Victor Duchovni wrote:
On Wed, Feb 25, 2009 at 03:30:51PM -0600, Nick Geron wrote:

Well, I have found my problem. I probably should have mentioned earlier
(how many times has that appeared on this list?) that ldap is used on this
system for local user authentication, meaning pam/nss are tied into ldap.
I noticed in traces that the system configs and certificates were being
loaded/read by proxymap and wondered if proxymap was not resetting the
value of the ca cert or ca dir as one would expect after it reads in the
alias map config.

This is an OpenLDAP API design issue. The OpenLDAP library (at least up
to version 2.3) has a single global SSL_CTX object, that is initialized
just once by the first call that creates an SSL-protected LDAP connection.
All requests to set the global SSL context properties are ignored silently
after that point.
To solve your problem you must make sure that your nsswitch CAfile and
CAfile include all the certificates needed by Postfix.

Understood. Thanks again to Victor and Quanah.
-Nick
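
The check implied by the advice in this thread, as an added example that is not part of the original messages: since only the first CA settings loaded into OpenLDAP's global SSL context take effect, this compares the bundle that is loaded first (here the nsswitch one) with the bundle Postfix needs and builds a merged file. The function names and the sample bundles are assumptions; the PEM blocks are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)

def pem_certs(bundle_text):
    """Map SHA-256 fingerprint of the DER bytes -> PEM block, per certificate."""
    certs = {}
    for m in PEM_RE.finditer(bundle_text):
        der = base64.b64decode("".join(m.group(1).split()))
        certs[hashlib.sha256(der).hexdigest()] = m.group(0)
    return certs

def missing_from_first_loader(first_loaded, also_needed):
    """Fingerprints in also_needed that the first-loaded bundle lacks."""
    have = pem_certs(first_loaded)
    return sorted(fp for fp in pem_certs(also_needed) if fp not in have)

def merged_bundle(first_loaded, also_needed):
    """First-loaded bundle plus every certificate it was missing."""
    have = pem_certs(first_loaded)
    extra = [pem for fp, pem in pem_certs(also_needed).items() if fp not in have]
    return "\n".join([first_loaded.strip()] + extra) + "\n"

def placeholder_pem(label):
    # Constructed placeholder: arbitrary bytes in PEM armor, NOT a real certificate.
    body = base64.encodebytes(label.encode() * 8).decode().strip()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"

# Constructed stand-ins for the nsswitch CA file and the Postfix CA file.
NSS_CA = placeholder_pem("directory-ca") + "\n"
POSTFIX_CA = (
    placeholder_pem("directory-ca") + "\n" + placeholder_pem("mail-ldap-ca") + "\n"
)

if __name__ == "__main__":
    gap = missing_from_first_loader(NSS_CA, POSTFIX_CA)
    print("missing from first-loaded bundle:", gap)
    fixed = merged_bundle(NSS_CA, POSTFIX_CA)
    print("still missing after merge:", missing_from_first_loader(fixed, POSTFIX_CA))
```

To use it on a real system, read the two CA files from disk and pass their contents in place of the constructed samples.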