From: Rich Megginson [mailto:rich.megginson@gmail.com]
See http://www.openldap.org/faq/data/cache/1514.html

Hi Rich,

Thanks for responding. I read that. So, I did ln -s /usr/lib64/libnssckbi.so to my nss key directory... doesn't seem to have any effect. If I do

    certutil -d /etc/openldap/nssdb/ -L -h all

then it shows all of those certs as expected, including:

    Builtin Object Token:GeoTrust Global CA                               C,C,C
    Builtin Object Token:GeoTrust Global CA 2                             C,C,C
    Builtin Object Token:GeoTrust Universal CA                            C,C,C
    Builtin Object Token:GeoTrust Universal CA 2                          C,C,C
    Builtin Object Token:GeoTrust Primary Certification Authority         C,,
    Builtin Object Token:GeoTrust Primary Certification Authority - G3    C,C,C
    Builtin Object Token:GeoTrust Primary Certification Authority - G2    C,C,C

for GeoTrust. It still shows the geotrust-intermediate cert that I imported:

    geotrust-intermediate                                                 ,,

as well. But with or without an explicit "olcTLSCACertificateFile: geotrust-intermediate", ldapwhoami -d1 produces:

    ldap_url_parse_ext(ldaps://ds.clarku.edu)
    ldap_create
    ldap_url_parse_ext(ldaps://ds.clarku.edu:636/??base)
    ldap_sasl_bind
    ldap_send_initial_request
    ldap_new_connection 1 1 0
    ldap_int_open_connection
    ldap_connect_to_host: TCP ds.clarku.edu:636
    ldap_new_socket: 3
    ldap_prepare_socket: 3
    ldap_connect_to_host: Trying 140.232.1.12:636
    ldap_pvt_connect: fd: 3 tm: -1 async: 0
    TLS: peer cert untrusted or revoked (0x42)
    TLS: can't connect: (unknown error code).
    ldap_err2string
    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

What am I missing?
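When reading a certutil -L listing like the one above, the column to check is the trust-attribute string (SSL,S/MIME,JAR/XPI). The small POSIX sh helper below is an added example, not part of the original thread or of OpenLDAP/NSS; it classifies each certificate by its SSL trust flag and works on a constructed sample of certutil output (the nicknames and flags are made up to mirror the listing above).

```shell
#!/bin/sh
# Constructed sample of `certutil -d <nssdb> -L -h all` output (not the poster's real database).
SAMPLE_CERTUTIL_LIST='Certificate Nickname                                 Trust Attributes
                                                     SSL,S/MIME,JAR/XPI

Builtin Object Token:GeoTrust Global CA              C,C,C
Builtin Object Token:GeoTrust Primary Certification Authority C,,
geotrust-intermediate                                ,,
ds-server-cert                                       u,u,u'

# Read certutil -L lines on stdin, print "<nickname><TAB><verdict>" per certificate.
# Only the first of the three comma-separated fields (SSL) matters for LDAPS:
#   C = valid CA for SSL, P = trusted peer, u = our own cert (private key present),
#   empty = cert is stored but carries no trust of its own. An intermediate with
#   no flags is normal: it is accepted only if it chains up to a C-flagged root.
nss_ssl_trust() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        flags=${line##* }                  # last whitespace-separated field
        # Skip header lines: real trust strings are three letter-only fields.
        printf '%s\n' "$flags" | grep -Eq '^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$' || continue
        nick=$(printf '%s' "${line% *}" | sed 's/[[:space:]]*$//')
        ssl=${flags%%,*}                   # SSL field only
        case "$ssl" in
            *C*) verdict="trusted-ca" ;;
            *P*) verdict="trusted-peer" ;;
            *u*) verdict="own-cert" ;;
            "")  verdict="no-trust-flags" ;;
            *)   verdict="other($ssl)" ;;
        esac
        printf '%s\t%s\n' "$nick" "$verdict"
    done
}

# Number of stored certificates that carry no SSL trust flags at all.
count_no_trust() {
    nss_ssl_trust | grep -c "$(printf '\t')no-trust-flags\$" || true
}

printf '%s\n' "$SAMPLE_CERTUTIL_LIST" | nss_ssl_trust
```

Feed it the real listing with `certutil -d /etc/openldap/nssdb/ -L -h all | nss_ssl_trust` to see at a glance which entries are trusted roots and which only exist as untrusted chain material.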