Aleksander Adamowski wrote:
> Rich Megginson wrote:
>> Do you need to use cert based auth? If not, just configure the
>> application to not use cert. based auth - just use username/password
>> auth over SSL (or TLS). If you must use cert. based auth, you may be
>> able to use the certutil command to change the trust flags of the
>> cert - see certutil -H. See also this page for information about
>> cert. based auth -
>> http://directory.fedoraproject.org/wiki/Howto:CertMapping
> Hmm, this has given me an idea for a solution. After switching
> Encryption -> Client Authentication settings of dirsrv from "Allow
> client authentication" to "Do not allow client authentication" I got
> this working.
>
> It seems that whenever certificate authentication is an allowed
> possibility on the FDS server side, the OpenLDAP client tries using it
> even if it is operating inside an OpenLDAP server environment (in
> which case it supplies its server certificate as the client's - thus the
> problem).
>
> This case is special since the OpenLDAP server acts as an LDAP client to
> the FDS server.
> I think the problem is on the OpenLDAP side (it shouldn't use its server
> certificate for client authentication when acting as an LDAP client).

That should be fine. Fedora DS can do the same thing e.g. with
server-to-server chaining and replication, using the server cert for
client cert auth. It just depends on the type of cert issued and/or the
trust flags on the cert.

>>> Like, say some tweaks in nss.conf?
>> NSS (Netscape^H^H^H^H^Hwork Security Services) for crypto and nss
>> (name switch service - as in nss_ldap) are completely different and
>> unfortunately share the same name.
> Read carefully: I wasn't talking about nsswitch.conf (which is for
> Name Service Switch), but nss.conf (which is a config file for mod_nss,
> which is based on the Network Security Services library).
>
> The FDS admin server (dirsrv-admin) is based on Apache and it uses
> mod_nss for handling SSL connections.
> So inside /etc/dirsrv/admin-serv/nss.conf you can tweak SSL-related
> behaviour of dirsrv-admin.

Ok. I thought we were talking about the directory server only.

> I thought that there might be a similar method to tweak the behaviour of
> dirsrv (although not through nss.conf, since dirsrv doesn't use mod_nss
> and doesn't contain an http server in any part), like some
> undocumented setting in dse.ldif. However, the more correct fix turned out
> to be to disallow certificate-based client authentication.

See the RHDS 8.0 Admin Guide, Chapter 12 -
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/ and
http://tinyurl.com/688w9y

See also the detailed information for all of the security/encryption
configuration entries and attributes - http://tinyurl.com/35qddb - there
is also an apparently undocumented entry cn=RSA, cn=encryption, cn=config.
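As an added example, not code from this thread or from the Fedora/389 DS project: a POSIX shell script that audits the two knobs the reply points at before a server would try certificate-based client auth, namely the trust flags on the CA cert in the server's NSS database (what certutil shows and `certutil -M` changes) and the client-authentication setting under cn=encryption,cn=config in dse.ldif. Both inputs are constructed samples embedded in the script, so nothing touches a live instance; the attribute name nsSSLClientAuth (with values off/allowed/required) and the `certutil -M -t` syntax are taken from 389 DS and NSS documentation as I know it, not from the thread, and the database path is a placeholder.

```shell
#!/bin/sh
# Added example: audit whether a 389/Fedora DS instance would offer
# cert-based client auth. Inputs below are constructed samples.

# Constructed sample of `certutil -L -d /etc/dirsrv/slapd-INSTANCE` output
# (path is a placeholder). Trust columns are SSL,S/MIME,JAR/XPI. In the SSL
# column: C = trusted CA to issue server certs, T = trusted CA to issue
# client certs, u = the instance's own cert (private key present).
SAMPLE_CERTUTIL_L='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CT,,
Server-Cert                                                  u,u,u
'

# Constructed dse.ldif fragment. nsSSLClientAuth is assumed to be the
# attribute behind the console's "client authentication" choice
# ("Do not allow" = off, "Allow" = allowed, "Require" = required).
SAMPLE_DSE_LDIF='
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL3: on
'

# trust_flags NICK: print the trust attributes for nickname NICK.
# Nicknames may contain spaces, so the flags are the last field and the
# nickname is everything before it.
trust_flags() {
    printf '%s\n' "$SAMPLE_CERTUTIL_L" | awk -v nick="$1" '
        NF >= 2 && $0 !~ /Trust Attributes|SSL,S\/MIME/ {
            flags = $NF
            line = $0
            sub(/[[:space:]]+[^[:space:]]+$/, "", line)
            if (line == nick) { print flags; exit }
        }'
}

# ssl_trust NICK: only the SSL column of the trust attributes.
ssl_trust() {
    trust_flags "$1" | cut -d, -f1
}

# issues_client_certs NICK: succeed if NICK is trusted to issue client
# certs, i.e. the SSL column carries the T flag.
issues_client_certs() {
    case "$(ssl_trust "$1")" in
        *T*) return 0 ;;
        *)   return 1 ;;
    esac
}

# client_auth_setting: value of nsSSLClientAuth in cn=encryption,cn=config.
client_auth_setting() {
    printf '%s\n' "$SAMPLE_DSE_LDIF" | awk '
        tolower($0) ~ /^dn: cn=encryption,cn=config$/ { in_entry = 1; next }
        /^dn: / { in_entry = 0 }
        in_entry && tolower($1) == "nssslclientauth:" { print $2; exit }'
}

# accepts_client_certs: succeed if the server would try cert-based client
# auth: the setting is not "off" AND the CA is trusted to issue client certs.
accepts_client_certs() {
    [ "$(client_auth_setting)" != "off" ] && issues_client_certs "CA certificate"
}

# Stand-alone run: summarise what the constructed samples say.
if accepts_client_certs; then
    echo "nsSSLClientAuth=$(client_auth_setting), CA trust=$(trust_flags 'CA certificate'): cert-based client auth will be offered"
    echo "to turn it off: set nsSSLClientAuth: off, or drop the T flag, e.g."
    echo "  certutil -M -d /etc/dirsrv/slapd-INSTANCE -n 'CA certificate' -t 'C,,'   (assumed syntax, placeholder path)"
else
    echo "cert-based client auth is not in play"
fi
```

On a real instance, replace the two sample strings with `certutil -L -d <db dir>` output and the live dse.ldif; the two conditions the script checks are independent, which is why flipping the console setting to "Do not allow client authentication" fixed the original problem even though the CA's trust flags were left alone.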