
Re: [Lam-public] ssl not working with ldap-lam



On Wed, 3 Mar 2004, Gémes Géza wrote:

> 
> Buchan Milne wrote:

> Just to clarify some points:
> /etc/openldap/ldap.conf belongs to package openldap-clients, and is used
> by command line ldap tools, as well as other tools built with libldap,
> like gq, directory-administrator, and I think php-ldap, which is used by
> both lam and PHPLdapAdmin.

And since libldap2 doesn't require openldap-clients, this is wrong. 
/etc/openldap/ldap.conf must reside in libldap2 or a package required by 
libldap2.

> BTW, /etc/ldap.conf belongs to nss_ldap, and is used by pam_ldap also.
> The problem is, that whilst nss and pam work out of the box, if you
> specify ssl=start_tls, or ssl=on in your /etc/ldap.conf, everything else
> (including Samba) is using libldap, and thus you must build your own
> certificate authority, and create certs for your ldap server, and
> configure your /etc/openldap/ldap.conf accordingly, e.g.:
> TLS_CACERT      /etc/ssl/CA/cacert.pem
> TLS_REQCERT     demand

In general this is correct, but currently using Mandrake packages this 
configuration must go into /etc/ldap.conf (see the patch 
openldap-conffile.patch.bz2 in the Mandrake openldap SRPM or by viewing 
the packaging CVS at 
http://cvs.mandrakesoft.com/cgi-bin/cvsweb.cgi/SPECS/openldap), 
or you have to do hacks like:

> 
> and convince your ldap applications to use that configuration:
> [root@linux1 ~]# cat /etc/profile.d/ldap.sh
> #!/bin/sh
> 
> #Set up all the clients, with the central configuration
> 
> export LDAPCONF=/etc/openldap/ldap.conf
> [root@linux1 ~]# cat /etc/profile.d/ldap.csh
> 
> #Set up all the clients, with the central configuration
> 
> setenv LDAPCONF /etc/openldap/ldap.conf
> 
> or specify those configs in your ~/.ldaprc. I just simply preferred a
> global (for all users and uses) solution.


As I said, this thread isn't on topic for this list, please take it to 
cooker-server (where a lot of the issues you mentioned are discussed, 
including the fact that placing both libldap2 and nss_ldap directives in 
/etc/ldap.conf works but should not be necessary) or file a bug in 
Mandrake bugzilla.

I don't want to deal with this issue here any longer, we're just 
duplicating discussions that have already occurred in more appropriate 
places.

Regards,
Buchan
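The thread turns on two things a practitioner has to check by hand: which ldap.conf-style file the libldap on the box actually reads (the stock location, the Mandrake-patched /etc/ldap.conf, ~/.ldaprc or $LDAPCONF), and whether the TLS_REQCERT / TLS_CACERT settings in it are the safe ones. The script below is an added example written for this page; it is not code from the original thread, from Mandrake or from OpenLDAP. It audits each candidate file and classifies the TLS_REQCERT value (`demand`/`hard` or unset is the only setting that forces server certificate verification; `try`, `allow` and `never` leave a StartTLS session open to a man-in-the-middle). The keyword/value file layout follows ldap.conf(5); the search order in `audit_all`, the "default is demand" rule and the sample `weak.conf`/`good.conf` files with their `ldap.example.com` URI are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original thread: audit the TLS settings in
# the ldap.conf-style files a libldap client might consult. File layout
# ("KEYWORD value", lines starting with '#' are comments) follows ldap.conf(5);
# the candidate-file list and the "unset means demand" rule are assumptions
# taken from that manual page, not verified against the 2004 Mandrake packages.

# ldap_setting FILE KEY: print the last value given for KEY in FILE
# (empty if the keyword is absent; returns 1 if FILE is unreadable).
ldap_setting() {
    f=$1; k=$2
    [ -r "$f" ] || return 1
    awk -v k="$k" '
        $1 ~ /^#/ || NF == 0        { next }
        toupper($1) == toupper(k)   { v = $2 }
        END                         { print v }' "$f"
}

# reqcert_verdict VALUE: classify a TLS_REQCERT value (case-insensitive).
#   demand/hard or unset -> ok       (server certificate must verify)
#   try                  -> weak     (verified only if the server sends one)
#   allow/never          -> insecure (bad cert tolerated or never checked)
reqcert_verdict() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        ""|demand|hard) echo ok ;;
        try)            echo weak ;;
        allow|never)    echo insecure ;;
        *)              echo unknown ;;
    esac
}

# audit_ldap_conf FILE: print "FILE reqcert=... cacert=... verdict=...".
# The verdict is downgraded to "insecure" when TLS_CACERT names a file that
# cannot be read: "demand" cannot be satisfied without a CA to verify against.
audit_ldap_conf() {
    f=$1
    if [ ! -r "$f" ]; then echo "$f: not present"; return 0; fi
    rc=$(ldap_setting "$f" TLS_REQCERT)
    ca=$(ldap_setting "$f" TLS_CACERT)
    v=$(reqcert_verdict "$rc")
    if [ -n "$ca" ] && [ ! -r "$ca" ]; then v=insecure; fi
    echo "$f reqcert=${rc:-unset} cacert=${ca:-unset} verdict=$v"
}

# audit_all: walk the files libldap may read, in the order ldap.conf(5)
# describes (assumption): system file(s), the user's ~/.ldaprc, then $LDAPCONF.
# An "ok" in a file the library never opens proves nothing, which is exactly
# the confusion in the thread above.
audit_all() {
    for f in /etc/openldap/ldap.conf /etc/ldap.conf "$HOME/.ldaprc" "${LDAPCONF:-}"; do
        if [ -n "$f" ]; then audit_ldap_conf "$f"; fi
    done
    return 0
}

# Constructed sample files (no real host or certificate) showing both cases.
demo_dir=$(mktemp -d)
printf '%s\n' '# weak: accept whatever the server presents' \
              'TLS_REQCERT never' > "$demo_dir/weak.conf"
: > "$demo_dir/ca.pem"   # stand-in for a CA certificate file
printf '%s\n' 'URI ldap://ldap.example.com' \
              "TLS_CACERT $demo_dir/ca.pem" \
              'TLS_REQCERT demand' > "$demo_dir/good.conf"

audit_ldap_conf "$demo_dir/weak.conf"
audit_ldap_conf "$demo_dir/good.conf"
```

Run `audit_all` on a real host to see which of the candidate files carries the TLS directives; the end-to-end check is still `ldapsearch -ZZ` (require a successful StartTLS), which fails loudly when the CA file is wrong or the library is reading a file other than the one you edited.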