http://qa.mandrakesoft.com/show_bug.cgi?id=4462


[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
     Ever Confirmed|                            |1

------- Additional Comments From [EMAIL PROTECTED]  2003-04-08 21:53 -------
Alternatively, maybe the libldap(2) package should own /etc/ldap.conf, if it is
configured to use it, since pam_ldap and nss_ldap (and any other package
that uses ldap) should require it.

Dirk, what settings are you using for TLS_REQCERT?

I can't get ldaps to work unless I set:
TLS_REQCERT allow 
This effectively turns off certificate validation (which is a bad thing), but
seems to affect Mandrake 9.1 and cooker (9.0 is not affected), which may be
because of openssl-0.9.7 over openssl-0.9.6. I am using a cert signed by our own
self-signed CA cert, which is specified as:
TLS_CACERT /etc/ssl/ca.crt
and
tls_cacertfile /etc/ssl/ca.crt

But this would be a separate bug I guess. I will confirm this one, I think
libldap should own /etc/ldap.conf.


------- Reminder: -------
assigned_to: [EMAIL PROTECTED]
status: NEW
creation_date: 
description: 
Hi,

The following all has to do with the openldap-clients rpm and is more a
suggestion than a bug report.

I've played around with ldaps (secure LDAP) on the new 9.2 beta, gone are the
exception errors - THANKS!

I had some difficulty trying to let my client accept the certificate of my
server, which did not happen in 9.0!

So I came across this bit in the FAQ on the openldap site

http://www.openldap.org/faq/data/cache/185.html

This is where I went off to the link that leads to the documentation:

http://www.openldap.org/doc/admin21/tls.html

going down to the client part is where the answer lies:

TLS_CERT <filename>
or
TLS_REQCERT { never | allow | try | demand }

This has to be done in the /etc/ldap.conf file and not the
/etc/openldap/ldap.conf which can be confusing because I was, up to now, under
the impression it is only used by the nss_ldap and pam_ldap modules.

This file naturally can be overruled by any .ldaprc file in a user's home directory.

Ok so here is some kind of suggestion:

Is there a value that can be specified for the location of the config file that
ldapsearch for instance will be using, when these binaries are compiled?

If so, would it not be a better place to put it in /etc/openldap/?

Why I make this suggestion: these are TWO separate sets of packages (the
nss_ldap/pam_ldap packages that use /etc/ldap.conf vs. the openldap packages that
use config files in /etc/openldap/)

The current openldap-clients package has no config file that gets installed
(/etc/ldap.conf) thus I assume this will make it difficult for the average Joe
out there to eventually get ldaps going, taking me as an example!

Perhaps you can package an "ldaps_sample_config" file with it and a readme, so
the person can quickly grasp what to do, rather than going to the Net to search
and experiment.

If you need any further input please feel free to contact me.

Dirk 27-12-841-3042
or cell 27-72-596-3050
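Both the work-around quoted in the comment above (TLS_REQCERT allow, which accepts any server certificate) and the TLS_REQCERT/TLS_CACERT client options from the OpenLDAP documentation linked in the description can be checked mechanically. The script below is an added example and is not code from this bug report, from Mandrake or from OpenLDAP: it audits an ldap.conf for those two settings and builds a weak and a hardened sample configuration in a temporary directory to run against. The sample host ldap.example.org, the placeholder CA file and the audit function's name are constructed for illustration; the value meanings (never/allow/try/demand) follow the linked ldap.conf documentation, and "hard" as a synonym for "demand" and "demand" as the default are assumed from the OpenLDAP ldap.conf(5) manual rather than stated on this page.

```shell
#!/bin/sh
# Added example (not from the bug report or OpenLDAP): audit an ldap.conf
# for TLS_REQCERT / TLS_CACERT and report whether server certificate
# validation is actually enforced. Sample configs below are constructed.

# audit_ldap_conf FILE
# Prints one finding per line. Returns 0 when the file requires a valid
# server certificate and names a CA file, 1 otherwise.
audit_ldap_conf() {
    conf="$1"
    status=0

    # Strip comments; keywords are case-insensitive and the last one wins.
    reqcert=$(sed 's/#.*//' "$conf" | awk 'toupper($1)=="TLS_REQCERT" {v=tolower($2)} END {print v}')
    # Accept both the libldap spelling (TLS_CACERT) and the pam_ldap/nss_ldap
    # spelling (tls_cacertfile) that the comment above shows in /etc/ldap.conf.
    cacert=$(sed 's/#.*//' "$conf" | awk 'toupper($1)=="TLS_CACERT" || tolower($1)=="tls_cacertfile" {v=$2} END {print v}')

    case "$reqcert" in
        never|allow)
            echo "WEAK: TLS_REQCERT $reqcert accepts any (or no) server certificate"
            status=1 ;;
        try)
            echo "WARN: TLS_REQCERT try proceeds if the server sends no certificate at all"
            status=1 ;;
        demand|hard|'')
            # "hard" is a synonym for "demand", and "demand" is the documented default (assumed)
            echo "OK: TLS_REQCERT ${reqcert:-demand (default)} requires a valid server certificate" ;;
        *)
            echo "UNKNOWN: TLS_REQCERT $reqcert"
            status=1 ;;
    esac

    if [ -z "$cacert" ]; then
        echo "WEAK: no TLS_CACERT, so there is no trust anchor to validate the chain against"
        status=1
    elif [ ! -r "$cacert" ]; then
        echo "WARN: TLS_CACERT $cacert is not readable by this user"
    else
        echo "OK: TLS_CACERT $cacert"
    fi
    return "$status"
}

# --- constructed sample configurations ---------------------------------
demo_dir="${TMPDIR:-/tmp}/ldapconf_demo.$$"
mkdir -p "$demo_dir"
trap 'rm -rf "$demo_dir"' EXIT
# Stands in for /etc/ssl/ca.crt from the comment; not a real certificate.
printf 'constructed placeholder, not a real CA certificate\n' > "$demo_dir/ca.crt"

weak_conf="$demo_dir/ldap.conf.weak"
cat > "$weak_conf" <<EOF
# constructed: the work-around quoted in the comment above
URI ldaps://ldap.example.org
TLS_REQCERT allow
EOF

hard_conf="$demo_dir/ldap.conf.hard"
cat > "$hard_conf" <<EOF
# constructed: require a certificate that chains to the local CA
URI ldaps://ldap.example.org
TLS_CACERT $demo_dir/ca.crt
TLS_REQCERT demand
EOF

for f in "$weak_conf" "$hard_conf"; do
    echo "== $f"
    audit_ldap_conf "$f" && echo "   verdict: hardened" || echo "   verdict: weak (exit 1)"
done
```

Point the function at the real file the client library reads (on the Mandrake layout discussed here that is /etc/ldap.conf, not /etc/openldap/ldap.conf, and a user's ~/.ldaprc can still override it) to see which of the two verdicts a given client gets.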
