> > I thought I needed the cacert line in /etc/openldap/ldap.conf to point the
> > ldap client to the CA cert we trust, otherwise we might not trust the
> > server certificate being signed by the CA.
> >
> > Thanks again,
> > Jo
>
> That's correct, you always need the CA cert on all of the servers and
> clients. (Unless you're using anonymous cipher suites, in which case you
> don't need any certs at all. But that's pretty reckless.)

I have server-side, self-generated, self-signed certs. None of those certs
exist on any of the clients, all my ldap traffic is ssl-encrypted over 636,
no problem. Is that what you mean by "anonymous cipher suites"? If so, why
is that reckless? I don't really care if the clients misrepresent
themselves, I just care that the server doesn't. Perhaps I'm not
understanding what you are saying...?

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
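As an added illustration that is not part of this thread, the two client-side /etc/openldap/ldap.conf settings the exchange is really about: the first fragment encrypts the session but never verifies the server's certificate, so the client has no way to tell the real directory server from any other host presenting a certificate; the second pins trust to the CA (for a self-signed server certificate, to that certificate itself) and refuses the session otherwise. The hostname and CA file path are assumed placeholders.

```conf
# /etc/openldap/ldap.conf (client side)
# Only ONE of the two fragments below belongs in a real file; they are shown
# together for contrast. Comments must be on their own line in this file.

# --- weak: encrypted but unauthenticated ---
# TLS_REQCERT never tells the OpenLDAP client library to skip certificate
# verification entirely. A session to an impostor that presents any
# certificate at all will succeed exactly like a session to the real server.
URI          ldaps://ldap.example.com:636
TLS_REQCERT  never

# --- hardened: encrypted and server-authenticated ---
# TLS_CACERT points at the PEM file holding the trusted CA certificate.
# With self-signed server certs, that file is the server certificate itself
# (or a bundle of them); every client needs a copy of it.
# TLS_REQCERT demand aborts the session when the presented certificate does
# not chain to that CA or its name does not match the host in the URI.
URI          ldaps://ldap.example.com:636
TLS_CACERT   /etc/openldap/certs/ca.crt
TLS_REQCERT  demand
```

With the hardened fragment in place, a test bind such as `ldapsearch -x -H ldaps://ldap.example.com:636 -b '' -s base` fails with a TLS error instead of silently succeeding whenever the presented certificate is not the one the client was told to trust.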