On Wed, May 07, 2014 at 02:22:07PM -0700, Quanah Gibson-Mount wrote:
--On May 7, 2014 at 4:14:36 PM -0400 "Andrew D. Arenson" aarenson@iu.edu wrote:
On Tue, May 06, 2014 at 09:45:17PM -0700, Quanah Gibson-Mount wrote:
--On May 6, 2014 at 11:26:47 AM -0400 "Andrew D. Arenson" aarenson@iu.edu wrote:
I am trying to understand how an LDAP server's certificate is being verified in the absence of the appropriate CA certificates. I have openldap 2.4.23-34 installed.
So I'm guessing you are using RHEL's utterly broken packages for OpenLDAP. I would advise you to get a real, functioning OpenLDAP build, or build OpenLDAP yourself. You can obtain functional builds from Symas or the LTB project.
It is, indeed, RHEL. Have you got a pointer to info about how they are broken?
They link to a non-standard SSL implementation they linked in themselves, for one, that has serious issues (you can search on that if you like). They ship 2.4.23, which is *years* out of date and has had numerous bugs fixed since then (see the change log on the OpenLDAP website).
It should never be used for a production installation.
Thank you.
The change log shows that 2.4.23 is from the middle of 2010. Ugh.
I see that RHEL links to something called NSS. If you have handy links to documentation/info about the problems with NSS, I would love to see them. I'll be looking, but if you already know where to look, I'd certainly appreciate it.
Andy