On [Thu, 29.01.2009 13:32], John A. Sullivan III wrote: >Hello, all. This may be a bit off-topic as it is primarily an ldap >client issue but I am having a bear of a time getting my test centos >clients to access fds. The problem is tls_checkpeer. I do want it set >to yes but this breaks access. It is as if the directory server's cert >cannot be validated against the CA cert. Here are the pertinent >settings from my centos client ldap.conf (as you can see, I've tried >many combinations): > >uri ldap://ldap.mycompany.com/ >#host ldap.mycompany.com >#ssl on >ssl start_tls >#tls_cacertdir /etc/pki/tls/certs >tls_cacertfile /etc/pki/tls/certs/SSICA.pem >pam_password md5 >tls_checkpeer yes >tls_ciphers TLSv1 > >An strace shows that the SSICA.pem file is opened. Apparently, this is >a problem in Ubuntu because of a change to gnutls. However, I can >confirm the combination of uri ldap://, ssl start_tls, and tls_certfile >rather than tls_certdir work on Ubuntu. My problem is redhat style >systems. > >Our test bed is CentOS 5.2. Does anyone have this working on newer >redhat based systems? If so, with what configuration? Thanks - John gnutls has a bug in some ubunto versions. This prevents correct certificate validation. See here: https://bugs.launchpad.net/ubuntu/+source/gnutls12/+bug/305264 How did you test access to FDS on Red Hat systems? If you use OpenLDAP commandline tools like ldapsearch to get access to FDS, you have to run cacertdir_rehash on the directory where the CA cert is stored. What is the output from: # openssl s_client -connect your_host_fqdn:443 (make sure you have the cacert available in ca-bundle.crt) Happy Day. Thorsten -- "Eternity is a very long time, especially towards the end." ? Stephen Hawking -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3855 bytes Desc: not available Url : http://lists.fedoraproject.org/pipermail/389-users/attachments/20090205/6e11ce49/attachment.bin
