Finally, I fixed the problem I was having with start_tls being in /etc/ldap.conf. Here’s what would happen:

I’d ssh as my test user and I’d get in fine. But then, I’d issue an ls command and it would hang. In the logs on the node I’d logged into (not the ldap server), I’d get these messages:

Oct 25 12:47:00 client ls: nss_ldap: could not search LDAP server - Server is unavailable
Oct 25 12:48:08 client ls: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...

What it was trying to do was look up the uid for the uidnumber associated with the files it was listing. I just couldn’t figure out why it wasn’t working.

I then ran the following command as my test user:

[testuser1@client ~]$ ldapsearch -x -ZZ -d4
request done: ld 0x8c24068 msgid 1
TLS: could not load verify locations (file:`/etc/openldap/cacerts/slapd.pem',dir:`/etc/openldap/cacerts').
TLS: error:0200100D:system library:fopen:Permission denied bss_file.c:122
TLS: error:2006D002:BIO routines:BIO_new_file:system lib bss_file.c:127
TLS: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib by_file.c:279
ldap_start_tls: Connect error (-11)

This basically showed that I had a problem with my pem file, as in, it couldn’t be read. As soon as I changed permissions on this file to 644, everything worked fine.

Now I just have to check what sort of security risks I have with these settings.
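An added check, not code from the post, for the permission fix above and the question the last line raises. It assumes the usual client config names (tls_cacertfile in /etc/ldap.conf for nss_ldap, TLS_CACERT in /etc/openldap/ldap.conf for the OpenLDAP tools) and the cacert path from the ldapsearch output; it passes only when the CA file is world-readable (the lookup behind ls runs as the logged-in user) and carries no private key, since a file named slapd.pem is often the server's combined certificate-plus-key and must not be made mode 644.

```shell
#!/bin/sh
# Check the CA file that nss_ldap (tls_cacertfile in /etc/ldap.conf) and the
# OpenLDAP client library (TLS_CACERT in /etc/openldap/ldap.conf) open when
# start_tls is on. The uid lookup behind "ls" runs as the logged-in user, so
# the file must be world-readable; a file that also holds a private key (as a
# server's slapd.pem normally does) must never be chmod 644 on a client.
# Exit codes: 0 ok, 1 not world-readable, 2 private key present, 3 missing.
check_ca_file() {
    f="$1"
    [ -f "$f" ] || { echo "$f: no such file"; return 3; }
    # Refuse to bless a file carrying key material, whatever its mode.
    if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f"; then
        echo "$f: contains a private key; keep it 600 and point the client at a certificate-only copy"
        return 2
    fi
    # Octal mode without a leading zero (GNU stat first, BSD stat as fallback).
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    others=${mode#"${mode%?}"}          # last octal digit = permissions for "other"
    if [ $(( others & 4 )) -eq 0 ]; then
        echo "$f: mode $mode is not world-readable; unprivileged lookups fail with 'could not load verify locations'"
        return 1
    fi
    echo "$f: mode $mode, certificates only, readable by the lookup"
    return 0
}

# Usage: sh check_ca_file.sh /etc/openldap/cacerts/slapd.pem
if [ $# -gt 0 ]; then
    check_ca_file "$1"
fi
```

Run it as root after the chmod: a return of 2 means the fix traded the hang for an exposed key and the client needs a copy holding only the CA certificate.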