John A. Sullivan III wrote: > On Wed, 2009-06-24 at 18:55 +0200, Jean-Noel Chardron wrote: > >> Dumbo Q a ?crit : >> >>> I've managed to get past the the strangely obscure method of >>> installing an SSL certificate, and from the server side everything >>> appears to be OK. Actually its a "CACert" certificate, rather then >>> self signed. Using Jxplorer, I can connect the the DS using SSL, >>> accept the certificate, and I'm all set. >>> >>> However, I am having a ton of trouble figuring out how to use an >>> untrusted ca for my linux user authentication. I changed >>> /etc/ldap.conf to use ldaps://, and it attemtps to connect as >>> expected. I think this would work, if I could figure out how to tell >>> it to accept the certificate. I get the following error message in DS >>> after running getent passwd. >>> >>> [24/Jun/2009:12:24:02 -0400] conn=3 op=-1 fd=66 closed - Peer does not >>> recognize and trust the CA that issued your certificate. >>> [24/Jun/2009:12:24:02 -0400] conn=4 op=-1 fd=67 closed - Peer does not >>> recognize and trust the CA that issued your certificate. >>> >>> >>> Any thoughts? >>> >>> >> I think you have to use the directive TLS_CACERT or TLS_CACERT_DIR in >> /etc/ldap.conf >> man ldap.conf : >> TLS_CACERT <filename> >> Specifies the file that contains certificates for all of >> the Certificate Authorities the client will recognize. >> >> TLS_CACERTDIR <path> >> Specifies the path of a directory that contains Certifi? >> cate Authority certificates in separate individual files. >> The TLS_CACERT is always used before TLS_CACERTDIR. This >> parameter is ignored with GNUtls. >> >> >>> <snip> >>> > I think these may be the wrong variables. If I recall correctly, those > variables are for /etc/openldap/ldap.conf and control openldap (and > openldap related queries). pam uses /etc/ldap.conf. do "man nss_ldap" to see the configuration variables for /etc/ldap.conf - they are similar enough to /etc/openldap/ldap.conf to cause confusion. > I believe the > variables are set like this: > > ssl start_tls > tls_checkpeer yes > tls_cacertfile /usr/share/ca-certificates/CA.pem > > or whatever the path happens to be. Again, I'm not an expert - just > sharing what we did that worked - John > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.fedoraproject.org/pipermail/389-users/attachments/20090624/2fcd8476/attachment.bin
