On 06/07/2013 09:26 AM, Jan Cholasta wrote:
> On 7.6.2013 15:17, John Dennis wrote:
>> On 06/07/2013 08:57 AM, Jan Cholasta wrote:
>>> Yes, this is correct. The DS certificate must be directly signed by the
>>> CA trusted by IPA (specified by --root-ca-cert in ipa-server-install);
>>> there may be no intermediate CAs, because ldapsearch and friends and
>>> python-ldap don't like them.
>>
>> That doesn't sound right. Do we understand why a chain length > 1 is
>> failing?
>
> LDAP utilities and python-ldap only trust certificates directly issued
> by CAs you point them to (at least on Fedora 18).

This sounds like a bug in MozLDAP (i.e. the NSS LDAP crypto provider). Have we filed a bug? Let's file the bug here in the Red Hat Bugzilla, not upstream; we're the maintainers of MozLDAP and upstream is already frustrated with it.

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
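Added example, not from the thread or from FreeIPA: it reproduces the behaviour quoted above as an explicit check. A constructed root CA, intermediate CA and two DS certificates (one issued by the root, one via the intermediate) are built with the Python `cryptography` library; only the leaf signed directly by the trusted root passes, which is the constraint --root-ca-cert currently imposes. The CN values are made up.

```python
"""Check that an LDAP server cert is issued directly by the trusted root CA."""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(subject_cn, issuer_cert, issuer_key, is_ca):
    """Issue a cert for subject_cn; issuer_cert=None makes a self-signed root."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.datetime.now(datetime.timezone.utc)
    issuer_name = issuer_cert.subject if issuer_cert else _name(subject_cn)
    signing_key = issuer_key if issuer_key else key
    cert = (x509.CertificateBuilder()
            .subject_name(_name(subject_cn))
            .issuer_name(issuer_name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=1))
            .not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None),
                           critical=True)
            .sign(signing_key, hashes.SHA256()))
    return cert, key


def directly_issued_by(leaf, root):
    """True only if root itself signed leaf: no intermediate CA in between."""
    if leaf.issuer != root.subject:
        return False
    try:
        root.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                 padding.PKCS1v15(), leaf.signature_hash_algorithm)
    except InvalidSignature:
        return False
    return True


def check_demo():
    """Constructed chain: returns (direct leaf accepted, chained leaf accepted)."""
    root, root_key = make_cert("IPA Root CA (constructed)", None, None, True)
    inter, inter_key = make_cert("IPA Intermediate CA (constructed)", root, root_key, True)
    direct_leaf, _ = make_cert("ds1.example.test", root, root_key, False)
    chained_leaf, _ = make_cert("ds2.example.test", inter, inter_key, False)
    return directly_issued_by(direct_leaf, root), directly_issued_by(chained_leaf, root)
```

Running `check_demo()` returns `(True, False)`: the certificate issued through the intermediate is rejected even though its chain is cryptographically valid, which is exactly the situation the thread describes.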
