Re: libnss-ldap and slapd (was: TLS configuration needs client certification (why?))
On 8/23/07, Frank Cornelissen <firstname.lastname@example.org> wrote:
> On Aug 15, 2007, at 9:00 AM, Frank Cornelissen wrote:
> > Hello all,
> > why does slapd require a peer/client certificate? I'm running slapd 2.3.30
> > on debian (package 2.3.30-5 to be precise).
> > when connecting with ssl to slapd using
> > ldapsearch -H ldaps://artemis.t310.org -b dc=t310,dc=org -x
> > I get the following error from slapd (started with -d 8):
> > TLS: can't accept.
> > TLS: error:140890C7:SSL
> > routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a
> > certificate s3_srvr.c:2455
> After some debugging, this seems to be caused by the fact that on
> this machine libnss-ldap is enabled. This library will be loaded and
> will set some libldap options which seem to be global and thus
> interfering with the options from slapd. Anybody got an idea how to
> solve this, apart from setting up a separate machine for openldap?
I haven't looked at this specific issue, but other issues relating to
using ldap-enabled software on a host using nss_ldap could be worked
around by using nscd. However, the problems I've seen were fixed in
the latest release of nss_ldap (257). Versions affected were at least
254-256, but it may depend on the ssl library (and version).
More details would help ... (if this hasn't been resolved yet).