On Mon, Jun 01, 2009 at 02:54:13PM +0200, Arthur de Jong wrote:
> On Sun, 2009-05-24 at 14:22 -0300, Rodrigo Campos wrote:
> > What is weird is that I have all options commented in /etc/ldap.conf
> > and I have no ~/.ldaprc.
>
> On Sun, 2009-05-24 at 14:34 -0300, Rodrigo Campos wrote:
> > I meant /etc/ldap/ldap.conf (I dont have a /etc/ldap.conf file)
> >
> > And now that I check, I do have "tls_checkpeer no"
> > in /etc/pam_ldap.conf, perhaps that file was parsed too ?
>
> This file shouldn't be parsed as far as I know. You can try to start the
> old nslcd with:
> strace -f -o /tmp/strace.log nslcd -d
> and have a look in the logfile to see which files are opened.
The files that opened are:
/etc/nss-ldapd.conf
/etc/nsswitch.conf
/etc/passwd
/etc/group
/var/run/nslcd/nslcd.pid
/etc/resolv.conf
/etc/host.conf
/etc/hosts
/etc/ldap/ldap.conf
/root/ldaprc
/root/.ldaprc
ldaprc
So /etc/pam_ldap.conf is not checked. And /root/ldaprc, /root/.ldaprc, ldaprc
does not exist, /etc/ldap/ldap.conf is all commented, and in /etc/nss-ldapd.conf
is not turned on. The others does not have anything either...
Looking in the man of nss-ldapd.conf 0.6.7.1, it says:
tls_checkpeer
Specifies whether to require and verify the server certificate or
not, when using SSL/TLS with the OpenLDAP client library. The
default is to use the default behaviour of the client library; for
OpenLDAP 2.0 and earlier it is "no", for OpenLDAP 2.1 and later it is
"yes". At least one of tls_cacertdir and tls_cacertfile is required if
peer verification is enabled.
In the man of nss-ldapd.conf 0.6.10 says:
tls_reqcert
Specifies what checks to perform on a server-supplied
certificate. The meaning of the values is described in the ldap.conf(5)
manual page. At least one of tls_cacertdir and tls_cacertfile is
required if peer verification is enabled.
and it the man of ldapd.conf it does not say anything about the default. So if
I'm not wrong the default have changed ?
Anyways, I think I'm using OpenLDAP 2.1 or later of the client library. I have
installed libldap2 2.1.30-13.4 and libldap-2.4-2 2.4.11-1 (if I'm not is
probably that ?). So the default of "yes" without specifing tls_cacertfile or
tls_cacertdir is not possible with 0.6.7.1 (because I wasn't specifing it) and
perhaps that makes tls_checkpeer default to "no" in 0.6.7.1 ?
Sorry for the delay again, I've been sick :S
Thanks a lot,
Rodrigo
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]