
Re: Slapd TLS issue



Eric Falbe wrote:
Yes, the openldap rpm was just updated, but it did not take effect until the
slapd daemon was restarted.  I have not explicitly tried to use the Mozilla
NSS database, I did not use the TLSCADIR(?) attribute and instead used:
olcTLSCertificateFile, olcTLSCertificateKeyFile, and olcTLSCACertificateFile.

I will look into that bug and the documentation you pointed me at.

For the record, RedHat uses Mozilla NSS, not GnuTLS. But regardless, neither is recommended. Quoting from the bug report linked below:

https://bugzilla.redhat.com/show_bug.cgi?id=707599#c56

"Finally, I have a solution, there were too many bugs which were complicating this:"

The referenced bugs were eventually fixed, but myriad problems remain and MozNSS itself is fundamentally broken by design; or rather, it was designed for single-user web browsers and was never meant to be used as a system library that multi-user services depend on. If you enjoy pounding square pegs into round holes, you can keep trying to use OpenLDAP as built by RedHat, but most sensible people will use something that's actually fit for the purpose.



Thanks
Eric Falbe


On Thu, Mar 6, 2014 at 5:29 PM, Terje Trane <terjet@funcom.com> wrote:

    On 05.03.2014 22:27, Eric Falbe wrote:

        I have attempted to rebuild the database backend (with slapcat and
        slapadd), but am still getting this same error.  I have my ssl
        (self-signed) certificates located in
        /etc/pki/tls/certs/ldap.cassens.com.pem
        /etc/pki/tls/tls/certa/ca.pem
        /etc/pki/tls/private/ldap.cassens.comKey.pem

        These certificates worked fine up until today, does anyone have any
        insight on where to look to begin troubleshooting this issue?


    Just a guess, but was the openldap rpm just updated? (or the service just
    restarted for the first time after a previous update).

    Could this be related to RedHat/CentOS rpms deciding to start using GnuTLS
    instead of OpenSSL? Try searching in their bug databases.

    E.g.: https://bugzilla.redhat.com/show_bug.cgi?id=707599





--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/