[389-users] Trouble using self signed certificates.

John A. Sullivan III jsullivan at opensourcedevel.com
Wed Jun 24 18:38:00 UTC 2009 

On Wed, 2009-06-24 at 11:28 -0700, Dumbo Q wrote:
> To answer a few questions,
> Searching for any thing about ldap.conf in google gave me a lot of
> openldap specific stuff.  Sorry to have to post into this mailling
> list, but I figure that if im having this much trouble getting this to
> work, then there is a good chance others are too.
> 
> I've tried a few combinations of these and none have worked for me.
> TLS_CACERT is pointing to CACert's root certificate.
> 
> 
> Here is the current tail of my ldap.conf file.
> TLS_CACERT /etc/pki/tls/certs/cacert.org-root.txt
> TLS_CACERT_DIR /etc/pki/tls/certs
> TLS_REQCERT  allow
> uri ldaps://rhds.example.com:636/
> ssl no
> #tls_cacertdir /etc/pki/tls/certs
> pam_password ssha
> 
> 
> 
> Interestingly enough,  it worked after doing the following.
> cat /etc/pki/tls/certs/cacert.org-root.txt >> /etc/pki/tls/cert.pem
> This is the symlink to ca-bundle.crt
This may go back to using the wrong variables and thus falling through
to the defaults which point tls_cacertfile to ca-bubdle.crt.  Just a
guess - John
> 
> My fear with this, is that I'll run a yum -y update on all my servers,
> and then nobody will be able to log in anywhere.
> 
> 
> 
> 
> 
> 
> ______________________________________________________________________
> From: Jean-Noel Chardron <Jean-Noel.Chardron at dr15.cnrs.fr>
> To: General discussion list for the 389 Directory server project.
> <fedora-directory-users at redhat.com>
> Sent: Wednesday, June 24, 2009 1:19:36 PM
> Subject: Re: [389-users] Trouble using self signed certificates.
> 
> David Christensen a écrit :
> > 
> > I was having a similar issue yesterday, everything worked until I
> > appended more then one CA to the file in /etc/openldap/cacerts, then
> it
> > kept failing until I limited it to one CA.  Are you
> >  using a single CA?
> >  
> The client authenticates to a server with a single authority, so why
> try to install two or more. otherwise you must use a file by CA in the
> directory.
> unless you speak CA chain.
> 
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> 
> 
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

More information about the 389-users mailing list