On Mon, May 21, 2007 at 08:32:53AM -0700, Richard A Nelson wrote:
> On Mon, 21 May 2007, Sjoerd Simons wrote:
> Hello, and you win the prize of filing the 1st bug routed to the new
> maintainer - your prize is still being determined :)

:)

> > When upgrading from 251-7.5 libnss-ldap starts failing. Debug shows the
> > following:
> >
> >TLS: can't connect.
> >ldap_err2string
> >ldap_err2string
> 
> You should try -vd9999 - with higher debugging, you can see the notice
> that your certificate was likely rejected due to being self-signed.

I've put debug 9999 in /etc/libnss-ldap.conf but that doesn't reveal more
information..

> > Our ldap server is using a self-signed certificate and ``TLS_REQCERT 
> > never''
> > is specified in /etc/ldap/ldap.conf..
> 
> Please try the following settings instead:
> TLS_CACERTDIR /etc/ssl/certs
> TLS_CRLCHECK none
> # Allow self-signed certificates
> TLS_REQCERT allow

Using allow instead of never makes it fail because the CN doesn't match or at
least it makes ldapsearch fail.. For nss it doesn't make a difference (as in ,
it still fails).. We're using ldap.spacelabs.nl which refers to two ldap
servers, but both have their own certificates with their respective hostnames
as CN (oh, wonderfull SSL world)

> Now, there's a caveat here, that the ca-certificates package can leave
> dangling symlinks in /etc/ssl/certs... and those will also cause
> certificate failure :(
> 
> So, you may need to run `update-ca-certificates -f` to force the cleanup
> (or a q&d script to just remove them).

Also didn't help..

> > Yes i know, this is not the most secure setup and we should fix it 
> > sometime..
> > But it should still work :)
> 
> Yeah,  I'm in the same boat :)

:)


  Sjoerd
-- 
My religion consists of a humble admiration of the illimitable superior
spirit who reveals himself in the slight details we are able to perceive
with our frail and feeble mind.
                -- Albert Einstein


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to