[389-users] Trouble using self signed certificates.

On Wed, 2009-06-24 at 11:28 -0700, Dumbo Q wrote:
> To answer a few questions,
> Searching for any thing about ldap.conf in google gave me a lot of
> openldap specific stuff.  Sorry to have to post into this mailing
> list, but I figure that if I'm having this much trouble getting this to
> work, then there is a good chance others are too.
> 
> I've tried a few combinations of these and none have worked for me.
> TLS_CACERT is pointing to CACert's root certificate.
> 
> 
> Here is the current tail of my ldap.conf file.
> TLS_CACERT /etc/pki/tls/certs/cacert.org-root.txt
> TLS_CACERT_DIR /etc/pki/tls/certs
> TLS_REQCERT  allow
> uri ldaps://rhds.example.com:636/
> ssl no
> #tls_cacertdir /etc/pki/tls/certs
> pam_password ssha
> 
> 
> 
> Interestingly enough,  it worked after doing the following.
> cat /etc/pki/tls/certs/cacert.org-root.txt >> /etc/pki/tls/cert.pem
> This is the symlink to ca-bundle.crt
This may go back to using the wrong variables and thus falling through
to the defaults which point tls_cacertfile to ca-bundle.crt.  Just a
guess - John
> 
> My fear with this, is that I'll run a yum -y update on all my servers,
> and then nobody will be able to log in anywhere.
> 
> 
> 
> 
> 
> 
> ______________________________________________________________________
> From: Jean-Noel Chardron <Jean-Noel.Chardron at dr15.cnrs.fr>
> To: General discussion list for the 389 Directory server project.
> <fedora-directory-users at redhat.com>
> Sent: Wednesday, June 24, 2009 1:19:36 PM
> Subject: Re: [389-users] Trouble using self signed certificates.
> 
> David Christensen wrote:
> > 
> > I was having a similar issue yesterday, everything worked until I
> > appended more than one CA to the file in /etc/openldap/cacerts, then it
> > kept failing until I limited it to one CA.  Are you using a single CA?
> >  
> The client authenticates to a server with a single authority, so why
> try to install two or more? Otherwise you must use one file per CA in
> the directory, unless you mean a CA chain.
> 
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> 
> 
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
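The guess above (the CA setting landing in the wrong keyword family and the client falling through to its default bundle) is something you can check mechanically. The script below is an added example, not code from the thread or from the 389 project: it parses an ldap.conf-style file and lints it twice, once as the PADL pam_ldap/nss_ldap dialect and once as the OpenLDAP libldap dialect, reporting TLS keywords the chosen dialect does not understand (including near-misses such as `TLS_CACERT_DIR`, which is not the ldap.conf(5) keyword `TLS_CACERTDIR`), a missing CA file, a CA file that is a distribution-managed bundle, and settings that disable or downgrade peer verification. The keyword sets are taken from ldap.conf(5) and the pam_ldap/nss_ldap configuration as I know them, the sample config is constructed to mirror the tail posted in the thread, and the `exists` parameter is an injectable assumption so the check runs against a constructed config with no real files present.

```python
import os

# Keywords (lower-cased) from ldap.conf(5) for OpenLDAP's libldap client config.
OPENLDAP_TLS_KEYS = {"tls_cacert", "tls_cacertdir", "tls_reqcert", "tls_cert",
                     "tls_key", "tls_cipher_suite", "tls_crlcheck"}
# Keywords from the PADL pam_ldap / nss_ldap config file (/etc/ldap.conf on RHEL 5).
PAM_LDAP_TLS_KEYS = {"tls_cacertfile", "tls_cacertdir", "tls_checkpeer", "tls_cert",
                     "tls_key", "tls_ciphers", "ssl"}
# Distribution-managed trust bundles: CAs appended locally may be lost on package update.
DISTRO_BUNDLES = {"ca-bundle.crt", "cert.pem"}

# Constructed sample mirroring the tail of the ldap.conf posted in the thread.
SAMPLE_CONF = """\
TLS_CACERT /etc/pki/tls/certs/cacert.org-root.txt
TLS_CACERT_DIR /etc/pki/tls/certs
TLS_REQCERT  allow
uri ldaps://rhds.example.com:636/
ssl no
#tls_cacertdir /etc/pki/tls/certs
pam_password ssha
"""


def parse_ldap_conf(text):
    """Parse ldap.conf-style text into (key, value) pairs.

    Keys are lower-cased (both dialects treat them case-insensitively);
    lines whose first non-blank character is '#' are comments.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        entries.append((parts[0].lower(), value))
    return entries


def lint(text, family, exists=os.path.exists):
    """Return a list of findings for config `text` read as dialect `family`.

    family is "pam_ldap" (PADL nss_ldap/pam_ldap) or "openldap" (libldap).
    `exists` is injectable (assumption) so the check can run on a constructed config.
    """
    eff = dict(parse_ldap_conf(text))  # last occurrence of a key wins
    own, other = ((PAM_LDAP_TLS_KEYS, OPENLDAP_TLS_KEYS) if family == "pam_ldap"
                  else (OPENLDAP_TLS_KEYS, PAM_LDAP_TLS_KEYS))
    ca_file_key = "tls_cacertfile" if family == "pam_ldap" else "tls_cacert"
    findings = []

    # 1. TLS keywords from the other dialect are silently ignored, so this
    #    component falls through to its built-in default trust store.
    foreign = sorted(k for k in eff if k in other - own)
    if foreign:
        findings.append("ignored-keywords: " + ", ".join(foreign))
    # Keys that look like TLS settings but belong to neither dialect (e.g. the
    # misspelling TLS_CACERT_DIR) are ignored as well.
    unknown = sorted(k for k in eff if k.startswith("tls_") and k not in own | other)
    if unknown:
        findings.append("unknown-keywords: " + ", ".join(unknown))

    # 2. No CA location at all: the default trust store decides what is trusted.
    if ca_file_key not in eff and "tls_cacertdir" not in eff:
        findings.append("no-ca-configured: %s/tls_cacertdir unset, default CA store applies" % ca_file_key)

    # 3. The CA file must exist, and a distribution-managed bundle is fragile.
    ca_file = eff.get(ca_file_key)
    if ca_file:
        if not exists(ca_file):
            findings.append("ca-file-missing: " + ca_file)
        if os.path.basename(ca_file) in DISTRO_BUNDLES:
            findings.append("ca-file-distro-bundle: CAs appended to %s may be lost on update" % ca_file)

    # 4. A CA directory holds one CA per file, named by subject hash (c_rehash).
    if "tls_cacertdir" in eff:
        findings.append("ca-dir: one PEM file per CA with hashed names (c_rehash); a concatenated bundle there is not read")

    # 5. Verification disabled or downgraded: a trust failure is masked, not fixed.
    if family == "pam_ldap":
        if eff.get("tls_checkpeer", "").lower() == "no":
            findings.append("verification-off: tls_checkpeer no")
        if eff.get("uri", "").lower().startswith("ldaps://") and eff.get("ssl", "").lower() == "no":
            findings.append("ssl-uri-mismatch: ldaps:// uri with 'ssl no'")
    else:
        if eff.get("tls_reqcert", "").lower() in ("never", "allow"):
            findings.append("verification-off: TLS_REQCERT %s accepts a bad or missing server certificate" % eff["tls_reqcert"])
    return findings


if __name__ == "__main__":
    for fam in ("pam_ldap", "openldap"):
        print("== read as %s ==" % fam)
        for f in lint(SAMPLE_CONF, fam):
            print("  " + f)
```

Run against the constructed sample as pam_ldap, the output shows why the posted config could fail even with `TLS_REQCERT allow`: `tls_cacert` and `tls_reqcert` are OpenLDAP keywords that pam_ldap/nss_ldap never reads, so neither the CA file nor the relaxed verification applies to it and the default bundle decides trust, which is exactly why appending the root to ca-bundle.crt "fixed" it. Read as OpenLDAP, the same file is flagged for the misspelled `TLS_CACERT_DIR` and for `TLS_REQCERT allow`, which would hide a bad server certificate rather than report it. Point the script at the real file (`lint(open(path).read(), "pam_ldap")`) and fix the reported keywords in the dialect the failing component actually uses instead of editing the distribution bundle.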