On Mon, May 21, 2007 at 08:32:53AM -0700, Richard A Nelson wrote:
> On Mon, 21 May 2007, Sjoerd Simons wrote:
> Hello, and you win the prize of filing the 1st bug routed to the new
> maintainer - your prize is still being determined :)
:)
> > When upgrading from 251-7.5 libnss-ldap starts failing. Debug shows the
> > following:
> >
> >TLS: can't connect.
> >ldap_err2string
> >ldap_err2string
>
> You should try -vd9999 - with higher debugging, you can see the notice
> that your certificate was likely rejected due to being self-signed.
I've put debug 9999 in /etc/libnss-ldap.conf but that doesn't reveal more
information..
> > Our ldap server is using a self-signed certificate and ``TLS_REQCERT
> > never''
> > is specified in /etc/ldap/ldap.conf..
>
> Please try the following settings instead:
> TLS_CACERTDIR /etc/ssl/certs
> TLS_CRLCHECK none
> # Allow self-signed certificates
> TLS_REQCERT allow
Using allow instead of never makes it fail because the CN doesn't match or at
least it makes ldapsearch fail.. For nss it doesn't make a difference (as in ,
it still fails).. We're using ldap.spacelabs.nl which refers to two ldap
servers, but both have their own certificates with their respective hostnames
as CN (oh, wonderfull SSL world)
> Now, there's a caveat here, that the ca-certificates package can leave
> dangling symlinks in /etc/ssl/certs... and those will also cause
> certificate failure :(
>
> So, you may need to run `update-ca-certificates -f` to force the cleanup
> (or a q&d script to just remove them).
Also didn't help..
> > Yes i know, this is not the most secure setup and we should fix it
> > sometime..
> > But it should still work :)
>
> Yeah, I'm in the same boat :)
:)
Sjoerd
--
My religion consists of a humble admiration of the illimitable superior
spirit who reveals himself in the slight details we are able to perceive
with our frail and feeble mind.
-- Albert Einstein
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]