On Wed, 2009-06-24 at 09:32 -0700, Dumbo Q wrote: > I've managed to get past the the strangely obscure method of > installing an SSL certificate, and from the server side everything > appears to be OK. Actually its a "CACert" certificate, rather then > self signed. Using Jxplorer, I can connect the the DS using SSL, > accept the certificate, and I'm all set. > > However, I am having a ton of trouble figuring out how to use an > untrusted ca for my linux user authentication. I > changed /etc/ldap.conf to use ldaps://, and it attemtps to connect as > expected. I think this would work, if I could figure out how to tell > it to accept the certificate. I get the following error message in > DS after running getent passwd. > > [24/Jun/2009:12:24:02 -0400] conn=3 op=-1 fd=66 closed - Peer does not > recognize and trust the CA that issued your certificate. > [24/Jun/2009:12:24:02 -0400] conn=4 op=-1 fd=67 closed - Peer does not > recognize and trust the CA that issued your certificate. > > > Any thoughts? <snip> I believe you'll find the way we did it in several of my recent posts. You'll need to configure the rest of the SSL portions of ldap.conf. In particular, you will need to tell it where to find the CA cert. I believe we stuck ours in /etc/pki/tls/certs/ and pointed the tlscertfile (?) parameter to it. Hope this helps - John > -- John A. Sullivan III Open Source Development Corporation +1 207-985-7880 jsullivan@xxxxxxxxxxxxxxxxxxx http://www.spiritualoutreach.com Making Christianity intelligible to secular society -- 389 users mailing list 389-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users