Hi!
I was having problems getting ldapsearch (openldap) and sssd to accept x509 certs from CAcert.org.
Thanks to sgallagh for pointing me to where to find a solution. Apparently, in F15, openldap and sssd do not use openssl for TLS/SSL libs. They use Mozilla NSS instead. Therefore, the default locations for certificate authority certs have to be explicitly configured in /etc/openldap/ldap.conf.
By adding the following to my /etc/openldap/ldap.conf file, I got ldapsearch and sssd to work over SSL to my LDAP server.
TLS_CACERTDIR /etc/pki/tls/certs
TLS_CACERT /etc/pki/tls/cert.pem
Uggh. This was really frustrating... I don't suppose something could be placed in release notes when these kinds of changes occur?
Thanks,
Bobby
Bobby Krupczak wrote:
> Uggh. This was really frustrating... I don't suppose something could be placed in release notes when these kinds of changes occur?
I've said the same thing for the past several releases. The NSS folks don't care. They only want to use NSS to be certified for FIPS. It's not a technical reason; it's political.
You're more than welcome to reach out to them yourself. Maybe you will have better luck than I have.
Hi!
> Bobby Krupczak wrote:
>> Uggh. This was really frustrating... I don't suppose something could be placed in release notes when these kinds of changes occur?
> I've said the same thing for the past several releases. The NSS folks don't care. They only want to use NSS to be certified for FIPS. It's not a technical reason; it's political.
> You're more than welcome to reach out to them yourself. Maybe you will have better luck than I have.
My past experiences making "suggestions" have been frustrating as well. Not sure I want to add to it.
Thanks,
Bobby