<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:Courier New,courier,monaco,monospace,sans-serif;font-size:12pt"><div style="font-family: Courier New,courier,monaco,monospace,sans-serif; font-size: 12pt;"><div>To answer a few questions,<br>Searching for any thing about ldap.conf in google gave me a lot of openldap specific stuff. Sorry to have to post into this mailling list, but I figure that if im having this much trouble getting this to work, then there is a good chance others are too.<br><br>I've tried a few combinations of these and none have worked for me.<br>TLS_CACERT is pointing to CACert's root certificate.<br><br><br>Here is the current tail of my ldap.conf file.<br>TLS_CACERT /etc/pki/tls/certs/cacert.org-root.txt<br>TLS_CACERT_DIR /etc/pki/tls/certs<br>TLS_REQCERT allow<br>uri ldaps://rhds.example.com:636/<br>ssl no<br>#tls_cacertdir /etc/pki/tls/certs<br>pam_password
ssha<br><br><br><br>Interestingly enough, it worked after doing the following.<br>cat /etc/pki/tls/certs/cacert.org-root.txt >> /etc/pki/tls/cert.pem<br>This is the symlink to ca-bundle.crt<br><br>My fear with this, is that I'll run a yum -y update on all my servers, and then nobody will be able to log in anywhere.<br><br><br><br></div><div style="font-family: Courier New,courier,monaco,monospace,sans-serif; font-size: 12pt;"><br><div style="font-family: arial,helvetica,sans-serif; font-size: 13px;"><font size="2" face="Tahoma"><hr size="1"><b><span style="font-weight: bold;">From:</span></b> Jean-Noel Chardron <Jean-Noel.Chardron@dr15.cnrs.fr><br><b><span style="font-weight: bold;">To:</span></b> General discussion list for the 389 Directory server project. <fedora-directory-users@redhat.com><br><b><span style="font-weight: bold;">Sent:</span></b> Wednesday, June 24, 2009 1:19:36 PM<br><b><span style="font-weight:
bold;">Subject:</span></b> Re: [389-users] Trouble using self signed certificates.<br></font><br>David Christensen a écrit :<br>> <br>> I was having a similar issue yesterday, everything worked until I<br>> appended more then one CA to the file in /etc/openldap/cacerts, then it<br>> kept failing until I limited it to one CA. Are you<br>> using a single
CA?<br>> <br>The client authenticates to a server with a single authority, so why try to install two or more. otherwise you must use a file by CA in the directory.<br>unless you speak CA chain.<br><br>--<br>389 users mailing list<br><a rel="nofollow" ymailto="mailto:389-users@redhat.com" target="_blank" href="mailto:389-users@redhat.com">389-users@redhat.com</a><br><a rel="nofollow" target="_blank" href="https://www.redhat.com/mailman/listinfo/fedora-directory-users">https://www.redhat.com/mailman/listinfo/fedora-directory-users</a><br></div></div></div></div><br>
</body></html>