On 06/07/2013 09:26 AM, Jan Cholasta wrote:
On 7.6.2013 15:17, John Dennis wrote:
On 06/07/2013 08:57 AM, Jan Cholasta wrote:
Yes, this is correct. The DS certificate must be directly signed by the
CA trusted by IPA (specified by --root-ca-cert in ipa-server-install),
there may be no intermediate CAs, because ldapsearch and friends and
python-ldap don't like them.
That doesn't sound right. Do we understand why a chain length > 1 is
LDAP utilities and python-ldap only trust certificates directly issued
by CAs you point them to (at least on Fedora 18).
This sounds like a bug in MozLDAP (i.e. the NSS LDAP crypto provider).
Have we filed a bug? Let's file the bug here in the Red Hat bugzilla,
not upstream, we're the maintainers of MozLDAP and upstream is already
frustrated with it.
Freeipa-devel mailing list