Re-read the ldap.conf(5) manpage or the OpenLDAP Admin Guide. Your cacerts directory is not configured correctly for use with the TLS_CACERTDIR directive.


From the Admin Guide:

TLS_CACERTDIR <path>

This is equivalent to the server's TLSCACertificatePath option. The specified directory must be managed with the OpenSSL c_rehash utility as well.
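The directory layout that sentence refers to is a lookup by subject-name hash: OpenSSL (and therefore libldap) never scans a CA directory, it opens `<subject-hash>.0`, `<subject-hash>.1`, and so on, where the hash comes from `openssl x509 -hash`. The functions below are an added example, not part of this thread or of OpenLDAP; they emulate what `c_rehash` does and add a check that reports any CA file the directory cannot serve. They assume the `openssl` command-line tool is installed (newer OpenSSL also ships the equivalent `openssl rehash` subcommand) and that the CA files carry a `.pem` or `.crt` suffix.

```shell
#!/bin/sh
# Added example (not from the thread): emulate what c_rehash does for a
# TLS_CACERTDIR directory. Assumes the openssl CLI is available.
# OpenSSL looks a CA up as <subject-hash>.<n>; n starts at 0 and only
# increments when two CA certs share the same subject hash.

rehash_cadir() {
    dir="$1"
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue
        hash=$(openssl x509 -noout -hash -in "$cert") || return 1
        n=0
        # Find the first unused suffix for this hash; stop if a link
        # for this exact file already exists (makes the run idempotent).
        while [ -e "$dir/$hash.$n" ]; do
            if [ "$(readlink "$dir/$hash.$n")" = "$(basename "$cert")" ]; then
                n=""
                break
            fi
            n=$((n + 1))
        done
        if [ -n "$n" ]; then
            # relative target, so the directory can be moved as a whole
            ln -s "$(basename "$cert")" "$dir/$hash.$n"
        fi
    done
    return 0
}

# Verify a directory the way the library will use it: every CA file must be
# reachable through a hash link, otherwise chain verification fails and the
# TLS connection is refused. Prints each file that is not reachable.
check_cadir() {
    dir="$1"
    rc=0
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue
        hash=$(openssl x509 -noout -hash -in "$cert") || { rc=1; continue; }
        found=0
        for link in "$dir/$hash".*; do
            if [ -L "$link" ] && [ "$(readlink "$link")" = "$(basename "$cert")" ]; then
                found=1
            fi
        done
        if [ "$found" -eq 0 ]; then
            echo "no hash link for $cert (expected $hash.N)"
            rc=1
        fi
    done
    return $rc
}
```

Run `rehash_cadir /path/to/cacerts` after every certificate added to or removed from the directory (a stale link to a deleted file is as much a problem as a missing one), and `check_cadir /path/to/cacerts` from a health check: a directory that passes it will work under `TLS_CACERTDIR`, one that fails it produces exactly the kind of verification failure discussed in this thread.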

Unfortunately, I had been using the ldap.conf man page instead, which conveniently completely omits the part about the directory needing to be managed by c_rehash. :-/

Further, the openssl install on Fedora doesn't seem to have a c_rehash utility:

# rpm -qa | grep openssl
# rpm -ql openssl | grep c_rehash
# rpm -ql openssl-devel | grep c_rehash

Looks like I need to file a bug report with Fedora. Maybe also we can get ldap.conf updated to include this information? Is there somewhere I should report that?

Thanks Howard and everyone for the help! I ended up just going to the TLS_CACERTFILE option instead since right now there's only one cacert.pem file, but would like to learn how to manage the directory with c_rehash, so maybe I'll install openssl on a box from source to play with it.


Fran Fabrizio
Senior Systems Analyst
Department of Computer and Information Sciences
University of Alabama at Birmingham
