[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Slapd TLS issue

To: Eric Falbe <ericf706@gmail.com>, Terje Trane <terjet@funcom.com>
Subject: Re: Slapd TLS issue
From: Howard Chu <hyc@symas.com>
Date: Thu, 06 Mar 2014 17:38:28 -0800
Cc: openldap-technical@openldap.org
In-reply-to: <CABm5hZ-7+wiCmEOPrbNA1-zdNbe-8aEyaXK8KiQoYX_T533A8g@mail.gmail.com>
References: <CABm5hZ8+pYonrKMHyvqFQ-hSi1mTm7wZOiyqQBODOfy4e8W1wA@mail.gmail.com> <531904BE.7080208@funcom.com> <CABm5hZ-7+wiCmEOPrbNA1-zdNbe-8aEyaXK8KiQoYX_T533A8g@mail.gmail.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26a1

Eric Falbe wrote:

Yes, the openldap rpm was just updated, but it did not take effect until the
slapd deamon was restarted.  I have not explicitly tried to use the  Mozilla
NSS database, I did not use the TLSCADIR(?) attribute and instead used:
olcTLSCertificateFile , olcTLSCertificateKeyFile, and olcTLSCACertificateFile.

I will look into that bug and the documentation you pointed me at.

For the record, RedHat uses Mozilla NSS, not GnuTLS. But regardless, neitheris recommended. Quoting from the bug report linked below:


https://bugzilla.redhat.com/show_bug.cgi?id=707599#c56

"Finally, I have a solution, there were too many bugs which were complicatingthis:"

The referenced bugs were eventually fixed, but myriad problems remain andMozNSS itself is fundamentally broken by design; or rather, it was designedfor single-user web browsers and was never meant to be used as a systemlibrary that multi-user services depend on. If you enjoy pounding square pegsinto round holes, you can keep trying to use OpenLDAP as built by RedHat, butmost sensible people will use something that's actually fit for the purpose.


Thanks
Eric Falbe


On Thu, Mar 6, 2014 at 5:29 PM, Terje Trane <terjet@funcom.com
<mailto:terjet@funcom.com>> wrote:

    On 05.03.2014 22:27, Eric Falbe wrote:

        I have attempted to rebuild the database backend (with slapcat and
        slapadd), but am still getting this same error.  I have my ssl
        (self-signed) certificates located in
        /etc/pki/tls/certs/ldap.__cassens.com.pem
        /etc/pki/tls/tls/certa/ca.pem
        /etc/pki/tls/private/ldap.__cassens.comKey.pem

        These certificates worked fine up untill today, does anyone have any
        insight on where to look to being troubleshooting this issue?


    Just a guess, but was the openldap rpm just updated? (or the service just
    restarted for the first time after a previous update).

    Could this be related to RedHat/CentOS rpms deciding to start using GnuTLS
    instead of OpenSSL? Try searching in their bug databases.

    E.g.: https://bugzilla.redhat.com/__show_bug.cgi?id=707599
    <https://bugzilla.redhat.com/show_bug.cgi?id=707599>

    ---
    This email is free from viruses and malware because avast! Antivirus
    protection is active.
    http://www.avast.com



--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

References:
- Slapd TLS issue
  - From: Eric Falbe <ericf706@gmail.com>
- Re: Slapd TLS issue
  - From: Terje Trane <terjet@funcom.com>
- Re: Slapd TLS issue
  - From: Eric Falbe <ericf706@gmail.com>

Prev by Date: Re: Slapd TLS issue
Next by Date: RE: Help with trying to setup RE: Issues with setting up multiple master
Index(es):
- Chronological
- Thread