Comment 11 for bug 1579209

Heidou (heidou) wrote:

Mystery solved.

In 1-5, I wrote:

> You don't need to have 'tls_cacertfile' line. System will find CA certificate by itself as long as you put it in standard certificate folder (/etc/ssl/certs/).

That's a lie. I learned that, for a CA certificate file to be found automatically, not only must it reside in the standard folder, but it also has to be named based on its hash value.
Our CA certificate file name is not. Nobody can find it unless we tell them where it is, in one way or another.

This is the software we used and how each of them finds where the CA certificate is.

OpenLDAP utility client (ldapsearch, ldapmodify, ...)
  -> libldap
    -> 'TLS_CACERT' line in /etc/ldap/ldap.conf

libnss_ldap
  -> 'tls_cacertfile' line in /etc/ldap.conf
    -> libldap
      -> 'TLS_CACERT' line in /etc/ldap/ldap.conf

smbd
  -> libldap
    -> 'TLS_CACERT' line in /etc/ldap/ldap.conf

smbldap-tools
  -> 'cafile' line in /etc/smbldap-tools/smbldap.conf
    -> Net::LDAP

The server machine I configured did not need a 'tls_cacertfile' line in /etc/ldap.conf, because I had a 'TLS_CACERT' line in /etc/ldap/ldap.conf. But on a client machine where I didn't, libnss_ldap could not find the CA certificate until I put a 'tls_cacertfile' line in /etc/ldap.conf.

Apparently, one way (probably a better way) to do this is to use the 'update-ca-certificates' command and have a hash-based CA certificate file name under /etc/ssl/certs/. But I feel describing all that may go beyond our purpose of a simple OpenLDAP + TLS configuration.

So I'm going to stick with '/etc/ssl/certs/cacert.pem' and put this path in /etc/ldap/ldap.conf, regardless of whether it's a server machine or a client. Also, 'TLS_REQCERT demand' seems a good addition to make sure clients establish encrypted communication (although OpenLDAP utility client programs ignore it).

I revise my previous report in the following 2 sections.

In 1-4.
--- old lines ---
> Edit a line in /etc/ldap/ldap.conf. (GnuTLS needs it?)
>
> TLS_CACERT /etc/ssl/certs/cacert.pem
--- replaced with ---
 Edit /etc/ldap/ldap.conf and have these two lines.

  TLS_REQCERT demand
  TLS_CACERT /etc/ssl/certs/cacert.pem
--- end ---

In 1-5.
--- old lines ---
 Then add a line:

  ssl start_tls

 You don't need to have 'tls_cacertfile' line. System will find CA certificate by itself as long as you put it in standard certificate folder (/etc/ssl/certs/).
--- replaced with ---
 Then add a line:

  ssl start_tls

 - Edit /etc/ldap/ldap.conf and have these two lines, if you haven't done so yet.

  TLS_REQCERT demand
  TLS_CACERT /etc/ssl/certs/cacert.pem
--- end ---

This should be sufficient.

Chao.
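As an added example (not part of this comment, nor code from OpenLDAP or libnss_ldap), a small Python checker that follows the lookup chain described above: libnss_ldap's 'tls_cacertfile' in /etc/ldap.conf first, then libldap's 'TLS_CACERT' in /etc/ldap/ldap.conf, flagging a missing 'ssl start_tls', a 'TLS_REQCERT' other than 'demand', and a CA path that is absent or does not exist. The sample config contents and the hash-style file name 8d86cdd1.0 are constructed for the demo; the hash-name pattern is OpenSSL's usual 8-hex-digit form.

```python
import os
import re
# Constructed sample configs for the demo (not copied from any real machine).
LDAP_CONF = """\
# /etc/ldap/ldap.conf, read by libldap (ldapsearch, smbd, and libnss_ldap via libldap)
TLS_REQCERT demand
TLS_CACERT /etc/ssl/certs/cacert.pem
"""
NSS_LDAP_CONF = """\
# /etc/ldap.conf, read by libnss_ldap
ssl start_tls
"""
# OpenSSL hash-style names such as 8d86cdd1.0 (constructed) are the only ones found without a config line.
HASH_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")
def auto_discoverable(filename):
    """True if the file name is hash-based, i.e. it can be found in /etc/ssl/certs unaided."""
    return bool(HASH_NAME.match(filename))

def parse(text, keys):
    """Return {lowercased key: value} for the first occurrence of each wanted config key."""
    found = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            key = parts[0].lower()
            if key in keys and key not in found:
                found[key] = parts[1].strip()
    return found

def resolve(nss_conf, ldap_conf):
    """Follow the libnss_ldap chain: tls_cacertfile in /etc/ldap.conf, else libldap's TLS_CACERT."""
    nss = parse(nss_conf, {"tls_cacertfile", "ssl"})
    lib = parse(ldap_conf, {"tls_cacert", "tls_reqcert"})
    return {"starttls": nss.get("ssl") == "start_tls",
            "cacert": nss.get("tls_cacertfile") or lib.get("tls_cacert"),
            "reqcert": (lib.get("tls_reqcert") or "").lower()}

def audit(nss_conf, ldap_conf, exists=os.path.isfile):
    """Return findings; an empty list means the setup recommended in the comment is in place."""
    r = resolve(nss_conf, ldap_conf)
    findings = []
    if not r["starttls"]:
        findings.append("no 'ssl start_tls' in /etc/ldap.conf: lookups are sent in clear")
    if r["reqcert"] != "demand":
        findings.append("TLS_REQCERT is not 'demand': the server certificate is not required to verify")
    if r["cacert"] is None:
        findings.append("no tls_cacertfile/TLS_CACERT: only a hash-named CA file is found automatically")
    elif not exists(r["cacert"]):
        findings.append("configured CA file does not exist: " + r["cacert"])
    return findings
```

To check a real machine, pass the contents of /etc/ldap.conf and /etc/ldap/ldap.conf to audit() and leave the default exists check in place.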