[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Error in certificate

On Wed, 2003-09-17 at 11:13, tsg wrote:

> 1.Some clients need ldap.conf in /etc, at list in RH, so it's better to add
> ln -s /etc/openldap/ldap.conf /etc/

no.. /etc/ldap.conf on RH is the config file for the PADL modules.
/etc/openldap/ldap.conf is the config file for the openldap clients. It
is inadvisable to just link the two as this will lead to confusion of
which options are actually applicable. This is quite aside from the
confusion of which options are "user only" ie only applicable in
~/.ldaprc. This is ameliorated to some extent in Debian (testing) which
has 3 seperate (and differently named) config files for each module and
the openldap clients.

Another reason to keep them seperate is that you may have different ldap
servers serving directories for different purposes. An authentication
server would need the /etc/ldap.conf whereas a phone-directory type
server would more likely be listed in /etc/openldap/ldap.conf. 

> 2. Actually, it's do not necessary to use -ZZ, -Z is enough and client 
> behavior will depend on slapd configuration.

using a single "-Z" won't tell you if encryption is actually being used,
it simply uses it if it can. Using "-ZZ" forces encryption so if
"ldapsearch -xZZ objectclass=*" works you know it has definitely invoked
start_tls successfully.

anyhoo... back to hacking on ACLs...


Greg Matthews
iTSS Wallingford	01491 692445