On Mon, 21 May 2007, Sjoerd Simons wrote:
> > You should try -vd9999 - with higher debugging, you can see the notice
> > that your certificate was likely rejected due to being self-signed.
> I've put debug 9999 in /etc/libnss-ldap.conf but that doesn't reveal more
> information.
Then I wonder if you are really connecting at all ! You should see data
like:
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority, issuer: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
...
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
...
TLS trace: SSL_connect:SSLv3 flush data
> Using allow instead of never makes it fail because the CN doesn't match, or at
> least it makes ldapsearch fail. For nss it doesn't make a difference (as in,
> it still fails). We're using ldap.spacelabs.nl which refers to two ldap
> servers, but both have their own certificates with their respective hostnames
> as CN (oh, wonderful SSL world).
> > You can do a wildcard certificate (something I need to do for my setup,
> > but haven't yet).
> Also didn't help.
Again, I wonder if you are actually making a connection.
What are the host/uri lines in /etc/ldap/ldap.conf ?
--
Rick Nelson
"I don't know why, but first C programs tend to look a lot worse than
first programs in any other language (maybe except for fortran, but then
I suspect all fortran programs look like `firsts')"
(By Olaf Kirch)
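The thread turns on two separate questions: whether a TLS handshake happens at all (no "TLS certificate verification" lines in the debug trace means the client never got that far), and, when it does, whether the chain verifies and whether the host named in the ldap.conf URI matches the server certificate's CN. The following script is an added example, not code from this thread or from libnss-ldap: it parses the "TLS certificate verification: depth: N, err: N, subject: ..., issuer: ..." lines that ldapsearch -d prints, maps the OpenSSL verify codes it recognises (0, 2, 9, 10, 18, 19, 20 are real X509 verify result values) to an explanation, and then checks the URI host against the leaf certificate's CN and any subject alternative names with the usual single-label wildcard rule, which is why a `*.example.test` certificate would cover both servers behind one alias. The sample traces, hostnames and DNs are constructed for the example.

```python
import re

# Subset of OpenSSL's X509 verify result codes, as printed in the "err:" field.
X509_ERRORS = {
    0: "ok",
    2: "unable to get issuer certificate",
    9: "certificate is not yet valid",
    10: "certificate has expired",
    18: "self-signed leaf certificate (not signed by any CA in TLS_CACERT)",
    19: "self-signed certificate in chain (the CA is not in TLS_CACERT)",
    20: "unable to get local issuer certificate",
}

VERIFY_RE = re.compile(
    r"TLS certificate verification: depth: (?P<depth>\d+), err: (?P<err>-?\d+), "
    r"subject: (?P<subject>.*?), issuer: (?P<issuer>.*)$"
)


def parse_verification(trace):
    """Collect the per-certificate verification results from an ldapsearch -d trace."""
    results = []
    for line in trace.splitlines():
        m = VERIFY_RE.match(line.strip())
        if m:
            results.append({
                "depth": int(m.group("depth")),
                "err": int(m.group("err")),
                "subject": m.group("subject"),
                "issuer": m.group("issuer"),
            })
    return results


def dn_field(dn, key):
    """Pull one attribute (e.g. CN) out of an OpenSSL-style '/C=US/O=.../CN=...' DN."""
    m = re.search(r"/%s=([^/]*)" % re.escape(key), dn)
    return m.group(1) if m else None


def hostname_matches(hostname, name):
    """Match a URI host against a certificate name; '*' only covers the leftmost label."""
    hostname = hostname.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        h_labels = hostname.split(".")
        n_labels = name.split(".")
        return len(h_labels) == len(n_labels) and h_labels[1:] == n_labels[1:]
    return hostname == name


def diagnose(trace, uri_host, subject_alt_names=()):
    """Explain why TLS to the LDAP server would be refused, or report 'ok' / no handshake."""
    results = parse_verification(trace)
    if not results:
        return ["no TLS handshake in trace: check the host/uri lines in ldap.conf"]
    problems = []
    for r in results:
        if r["err"] != 0:
            reason = X509_ERRORS.get(r["err"], "verify error %d" % r["err"])
            problems.append("depth %d (%s): %s" % (r["depth"], r["subject"], reason))
    leaf = min(results, key=lambda r: r["depth"])  # depth 0 is the server certificate
    names = [n for n in [dn_field(leaf["subject"], "CN")] if n] + list(subject_alt_names)
    if not any(hostname_matches(uri_host, n) for n in names):
        problems.append("hostname %s matches none of %s" % (uri_host, names))
    return problems or ["ok"]


# Constructed sample traces in the format ldapsearch -d prints (not captured from a real server).
TRACE_OK = """\
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /C=NL/O=Example CA/CN=Example Root CA, issuer: /C=NL/O=Example CA/CN=Example Root CA
TLS certificate verification: depth: 0, err: 0, subject: /C=NL/O=Example/CN=ldap1.example.test, issuer: /C=NL/O=Example CA/CN=Example Root CA
TLS trace: SSL_connect:SSLv3 read server certificate A
"""
TRACE_SELF_SIGNED = """\
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 18, subject: /C=NL/O=Example/CN=ldap1.example.test, issuer: /C=NL/O=Example/CN=ldap1.example.test
"""
TRACE_NO_TLS = "ldap_connect_to_host: TCP ldap.example.test:636\n"

if __name__ == "__main__":
    for label, trace, host in [("ok", TRACE_OK, "ldap1.example.test"),
                               ("self-signed", TRACE_SELF_SIGNED, "ldap1.example.test"),
                               ("cn mismatch", TRACE_OK, "ldap.example.test"),
                               ("no handshake", TRACE_NO_TLS, "ldap.example.test")]:
        print(label, "->", diagnose(trace, host))
```

Run it against the output of `ldapsearch -d 9999 -ZZ ...` saved to a file: a chain that verifies with err 0 at every depth but still fails with TLS_REQCERT allow is the CN-mismatch case from the thread, while a trace with no verification lines at all points at the host/uri configuration rather than at certificates.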