[Fedora-directory-users] [OT?] tls_checkpeer yes problems

John A. Sullivan III jsullivan at opensourcedevel.com
Thu Jan 29 18:32:12 UTC 2009


Hello, all.  This may be a bit off-topic as it is primarily an ldap
client issue but I am having a bear of a time getting my test centos
clients to access fds.  The problem is tls_checkpeer.  I do want it set
to yes but this breaks access.  It is as if the directory server's cert
cannot be validated against the CA cert.  Here are the pertinent
settings from my centos client ldap.conf (as you can see, I've tried
many combinations):

uri ldap://ldap.mycompany.com/
#host ldap.mycompany.com
#ssl on
ssl start_tls
#tls_cacertdir /etc/pki/tls/certs
tls_cacertfile /etc/pki/tls/certs/SSICA.pem
pam_password md5
tls_checkpeer yes
tls_ciphers TLSv1

An strace shows that the SSICA.pem file is opened.  Apparently, this is
a problem in Ubuntu because of a change to gnutls.  However, I can
confirm the combination of uri ldap://, ssl start_tls, and tls_certfile
rather than tls_certdir work on Ubuntu.  My problem is redhat style
systems.

Our test bed is CentOS 5.2.  Does anyone have this working on newer
redhat based systems? If so, with what configuration? Thanks - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
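One way to reproduce offline what tls_checkpeer does with tls_cacertfile (chain validation of the server certificate against the CA file), added here as an example and not part of the original post: a throwaway "SSICA" CA and an unrelated CA are constructed with openssl, one server certificate is issued by each, and a small check function runs `openssl verify -CAfile` on both. All certificate names and the temporary directory are constructed for the demo; openssl on PATH is assumed.

```shell
#!/bin/sh
# Constructed demo: build a throwaway CA, one server cert it signed and one
# signed by an unrelated CA, then validate each against the CA file the way
# an ldap client with tls_checkpeer yes / tls_cacertfile would.
set -e
WORK=$(mktemp -d)

make_ca() {  # $1 = file prefix, $2 = CA common name (constructed)
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

make_server_cert() {  # $1 = output prefix, $2 = signing CA prefix, $3 = server FQDN
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/$1.csr" \
    -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
    -out "$WORK/$1.pem" 2>/dev/null
}

# check_peer_cert CA_FILE SERVER_CERT -> prints "ok" when the server cert
# chains to CA_FILE, "fail" otherwise. This covers the chain part of the
# peer check only; the client additionally matches the hostname against
# the certificate, which openssl verify does not do here.
check_peer_cert() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

make_ca ssica "SSICA test root (constructed)"
make_ca other "Unrelated CA (constructed)"
make_server_cert good ssica ldap.mycompany.com   # issued by the trusted CA
make_server_cert bad  other ldap.mycompany.com   # issued by a CA not in the CA file

check_peer_cert "$WORK/ssica.pem" "$WORK/good.pem"   # ok
check_peer_cert "$WORK/ssica.pem" "$WORK/bad.pem"    # fail
```

Against the live server the equivalent check is `openssl s_client -connect ldap.mycompany.com:389 -starttls ldap -CAfile /etc/pki/tls/certs/SSICA.pem` (the ldap STARTTLS option needs OpenSSL 1.1.0 or newer); a "fail" here with the CA file the client uses means SSICA.pem does not contain the certificate that actually issued the directory server's certificate, or an intermediate is missing from it.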
