> From: Thierry Bingen
> Sent: Monday, July 28, 2014 10:37 AM
>
> The native ldapsearch having been compiled without the DEBUG option, I
> installed the OpenLDAP version of ldapsearch which lets you use the debug
> options. The latter informed me that "TLS certificate verification: Error, self
> signed certificate in certificate chain". I had installed the (private) CA
> certificate in the NSS DB (cert8.db, key3.db, secmod.db) with certutil though.
> I then replaced the TLS_CACERTDIR of the OpenLDAP ldap.conf pointing to
> the NSS DB directory with a TLS_CACERT pointing directly to the CA
> certificate PEM file, and, bingo, it worked!

I don't believe OpenLDAP uses NSS format certificate databases, so pointing it at one is presumably doomed to failure regardless of the validity of the database.

> I therefore suspect that there is something wrong with my NSS DB. I read
> somewhere that it shouldn't be cert8.db but cert7.db. I also read the
> opposite. Other than that, certutil seems happy with the contents of the NSS
> DB. I am lost.

As a point of reference, for both Solaris and illumos I have successfully used cert8.db and key3.db format NSS certificate repositories.
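
As an added example (not part of either message, and not code from OpenLDAP or OmniOS), these shell functions classify what an ldap.conf's TLS_CACERT and TLS_CACERTDIR point at and flag the case from this thread, where TLS_CACERTDIR names an NSS database directory. It assumes an OpenSSL-linked OpenLDAP client, where TLS_CACERTDIR must hold PEM files under hash names; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: lint the CA settings in an OpenLDAP client ldap.conf.
# Assumption: the client is linked against OpenSSL, so TLS_CACERTDIR must
# contain PEM certificates under hash names (<8 hex digits>.<n>).
# Usage: check_ldapconf /path/to/ldap.conf

# Print the last value set for a directive (keywords are case-insensitive).
ldapconf_get() {  # $1 = ldap.conf path, $2 = directive name
    awk -v k="$2" 'toupper($1) == toupper(k) { v = $2 }
                   END { if (v != "") print v }' "$1"
}

# Classify a directory: hashed-pem | nss-db | unhashed-pem | empty | missing
classify_cadir() {
    d=$1
    if [ ! -d "$d" ]; then echo missing; return; fi
    for f in "$d"/[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*; do
        if [ -e "$f" ]; then echo hashed-pem; return; fi
    done
    # NSS database files: legacy cert7/cert8 (with key3.db) or SQLite cert9
    for f in "$d"/cert7.db "$d"/cert8.db "$d"/cert9.db; do
        if [ -f "$f" ]; then echo nss-db; return; fi
    done
    for f in "$d"/*.pem "$d"/*.crt; do
        if [ -e "$f" ]; then echo unhashed-pem; return; fi
    done
    echo empty
}

# Print a verdict for the file; return 0 only if a usable CA source is set.
check_ldapconf() {  # $1 = ldap.conf path
    cacert=$(ldapconf_get "$1" TLS_CACERT)
    cadir=$(ldapconf_get "$1" TLS_CACERTDIR)
    if [ -n "$cacert" ]; then
        if grep -q -- '-----BEGIN CERTIFICATE-----' "$cacert" 2>/dev/null; then
            echo "ok: TLS_CACERT is a PEM file"; return 0
        fi
        echo "warn: TLS_CACERT is not a readable PEM file"
    fi
    case $(classify_cadir "${cadir:-/nonexistent}") in
        hashed-pem)   echo "ok: TLS_CACERTDIR holds hashed PEM files"; return 0 ;;
        nss-db)       echo "bad: TLS_CACERTDIR is an NSS database directory"; return 1 ;;
        unhashed-pem) echo "bad: TLS_CACERTDIR has PEM files but no hash names"; return 1 ;;
        *)            echo "bad: no usable CA source configured"; return 1 ;;
    esac
}
```
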
