[389-users] Trouble using self signed certificates.

[John A. Sullivan III]

On Wed, 2009-06-24 at 09:32 -0700, Dumbo Q wrote:
> I've managed to get past the the strangely obscure method of
> installing an SSL certificate, and from the server side everything
> appears to be OK. Actually its a "CACert" certificate, rather then
> self signed.  Using Jxplorer, I can connect the the DS using SSL,
> accept the certificate, and I'm all set.
> 
> However, I am having a ton of trouble figuring out how to use an
> untrusted ca for my linux user authentication.  I
> changed /etc/ldap.conf to use ldaps://, and it attemtps to connect as
> expected.  I think this would work, if I could figure out how to tell
> it to accept the certificate.   I get the following error message in
> DS after running getent passwd.
> 
> [24/Jun/2009:12:24:02 -0400] conn=3 op=-1 fd=66 closed - Peer does not
> recognize and trust the CA that issued your certificate.
> [24/Jun/2009:12:24:02 -0400] conn=4 op=-1 fd=67 closed - Peer does not
> recognize and trust the CA that issued your certificate.
> 
> 
> Any thoughts?
<snip>
I believe you'll find the way we did it in several of my recent posts.
You'll need to configure the rest of the SSL portions of ldap.conf.  In
particular, you will need to tell it where to find the CA cert.  I
believe we stuck ours in /etc/pki/tls/certs/ and pointed the tlscertfile
(?) parameter to it.  Hope this helps - John
> 
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society