.asc that was created
during setup of this machine using the setupssl.sh script and I copied it to the requested
directory. I am not seeing anything additional on the HowtoSSL page and realize that TLS
is necessary for the password change function.
Thanks for any help you may have. I am also under the impression I am supposed to copy
the cacert.asc to each client machine so they can authenticate against the cert. Is this
David Hoskinson | DATATRAK International
Mayfield Heights, Ohio, USA
+1.440.443.0082 x 124 (p) | +1.216.280.5457 (m)