I have several computers on a small network that I recently upgraded from 11.2 to 13.1. Previously I was using LDAP, without TLS, to maintain the users and passwords. After the upgrade I am trying to recreate the database but I am always getting connection problems. From what I’ve been able to figure out, somewhere along the way between 11.2 and 13.1 they made it mandatory for LDAP clients to connect to the server using TLS/SSL even if you uncheck the box in the YaST LDAP client module. I’ve tried two things:
First, I tried to set up TLS/SSL certificates following the instructions at
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_obsolete.html
and at
http://www.zarafa.com/wiki/index.php/Configure_OpenLDAP_with_SSL/TLS
Depending on how I have the configuration set up, it either gives me the error
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate)
or it says something about “hostname does not match CN in peer certificate”.
Second, I tried to patch up the client to work without TLS using the instructions at
https://forums.opensuse.org/english/get-technical-help-here/install-boot-login/478283-how-do-i-disable-tls-ldap.html
That just plain didn’t work. It made the computer take forever to boot and login and still wouldn’t let me become one of the LDAP users.
Also, the very first symptom that I noticed on these computers is that if I have a bash shell up as root I can su to an LDAP user, but if I’m a local user and I try to su to an LDAP user it says something about “unable to authenticate”. So it sees the server and knows that the user exists, but it isn’t talking right.
Right now, the computer I am working on is both the LDAP server and a client. Once I get it working on this machine I’ll duplicate the configuration to the other computers.
Honestly if anyone could point me to a current manual on how to install LDAP or configure certificates that would be appreciated. Everything I have been able to find is mostly out of date. For instance I’ve found things that say to edit slapd.conf, but it isn’t being used anymore because the settings are stored in a back-end database.
Thanks for your help.
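The two TLS errors quoted in the post ("certificate verify failed (self signed certificate)" and "hostname does not match CN in peer certificate") are two separate checks the LDAP client performs: first that the server certificate chains to something the client trusts, then that the certificate's name matches the hostname the client connected to. The script below is an added example, not code from the original post or from openSUSE, and reproduces both checks offline with openssl(1) so the cause of each message can be seen without a running slapd. It assumes openssl 1.1.1 or later (for -addext); the hostname ldap.example.test, the temporary directory and the file names are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post). Reproduces the two TLS
# verification failures offline with openssl(1). Assumptions: openssl >= 1.1.1
# is installed; the hostname below is made up.
set -e
WORK=$(mktemp -d)
HOST=ldap.example.test   # assumed: the name clients put in their LDAP URI

# Create a self-signed certificate and key for hostname $1 under prefix $2.
# The name goes into both the CN and a DNS subjectAltName, since newer
# clients ignore the CN when checking the hostname.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
    -keyout "$2.key" -out "$2.crt" 2>/dev/null
}

# Exit 0 if certificate $1 is trusted given CA bundle $2, nothing else.
# A self-signed server cert is only trusted if the bundle contains that very
# cert (or the CA that issued it); otherwise the client reports
# "certificate verify failed (self signed certificate)".
chain_ok() {
  openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# Exit 0 if certificate $1 is valid for hostname $2 (SAN/CN match).
# A mismatch is what the LDAP client reports as
# "hostname does not match CN in peer certificate".
host_ok() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# Two certs: one issued for the name clients use, one issued for a different
# name (e.g. generated with the machine's short hostname while clients use
# the FQDN).
make_self_signed "$HOST"     "$WORK/good"
make_self_signed "localhost" "$WORK/wrongname"

# Human-readable summary of the four cases, for running stand-alone.
report() {
  if chain_ok "$WORK/good.crt" "$WORK/wrongname.crt"; then
    echo "good cert, unrelated CA bundle: trusted"
  else
    echo "good cert, unrelated CA bundle: UNTRUSTED (self signed certificate)"
  fi
  if chain_ok "$WORK/good.crt" "$WORK/good.crt"; then
    echo "good cert, bundle containing itself: trusted"
  else
    echo "good cert, bundle containing itself: UNTRUSTED"
  fi
  if host_ok "$WORK/good.crt" "$HOST"; then
    echo "good cert for $HOST: name matches"
  else
    echo "good cert for $HOST: NAME MISMATCH"
  fi
  if host_ok "$WORK/wrongname.crt" "$HOST"; then
    echo "wrongname cert for $HOST: name matches"
  else
    echo "wrongname cert for $HOST: NAME MISMATCH (hostname does not match CN)"
  fi
}
report
```

The practical reading for the situation in the post: the first message goes away once the client's TLS_CACERT (in /etc/openldap/ldap.conf, path assumed) points at a bundle containing the server's self-signed certificate or its issuing CA, and the second goes away once the certificate is issued for exactly the name the clients use in their ldap:// or ldaps:// URI. Both can be checked against the live server with `ldapwhoami -ZZ -H ldap://ldap.example.test` (hostname assumed), which refuses to continue unless StartTLS succeeds.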