Stephen Ingram wrote:
> On Fri, Jan 2, 2015 at 10:02 AM, Rob Crittenden <rcrit...@redhat.com
> <mailto:rcrit...@redhat.com>> wrote:
> 
>     Stephen Ingram wrote:
>     > On Mon, Dec 15, 2014 at 6:40 PM, Stephen Ingram <sbing...@gmail.com 
> <mailto:sbing...@gmail.com>
>     > <mailto:sbing...@gmail.com <mailto:sbing...@gmail.com>>> wrote:
>     >
>     >     I have one client using a certificate issued by a third party
>     >     provider such that any secure (TLS) LDAP queries are refused since
>     >     the certificates were not issued by IPA. Since there are only
>     a few
>     >     clients with foreign certificates, can the CA simply be added
>     to the
>     >     NSS database used by the 389 directory server so IPA will
>     establish
>     >     a secure connection with them?
>     >
>     >
>     > I should have added, "or do I have to somehow add the certificate
>     to the
>     > IPA directory?"
> 
>     Need a little more context here. IPA doesn't use SSL client
>     authentication so it shouldn't be an issue. Can you provide more details
>     on what the client side is doing and what errors you are seeing?
> 
> 
> Thanks Rob. I imported the CA into both the httpd and ldap NSS databases
> and it works. Interestingly, I'm currently using version 3.0 of IPA
> which still has the split directories. The CA imported properly into the
> main IPA directory, but would not import into the PKI directory without
> errors on restart. As I only really needed it in the main directory, I'm
> OK for now, however, I'm wondering if this will be a problem when we
> move to version 3.3 and the two directories are combined.

I'd need to see the errors you were getting. I don't see why the
existence of a trusted CA cert would cause a service to not start.

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to