--On Wednesday, February 25, 2009 2:23 PM -0600 Nick Geron
<nge...@corenap.com> wrote:
Thanks for the reply Quanah. I agree. Unfortunately the root problem I
see is that proxymap is not reading the CA I'm trying to provide via the
tls_ca_cert_file (or dir) configuration in my alias map. Strace
demonstrates that postmap loads the CA and performs lookups over tls
fine, but proxymap does not load the CA, hence determines the cert to be
invalid. I've posted output from syslog and strace in my last reply to
Victor on this thread.
Well, I can confirm this is all working for me @ Zimbra, with self-signed
certs, using OpenLDAP 2.3.43 and OpenSSL 0.9.8g. You may want to up the
debuglevel setting as well. Try 7, it should add a bit of output from the
LDAP libraries that way, and you can see something more than just "startTLS
failed", which might help.
Also, when you tested via ldapsearch with these same certs, did you use -ZZ
or -ZZZ? -ZZZ will force verification that -ZZ doesn't.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
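Added example, not from this thread or from Postfix/Zimbra: an ldap_table(5) map fragment and the matching main.cf line that pair the CA file with tls_require_cert = yes and the debuglevel setting Quanah mentions, so a CA that fails to load shows up as a verification error rather than being silently accepted. The host, base DN and file paths are hypothetical placeholders.

```ini
# /etc/postfix/ldap-aliases.cf  (hypothetical path; all values are placeholders)
# Postfix ldap_table(5) parameters for an alias lookup over STARTTLS.
server_host = ldap://ldap.example.com
version = 3
start_tls = yes

# CA that signed the LDAP server certificate. Because the lookup is served by
# proxymap(8), which runs as the unprivileged mail_owner user, this file must be
# readable by that user (and be visible inside its chroot, if it is chrooted).
tls_ca_cert_file = /etc/postfix/ldap-ca.pem

# Weak setting: "tls_require_cert = no" accepts any server certificate and hides
# a CA-loading problem like the one in this thread. Demand verification instead.
tls_require_cert = yes

# Raise temporarily while troubleshooting: passes the level to the OpenLDAP
# libraries so their TLS messages appear in syslog alongside Postfix's own.
debuglevel = 7

search_base = ou=people,dc=example,dc=com
query_filter = (mail=%s)
result_attribute = mail

# /etc/postfix/main.cf  (placeholder line)
# proxy: means proxymap(8), not postmap(1), opens the CA file; test the map with
# the same user and paths proxymap uses, then set debuglevel back to 0.
alias_maps = hash:/etc/aliases, proxy:ldap:/etc/postfix/ldap-aliases.cf
```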