I wrote: >> But the truss shows that at no time (at startup or later when talking to an >> LDAP server) >> does the parent or any child httpd try to open() the file >> /var/local/etc/certs/foo. >> So (not surprisingly), attempts by httpd to verify certificates issued by >> the CA whose cert is in 'foo' fail.
"Eric Covener" <[EMAIL PROTECTED]> wrote: >Can you try truss -u ::ldap_set_option and see if we're passing the >cert info off to openldap? openldap would be the one actually on the >hook for doing the checking. > >Coercing some trace out of openldap might yeild a clue too Further trusses showed that httpd *does* open64(), read(), and close() one of the CA cert files specified in my httpd.conf (actually, the same process did so twice, which seemed odd). But it only did so for the last of the CA cert files mentioned in httpd.conf: When I reduced my httpd.conf to just a single LDAPTrustedGlobalCert statement, it works fine. When I have two or more LDAPTrustedGlobalCert statements (to bring other CA certs), it only works if the CA I need is the last one mentioned in httpd.conf. Whatever's the cause, I've worked around it for now by specifying just a single LDAPTrustedGlobalCert statement; currently all my LDAP servers have certificates signed by the same CA. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
