FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.

» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora User
Reload this Page Solved - F15, ldap/ssl/sssd and certs from CAcert.org

 
 
LinkBack Thread Tools
 
Old 08-10-2011, 02:46 PM
Bobby Krupczak
 
Default Solved - F15, ldap/ssl/sssd and certs from CAcert.org
Hi!

I was having problems getting ldapsearch (openldap) and sssd to accept
x509 certs from CAcert.org.

Thanks to sgallagh for pointing me to where to find a solution.
Apparently, in F15, openldap and sssd do not use openssl for TLS/SSL
libs. They use Mozilla NSS instead. Therefore, the default locations
for certificate authority certs has to be explicitly configured in
/etc/openldap/ldap.conf

By adding the following to my /etc/openldap/ldap.conf file, I got
ldapsearch and sssd to work over SSL to my LDAP server.

TLS_CACERTDIR /etc/pki/tls/certs
TLS_CACERT /etc/pki/tls/cert.pem

Uggh. This was really frustrating . . . . . I dont suppose something
could be placed in release notes when these kinds of changes occur?

Thanks,

Bobby
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
Old 08-10-2011, 04:38 PM
Michael Cronenworth
 
Default Solved - F15, ldap/ssl/sssd and certs from CAcert.org
Bobby Krupczak wrote:
> Uggh. This was really frustrating . . . . . I dont suppose something
> could be placed in release notes when these kinds of changes occur?

I've said the same thing for the past several releases. The NSS folks
don't care. They only want to use NSS to be certified for FIPS. It's not
a technical reason it's political.

You're more than welcome to reach out to them yourself. Maybe you will
have better luck that I have.
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
Old 08-10-2011, 05:17 PM
Bobby Krupczak
 
Default Solved - F15, ldap/ssl/sssd and certs from CAcert.org
Hi!

> Bobby Krupczak wrote:
> > Uggh. This was really frustrating . . . . . I dont suppose something
> > could be placed in release notes when these kinds of changes occur?
>
> I've said the same thing for the past several releases. The NSS folks
> don't care. They only want to use NSS to be certified for FIPS. It's not
> a technical reason it's political.
>
> You're more than welcome to reach out to them yourself. Maybe you will
> have better luck that I have.

My past experiences making "suggestions" have been frustrating as
well. Not sure I want to add to it.

Thanks,

Bobby

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 

Thread Tools




All times are GMT. The time now is 10:20 PM.

VBulletin, Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright ©2007 - 2008, www.linux-archive.org

Contact Us - Linux Archive - Archive - Top -