Re: SSL Problem: TLS negotiation failure
On Tue, Oct 07, 2008 at 10:43:23PM +0100, Neil Levine said:
>
> TLSCACertificateFile /etc/ldap/foo.org.pem
This line was obviously wrong. I corrected it to:
TLSCACertificatePath /etc/ssl/certs/
> Running strace -f /usr/sbin/sshd -d seems to show lots of open calls to
> the files in /etc/ssl/certs.
So after looking at the strace more closely, I discovered that there was
an open call to /etc/pam_ldap.conf and /etc/libnss-pam.conf as expected
but there was ALSO an open call to /etc/ldap/ldap.conf.
I was under the impression that /etc/ldap/ldap.conf was only read by the
openldap tools (ldapsearch etc) and was not looked at by the pam/libnss
libraries. I tried commenting out both of these lines:
TLS_CACERTDIR /etc/ssl/certs
TLS_REQCERT allow
and pam-ldap/ssl worked, however, ldapsearch did not.
So, I changed TLS_REQCERT to never and consequently both ldapsearch and
pam-ldap worked.
So my questions:
1. Why are pamldap/libnss looking at /etc/ldap/ldap.conf?
2. Why doesn't ldapsearch work without TLS_REQCERT never?
Neil
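The two settings at issue here, TLS_CACERTDIR and TLS_REQCERT, decide whether an LDAP client verifies the server's certificate at all. OpenLDAP's ldap.conf(5) defaults TLS_REQCERT to "demand"; "allow" and "try" tolerate bad or missing certificates, and "never" skips the check entirely, so a configuration that "works" with never has simply stopped verifying the server. A second common cause of verification failures with a CA *directory* (as opposed to a single CA file) is that OpenSSL looks the CA up by subject-name hash, so the directory needs the hash-named links that c_rehash creates, not just a .pem file. The following shell script is an added example written for this thread, not code from the original post: it reads the effective TLS_REQCERT value from an ldap.conf-style file, classifies the policy, and checks whether a CA directory contains hash links. The file names and certificate directories it creates under mktemp are constructed stand-ins for /etc/ldap/ldap.conf, /etc/pam_ldap.conf and /etc/ssl/certs.

```shell
#!/bin/sh
# Added example (not part of the original thread): audit ldap.conf-style
# files for TLS settings that weaken or disable server certificate
# verification, and check that a TLS_CACERTDIR is usable by OpenSSL.

# Print the effective value of a directive in an ldap.conf-style file.
# Comment lines are ignored, names are matched case-insensitively, and the
# last occurrence wins (as the OpenLDAP client library reads them).
ldap_conf_get() {
    # $1 = config file, $2 = directive name
    awk -v key="$(printf '%s' "$2" | tr 'a-z' 'A-Z')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && toupper($1) == key { val = $2 }
        END { print val }
    ' "$1"
}

# Classify the certificate-checking policy of a config file.
# Prints: strict | weak | disabled | unknown.
# When TLS_REQCERT is absent the OpenLDAP default "demand" applies.
tls_reqcert_policy() {
    v=$(ldap_conf_get "$1" TLS_REQCERT | tr 'A-Z' 'a-z')
    case "${v:-demand}" in
        demand|hard) echo strict ;;     # server cert must verify
        try|allow)   echo weak ;;       # bad/missing cert is tolerated
        never)       echo disabled ;;   # no certificate check at all
        *)           echo unknown ;;
    esac
}

# OpenSSL locates CA certificates in a directory by subject-name hash, so
# the directory must contain entries named like 12345678.0 (what c_rehash
# creates). Returns 0 if at least one such entry exists, 1 otherwise.
cacertdir_is_hashed() {
    ls "$1" 2>/dev/null | grep -Eq '^[0-9a-f]{8}\.[0-9]+$'
}

# --- constructed demo files (stand-ins for the real /etc paths) ---
demo=$(mktemp -d)
printf '%s\n' '# constructed sample, not a real config' \
    'TLS_CACERTDIR /etc/ssl/certs' 'TLS_REQCERT allow' > "$demo/pam_ldap.conf"
printf '%s\n' 'TLS_CACERTDIR /etc/ssl/certs' \
    'TLS_REQCERT never' > "$demo/ldap.conf"
mkdir -p "$demo/certs-unhashed" "$demo/certs-hashed"
: > "$demo/certs-unhashed/foo.org.pem"          # CA file only, no hash link
: > "$demo/certs-hashed/foo.org.pem"
ln -s foo.org.pem "$demo/certs-hashed/1a2b3c4d.0" # constructed hash link

for f in "$demo/pam_ldap.conf" "$demo/ldap.conf"; do
    printf '%s: TLS_REQCERT policy = %s\n' "$f" "$(tls_reqcert_policy "$f")"
done
for dir in "$demo/certs-unhashed" "$demo/certs-hashed"; do
    if cacertdir_is_hashed "$dir"; then
        echo "$dir: hash links present"
    else
        echo "$dir: no hash links (run c_rehash on the directory)"
    fi
done
rm -rf "$demo"
```

Run against the real files by calling tls_reqcert_policy /etc/ldap/ldap.conf (and the pam_ldap / libnss-ldap configs) and cacertdir_is_hashed on whatever TLS_CACERTDIR points at; a "disabled" result means the client will accept any server certificate, and an unhashed directory explains why a CA that is clearly present is still not found.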