On Wed, 2009-06-24 at 11:28 -0700, Dumbo Q wrote:
> To answer a few questions,
> Searching for anything about ldap.conf in Google gave me a lot of
> openldap specific stuff. Sorry to have to post into this mailing
> list, but I figure that if I'm having this much trouble getting this to
> work, then there is a good chance others are too.
>
> I've tried a few combinations of these and none have worked for me.
> TLS_CACERT is pointing to CACert's root certificate.
>
> Here is the current tail of my ldap.conf file.
> TLS_CACERT /etc/pki/tls/certs/cacert.org-root.txt
> TLS_CACERT_DIR /etc/pki/tls/certs
> TLS_REQCERT allow
> uri ldaps://rhds.example.com:636/
> ssl no
> #tls_cacertdir /etc/pki/tls/certs
> pam_password ssha
>
> Interestingly enough, it worked after doing the following.
> cat /etc/pki/tls/certs/cacert.org-root.txt >> /etc/pki/tls/cert.pem
> This is the symlink to ca-bundle.crt

This may go back to using the wrong variables and thus falling through to
the defaults, which point tls_cacertfile to ca-bundle.crt. Just a guess - John

> My fear with this is that I'll run a yum -y update on all my servers,
> and then nobody will be able to log in anywhere.
>
> ______________________________________________________________________
> From: Jean-Noel Chardron <Jean-Noel.Chardron@xxxxxxxxxxxx>
> To: General discussion list for the 389 Directory server project.
> <fedora-directory-users@xxxxxxxxxx>
> Sent: Wednesday, June 24, 2009 1:19:36 PM
> Subject: Re: [389-users] Trouble using self signed certificates.
>
> David Christensen wrote:
> >
> > I was having a similar issue yesterday, everything worked until I
> > appended more than one CA to the file in /etc/openldap/cacerts, then it
> > kept failing until I limited it to one CA. Are you
> > using a single CA?
> >
> The client authenticates to a server with a single authority, so why
> try to install two or more? Otherwise you must use one file per CA in the
> directory, unless you mean a CA chain.
> >
> > --
> > 389 users mailing list
> > 389-users@xxxxxxxxxx
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@xxxxxxxxxxxxxxxxxxx

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
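Added example, not code from the thread or from the 389/OpenLDAP projects: a small POSIX shell audit of the two points the thread turns on, namely what TLS_REQCERT is set to and whether the CA named in TLS_CACERT is actually present in the system bundle that a client falls back to when the TLS_CACERT setting is not the one being honoured. Per ldap.conf(5), TLS_REQCERT allow lets the session proceed even when the server presents a bad or no certificate, so it hides exactly the verification failure being debugged. All paths, the config files and the PEM "certificate" bodies are constructed placeholders for an offline demonstration; the "last occurrence wins" rule in ldap_conf_get is this script's assumption about sequential parsing, not a documented guarantee.

```shell
#!/bin/sh
# Added example, not from the thread: audit TLS settings in an ldap.conf.
# Paths, configs and the "certificate" bodies are constructed placeholders.

# Print the effective value of a key: case-insensitive match, '#' lines
# skipped, last occurrence wins (assumption: mirrors sequential parsing).
ldap_conf_get() {
    awk -v key="$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && toupper($1) == key { val = $2 }
        END { print val }' "$1"
}

# Emit one line per PEM certificate: its base64 body with newlines removed,
# so certificates can be compared textually without needing openssl.
pem_bodies() {
    awk '/-----BEGIN CERTIFICATE-----/ { inside = 1; body = ""; next }
         /-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
         inside { body = body $0 }' "$1"
}

# Succeed only if every certificate in file $1 is also present in bundle $2.
certs_contained_in() {
    pem_bodies "$1" | while IFS= read -r body; do
        pem_bodies "$2" | grep -qxF -- "$body" || exit 1
    done
}

# Report findings for config $1 against system bundle $2.
# Returns 0 when nothing was flagged, 1 otherwise.
audit_ldap_conf() {
    audit_rc=0
    reqcert=$(ldap_conf_get "$1" TLS_REQCERT | tr '[:upper:]' '[:lower:]')
    case "$reqcert" in
        ""|demand|hard) ;;   # default (demand) or equivalent: failures abort
        *) echo "WARN: TLS_REQCERT $reqcert lets the session proceed on a bad or missing server certificate"
           audit_rc=1 ;;
    esac
    cacert=$(ldap_conf_get "$1" TLS_CACERT)
    if [ -n "$cacert" ] && [ ! -r "$cacert" ]; then
        echo "WARN: TLS_CACERT file $cacert is not readable"
        audit_rc=1
    elif [ -n "$cacert" ] && ! certs_contained_in "$cacert" "$2"; then
        echo "WARN: CA in $cacert is absent from $2; a client that falls back to the system bundle cannot verify the server"
        audit_rc=1
    fi
    return $audit_rc
}

DEMO=$(mktemp -d)
# Constructed placeholder certificate files: PEM framing around dummy base64.
printf '%s\n' '-----BEGIN CERTIFICATE-----' \
    'UExBQ0VIT0xERVItUk9PVC1DQS1OT1QtQS1SRUFMLUNFUlRJRklDQVRF' \
    '-----END CERTIFICATE-----' > "$DEMO/cacert.org-root.txt"
printf '%s\n' '-----BEGIN CERTIFICATE-----' \
    'UExBQ0VIT0xERVItU1lTVEVNLUJVTkRMRS1DQS1OT1QtUkVBTA==' \
    '-----END CERTIFICATE-----' > "$DEMO/cert.pem"

# The ldap.conf tail quoted in the thread, with paths redirected to the demo dir.
cat > "$DEMO/ldap.conf" <<EOF
TLS_CACERT $DEMO/cacert.org-root.txt
TLS_CACERT_DIR $DEMO
TLS_REQCERT allow
uri ldaps://rhds.example.com:636/
ssl no
#tls_cacertdir $DEMO
pam_password ssha
EOF
# Hardened variant: a verification failure aborts the connection.
sed 's/^TLS_REQCERT allow$/TLS_REQCERT demand/' "$DEMO/ldap.conf" > "$DEMO/ldap-hardened.conf"

echo "== as quoted in the thread =="
audit_ldap_conf "$DEMO/ldap.conf" "$DEMO/cert.pem" && echo "no findings"
echo "== root appended to the bundle (the thread's workaround) and TLS_REQCERT demand =="
cat "$DEMO/cacert.org-root.txt" >> "$DEMO/cert.pem"
audit_ldap_conf "$DEMO/ldap-hardened.conf" "$DEMO/cert.pem" && echo "no findings"
```

Run as-is and the first audit flags both the permissive TLS_REQCERT and the root CA missing from the bundle; the second, after the same append the thread used plus TLS_REQCERT demand, reports nothing. The bundle check is what turns John's guess into something testable: if the client only works once the CA is in cert.pem, the TLS_CACERT line is not the store being consulted, and a package update that rewrites the bundle will remove the fix.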