> Re-read the ldap.conf(5) manpage or the OpenLDAP Admin Guide. Your
> cacerts directory is not configured correctly for use with the
> TLS_CACERTDIR directive.
AH HA!
From the Admin Guide:
-------------
12.2.2.2. TLS_CACERTDIR <path>
This is equivalent to the server's TLSCACertificatePath option. The
specified directory must be managed with the OpenSSL c_rehash utility as
well.
--------------
Unfortunately, I had been using the ldap.conf man page instead, which
conveniently completely omits the part about the directory needing to be
managed by c_rehash. :-/
Further, the openssl install on fedora doesn't seem to have a c_rehash
utility:
# rpm -qa | grep openssl
openssl-0.9.7f-7
openssl-devel-0.9.7f-7
# rpm -ql openssl | grep c_rehash
# rpm -ql openssl-devel | grep c_rehash
#
Looks like I need to file a bug report with fedora. Maybe also we can
get ldap.conf updated to include this information? Is there somewhere I
should report that?
Thanks Howard and everyone for the help! I ended up just going to the
TLS_CACERTFILE option instead since right now there's only one
cacert.pem file, but would like to learn how to manage the directory
with c_rehash, so maybe I'll install openssl on a box from source to
play with it.
-Fran
--
Fran Fabrizio
Senior Systems Analyst
Department of Computer and Information Sciences
University of Alabama at Birmingham
http://www.cis.uab.edu/
205.934.0653
---
You are currently subscribed to ldap@umich.edu as: [EMAIL PROTECTED]
To unsubscribe send email to [EMAIL PROTECTED] with the word UNSUBSCRIBE as the
SUBJECT of the message.
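The thread above turns on what c_rehash actually does to a TLS_CACERTDIR directory. The script below is an added example, not code from the original post or from OpenLDAP or OpenSSL: it constructs a throwaway self-signed CA, shows that a bare copy of cacert.pem in a directory is not found by an OpenSSL -CApath lookup (the same lookup slapd/ldap.conf use for TLS_CACERTDIR), then creates the <subject_hash>.<n> symlink c_rehash would create and shows the lookup succeeding. The directory names, the "Example Test CA" subject and the run_demo/rehash_one/capath_works helper names are assumptions for the example. On OpenSSL 1.1.0 and later, `openssl rehash <dir>` does the same job as the c_rehash Perl script that Fran could not find in the Fedora package.

```shell
#!/bin/sh
# Added example (not from the original thread): reproduce the TLS_CACERTDIR
# failure with an unhashed directory, then fix it the way c_rehash does.
set -u

# Constructed sample CA: a throwaway self-signed certificate written to $1,
# with its key beside it. Not a real CA; used only for this demonstration.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test CA (constructed)" \
        -keyout "${1%.pem}.key" -out "$1" >/dev/null 2>&1
}

# What c_rehash does for one certificate: create <subject_hash>.<n> -> cert
# in the directory, where <n> is the first free suffix (hash collisions get
# .1, .2, ...). OpenSSL's -CApath lookup opens files by exactly this name,
# so a certificate copied in under any other name is never consulted.
rehash_one() {
    cert="$(cd "$(dirname "$1")" && pwd)/$(basename "$1")"   # absolute path for the link
    dir="$2"
    hash=$(openssl x509 -noout -subject_hash -in "$cert") || return 1
    n=0
    while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
    ln -s "$cert" "$dir/$hash.$n" && printf '%s\n' "$hash.$n"
}

# Can OpenSSL find the issuer of $1 through directory $2 when it is used as
# -CApath (the same lookup ldap.conf's TLS_CACERTDIR relies on)?
capath_works() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# Reproduce the problem from the thread, then fix it. Returns 0 only when the
# bare copy fails the lookup and the rehashed directory succeeds.
run_demo() {
    work="$1"
    ca="$work/cacert.pem"
    mkdir -p "$work/bare" "$work/hashed" || return 1
    make_test_ca "$ca" || return 1

    # Step 1: just dropping the file into the directory, as ldap.conf(5)
    # alone might lead you to do. The lookup fails because the name is wrong.
    cp "$ca" "$work/bare/cacert.pem"
    if capath_works "$ca" "$work/bare"; then
        echo "unexpected: bare directory satisfied the lookup"
        return 1
    fi

    # Step 2: add the hash link (what c_rehash / openssl rehash would do).
    link=$(rehash_one "$ca" "$work/hashed") || return 1
    capath_works "$ca" "$work/hashed" || return 1
    echo "ok: $work/hashed/$link -> $ca"
}

# Stand-alone use: ./rehash-demo.sh [workdir]
run_demo "${1:-$(mktemp -d)}"
```

The point for a practitioner is the name, not the contents: TLS_CACERTDIR is only a lookup table keyed by subject hash, so a fresh CA dropped into the directory silently does nothing until the directory is rehashed again. After adding or rotating a CA, rerun c_rehash (or `openssl rehash`) and confirm with `openssl verify -CApath` before trusting the LDAP client config.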