[389-users] Trouble using self signed certificates.
John A. Sullivan III
jsullivan at opensourcedevel.com
Wed Jun 24 18:38:00 UTC 2009
On Wed, 2009-06-24 at 11:28 -0700, Dumbo Q wrote:
> To answer a few questions,
> Searching for any thing about ldap.conf in google gave me a lot of
> openldap specific stuff. Sorry to have to post into this mailling
> list, but I figure that if im having this much trouble getting this to
> work, then there is a good chance others are too.
>
> I've tried a few combinations of these and none have worked for me.
> TLS_CACERT is pointing to CACert's root certificate.
>
>
> Here is the current tail of my ldap.conf file.
> TLS_CACERT /etc/pki/tls/certs/cacert.org-root.txt
> TLS_CACERT_DIR /etc/pki/tls/certs
> TLS_REQCERT allow
> uri ldaps://rhds.example.com:636/
> ssl no
> #tls_cacertdir /etc/pki/tls/certs
> pam_password ssha
>
>
>
> Interestingly enough, it worked after doing the following.
> cat /etc/pki/tls/certs/cacert.org-root.txt >> /etc/pki/tls/cert.pem
> This is the symlink to ca-bundle.crt
This may go back to using the wrong variables and thus falling through
to the defaults which point tls_cacertfile to ca-bubdle.crt. Just a
guess - John
>
> My fear with this, is that I'll run a yum -y update on all my servers,
> and then nobody will be able to log in anywhere.
>
>
>
>
>
>
> ______________________________________________________________________
> From: Jean-Noel Chardron <Jean-Noel.Chardron at dr15.cnrs.fr>
> To: General discussion list for the 389 Directory server project.
> <fedora-directory-users at redhat.com>
> Sent: Wednesday, June 24, 2009 1:19:36 PM
> Subject: Re: [389-users] Trouble using self signed certificates.
>
> David Christensen a écrit :
> >
> > I was having a similar issue yesterday, everything worked until I
> > appended more then one CA to the file in /etc/openldap/cacerts, then
> it
> > kept failing until I limited it to one CA. Are you
> > using a single CA?
> >
> The client authenticates to a server with a single authority, so why
> try to install two or more. otherwise you must use a file by CA in the
> directory.
> unless you speak CA chain.
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
More information about the 389-users
mailing list