-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jean-Noel Chardron wrote: > Dumbo Q a écrit : >> I've managed to get past the the strangely obscure method of >> installing an SSL certificate, and from the server side everything >> appears to be OK. Actually its a "CACert" certificate, rather then >> self signed. Using Jxplorer, I can connect the the DS using SSL, >> accept the certificate, and I'm all set. >> >> However, I am having a ton of trouble figuring out how to use an >> untrusted ca for my linux user authentication. I changed >> /etc/ldap.conf to use ldaps://, and it attemtps to connect as >> expected. I think this would work, if I could figure out how to tell >> it to accept the certificate. I get the following error message in DS >> after running getent passwd. >> >> [24/Jun/2009:12:24:02 -0400] conn=3 op=-1 fd=66 closed - Peer does not >> recognize and trust the CA that issued your certificate. >> [24/Jun/2009:12:24:02 -0400] conn=4 op=-1 fd=67 closed - Peer does not >> recognize and trust the CA that issued your certificate. >> >> >> Any thoughts? >> > I think you have to use the directive TLS_CACERT or TLS_CACERT_DIR in > /etc/ldap.conf > man ldap.conf : > TLS_CACERT <filename> > Specifies the file that contains certificates for all of > the Certificate Authorities the client will recognize. > > TLS_CACERTDIR <path> > Specifies the path of a directory that contains Certifi‐ > cate Authority certificates in separate individual files. > The TLS_CACERT is always used before TLS_CACERTDIR. This > parameter is ignored with GNUtls. > >> ------------------------------------------------------------------------ >> >> -- >> 389 users mailing list >> 389-users@xxxxxxxxxx >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > > -- > 389 users mailing list > 389-users@xxxxxxxxxx > https://www.redhat.com/mailman/listinfo/fedora-directory-users I was having a similar issue yesterday, everything worked until I appended more then one CA to the file in /etc/openldap/cacerts, then it kept failing until I limited it to one CA. Are you using a single CA? -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkpCW6YACgkQ5B+8XEnAvquidwCcDcnsJTuyGaVGkfc/NEXYDzdD 3WIAnAx7FBt+G8VQYd9Zf1Vzbo7ebs/2 =lFVu -----END PGP SIGNATURE----- -- 389 users mailing list 389-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
