On [Thu, 29.01.2009 13:32], John A. Sullivan III wrote:
Hello, all. This may be a bit off-topic as it is primarily an LDAP client issue, but I am having a bear of a time getting my test CentOS clients to access FDS. The problem is tls_checkpeer. I do want it set to yes, but this breaks access. It is as if the directory server's cert cannot be validated against the CA cert. Here are the pertinent settings from my CentOS client ldap.conf (as you can see, I've tried many combinations):

    uri ldap://ldap.mycompany.com/
    #host ldap.mycompany.com
    #ssl on
    ssl start_tls
    #tls_cacertdir /etc/pki/tls/certs
    tls_cacertfile /etc/pki/tls/certs/SSICA.pem
    pam_password md5
    tls_checkpeer yes
    tls_ciphers TLSv1

An strace shows that the SSICA.pem file is opened. Apparently, this is a problem in Ubuntu because of a change to GnuTLS. However, I can confirm that the combination of uri ldap://, ssl start_tls, and tls_certfile rather than tls_certdir works on Ubuntu. My problem is Red Hat style systems. Our test bed is CentOS 5.2. Does anyone have this working on newer Red Hat based systems? If so, with what configuration? Thanks - John
GnuTLS has a bug in some Ubuntu versions. This prevents correct certificate validation. See here: https://bugs.launchpad.net/ubuntu/+source/gnutls12/+bug/305264

How did you test access to FDS on Red Hat systems? If you use OpenLDAP command-line tools like ldapsearch to get access to FDS, you have to run cacertdir_rehash on the directory where the CA cert is stored.

What is the output from:

    # openssl s_client -connect your_host_fqdn:443

(make sure you have the cacert available in ca-bundle.crt)

Happy Day.
Thorsten
-- "Eternity is a very long time, especially towards the end." — Stephen Hawking
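The two points raised in the exchange above, tls_cacertfile versus tls_cacertdir (which only works after cacertdir_rehash), and the hostname match that tls_checkpeer yes also demands, reproduced as an added example that is not part of the thread and not Fedora Directory Server's own code. It builds a throwaway CA and server cert with openssl so it runs offline; the name ldap.example.test, the work directory and the file names are constructed for the demo and stand in for ldap.mycompany.com and SSICA.pem.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce offline the client-side
# checks behind tls_checkpeer, using a throwaway CA and server cert built here.
# Names and paths are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA="$WORK/ca.pem"                 # plays the role of SSICA.pem
SRV="$WORK/server.pem"            # plays the role of the FDS server cert
SRV_NAME="ldap.example.test"      # assumed hostname, stands in for the uri host

# Constructed test PKI: a self-signed CA and a server cert it issued, with the
# hostname in subjectAltName so the name check below has something to match.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=Test CA" \
    -keyout "$WORK/ca.key" -out "$CA" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$SRV_NAME" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$SRV_NAME" >"$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/server.csr" -CA "$CA" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/ext.cnf" -out "$SRV" >/dev/null 2>&1
}

# rehash_dir CACERT DIR: copy the CA into DIR and add the <subject-hash>.0
# symlink that cacertdir_rehash / c_rehash create. A lookup by directory
# (tls_cacertdir, openssl -CApath) only finds a CA through that hashed name.
rehash_dir() {
  mkdir -p "$2"
  cp "$1" "$2/"
  h=$(openssl x509 -noout -hash -in "$1")
  ln -sf "$(basename "$1")" "$2/$h.0"
}

# verify_cert file CAFILE | dir CADIR: does the server cert chain to the CA?
# "file" mirrors tls_cacertfile, "dir" mirrors tls_cacertdir. Prints OK or FAIL.
verify_cert() {
  if [ "$1" = file ]; then set -- -CAfile "$2"; else set -- -CApath "$2"; fi
  if openssl verify "$1" "$2" "$SRV" 2>/dev/null | grep -q ': OK$'; then
    echo OK
  else
    echo FAIL
  fi
}

# check_hostname NAME: tls_checkpeer also requires the name the client connects
# to (the uri host) to match the cert's SAN, or its CN when there is no SAN.
# A cert that chains to the CA but carries the wrong name must still fail.
check_hostname() {
  if openssl verify -CAfile "$CA" -verify_hostname "$1" "$SRV" 2>/dev/null | grep -q ': OK$'; then
    echo OK
  else
    echo FAIL
  fi
}

make_test_pki
rehash_dir "$CA" "$WORK/certs"                              # as after cacertdir_rehash
mkdir -p "$WORK/certs_raw" && cp "$CA" "$WORK/certs_raw/"   # CA present, but no hash link

echo "tls_cacertfile:               $(verify_cert file "$CA")"
echo "tls_cacertdir, not rehashed:  $(verify_cert dir "$WORK/certs_raw")"
echo "tls_cacertdir, rehashed:      $(verify_cert dir "$WORK/certs")"
echo "hostname $SRV_NAME:    $(check_hostname "$SRV_NAME")"
echo "hostname wrong.example.test:  $(check_hostname wrong.example.test)"
```

The un-rehashed directory fails even though the CA file is sitting in it, which is the symptom Thorsten's cacertdir_rehash advice addresses; the single-file form needs no hashing, which is why tls_cacertfile is the easier setting to get right. Against a live server the same chain check is `openssl s_client -CAfile SSICA.pem -connect host:636` for ldaps, or `-starttls ldap` on port 389 (supported in current OpenSSL releases) for the `ssl start_tls` configuration in the question; the line to look for in the output is `Verify return code: 0 (ok)`.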
-- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users