[Fedora-directory-users] NSS/SSL oddities
Richard Megginson
rmeggins at redhat.com
Fri Jan 6 14:57:38 UTC 2006
Mark McLoughlin wrote:
>Hi,
> A couple of quick questions about things that have been bugging me:
>
> - If I import a server certificate and a CA certificate with pk12util
> and change the trust attributes on the CA cert to "C,," - i.e. that
> it should be a trusted CA for server certificates - and then start
> slapd I get:
>
>[05/Jan/2006:17:21:57 +0000] conn=0 op=-1 fd=64 closed - No certificate authority is trusted for SSL client authentication.
>
> Which seems strange to me - I would have thought the CA certs in
> nssckbi would be trusted for client auth?
>
>
Hmm - not sure.
>
> - Unless /opt/fedora-ds/alias is owned by nobody:nobody you get
>
>[05/Jan/2006:17:43:40 +0000] - SSL alert: Security Initialization: NSS initialization failed (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.): path: /opt/fedora-ds/alias/, certdb prefix: slapd-foo-, keydb prefix: slapd-foo-.
>[05/Jan/2006:17:43:40 +0000] - ERROR: NSS Initialization Failed.
>
> Couldn't we not make the directory owned by nobody:nobody by
> default in the RPM? root:root doesn't seem like a useful default.
>
>
Yes, and it should be nobody:nobody - the setup script for FDS 1.0.1
should be setting that directory to be owned by nobody:nobody. Did you
run setup after installing FDS 1.0.1? We're currently revamping the RPM
installation.
>Cheers,
>Mark.
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20060106/714c3bba/attachment.bin>
More information about the Fedora-directory-users
mailing list