Aleksander Adamowski wrote:
> Hi!
>
> I have a proxy OpenLDAP server (based on the slapd-ldap backend) that connects to Fedora Directory Server.
>
> All is fine if OpenLDAP is configured to connect using a non-SSL URI without TLS.
>
> However, whenever I try TLS on port 389 or SSL on port 636, OpenLDAP uses its server certificate during the TLS/SSL negotiation and Fedora Directory decides that this certificate usage isn't good because it's not a client certificate. In the FDS logs I can see:
>
> [14/Apr/2008:11:33:33 +0200] conn=1474 fd=65 slot=65 SSL connection from IP_OF_OPENLDAP to IP_OF_FDS
> [14/Apr/2008:11:33:33 +0200] conn=1474 Netscape Portable Runtime error -8101 (Certificate type not approved for application.); unauthenticated client E=some_email,CN=hostname,ETC,ETC,; issuer E=ISSUER_DATA
> [14/Apr/2008:11:33:33 +0200] conn=1474 op=-1 fd=65 closed - Certificate type not approved for application.
>
> Is there a way to relax those requirements in Fedora Directory for this particular case (an LDAP client that uses a server certificate)?

Do you need to use cert-based auth? If not, just configure the application to not use cert-based auth - just use username/password auth over SSL (or TLS). If you must use cert-based auth, you may be able to use the certutil command to change the trust flags of the cert - see certutil -H. See also this page for information about cert-based auth - http://directory.fedoraproject.org/wiki/Howto:CertMapping

> Like, say some tweaks in nss.conf?

NSS (Netscape^H^H^H^H^Hwork Security Services) for crypto and nss (name switch service - as in nss_ldap) are completely different and unfortunately share the same name.
-- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
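The error code in the posted log, NSPR/NSS error -8101, is NSS's SEC_ERROR_INADEQUATE_CERT_TYPE: the server checked which usages the presented certificate is approved for and found no SSL-client usage. The check below is an added illustration written for this thread, not code from the original message, from NSS or from Fedora Directory Server. It reproduces, to my understanding, the rule NSS applies when computing a certificate's type: if the Netscape certificate type extension (nsCertType) is present its bits decide; otherwise the extended key usage (EKU) extension is mapped onto the same bits; with neither present an end-entity certificate is allowed every usage. The DER-encoded extension values at the bottom are constructed for the example (a server-only certificate of the kind OpenLDAP presented, and one that carries both usages); they are raw extension values, not whole certificates.

```python
"""
Decide whether a certificate's usage extensions allow it to act as a
TLS client, using the nsCertType-first, EKU-second rule that NSS
applies (assumption: mirrors NSS's cert_ComputeCertType; this is an
example written for the thread, not NSS or Fedora DS code).
"""

# nsCertType bit masks as used by NSS (NS_CERT_TYPE_*); bit 0 is the MSB.
NS_CERT_TYPE_SSL_CLIENT = 0x80
NS_CERT_TYPE_SSL_SERVER = 0x40
NS_CERT_TYPE_EMAIL = 0x20
NS_CERT_TYPE_OBJECT_SIGNING = 0x10
ALL_END_ENTITY_TYPES = (NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER
                        | NS_CERT_TYPE_EMAIL | NS_CERT_TYPE_OBJECT_SIGNING)

# EKU purposes (dotted OIDs) that NSS maps onto the nsCertType bits.
EKU_TO_CERT_TYPE = {
    "1.3.6.1.5.5.7.3.1": NS_CERT_TYPE_SSL_SERVER,      # id-kp-serverAuth
    "1.3.6.1.5.5.7.3.2": NS_CERT_TYPE_SSL_CLIENT,      # id-kp-clientAuth
    "1.3.6.1.5.5.7.3.3": NS_CERT_TYPE_OBJECT_SIGNING,  # id-kp-codeSigning
    "1.3.6.1.5.5.7.3.4": NS_CERT_TYPE_EMAIL,           # id-kp-emailProtection
}


def _der_tlv(data, pos=0):
    """Return (tag, value, next_pos) for one DER TLV at data[pos]."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid(content):
    """Decode the content octets of a DER OBJECT IDENTIFIER to dotted form."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 digit of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def cert_type_from_nscerttype(ext_value):
    """nsCertType is a BIT STRING; content[0] is the unused-bit count."""
    tag, content, _ = _der_tlv(ext_value)
    if tag != 0x03 or len(content) < 2:
        raise ValueError("nsCertType extension is not a non-empty BIT STRING")
    return content[1]


def cert_type_from_eku(ext_value):
    """EKU is a SEQUENCE OF OBJECT IDENTIFIER; OR together the mapped bits."""
    tag, body, _ = _der_tlv(ext_value)
    if tag != 0x30:
        raise ValueError("EKU extension is not a SEQUENCE")
    cert_type, pos = 0, 0
    while pos < len(body):
        tag, oid, pos = _der_tlv(body, pos)
        if tag == 0x06:
            cert_type |= EKU_TO_CERT_TYPE.get(decode_oid(oid), 0)
    return cert_type


def compute_cert_type(nscerttype=None, eku=None):
    """nsCertType wins if present, then EKU, else every end-entity usage."""
    if nscerttype is not None:
        return cert_type_from_nscerttype(nscerttype)
    if eku is not None:
        return cert_type_from_eku(eku)
    return ALL_END_ENTITY_TYPES


def usable_as_ssl_client(nscerttype=None, eku=None):
    """True if the certificate would pass NSS's SSL-client usage check."""
    return bool(compute_cert_type(nscerttype, eku) & NS_CERT_TYPE_SSL_CLIENT)


# Constructed extension values (not from any real certificate).
SERVER_ONLY_NSCERTTYPE = bytes.fromhex("03020640")    # BIT STRING: SSL server only
CLIENT_SERVER_NSCERTTYPE = bytes.fromhex("030206c0")  # BIT STRING: client + server
SERVER_ONLY_EKU = bytes.fromhex("300a06082b06010505070301")  # serverAuth
CLIENT_SERVER_EKU = bytes.fromhex(
    "301406082b0601050507030106082b06010505070302")         # serverAuth, clientAuth

if __name__ == "__main__":
    print("server-only nsCertType usable as client:",
          usable_as_ssl_client(nscerttype=SERVER_ONLY_NSCERTTYPE))
    print("serverAuth-only EKU usable as client:",
          usable_as_ssl_client(eku=SERVER_ONLY_EKU))
    print("serverAuth+clientAuth EKU usable as client:",
          usable_as_ssl_client(eku=CLIENT_SERVER_EKU))
```

Run against the certificate OpenLDAP actually presents (extract the two extension values with `openssl x509 -text` or `certutil -L -n <nickname>`), the function answers the question the FDS log raises: a certificate restricted to serverAuth, whether by nsCertType or by EKU, will be refused as a client regardless of how it is trusted, so the durable fix is to issue the proxy a certificate that also carries clientAuth (or, as the reply says, to drop certificate-based auth for this connection).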