Re: Slapd TLS issue
Eric Falbe wrote:
Yes, the openldap rpm was just updated, but it did not take effect until the
slapd daemon was restarted. I have not explicitly tried to use the Mozilla
NSS database; I did not use the TLSCADIR(?) attribute and instead used:
olcTLSCertificateFile, olcTLSCertificateKeyFile, and olcTLSCACertificateFile.
I will look into that bug and the documentation you pointed me at.
For the record, RedHat uses Mozilla NSS, not GnuTLS. But regardless, neither
is recommended. Quoting from the bug report linked below:
https://bugzilla.redhat.com/show_bug.cgi?id=707599#c56
"Finally, I have a solution, there were too many bugs which were complicating
this:"
The referenced bugs were eventually fixed, but myriad problems remain and
MozNSS itself is fundamentally broken by design; or rather, it was designed
for single-user web browsers and was never meant to be used as a system
library that multi-user services depend on. If you enjoy pounding square pegs
into round holes, you can keep trying to use OpenLDAP as built by RedHat, but
most sensible people will use something that's actually fit for the purpose.
Thanks
Eric Falbe
On Thu, Mar 6, 2014 at 5:29 PM, Terje Trane <terjet@funcom.com> wrote:
On 05.03.2014 22:27, Eric Falbe wrote:
I have attempted to rebuild the database backend (with slapcat and
slapadd), but am still getting this same error. I have my ssl
(self-signed) certificates located in
/etc/pki/tls/certs/ldap.__cassens.com.pem
/etc/pki/tls/tls/certa/ca.pem
/etc/pki/tls/private/ldap.__cassens.comKey.pem
These certificates worked fine up until today. Does anyone have any
insight on where to look to begin troubleshooting this issue?
Just a guess, but was the openldap rpm just updated? (or the service just
restarted for the first time after a previous update).
Could this be related to RedHat/CentOS rpms deciding to start using GnuTLS
instead of OpenSSL? Try searching in their bug databases.
E.g.: https://bugzilla.redhat.com/show_bug.cgi?id=707599
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/