===========================================
Openldap and SSL Certificate research notes
===========================================

Overview:
=========

As referenced in the centos_ldap_install doc, openldap is using encryption and I'm able to get linux systems to authenticate, but I have to add ``TLS_REQCERT allow`` (short version: accept server certs the client can't validate), or some variation of that, in the relevant config files:

* /etc/openldap/ldap.conf: ldapsearch
* /etc/nslcd.conf: legacy authentication
* /etc/sssd/sssd.conf: System Security Services Daemon - current auth

So, what's up with that?

Solution:
=========

``ldapsearch -d 5 -LLL -x -b dc=oci,dc=com`` showed the answer:

::

    # ldapsearch -d 5 -LLL -x -b dc=oci,dc=com uid=qwer dn
    [[boring bits snipped]]
    TLS: loaded CA certificate file /etc/openldap/cacerts/cacert.pem.
    TLS: certificate [CN=ldapsvr.olearycomputers.com,OU=IT,O=IT,L=Naperville,ST=IL,C=US] is valid
    TLS certificate verification: subject: CN=ldapsvr.olearycomputers.com,OU=IT,O=IT,L=Naperville,ST=IL,C=US, issuer: CN=caauth.olearycomputers.com,OU=IT,O=OCI,L=IL,ST=Naperville,C=US, cipher: AES-256, security level: high, secret key bits: 256, total key bits: 256, cache hits: 0, cache misses: 0, cache not reusable: 0
    TLS: hostname (192.168.122.20) does not match common name in certificate (ldapsvr.olearycomputers.com).
    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

**TLS: hostname (192.168.122.20) does not match common name**

It's because I had the IP address in the URI rather than the fqdn, so the client's hostname check against the certificate CN could never pass; ``TLS_REQCERT allow`` was only hiding that failure. F'ing nice!
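As an added example (not from these notes), a small POSIX sh lint that catches the two settings behind the symptom above in an ldap.conf-style file: a ``URI`` that names the server by IP literal, and a ``TLS_REQCERT`` value that accepts an unverified server certificate. The sample configs are constructed to mirror the notes; the function names are my own.

```shell
# Added example (not from the original notes): lint an ldap.conf-style file for
# the two settings behind the symptom above: a URI naming the server by IP can
# never pass the hostname check against the certificate, and TLS_REQCERT
# allow/never/try papers over a failed check instead of fixing it.
# Constructed sample configs, modelled on the notes above.
SAMPLE_BAD=$(mktemp) && cat > "$SAMPLE_BAD" <<'EOF'
# constructed /etc/openldap/ldap.conf with the two weak settings
BASE        dc=oci,dc=com
URI         ldap://192.168.122.20
TLS_CACERT  /etc/openldap/cacerts/cacert.pem
TLS_REQCERT allow
EOF
SAMPLE_GOOD=$(mktemp) && cat > "$SAMPLE_GOOD" <<'EOF'
BASE        dc=oci,dc=com
URI         ldap://ldapsvr.olearycomputers.com
TLS_CACERT  /etc/openldap/cacerts/cacert.pem
TLS_REQCERT demand
EOF
trap 'rm -f "$SAMPLE_BAD" "$SAMPLE_GOOD"' EXIT
# True if the host part of an ldap:// or ldaps:// URI is an IPv4 literal.
uri_host_is_ip() {
    host=$(printf '%s\n' "$1" | sed -E 's#^ldaps?://##; s#[:/].*$##')
    printf '%s\n' "$host" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
}
# Print one finding per line; exit 1 if any, 0 if clean. Directive names are
# case-insensitive in ldap.conf, so they are upper-cased before matching.
lint_ldap_conf() {
    found=0
    while read -r key value; do
        case $(printf '%s' "$key" | tr '[:lower:]' '[:upper:]') in
            URI)
                for u in $value; do   # URI may list several servers
                    if uri_host_is_ip "$u"; then
                        echo "URI $u names the server by IP: use the FQDN from the certificate CN/SAN"
                        found=1
                    fi
                done ;;
            TLS_REQCERT)
                case $(printf '%s' "$value" | tr '[:upper:]' '[:lower:]') in
                    allow|never|try)
                        echo "TLS_REQCERT $value does not require a verified server certificate: use demand"
                        found=1 ;;
                esac ;;
        esac
    done < "$1"
    return $found
}

lint_ldap_conf "$SAMPLE_BAD" || echo "findings present (exit status $?)"
```

Run it against the real ldap.conf, nslcd.conf and sssd.conf instead of the samples; a clean result means the URI host can actually match the certificate and ``TLS_REQCERT allow`` is no longer needed.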