Aleksander Adamowski wrote:
> Hi!
>
> I have a proxy OpenLDAP server (based on slapd-ldap) backend that
> connects to Fedora Directory server.
>
> All is fine if OpenLDAP is configured to connect using non-SSL URI
> without TLS.
>
> However, whenever I try TLS on port 389 or SSL on port 636, OpenLDAP
> uses its server certificate during TLS/SSL negotiation and Fedora
> Directory decides that this certificate usage isn't good because it's
> not a client certificate. In FDS logs I can see:
>
> [14/Apr/2008:11:33:33 +0200] conn=1474 fd=65 slot=65 SSL connection from IP_OF_OPENLDAP to IP_OF_FDS
> [14/Apr/2008:11:33:33 +0200] conn=1474 Netscape Portable Runtime error -8101 (Certificate type not approved for application.); unauthenticated client E=some_email,CN=hostname,ETC,ETC,; issuer E=ISSUER_DATA
> [14/Apr/2008:11:33:33 +0200] conn=1474 op=-1 fd=65 closed - Certificate type not approved for application.
>
> Is there a way to relax those requirements in Fedora Directory for
> this particular case (LDAP client that uses a server certificate)?

Do you need to use cert based auth? If not, just configure the application to not use cert. based auth - just use username/password auth over SSL (or TLS). If you must use cert. based auth, you may be able to use the certutil command to change the trust flags of the cert - see certutil -H. See also this page for information about cert. based auth - http://directory.fedoraproject.org/wiki/Howto:CertMapping

> Like, say some tweaks in nss.conf?

NSS (Netscape^H^H^H^H^Hwork Security Services) for crypto and nss (name switch service - as in nss_ldap) are completely different and unfortunately share the same name.
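The rejection in the thread comes down to the Extended Key Usage of the certificate OpenLDAP presents: a certificate issued only for TLS server authentication is not accepted as a client certificate. The following added example (not from the thread, and not from the 389/OpenLDAP projects) uses openssl to check a PEM certificate for the clientAuth EKU before it is deployed on the proxy; the certificates it generates are constructed test material with placeholder names, and it assumes openssl 1.1.1 or later.

```shell
#!/bin/sh
# Added example: does a certificate carry the clientAuth Extended Key Usage?
# A server-only certificate (EKU = serverAuth) is what a TLS peer configured
# for client-certificate auth rejects as
# "Certificate type not approved for application".

# Print the EKU value line(s) of a PEM certificate (empty if extension absent).
cert_eku() {
    openssl x509 -in "$1" -noout -text | sed -n '/X509v3 Extended Key Usage/{n;p;}'
}

# Exit 0 if the certificate may be used for TLS client authentication,
# 1 if it is server-only or has no usable EKU.
has_client_auth() {
    cert_eku "$1" | grep -q 'TLS Web Client Authentication'
}

# Constructed test certificates (self-signed, placeholder CN, 1-day validity).
make_cert() {  # make_cert <out.pem> <eku-list>
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "${1%.pem}.key" -out "$1" \
        -subj "/CN=openldap-proxy.example" \
        -addext "extendedKeyUsage=$2" >/dev/null 2>&1
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_cert "$tmp/server-only.pem" "serverAuth"
make_cert "$tmp/client-capable.pem" "serverAuth,clientAuth"

for c in "$tmp/server-only.pem" "$tmp/client-capable.pem"; do
    eku=$(cert_eku "$c" | sed 's/^ *//')
    if has_client_auth "$c"; then
        echo "$(basename "$c"): usable as client certificate (EKU: $eku)"
    else
        echo "$(basename "$c"): NOT usable as client certificate (EKU: $eku)"
    fi
done
```

Run it against the certificate configured in slapd's TLS settings; if it reports the server-only case, the fix is to issue the proxy a certificate that includes clientAuth (or to fall back to password auth over TLS, as suggested above) rather than to loosen the directory server's checks.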