I just came across the messages regarding RHEL4, LDAP and TLS on the list
previously:
https://www.redhat.com/archives/redhat-list/2005-May/msg00210.html
I had been struggling with the same problem, and this was just the push
that I needed to figure out how to get RHEL 4 working as a client.
The key insight was that RHEL4's nss_ldap module validates the certificate
by default, despite this bit of documentation in /etc/ldap.conf:
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
#tls_checkpeer yes
It appears that the default has changed to "tls_checkpeer yes" without the
comment being changed in the configuration file. This is documented in
Bugzilla:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=122129
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=123877
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=126474
If you are running with a self-signed certificate (as is the case by
default if you don't install another certificate), RHEL 4's nss_ldap will
fail unless "tls_checkpeer no" is set in /etc/ldap.conf.
Alternatively, if you are concerned about SSL security, you can use a
properly signed SSL certificate, and use the tls_cacert or tls_cacertdir
directives to point nss_ldap at the CA's certificate so that it can
validate the presented LDAP certificate.
I set up my own CA and then generated a certificate for the LDAP server,
signed it, and then made my CA's certificate available through the
tls_cacert directive, and it worked. If you generate a certificate and
have it signed by a commercial CA, you could set tls_cacert as follows:
tls_cacert /usr/share/ssl/certs/ca-bundle.crt
--
Richard Bullington-McGuire, Managing Partner, PKR Internet, LLC
Email: rbulling@xxxxxxxxxxxxxxx Web: http://pkrinternet.com/
Phone: +1 (703) 271 0607 Fax: +1 (703) 271 0580
PGP key IDs: RSA: 0x9386230 DH/DSS: 0xDAC3028E
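A small audit script for the situation described in this post, added here as an illustration and not part of the original message or of nss_ldap: it reads an ldap.conf, ignores the commented "#tls_checkpeer yes" hint, assumes the undocumented RHEL4 default of "yes" when the directive is absent, and reports whether the client will verify the server certificate and whether a CA source (tls_cacert or tls_cacertdir) is configured. The function name and the sample configuration it writes are constructed for the example.

```shell
#!/bin/sh
# audit_ldap_tls FILE
# Exit status: 0 = verification on with a CA source configured
#              1 = verification on but no tls_cacert/tls_cacertdir
#                  (the RHEL4 situation: a self-signed server cert is rejected)
#              2 = tls_checkpeer no (server certificate is never verified)
audit_ldap_tls() {
    conf="$1"
    # Only uncommented directives count; the stock file's "#tls_checkpeer yes"
    # is a comment, so it must not be picked up. Last occurrence wins.
    checkpeer=$(sed -n 's/^[[:space:]]*tls_checkpeer[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$conf" | tail -n 1)
    cacert=$(sed -n 's/^[[:space:]]*tls_cacert\(dir\)\{0,1\}[[:space:]]\{1,\}\([^[:space:]]*\).*/\2/p' "$conf" | tail -n 1)
    # Assumed default when the directive is absent: "yes", as observed on RHEL4.
    [ -z "$checkpeer" ] && checkpeer=yes
    case "$checkpeer" in
        [Nn][Oo])
            echo "tls_checkpeer no: the LDAP server certificate is not verified"
            return 2 ;;
    esac
    if [ -z "$cacert" ]; then
        echo "tls_checkpeer yes but no tls_cacert/tls_cacertdir: a self-signed server cert will be rejected"
        return 1
    fi
    echo "tls_checkpeer yes with CA source: $cacert"
    return 0
}

# Constructed sample resembling the stock RHEL4 /etc/ldap.conf: the only
# tls_checkpeer line is a comment, so the effective setting is the default.
write_stock_sample() {
    printf '# OpenLDAP SSL options\n# Require and verify server certificate (yes/no)\n# Default is "no"\n#tls_checkpeer yes\nuri ldaps://ldap.example.invalid/\n' > "$1"
}

demo=$(mktemp)
write_stock_sample "$demo"
audit_ldap_tls "$demo" || echo "exit status $?"
rm -f "$demo"
```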