Aleksander Adamowski wrote:
That should be fine. Fedora DS can do the same thing, e.g. with server-to-server chaining and replication, using the server cert for client cert auth. It just depends on the type of cert issued and/or the trust flags on the cert.

Rich Megginson wrote:
Do you need to use cert based auth? If not, just configure the application to not use cert. based auth - just use username/password auth over SSL (or TLS). If you must use cert. based auth, you may be able to use the certutil command to change the trust flags of the cert - see certutil -H. See also this page for information about cert. based auth - http://directory.fedoraproject.org/wiki/Howto:CertMapping

Hmm, this has given me an idea for a solution. After switching the Encryption -> Client Authentication setting of dirsrv from "Allow client authentication" to "Do not allow client authentication", I got this working.

It seems that whenever certificate authentication is an allowed possibility on the FDS server side, the OpenLDAP client tries using it even if it is operating inside an OpenLDAP server environment (in which case it supplies its server certificate as the client's - thus the problem).

This case is special since the OpenLDAP server acts as an LDAP client to the FDS server. I think the problem is on the OpenLDAP side (it shouldn't use its server certificate for client authentication when acting as an LDAP client).
Read carefully: I wasn't talking about nsswitch.conf (which is for the Name Service Switch), but nss.conf (which is a config file for mod_nss, which is based on the Network Security Services library). NSS (Netscape^H^H^H^H^Hwork Security Services) for crypto and nss (name service switch - as in nss_ldap) are completely different and unfortunately share the same name.

Like, say, some tweaks in nss.conf?

The FDS admin server (dirsrv-admin) is based on Apache and it uses mod_nss for handling SSL connections. So inside /etc/dirsrv/admin-serv/nss.conf you can tweak the SSL-related behaviour of dirsrv-admin.
Ok. I thought we were talking about the directory server only.
See the RHDS 8.0 Admin Guide, Chapter 12 - http://www.redhat.com/docs/manuals/dir-server/ag/8.0/ and http://tinyurl.com/688w9y

I thought that there might be a similar method to tweak the behaviour of dirsrv (although not through nss.conf, since dirsrv doesn't use mod_nss and doesn't contain an HTTP server in any part), like some undocumented setting in dse.ldif. However, the more correct fix turned out to be to disallow certificate-based client authentication.
See also the detailed information for all of the security/encryption configuration entries and attributes - http://tinyurl.com/35qddb - there is also an apparently undocumented entry cn=RSA, cn=encryption, cn=config.
-- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
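Added example, not part of the thread above and not code from the Fedora DS project: the command-line equivalent of the two remedies discussed, i.e. the LDIF that switches the directory server's Encryption -> Client Authentication setting from "Allow" (nsSSLClientAuth: allowed) to "Do not allow" (nsSSLClientAuth: off) on cn=encryption,cn=config, and the certutil listing that shows the trust flags Rich mentioned. The instance name slapd-example, the nickname Server-Cert and the bind DN are assumptions; adjust them for your install.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): LDIF and certutil
# commands for the client-authentication fix discussed above.
# INSTANCE, NICK and the bind DN below are assumptions for illustration.

INSTANCE="${INSTANCE:-slapd-example}"
CERTDB="/etc/dirsrv/${INSTANCE}"      # NSS cert/key database of the instance
NICK="${NICK:-Server-Cert}"           # nickname of the server certificate

# Emit a modify LDIF for cn=encryption,cn=config.  nsSSLClientAuth accepts
# off | allowed | required.  "allowed" (the default) is what makes a TLS
# client that happens to hold a certificate, such as slapd talking to FDS,
# offer it; "off" stops the server from asking for a client cert at all.
client_auth_ldif() {
  mode="$1"
  case "$mode" in
    off|allowed|required) ;;
    *) echo "client_auth_ldif: bad mode '$mode' (want off|allowed|required)" >&2
       return 1 ;;
  esac
  printf 'dn: cn=encryption,cn=config\n'
  printf 'changetype: modify\n'
  printf 'replace: nsSSLClientAuth\n'
  printf 'nsSSLClientAuth: %s\n' "$mode"
}

# Apply the change over a plain LDAP connection to the local server.
# The encryption settings are read at startup, so restart dirsrv afterwards.
apply_client_auth() {
  client_auth_ldif "$1" \
    | ldapmodify -x -H "ldap://localhost:389" -D "cn=Directory Manager" -W
}

# List the instance's certificates with their trust attributes (the
# "u,u,u" style column).  This is what Rich's certutil suggestion operates
# on; change flags with: certutil -M -d "$CERTDB" -n "$NICK" -t "<flags>".
show_trust_flags() {
  certutil -L -d "$CERTDB" | grep -F "$NICK"
}

# Usage when run directly:
#   sh thisfile.sh              -> prints the LDIF for "off"
#   sh thisfile.sh apply off    -> applies it with ldapmodify
#   sh thisfile.sh flags        -> shows the server cert's trust flags
case "${1:-print}" in
  print) client_auth_ldif off ;;
  apply) apply_client_auth "${2:-off}" ;;
  flags) show_trust_flags ;;
esac
```

Note the trade-off: nsSSLClientAuth: off is instance-wide, so it also disables certificate-based binds for every other client of that server, including any replication agreement or chaining that relies on cert auth. If you need those, the trust-flag route (certutil -M) or fixing the OpenLDAP side is the better option.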