On Wed, 8 Oct 2008, Neil Levine wrote:
> On Tue, Oct 07, 2008 at 10:43:23PM +0100, Neil Levine said:
>>
>> TLSCACertificateFile /etc/ldap/foo.org.pem
>
> This line was obviously wrong. I corrected it to:
>
> TLSCACertificatePath /etc/ssl/certs/
>
>> Running strace -f /usr/sbin/sshd -d seems to show lots of open calls to
>> the files in /etc/ssl/certs.
>
> So after looking at the strace more closely, I discovered that there was
> an open call to /etc/pam_ldap.conf and /etc/libnss-pam.conf as expected
> but there was ALSO an open call to /etc/ldap/ldap.conf.
>
> I was under the impression that /etc/ldap/ldap.conf was only read by the
> openldap tools (ldapsearch etc) and was not looked at by the pam/libnss
> libraries. I tried commenting out both of these lines:
>
> TLS_CACERTDIR /etc/ssl/certs
> TLS_REQCERT allow
>
> and pam-ldap/ssl worked, however, ldapsearch did not.
>
> So, I changed TLS_REQCERT to never and consequently both ldapsearch and
> pam-ldap worked.
>
> So my questions:
>
> 1. Why are pamldap/libnss looking at /etc/ldap/ldap.conf?
Both of those use the openldap library (libldap.so), so it is probably the
openldap library that is consulting ldap.conf. My understanding is that
options set in pam_ldap.conf override the settings in ldap.conf.
> 2. Why doesn't ldapsearch work without TLS_REQCERT never?
I don't know... To me, that setting only makes sense from the server-side
(allow client certificates).
Andy
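As an added example that is not part of this thread: a small POSIX shell audit of the TLS_REQCERT setting the thread ended up with. In OpenLDAP's ldap.conf(5), TLS_REQCERT is a client-side option read by libldap (so it applies to ldapsearch, pam_ldap and libnss-ldap alike) and controls whether the client checks the server's certificate: never (no check at all), allow (a missing or invalid certificate is accepted), try (missing accepted, invalid rejected), demand or hard (required and verified; this is the default when the option is absent). The sample configurations below are constructed, and the hostname and CA file path in them are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: audit an OpenLDAP client config
# (ldap.conf / pam_ldap.conf keyword syntax) for its TLS_REQCERT level.
#   never       - server certificate is not requested or checked
#   allow       - missing or invalid certificate is accepted
#   try         - missing accepted, invalid rejected
#   demand/hard - certificate required and verified (libldap's default)

# Constructed sample: the setting the thread settled on (hostname is a placeholder).
WEAK_CONF='# /etc/ldap/ldap.conf (constructed sample)
BASE dc=foo,dc=org
URI ldap://ldap.foo.org
TLS_CACERTDIR /etc/ssl/certs
TLS_REQCERT never'

# Constructed sample: hardened equivalent (CA file path is a placeholder).
HARD_CONF='# /etc/ldap/ldap.conf (constructed sample)
BASE dc=foo,dc=org
URI ldap://ldap.foo.org
TLS_CACERTFILE /etc/ssl/certs/foo-org-ca.pem
TLS_REQCERT demand'

# tls_reqcert_level CONFIG_TEXT
# Print the effective TLS_REQCERT value: keyword match is case-insensitive,
# comment lines are ignored, the last occurrence wins, and "demand" is
# reported when the option is absent (libldap's default).
tls_reqcert_level() {
    level=$(printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        toupper($1) == "TLS_REQCERT" { v = tolower($2) }
        END { print (v == "" ? "demand" : v) }')
    printf '%s\n' "$level"
}

# audit_ldap_conf CONFIG_TEXT
# Return 0 when the config enforces server certificate verification,
# 1 otherwise; print a one-line verdict either way.
audit_ldap_conf() {
    level=$(tls_reqcert_level "$1")
    case "$level" in
        demand|hard)
            echo "OK:   TLS_REQCERT $level (server certificate verified)"
            return 0 ;;
        *)
            echo "WEAK: TLS_REQCERT $level (server certificate not fully verified)"
            return 1 ;;
    esac
}

# Run both samples; the weak one is expected to return non-zero.
audit_ldap_conf "$WEAK_CONF" || :
audit_ldap_conf "$HARD_CONF"
```

One practical note when moving from never back to demand: TLS_CACERTDIR expects a directory of individual CA certificates named by their OpenSSL subject hash (as produced by c_rehash), whereas TLS_CACERTFILE points at a single PEM file containing the issuing CA; if the CA that signed the LDAP server's certificate is reachable through neither, verification fails at demand and the client falls back to not connecting rather than silently trusting the server.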