On Tue, Oct 13, 2015 at 10:37 AM <bnatara...@castlighthealth.com> wrote:

> Hi,
>
> I have tried to setup LDAP authentication, but in the log shows
>
> LDAP error: {'info': "TLS error -8179:Peer's Certificate issuer is not
> recognized.", 'desc': "Can't contact LDAP server"}
>
>
This error means exactly what it says: the SSL  certificate provided by the
LDAP server cannot be trusted. Because of this, the only safe thing for
Review Board to do is refuse to connect (because user passwords are sent in
the clear over LDAP, so if you can't trust that you're actually connected
to the right server, you might be leaking passwords to an attacker in a
MitM attack).

What you need to do is get the LDAP administrator to provide you a copy of
the public key of the CA that signed the LDAP server and then you need to
drop it in the appropriate place on your filesystem. If this is a
Fedora/RHEL/CentOS system, that would mean dropping it
in /etc/openldap/certs/ and then running
`cacertdir_rehash /etc/openldap/certs/`

-- 
Supercharge your Review Board with Power Pack: 
https://www.reviewboard.org/powerpack/
Want us to host Review Board for you? Check out RBCommons: 
https://rbcommons.com/
Happy user? Let us know! https://www.reviewboard.org/users/
--- 
You received this message because you are subscribed to the Google Groups 
"reviewboard" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to reviewboard+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to