On 02/24/2012 01:31 PM, Aaron Bennett wrote:

> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Aaron Bennett
> Sent: Friday, February 24, 2012 3:25 PM
> To: [email protected]
> Cc: [email protected]
> Subject: RE: Mozilla NSS -- how to deploy intermediate certificate
>
>
>
> From: Rich Megginson [mailto:[email protected]]
> Sent: Friday, February 24, 2012 2:50 PM
> To: Aaron Bennett
> Cc: [email protected]
> Subject: Re: Mozilla NSS -- how to deploy intermediate certificate
>
>> Is the ldapwhoami client on the same machine as the server?   What is the
>> client TLS configuration?
>
> No.  If I run the ldapwhoami from the server it works correctly.  In this
> particular case, I'm running it from an Ubuntu 11.10 workstation.  Apache
> Directory Studio on Windows also throws a certificate error when trying to
> connect.  Likewise I have reports of failure to connect via PHP-Ldap from a
> third computer.

TLS/SSL clients need at the very least the CA certificate chain in order to
verify the server's certificate.
--------------

> One other oddity about this is there are two boxes in play -- one's hostname is
> 'animal.clarku.edu' and the other is 'zoot.clarku.edu'; they are round-robin'd
> behind the hostname 'ds.clarku.edu.' However the cert I have installed on each
> box is for ds.clarku.edu.

Not sure how this works with openldap - the usual way to handle this is to use
subjectAltName so that the server's cert has animal.clarku.edu, zoot.clarku.edu
and ds.clarku.edu.
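The two points in this reply (a client that holds only the root CA cannot verify a server certificate issued by an intermediate it has never seen, and one certificate can cover all three round-robin names through subjectAltName) can be checked offline. The script below is an added example, not code from the thread or from OpenLDAP: it builds a throwaway root, intermediate and server certificate with openssl, then verifies the server certificate the way an LDAP client would, once with the root alone and once with the root plus the intermediate, and checks each hostname against the SAN. The CA names, file names and the contents of ext.cnf are made up for the example; the three hostnames are the ones from the thread. It assumes openssl 1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): root -> intermediate -> server chain,
# verified with and without the intermediate, plus SAN hostname checks.
# Assumes openssl 1.1+ is installed. CA names and file names are made up.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, nothing to do"; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config so the example does not depend on the system openssl.cnf.
# v3_ca is used for both the root and the intermediate, v3_server for ds/animal/zoot.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ds.clarku.edu, DNS:animal.clarku.edu, DNS:zoot.clarku.edu
EOF

q() { "$@" >/dev/null 2>&1; }   # run a command quietly; exit status is kept

# Self-signed root, intermediate signed by the root, server cert signed by the intermediate.
q openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 -config ext.cnf -extensions v3_ca \
    -subj "/CN=Example Root CA" -keyout root.key -out root.crt
q openssl req -new -newkey rsa:2048 -nodes -config ext.cnf \
    -subj "/CN=Example Intermediate CA" -keyout int.key -out int.csr
q openssl x509 -req -days 2 -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -extfile ext.cnf -extensions v3_ca -out int.crt
q openssl req -new -newkey rsa:2048 -nodes -config ext.cnf \
    -subj "/CN=ds.clarku.edu" -keyout server.key -out server.csr
q openssl x509 -req -days 2 -in server.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -extfile ext.cnf -extensions v3_server -out server.crt

# What a client's TLS_CACERT file has to contain: the root AND the intermediate.
cat root.crt int.crt > chain.pem

# chain_ok TRUSTFILE [HOSTNAME]: returns 0 if server.crt verifies against TRUSTFILE
# and, when HOSTNAME is given, also matches it the way a TLS client checks names.
chain_ok() {
    if [ -n "$2" ]; then
        q openssl verify -CAfile "$1" -verify_hostname "$2" server.crt
    else
        q openssl verify -CAfile "$1" server.crt
    fi
}

# san_names: the DNS names carried in the server cert's subjectAltName, one per line.
san_names() {
    openssl x509 -in server.crt -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# The situation from the thread: the cert is fine, the client just lacks the intermediate.
if chain_ok root.crt; then echo "root only: verifies"; else echo "root only: FAILS (no intermediate)"; fi
if chain_ok chain.pem; then echo "root+intermediate: verifies"; else echo "root+intermediate: FAILS"; fi
for h in ds.clarku.edu animal.clarku.edu zoot.clarku.edu other.clarku.edu; do
    if chain_ok chain.pem "$h"; then echo "$h: matches SAN"; else echo "$h: hostname mismatch"; fi
done
echo "SAN names: $(san_names | tr '\n' ' ')"
```

The "root only: FAILS" line is what the workstation, Apache Directory Studio and PHP-Ldap are hitting: the server's certificate itself is not the problem, the client simply cannot build a path to a trusted root without the intermediate. On the client side with the OpenSSL-based ldap tools, that means pointing `TLS_CACERT` in ldap.conf (or the `LDAPTLS_CACERT` environment variable) at a file like chain.pem above; on a server built against NSS, the certificates live in a cert DB rather than in files, so the intermediate is added there with `certutil -A -d <certdir> -n <nickname> -t <trust flags> -i int.crt` (the general shape of the command, not run here) so that slapd can send it during the handshake. The hostname loop shows the second point: one certificate whose SAN lists ds, animal and zoot passes the name check for all three, while a name not in the SAN is rejected even though the chain itself is good.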
