
Re: TLS error: fatal: protocol version



On Mon, 2004-11-01 at 15:01, Howard Chu wrote:
> If you intend for a particular CA cert to be used systemwide then it 
> should be configured in OpenLDAP's ldap.conf file, not in your personal 
> .ldaprc. If the CA cert has not been made available to your nssldap 
> library then that could be part of the problem.

true, but I have a need to connect to many different remote ldap systems
and while *most* share a common CA I still need to personalise my
.ldaprc file to address this need. The CA cert is available to the
nssldap library.

> That's also possible. Since you say that ldapsearch works, what is the 
> likelihood that your nssldap module is actually linked against a 
> different set of libraries from your OpenLDAP commandline tools?

that is a possibility... I'll need to look further into it, however,
both the openssl and nssldap software packages are standard debian
packages from the sarge revision. It would be bad if they were
mismatched!

> >my workaround to the above problem is to turn off tls_checkpeer which is
> >default behaviour in many distros anyway. Am thinking not many are using
> >this option and perhaps it is broken.
> >  
> >
> No, it works fine in the Symas builds at least. Further discussion of 
> nss/pam_ldap config keywords probably belongs elsewhere, but I'll note 
> that in the Symas builds we discourage all use of the SSL/TLS options in 
> the nss/pam config file. Instead we set those options systemwide in the 
> ldap.conf. Anyone running with tls_checkpeer disabled for such a 
> sensitive security service may as well just turn TLS off and ask to be 
> hacked.

surely the pam/nss config file(s) are completely different and separate
from the openldap config files so setting tls options in one will not
affect the operation of the other. I have these options in both config
files anyway so that users can use encryption when they wish to bind to
the directory as themselves. The last sentence above is a little harsh I
think... passwords are protected by ACLs, TLS encryption prevents idle
network snooping turning up user/proxy information, of course automount
info is visible for everyone to see (grrr).

As you say, this is getting off topic.

cheer

GREG

-- 
Greg Matthews
iTSS Wallingford	01491 692445
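As an added illustration, not part of this thread or of either poster's own files, here are the three configuration files the discussion keeps apart, with the weakened `tls_checkpeer` workaround shown beside the verifying setting. The directory name, base DN, CA file paths and the Debian file locations are assumed example values; the keywords themselves are the documented OpenLDAP `ldap.conf` and PADL `pam_ldap`/`nss_ldap` options.

```conf
# /etc/ldap/ldap.conf  -- OpenLDAP client library, read systemwide by the
# ldap* tools and by anything else linked against libldap (nss_ldap included).
# Hostname, base and CA path are assumed example values.
URI         ldap://ldap.example.org
BASE        dc=example,dc=org
TLS_CACERT  /etc/ssl/certs/example-ca.pem
TLS_REQCERT demand      # abort the session unless the server cert verifies

# ~/.ldaprc  -- per-user override for the same library. TLS_CACERT names a
# single file, so a user who talks to a second directory with a different CA
# points this at a bundle holding both CAs (or uses TLS_CACERTDIR instead).
TLS_CACERT  /home/greg/certs/ca-bundle.pem

# /etc/pam_ldap.conf and /etc/libnss-ldap.conf  -- PADL nss/pam_ldap config
# (assumed Debian paths). These are separate from ldap.conf and have their
# own TLS keywords.
ssl            start_tls

# Weakened: the workaround mentioned in the thread. The server certificate is
# not checked, so any host that answers on the LDAP port can impersonate the
# directory and see the binds nss/pam_ldap performs.
#   tls_checkpeer  no

# Verifying: check the peer against the same CA the command-line tools use.
tls_checkpeer  yes
tls_cacertfile /etc/ssl/certs/example-ca.pem
```

With `tls_checkpeer yes` the nss/pam_ldap module must be able to reach the CA file on its own; if `ldapsearch` verifies the server but the module fails with a protocol error, the thread's suggestion to confirm (for example with `ldd` on the module and on the `ldapsearch` binary) that both are linked against the same libldap and OpenSSL libraries is the first thing to check.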